apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: turbo-cluster-admin
rules:
  - apiGroups:
      - ""
      - batch
    resources:
      - pods
      - jobs
    verbs:
      - '*'
  - apiGroups:
      - ""
      - apps
      - apps.openshift.io
      - extensions
      - turbonomic.com          # Need it for backward compatibility with ORM v1
      - devops.turbonomic.io
      # API groups for ORM owners
      # It's required when using ORM with ClusterRole 'turbo-cluster-admin'.
      # It's recommended to use ORM with ClusterRole 'cluster-admin'.
      # - redis.redis.opstreelabs.in
      # - charts.helm.k8s.io
    resources:
      - deployments
      - replicasets
      - replicationcontrollers
      - statefulsets
      - daemonsets
      - deploymentconfigs
      - resourcequotas
      - operatorresourcemappings
      - operatorresourcemappings/status
      # Resources for ORM owners
      # It's required when using ORM with ClusterRole 'turbo-cluster-admin'.
      # It's recommended to use ORM with ClusterRole 'cluster-admin'.
      # - redis
      # - xls
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - ""
      - apps
      - batch
      - extensions
      - policy
      - app.k8s.io
      - argoproj.io
      - apiextensions.k8s.io
      - config.openshift.io
    resources:
      - nodes
      - services
      - endpoints
      - namespaces
      - limitranges
      - persistentvolumes
      - persistentvolumeclaims
      - poddisruptionbudget
      - cronjobs
      - applications
      - customresourcedefinitions
      - clusterversions
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - machine.openshift.io
    resources:
      - machines
      - machinesets
    verbs:
      - get
      - list
      - update
  - apiGroups:
      - ""
    resources:
      - nodes/spec
      - nodes/stats
      - nodes/metrics
      - nodes/proxy
      - pods/log
    verbs:
      - get
  - apiGroups:
      - policy.turbonomic.io
    resources:
      - slohorizontalscales
      - policybindings
    verbs:
      - get
      - list
      - watch
  # Need it for SCC impersonation
  - apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    verbs:
      - list
      - use
  # Need it for SCC impersonation
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - create # It should be commented out if the SCC resources created externally.
      - delete # It should be commented out if the SCC resources created externally.
      - impersonate
  # Need it for SCC impersonation
  # It should be commented out if the SCC resources created externally.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
      - clusterroles
      - clusterrolebindings
    verbs:
      - create
      - delete
      - update
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - watch