{{- if .Values.connectInject.cni.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "consul.fullname" . }}-cni
  namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
  labels:
    app: {{ template "consul.name" . }}
    chart: {{ template "consul.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    component: cni 
rules:
- apiGroups: [""]
  resources: 
  - pods
  verbs: 
  - get
  - list
  - watch
  - patch
  - update
- apiGroups: ["policy"]
  resources:
  - podsecuritypolicies 
  resourceNames:
  - {{ template "consul.fullname" . }}-cni
  verbs:
  - use
{{- if .Values.global.openshift.enabled}}
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames:
  - {{ template "consul.fullname" . }}-cni
  verbs:
  - use
{{- end }}
{{- end }}