# Test environment for per-namespace scans
# The purpose of this setup is to verify that per-namespace features work without cluster level permissions
# You can test this ServiceAccount and KRR using:
#   krr simple --as system:serviceaccount:kube-system:krr-account -n kube-system
apiVersion: v1
kind: ServiceAccount
metadata:
  name: krr-account
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: krr-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: krr-role-binding
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: krr-account
  namespace: kube-system
roleRef:
  kind: Role
  name: krr-role
  apiGroup: rbac.authorization.k8s.io