kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico-25-migration
rules:
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - create
      - get
      - list
      - post
      - patch
      - update
      - watch
  - apiGroups: ["extensions"]
    resources:
      - thirdpartyresources
    verbs:
      - create
      - get
      - list
      - post
      - patch
      - update
      - watch
  - apiGroups: ["apiextensions.k8s.io"]
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - get
      - list
      - post
      - patch
      - update
      - watch
  - apiGroups: ["projectcalico.org"]
    resources:
      - globalbgppeers
      - globalconfigs
      - globalbgpconfigs
      - ippools
    verbs:
      - create
      - get
      - list
      - post
      - patch
      - update
      - watch
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - bgppeers
      - globalbgpconfigs
      - ippools
      - globalnetworkpolicies
    verbs:
      - create
      - get
      - list
      - post
      - patch
      - update
      - watch

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: calico-25-migration
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-25-migration
subjects:
 - kind: ServiceAccount
   name: calico-25-migration
   namespace: default

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-25-migration

---

apiVersion: batch/v1
kind: Job
metadata:
  name: calico-upgrade-v2.5
spec:
  template:
    metadata:
      name: calico-upgrade-v2.5
    spec:
      serviceAccountName: calico-25-migration
      containers:
      - name: calico-upgrade
        image: calico/v2.5-upgrade:v0.0.1
      restartPolicy: Never