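---
# Namespaced Role for the admin-sa service account (bound further down).
# ${nspace} is a template placeholder filled in before the manifest is applied.
# It is quoted wherever it is the whole value, so a substituted name made only
# of digits, or one that reads as a boolean, is still parsed as a string.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: admin-role
  namespace: "${nspace}"
rules:
  # RBAC expands a rule to every (apiGroup, resource, verb) combination, so
  # each resource listed here gets the full read/write verb set.
  - apiGroups: ["", "extensions", "apps", "batch", "autoscaling"]
    resources:
      - pods
      - pods/log
      # create on pods/exec and pods/portforward lets the subject run commands
      # in, and open tunnels to, any pod in this namespace.
      - pods/exec
      - pods/portforward
      - daemonsets
      - deployments
      - services
      - replicasets
      - replicationcontrollers
      - statefulsets
      - horizontalpodautoscalers
      - jobs
      - cronjobs
      - events
      - ingresses
      - persistentvolumeclaims
      # NOTE(review): `certificates` and `logs` do not look like resources
      # served by any of the five groups above (cert-manager certificates are
      # granted separately below); confirm and drop them if unused.
      - certificates
      - configmaps
      # get/list/watch on secrets exposes every Secret value in the namespace
      # to whoever holds an admin-sa token. If that is not required, move
      # secrets to a narrower rule (resourceNames, or fewer verbs).
      - secrets
      - logs
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
  # cert-manager Issuers: read-only.
  # NOTE(review): certmanager.k8s.io is the legacy cert-manager API group;
  # newer cert-manager releases serve these resources under cert-manager.io.
  # Confirm which group the target cluster uses.
  - apiGroups: ["certmanager.k8s.io"]
    resources:
      - issuers
    verbs:
      - get
      - list
      - watch
  # cert-manager Certificates: full read/write.
  - apiGroups: ["certmanager.k8s.io"]
    resources:
      - certificates
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
  # Ingresses in the networking.k8s.io group: full read/write.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
---
# Grants admin-role to the admin-sa service account in the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin-rolebinding
  namespace: "${nspace}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: admin-role
subjects:
  - kind: ServiceAccount
    name: admin-sa
    namespace: "${nspace}"
---
# Cluster-scoped role, one per templated namespace (the name embeds ${nspace}).
# PersistentVolumes are not namespaced and this rule has no resourceNames, so
# it grants read/write on every PersistentVolume in the cluster, not only the
# ones used by this namespace.
# NOTE(review): confirm admin-sa really needs to create/update/delete PVs. If
# volumes are provisioned dynamically through a StorageClass, get/list/watch
# (or no PV access at all) may be enough.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: admin-${nspace}-clusterrole
rules:
  - apiGroups: [""]
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
---
# Binds the cluster-scoped PV role to the namespace's admin-sa service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-${nspace}-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin-${nspace}-clusterrole
subjects:
  - kind: ServiceAccount
    name: admin-sa
    namespace: "${nspace}"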