{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: {{ template "kube2iam.name" . }}
    helm.sh/chart: {{ template "kube2iam.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  name: {{ template "kube2iam.fullname" . }}
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
    verbs:
      - list
      - watch
      - get
{{- if .Values.podSecurityPolicy.enabled }}
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - {{ template "kube2iam.fullname" . }}
{{- end }}

{{- end -}}