{{- if and (.Values.serviceAccount.create) (.Values.serviceAccount.clusterWide) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "minecluster.serviceAccountName" . }}
rules:
- apiGroups: ["apps"]
  resources:
  - deployments
  verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
- apiGroups: [""]
  resources:
  - nodes
  verbs: ["list"]
- apiGroups: [""]
  resources:
  - services
  - pods
  - pods/log
  - containers
  - persistentvolumeclaims
  - secrets
  verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods"]
  verbs: ["list"]
{{- end }}