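---
# RBAC for the admin-sa ServiceAccount in one tenant namespace.
#
# ${nspace} is a template placeholder that must be substituted before the
# manifest is applied. Templated values are quoted so that a namespace whose
# name looks like a number or a boolean (for example "123" or "on") is still
# rendered as a string.
#
# All RBAC objects use rbac.authorization.k8s.io/v1. The Role and RoleBinding
# documents previously used v1beta1, which was removed in Kubernetes 1.22;
# v1 is the version the ClusterRole and ClusterRoleBinding here already used.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: admin-role
  namespace: "${nspace}"
rules:
  # A rule grants every listed verb on every listed resource in every listed
  # API group (cross product), so this is effectively namespace-admin.
  # Security-relevant grants to review against what admin-sa really needs:
  #   - secrets (get/list/watch): read access to every Secret in the
  #     namespace, including credentials that belong to other workloads.
  #   - pods/exec, pods/portforward: interactive access to every pod.
  #   - create/update/patch on workload kinds: ability to run arbitrary
  #     workloads in the namespace.
  # Wherever possible, split this into narrower Roles, or restrict sensitive
  # resources with resourceNames.
  - apiGroups:
      - ""
      - extensions
      - apps
      - batch
      - autoscaling
    resources:
      - pods
      - daemonsets
      - deployments
      - services
      - replicasets
      - replicationcontrollers
      - statefulsets
      - horizontalpodautoscalers
      - jobs
      - cronjobs
      - events
      - ingresses
      - persistentvolumeclaims
      # NOTE(review): "certificates" and "logs" do not look like resources
      # served by any of the API groups above ("pods/log" is the log
      # subresource) - confirm and drop if unused.
      - certificates
      - configmaps
      - secrets
      - logs
      - pods/log
      - pods/exec
      - pods/portforward
    verbs: [get, list, watch, create, update, delete, patch]
---
# Binds admin-role to admin-sa inside the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin-rolebinding
  namespace: "${nspace}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: admin-role
subjects:
  - kind: ServiceAccount
    name: admin-sa
    namespace: "${nspace}"
---
# cert-manager objects in the namespace.
# NOTE(review): certmanager.k8s.io is the legacy API group name; newer
# cert-manager releases serve cert-manager.io - confirm against the installed
# version, otherwise this rule matches nothing.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: admin-cert-role
  namespace: "${nspace}"
rules:
  - apiGroups: [certmanager.k8s.io]
    resources: [issuers, certificates]
    verbs: [get, list, watch, create, update, delete]
---
# Binds admin-cert-role to admin-sa inside the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin-cert-rolebinding
  namespace: "${nspace}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: admin-cert-role
subjects:
  - kind: ServiceAccount
    name: admin-sa
    namespace: "${nspace}"
---
# Cluster-scoped grant. The object name embeds the namespace, but
# PersistentVolumes are not namespaced: this rule lets admin-sa create,
# modify and delete ANY PersistentVolume in the cluster, including volumes
# that back other namespaces' claims, and define volumes of any type the
# cluster admits. If the tenant only needs storage, the
# persistentvolumeclaims access in admin-role plus a StorageClass is usually
# sufficient; otherwise constrain PV specs with admission policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "admin-${nspace}-clusterrole"
rules:
  - apiGroups: [""]
    resources: [persistentvolumes]
    verbs: [get, list, watch, create, update, delete, patch]
---
# Binds the cluster-wide PersistentVolume grant to the namespaced admin-sa.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "admin-${nspace}-clusterrolebinding"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "admin-${nspace}-clusterrole"
subjects:
  - kind: ServiceAccount
    name: admin-sa
    namespace: "${nspace}"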