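{{- /*
Namespaced Role for Loki. Rendered only when PodSecurityPolicy
(rbac.pspEnabled) or OpenShift SecurityContextConstraints (rbac.sccEnabled)
support is switched on.

Each policy rule grants only the `use` verb, and only on the single
PSP/SCC object named after the release ("loki.name"), so the Role cannot be
used to adopt any other, more permissive policy.

NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25; confirm that
rbac.pspEnabled stays false on clusters at or above that version.
*/ -}}
{{- if or .Values.rbac.pspEnabled .Values.rbac.sccEnabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "loki.name" . }}
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "loki.labels" . | nindent 4 }}
# `rules:` is emitted exactly once. Emitting it per feature flag produces a
# duplicate mapping key when both flags are set; parsers then either reject
# the manifest or keep only the last list, silently dropping the PSP rule.
rules:
  {{- if .Values.rbac.pspEnabled }}
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - {{ include "loki.name" . }}
  {{- end }}
  {{- if .Values.rbac.sccEnabled }}
  - apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    verbs:
      - use
    resourceNames:
      - {{ include "loki.name" . }}
  {{- if and .Values.rbac.namespaced .Values.sidecar.rules.enabled }}
  # Read access to every ConfigMap and Secret in the release namespace (no
  # resourceNames restriction); list/watch on secrets returns their contents.
  # NOTE(review): presumably for the rules sidecar; confirm it needs Secrets
  # and not only ConfigMaps. This rule is granted only on the sccEnabled
  # path; verify that is intended for non-OpenShift namespaced installs.
  - apiGroups: [""] # "" indicates the core API group
    resources: ["configmaps", "secrets"]
    verbs: ["get", "watch", "list"]
  {{- end }}
  {{- end }}
{{- end }}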