---
# Source: signalfx-agent/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: signalfx-agent
  labels:
    app: signalfx-agent
rules:
- apiGroups:
  - ""
  resources:
  - events
  - namespaces
  - namespaces/status
  - nodes
  - nodes/spec
  - pods
  - pods/status
  - replicationcontrollers
  - replicationcontrollers/status
  - services
  - resourcequotas
  # Only need to be able to view secrets if using k8s annotation
  # agent.signalfx.com/configWithSecret.*.  You can also whitelist specific
  # secrets for finer-grain permission sets.
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - update
  - create
- apiGroups:
  - ""
  resources:
  - nodes/stats
  verbs:
  - get
  - list
  # We need create because kubelet takes a POST for the stat query
  - create
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
    - autoscaling
  resources:
    - horizontalpodautoscalers
  verbs:
    - get
    - list
    - watch
- nonResourceURLs:
  - '/metrics'
  verbs:
  - get
  - list
  - watch