{{- if .Values.preDelete.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rancher-webhook-pre-delete
  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": pre-delete
    "helm.sh/hook-weight": "1"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
rules:
  - apiGroups: [ "admissionregistration.k8s.io" ]
    resources: [ "mutatingwebhookconfigurations" ]
    verbs: [ "delete" ]
    resourceNames: [ "rancher.cattle.io" ]
  - apiGroups: [ "" ]
    resources: [ "serviceaccounts" ]
    verbs: [ "get" ]
  - apiGroups: [ "policy" ]
    resources: [ "podsecuritypolicies" ]
    verbs: [ "use" ]
    resourceNames: [ "rancher-webhook-pre-delete" ]
{{- end }}