---
# Copyright 2020 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rbac-members
rules:
# List and get configmap, pv & pvc and namespaces, nodes & pods & pod logs & services
- apiGroups: [""]
  resources:
  - "configmaps"
  - "nodes"
  - "namespaces"
  - "persistentvolumeclaims"
  - "persistentvolumes"
  - "pods"
  - "pods/log"
  - "services"
  verbs: ["get", "list", "watch"]
# List all get applications
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
  verbs: ["get", "list", "watch"]
# List and get hpa
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list", "watch"]
# View orders and challenges
- apiGroups: ["acme.cert-manager.io"]
  resources: ["challenges", "orders"]
  verbs: ["get", "list", "watch"]
# View certificates
- apiGroups: ["cert-manager.io"]
  resources: ["certificates"]
  verbs: ["get", "list", "watch"]
# View resource usage for nodes and pods
- apiGroups: ["metrics.k8s.io"]
  resources: ["nodes", "pods"]
  verbs: ["get", "list", "watch"]
# View storageclasses
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
# View podmonitors and prometheusrules
- apiGroups: ["monitoring.coreos.com"]
  resources: ["podmonitors", "prometheusrules"]
  verbs: ["get", "list", "watch"]