apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "aws-vpc-cni.fullname" . }}
  labels:
{{ include "aws-vpc-cni.labels" . | indent 4 }}
rules:
  - apiGroups:
      - crd.k8s.amazonaws.com
    resources:
      - eniconfigs
    verbs: ["list", "watch", "get"]
  - apiGroups: [""]
    resources:
      - namespaces
    verbs: ["list", "watch", "get"]
{{- if .Values.env.ANNOTATE_POD_IP }}
  - apiGroups: [""]
    resources:
      - pods
    verbs: ["list", "watch", "get", "patch"]
{{- else }}
  - apiGroups: [""]
    resources:
      - pods
    verbs: ["list", "watch", "get"]
{{- end }}        
  - apiGroups: [""]
    resources:
      - nodes
    verbs: ["list", "watch", "get", "update"]
  - apiGroups: ["", "events.k8s.io"]
    resources:
      - events
    verbs: ["create", "patch", "list"]