{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:{{ template "metrics-server.fullname" . }}
  labels:
    app: {{ template "metrics-server.name" . }}
    chart: {{ template "metrics-server.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
    - ""
    resources:
      - pods
      - nodes
      - nodes/stats
      - namespaces
    verbs:
      - get
      - list
      - watch
  {{- if .Values.rbac.pspEnabled }}
  - apiGroups:
    - extensions
    - policy
    resources:
    - podsecuritypolicies
    resourceNames:
    - privileged-{{ template "metrics-server.fullname" . }}
    verbs:
    - use
  {{- end -}}
{{- end -}}