There’s a default “view” clusterrole (don’t let the name fool you - you can bind it in a namespace with a RoleBinding instead of ClusterRoleBinding and provide view only for that namespace) that K8s defines, that specifically excludes read permissions on secrets. Use that.
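A manifest for the binding described above, as an added example that is not part of the original comment. The namespace `team-a`, the group `team-a-viewers` and the user `jane` are hypothetical names chosen for illustration.

```yaml
# Added example: bind the built-in "view" ClusterRole inside one namespace only.
# "team-a" and "team-a-viewers" are hypothetical; substitute your own names.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding              # namespaced binding, so the grant stops at team-a
metadata:
  name: view-team-a
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-viewers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole            # reuse the cluster-wide role definition...
  name: view                   # ...whose rules omit read access to Secrets
  apiGroup: rbac.authorization.k8s.io
# Checks to run after applying (the caller needs impersonation rights;
# "jane" is a hypothetical member of the group):
#   kubectl auth can-i list pods   -n team-a  --as=jane --as-group=team-a-viewers
#   kubectl auth can-i get secrets -n team-a  --as=jane --as-group=team-a-viewers
#   kubectl auth can-i list pods   -n default --as=jane --as-group=team-a-viewers
```

The second and third checks are the ones that matter for least privilege: they confirm that no other binding is quietly granting Secret reads in `team-a` or any access outside it.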