{{- if or .Values.rbac.create (or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "instana-agent.fullname" . }}
  labels:
    {{- include "instana-agent.commonLabels" . | nindent 4 }}
rules:
- nonResourceURLs:
    - "/version"
    - "/healthz"
  verbs: ["get"]
{{- if or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1") }}
  apiGroups: []
  resources: []
{{- end }}
- apiGroups: ["batch"]
  resources:
    - "jobs"
    - "cronjobs"
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources:
    - "deployments"
    - "replicasets"
    - "ingresses"
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources:
    - "deployments"
    - "replicasets"
    - "daemonsets"
    - "statefulsets"
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources:
    - "namespaces"
    - "events"
    - "services"
    - "endpoints"
    - "nodes"
    - "pods"
    - "replicationcontrollers"
    - "componentstatuses"
    - "resourcequotas"
    - "persistentvolumes"
    - "persistentvolumeclaims"
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources:
    - "endpoints"
  verbs: ["create", "update", "patch"]
- apiGroups: ["networking.k8s.io"]
  resources:
    - "ingresses"
  verbs: ["get", "list", "watch"]
{{- if or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1") }}
- apiGroups: ["apps.openshift.io"]
  resources:
    - "deploymentconfigs"
  verbs: ["get", "list", "watch"]
- apiGroups: ["security.openshift.io"]
  resourceNames: ["privileged"]
  resources: ["securitycontextconstraints"]
  verbs: ["use"]
{{- end -}}
{{- if .Values.podSecurityPolicy.enable}}
{{- if semverCompare "< 1.25.x" (include "kubeVersion" .) }}
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  verbs:     ["use"]
  resourceNames:
  - {{ template "instana-agent.podSecurityPolicyName" . }}
{{- end }}
{{- end }}
{{- end }}