apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    {{- include "k8s-cloudwatch-adapter.labels" . | nindent 4 }}
  name: k8s-cloudwatch-adapter:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: k8s-cloudwatch-adapter
  namespace: amazon-cloudwatch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    {{- include "k8s-cloudwatch-adapter.labels" . | nindent 4 }}
  name: k8s-cloudwatch-adapter-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: k8s-cloudwatch-adapter
  namespace: amazon-cloudwatch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    {{- include "k8s-cloudwatch-adapter.labels" . | nindent 4 }}
  name: k8s-cloudwatch-adapter:resource-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8s-cloudwatch-adapter:resource-reader
subjects:
- kind: ServiceAccount
  name: k8s-cloudwatch-adapter
  namespace: amazon-cloudwatch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    {{- include "k8s-cloudwatch-adapter.labels" . | nindent 4 }}
  name: k8s-cloudwatch-adapter:external-metrics-reader
rules:
- apiGroups:
  - external.metrics.k8s.io
  resources: ["*"]
  verbs: ["*"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    {{- include "k8s-cloudwatch-adapter.labels" . | nindent 4 }}
  name: k8s-cloudwatch-adapter:resource-reader
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  - pods
  - services
  - configmaps
  verbs:
  - get
  - list
- apiGroups:
  - metrics.aws
  resources:
  - externalmetrics
  verbs: ["*"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    {{- include "k8s-cloudwatch-adapter.labels" . | nindent 4 }}
  name: k8s-cloudwatch-adapter:external-metrics-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8s-cloudwatch-adapter:external-metrics-reader
subjects:
- kind: ServiceAccount
  name: horizontal-pod-autoscaler
  namespace: kube-system