In the Cloud VPS OpenStack environment we have an account named "novaobserver" that is associated with a role named "observer" which we add to every Cloud VPS project (T150092). The custom "observer" role is defined in our OpenStack configuration to allow it to inspect, but not change, a wide variety of OpenStack configuration related to each Cloud VPS project. The most visible use of this shared account is https://tools.wmflabs.org/openstack-browser/ which uses it extensively to interrogate the state of the OpenStack deployment.
We would like tools to be able to do similar inspection of cluster and namespace state in the Toolforge Kubernetes cluster. T201892: Toolforge: Build dashboard that breaks down webservice type usage by tool is one concrete example of a desired tool. Kubernetes equivalents of https://tools.wmflabs.org/sge-jobs/ and https://tools.wmflabs.org/sge-status/ would be other desired tools.
The "k8sobserver" role/user/whatever should NOT be able to see "private" or "secret" things in a namespace. This certainly includes Secret objects, and also probably should extend to ConfigMap objects. The approach taken with the novaobserver account is an allowlist rather than a blocklist so that we do not accidentally expose new things before we have made a reasoned examination of their security/privacy implications.
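One way to express that allowlist in Kubernetes RBAC, as an added illustration rather than anything from this task or from the actual Toolforge configuration (the ClusterRole name, the ServiceAccount name and its namespace, and the exact set of allowed resources are all assumptions for the sake of the example):

```yaml
# Hypothetical read-only observer role for the Toolforge Kubernetes cluster.
# Every resource is named explicitly; nothing uses "*", so a newly added
# API type is NOT visible until someone deliberately adds it here, which
# mirrors the allowlist approach used for novaobserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k8sobserver            # assumed name
rules:
  # Core API group: inspect workloads and quotas, but Secret and ConfigMap
  # are deliberately absent from this list.
  - apiGroups: [""]
    resources:
      - namespaces
      - pods
      - services
      - endpoints
      - resourcequotas
      - limitranges
      - events
    verbs: ["get", "list", "watch"]   # read-only verbs only
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # What NOT to do: a blocklist-style rule like the one below would grant
  # read access to every current and future resource type, including
  # secrets and configmaps, and would have to be pruned after the fact.
  #- apiGroups: ["*"]
  #  resources: ["*"]
  #  verbs: ["get", "list", "watch"]
---
# The shared account the observer tools would authenticate as (assumed
# namespace and name).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8sobserver
  namespace: k8sobserver
---
# Cluster-wide binding so the account can inspect every tool's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8sobserver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8sobserver
subjects:
  - kind: ServiceAccount
    name: k8sobserver
    namespace: k8sobserver
```

After applying it, the boundary can be checked by impersonating the account with `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:k8sobserver:k8sobserver`, which should answer `yes`, and the same query for `secrets` and `configmaps`, which should answer `no`. One caveat worth keeping in mind when reviewing each resource added to the list: a Pod spec is readable under this role and can carry literal environment variable values that a tool author put there, so "pods" is not automatically free of private data even though Secret values themselves stay hidden.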