# If RBAC is enabled in the cluster, then the operator pod for both
# metallb-controller and metallb-speaker need to be granted permission to # use the K8s API for some specific actions. 
# This step is not automated because once bug LP:1896076 and LP:1886694 are fixed, it will no
# longer be necessary to use the K8s API.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: use-k8s-api
rules:
- apiGroups: ["policy", "rbac.authorization.k8s.io"]
  resources: ["podsecuritypolicies", "roles", "rolebindings"]
  verbs: ["create", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: use-k8s-api
subjects:
- kind: ServiceAccount
  name: metallb-controller-operator
  # change namespace name according to your environment
  namespace: metallb-system
- kind: ServiceAccount
  name: metallb-speaker-operator
  # change namespace name according to your environment
  namespace: metallb-system
- kind: ServiceAccount
  name: metallb-controller
  # change namespace name according to your environment
  namespace: metallb-system
- kind: ServiceAccount
  name: metallb-speaker
  # change namespace name according to your environment
  namespace: metallb-system
roleRef:
  kind: ClusterRole
  name: use-k8s-api
  apiGroup: rbac.authorization.k8s.io