{{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostDeployment) (.Values.kubecostDeployment.queryServiceReplicas) }} {{- if gt (.Values.kubecostDeployment.queryServiceReplicas | toString | atoi) 0 }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: {{ .Release.Namespace }} name: {{ template "query-service.serviceAccountName" . }} labels: {{ include "query-service.commonLabels" . | nindent 4 }} rules: - apiGroups: - '' resources: - "pods/log" verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "query-service.serviceAccountName" . }} labels: {{ include "query-service.commonLabels" . | nindent 4 }} rules: - apiGroups: - '' resources: - configmaps - deployments - nodes - pods - events - services - resourcequotas - replicationcontrollers - limitranges - persistentvolumeclaims - persistentvolumes - namespaces - endpoints verbs: - get - list - watch - apiGroups: - extensions resources: - daemonsets - deployments - replicasets verbs: - get - list - watch - apiGroups: - apps resources: - statefulsets - deployments - daemonsets - replicasets verbs: - list - watch - apiGroups: - batch resources: - cronjobs - jobs verbs: - get - list - watch - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - get - list - watch - apiGroups: - policy resources: - poddisruptionbudgets verbs: - get - list - watch - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - get - list - watch - apiGroups: - events.k8s.io resources: - events verbs: - get - list - watch {{- end }} {{- end }}