---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  namespace: {{ template "istio.namespace" . }}
  name: istio-edit
rules:
  - apiGroups:
      - config.istio.io
    resources:
      - adapters
      - attributemanifests
      - handlers
      - httpapispecbindings
      - httpapispecs
      - instances
      - quotaspecbindings
      - quotaspecs
      - rules
      - templates
    verbs: ["get", "watch", "list"]
  - apiGroups:
      - networking.istio.io
    resources:
      - destinationrules
      - envoyfilters
      - gateways
      - serviceentries
      - sidecars
      - virtualservices
      - workloadentries
    verbs:
      - '*'
  - apiGroups:
      - security.istio.io
    resources:
      - authorizationpolicies
      - peerauthentications
      - requestauthentications
    verbs:
      - '*'