{{- if not .Values.kubecostModel.etlReadOnlyMode -}} {{- if and .Values.reporting .Values.reporting.logCollection -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: {{ .Release.Namespace }} name: {{ template "cost-analyzer.serviceAccountName" . }} labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} rules: - apiGroups: - '' resources: - "pods/log" verbs: - get - list - watch --- {{- end }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "cost-analyzer.serviceAccountName" . }} labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} rules: - apiGroups: - '' resources: - configmaps - deployments - nodes - pods - events - services - resourcequotas - replicationcontrollers - limitranges - persistentvolumeclaims - persistentvolumes - namespaces - endpoints verbs: - get - list - watch - apiGroups: - extensions resources: - daemonsets - deployments - replicasets verbs: - get - list - watch {{- $isLeaderFollowerEnabled := include "cost-analyzer.leaderFollowerEnabled" . }} {{- if $isLeaderFollowerEnabled }} - apiGroups: - coordination.k8s.io resources: - leases verbs: - '*' {{- end }} - apiGroups: - apps resources: - statefulsets - deployments - daemonsets - replicasets verbs: - list - watch - apiGroups: - batch resources: - cronjobs - jobs verbs: - get - list - watch - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - get - list - watch - apiGroups: - policy resources: - poddisruptionbudgets verbs: - get - list - watch - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - get - list - watch - apiGroups: - events.k8s.io resources: - events verbs: - get - list - watch {{- end }}