{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "coredns.fullname" . }}
  labels:
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
    {{- if .Values.isClusterService }}
    k8s-app: {{ .Chart.Name | quote }}
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: "CoreDNS"
    {{- end }}
    app.kubernetes.io/name: {{ template "coredns.name" . }}
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  - pods
  - namespaces
  verbs:
  - list
  - watch
{{- if .Values.rbac.pspEnable }}
- apiGroups:
  - policy
  - extensions
  resources:
  - podsecuritypolicies
  verbs:
  - use
  resourceNames:
  - {{ template "coredns.fullname" . }}
{{- end }}
{{- end }}