apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "{{ .Values.clusterRole }}"
rules:
  # Framework: knowing which other operators are running (i.e. peering).
  - apiGroups: [kopf.dev]
    resources: [clusterkopfpeerings]
    verbs: [list, watch, patch, get]

  # Framework: runtime observation of namespaces & CRDs (addition/deletion).
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: [list, watch]
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [list, watch]

  # Framework: admission webhook configuration management.
  - apiGroups: [admissionregistration.k8s.io/v1, admissionregistration.k8s.io/v1beta1]
    resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
    verbs: [create, patch]

  # Application: read-only access for watching cluster-wide.
  - apiGroups: [eks.amazonaws.com]
    resources: [refactorspacesservices]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

  # Application: read-only access for watching cluster-wide.
  - apiGroups: [eks.amazonaws.com]
    resources: [refactorspacesconfigs]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]  

  - apiGroups: [""]
    resources: [services]
    verbs: [list, watch, get]  

  - apiGroups: [""]
    resources: [events]
    verbs: ["get", "list", "watch", "create", "update", "patch"]  

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "{{ .Values.clusterRoleBinding }}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "{{ .Values.clusterRole }}"
subjects:
  - kind: ServiceAccount
    name: "{{ .Values.serviceAccount.name }}"
    namespace: "{{ .Values.namespace }}"