Change import role to cluster role
Role bindings can link cluster roles, but they only grant access to the namespace of the role binding. (https://octopus.com/blog/k8s-rbac-roles-and-bindings)
This reduces the dynamically created roles. It should result in about two fewer roles per cluster. Import service accounts, roles and bindings are only required for the cluster import and are cleaned up.
Upgrading existing Clusters to the new ClusterRoles
To migrate existing clusters, it should be enough to delete the ClusterRegistrationToken to get rid of the old import service accounts and roles/rolebindings. The ClusterRegistrationToken usually has a TTL of 12h, after which it is deleted.
The sa, roles and rolebindings are recreated automatically if the agent re-registers. However, an old ClusterRegistrationToken and its RBAC resources will break that.