apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "falcon-sensor.fullname" . }}-access-role
  labels:
    app: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/component: "container_sensor"
    crowdstrike.com/provider: crowdstrike
    helm.sh/chart: {{ include "falcon-sensor.chart" . }}
rules:
{{- if .Values.container.enabled }}
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
{{- end }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
- apiGroups:
  - policy
  resourceNames:
{{- if .Values.node.enabled }}
  - {{ include "falcon-sensor.fullname" . }}-node
{{- end }}
{{- if .Values.container.enabled }}
  - {{ include "falcon-sensor.fullname" . }}-container
{{- end }}
  resources:
  - podsecuritypolicies
  verbs:
  - use
{{- end }}