apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "certificates:{{ .Release.Name }}"
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: kubelet-serving-cert-approver
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: server
    app.kubernetes.io/part-of: {{ .Release.Name }}
rules:
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests/approval
    verbs:
      - update
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - certificates.k8s.io
    resourceNames:
      - kubernetes.io/kubelet-serving
    resources:
      - signers
    verbs:
      - approve

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "events:{{ .Release.Name }}"
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: kubelet-serving-cert-approver
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: server
    app.kubernetes.io/part-of: {{ .Release.Name }}
rules:
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch