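---
# ClusterRole "cilium": cluster-scoped RBAC permissions for whichever subject
# a ClusterRoleBinding attaches to this role (the binding is not in this file).
# Every rule below applies in all namespaces, so review each write verb as a
# cluster-wide grant.
#
# Layout note: this manifest must stay one key per line. When it is collapsed
# onto a single line it no longer parses, and the inline FIXME comment would
# swallow every rule that follows it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium
rules:
  # Read-only access to NetworkPolicy objects in networking.k8s.io.
  - apiGroups:
      - "networking.k8s.io"
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  # Read-only access to core ("") resources.
  - apiGroups:
      - ""
    resources:
      - namespaces
      - services
      - nodes
      - endpoints
      - componentstatuses
    verbs:
      - get
      - list
      - watch
  # Read plus `update` on every Pod and Node in the cluster. The read verbs
  # on `nodes` overlap with the rule above; `update` is the only addition.
  # NOTE(review): `update` covers the whole object, not one field or
  # subresource. Confirm what is actually written before narrowing.
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch
      - update
  # Legacy `extensions` API group.
  - apiGroups:
      - extensions
    resources:
      # FIXME remove this when we drop support for k8s NP-beta GH-1202
      - networkpolicies
      - thirdpartyresources
      - ingresses
    verbs:
      - create
      - get
      - list
      - watch
  # Create/update on CustomResourceDefinitions. There is no resourceNames
  # restriction, so the grant covers every CRD in the cluster, not only the
  # cilium.io ones. RBAC cannot restrict `create` by resourceNames.
  # NOTE(review): check whether `update` can be limited to specific CRDs.
  - apiGroups:
      - "apiextensions.k8s.io"
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - get
      - list
      - watch
      - update
  # Wildcard verbs on the cilium.io resources and their status subresources.
  # "*" includes delete and deletecollection, plus any verb added later.
  # NOTE(review): prefer an explicit verb list once the required set is known.
  - apiGroups:
      - cilium.io
    resources:
      - ciliumnetworkpolicies
      - ciliumnetworkpolicies/status
      - ciliumendpoints
      - ciliumendpoints/status
    verbs:
      - "*"
  # Allows use of the PodSecurityPolicy named `privileged`, which is defined
  # outside this file. What this permits depends entirely on that policy, so
  # review it together with the subjects bound to this role.
  - apiGroups:
      - policy
    resourceNames:
      - privileged
    resources:
      - podsecuritypolicies
    verbs:
      - use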