---
# create role binding for OpenTelemetry daemon to read config map
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: otlp-role
  namespace: amazon-cloudwatch
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: otlp-role-binding
  namespace: amazon-cloudwatch
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: otlp-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: otelcol-rbac
subjects:
- kind: ServiceAccount
  name: otlp-daemon
  namespace: amazon-cloudwatch
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---