kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nsx-ncp-operator
  labels:
    {{- include "nsx-ncp-operator.labels" . | nindent 4 }}
rules:
- apiGroups: ['']
  resources: [pods, pods/log, pods/exec, configmaps, namespaces, serviceaccounts, secrets, nodes/status]
  verbs: [create, get, list, patch, delete, update, watch, deletecollection]
- apiGroups: [apps]
  resources: [deployments, daemonsets]
  verbs: [create, get, list, patch, delete, update, watch]
- apiGroups: [rbac.authorization.k8s.io]
  resources: [clusterroles, clusterrolebindings, roles, rolebindings]
  verbs: [create, get, list, patch, update, watch, delete]
- apiGroups: [operator.nsx.vmware.com]
  resources: [ncpinstalls, ncpinstalls/status]
  verbs: [get, list, watch, patch, update]
# Required by nsx-node-agent
- apiGroups: ['']
  resources: [endpoints, services]
  verbs: [get, list, watch]
# Required by nsx-ncp
- apiGroups: ['', extensions, networking.k8s.io]
  resources: [namespaces, ingresses, services, pods, networkpolicies, routes]
  verbs: [get, watch, list, update, patch]
- apiGroups: [nsx.vmware.com]
  resources: [nsxerrors, nsxlocks, ncpconfigs]
  verbs: [create, get, list, patch, delete, update]
- apiGroups: ['', extensions, networking.k8s.io]
  resources: [ingresses/status, services/status, routes/status]
  verbs: [replace, update, patch]
- apiGroups: [k8s.cni.cncf.io]
  resources: [network-attachment-definitions]
  verbs: [get, list, watch]
- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [create, get, list, patch, update, watch, delete]
- apiGroups: ['', extensions, networking.k8s.io]
  resources: [deployments, endpoints, ingressclasses, nodes, pods/log, replicationcontrollers, secrets]
  verbs: [get, list, watch]
- apiGroups: [vmware.com]
  resources: [loadbalancers, loadbalancers/status, nsxlbmonitors, nsxlbmonitors/status, virtualnetworkinterfaces, virtualnetworkinterfaces/status, virtualnetworks, virtualnetworks/status]
  verbs: [create, get, list, patch, update, watch, delete]
- apiGroups: [policy]
  resources: [podsecuritypolicies]
  verbs: [create, get, list, patch, update, watch, delete, use]