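---
# ClusterRole for the operator (Helm template).
#
# Every rule below is cluster-wide. Several of them — cluster-wide write
# on secrets, `impersonate` on serviceaccounts, and `bind`/`escalate` plus
# write on clusterroles/clusterrolebindings — individually allow escalation
# to cluster-admin, so a compromise of the operator's service account token
# is a full-cluster compromise. Review this file whenever a verb or resource
# is added, and prefer namespaced Roles where the operator's scope allows.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # Rendered scalars are quoted: a release name such as "true" or "1" is a
  # valid DNS label but would otherwise be parsed as a boolean/number and be
  # rejected by the API server as a label value.
  name: {{ include "operator.fullname" . | quote }}
  labels:
    {{- include "operator.labels" . | nindent 4 }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/part-of: {{ .Release.Name | quote }}
    app.kubernetes.io/managed-by: argocd
rules:
  # Full read/write on secrets and configmaps in every namespace.
  - apiGroups: [""]
    resources: ["pods", "services", "secrets", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumes", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["resourcequotas", "limitranges"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # `impersonate` on serviceaccounts lets the operator act as any service
  # account in the cluster, so its effective permissions are the union of
  # every service account's permissions. Drop it unless a code path really
  # sends requests with an Impersonate-User header.
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "impersonate"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Routes replaced with Ingress for vanilla Kubernetes
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # `escalate` allows creating/updating roles with permissions the operator
  # does not itself hold, and `bind` allows binding any clusterrole (it is
  # not limited by resourceNames here). Combined with write on
  # clusterrolebindings this is cluster-admin-equivalent. If the intent is
  # the narrower grant in the resourceNames rule further down, remove
  # "bind" and "escalate" from this rule.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "bind", "escalate"]
  # Operator-owned CRDs: wildcard access to its own API group.
  - apiGroups: ["containermom.josie.cloud"]
    resources: ["*"]
    verbs: ["*"]
  # NOTE(review): a second API group is used for what look like the same
  # operator's CRDs — confirm both groups are still served, and drop the
  # one that is not.
  - apiGroups: ["container.mom"]
    resources: ["containermomdeployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["container.mom"]
    resources: ["containermomdeployments/status"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["container.mom"]
    resources: ["templates"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["container.mom"]
    resources: ["templates/status"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["container.mom"]
    resources: ["customers"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["container.mom"]
    resources: ["customers/status"]
    verbs: ["get", "update", "patch"]
  # For vanilla Kubernetes, use standard image pull secrets and registries
  # Special permission to assign the edit and admin role to other users in any namespace
  # This rule is currently subsumed by the unrestricted "bind" on clusterroles
  # above; it only takes effect once that verb is removed there.
  # "system:image-builder" and "system:image-puller" are OpenShift roles and
  # do not exist on vanilla Kubernetes, where these entries are a no-op.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["bind"]
    resourceNames: ["admin", "edit", "view", "system:image-builder", "system:image-puller"]
  # Allow the operator to use subjectaccessreviews for validating permissions
  # (create-only: the operator can ask "may X do Y" but gains no access itself).
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews", "localsubjectaccessreviews"]
    verbs: ["create"]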