{{- if .Values.k8s_sensor.deployment.enabled -}} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: k8sensor labels: {{- include "instana-agent.commonLabels" . | nindent 4 }} rules: - nonResourceURLs: - /version - /healthz verbs: - get - apiGroups: - extensions resources: - deployments - replicasets - ingresses verbs: - get - list - watch - apiGroups: - "" resources: - configmaps - events - services - endpoints - namespaces - nodes - pods - replicationcontrollers - resourcequotas - persistentvolumes - persistentvolumeclaims verbs: - get - list - watch - apiGroups: - apps resources: - daemonsets - deployments - replicasets - statefulsets verbs: - get - list - watch - apiGroups: - batch resources: - cronjobs - jobs verbs: - get - list - watch - apiGroups: - networking.k8s.io resources: - ingresses verbs: - get - list - watch - apiGroups: - "" resources: - pods/log verbs: - get - list - watch - apiGroups: - autoscaling/v1 resources: - horizontalpodautoscalers verbs: - get - list - watch - apiGroups: - autoscaling/v2 resources: - horizontalpodautoscalers verbs: - get - list - watch - apiGroups: - apps.openshift.io resources: - deploymentconfigs verbs: - get - list - watch - apiGroups: - security.openshift.io resourceNames: - privileged resources: - securitycontextconstraints verbs: - use {{ if .Values.podSecurityPolicy.enable }} - apiGroups: - policy resourceNames: - k8sensor resources: - podsecuritypolicies verbs: - use {{ end }} {{- end }}