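# RBAC role for the GMSA admission webhook. It lets the webhook:
#  * read GMSA custom resources
#  * check authorizations to use GMSA cred specs
# A ClusterRole is not namespaced: if it is bound through a ClusterRoleBinding,
# the rules below apply in every namespace, so the binding should name only the
# webhook's own service account.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # Quoted so that a release name that looks like a number, boolean or null
  # (for example 123 or true) is still rendered as a YAML string.
  name: {{ .Release.Name | quote }}
  labels: {{ include "gmsa.chartref" . | nindent 4 }}
rules:
  # Read GMSA credential spec objects. "use" is a custom verb, not a standard
  # API verb; it only has meaning in authorization checks.
  # NOTE(review): confirm the webhook's own identity needs "use" in addition to
  # "get"; if "use" is only checked for the pods' service accounts, dropping it
  # here narrows the role.
  - apiGroups: ["windows.k8s.io"]
    resources: ["gmsacredentialspecs"]
    verbs: ["get", "use"]
  # Create LocalSubjectAccessReview objects, i.e. ask the API server whether a
  # given subject is authorized for an action in a namespace. This is how the
  # webhook checks authorization to use a cred spec; it also lets the holder
  # query permissions of other subjects, which is another reason to keep the
  # binding limited to the webhook.
  - apiGroups: ["authorization.k8s.io"]
    resources: ["localsubjectaccessreviews"]
    verbs: ["create"]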