# Based on bitnami/metallb helm chart 4.1.12 for metallb 0.13.7

---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: metallb
  name: metallb-controller
automountServiceAccountToken: true

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metallb-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - ""
    resources:
      - services/status
    verbs:
      - update
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - policy
    resourceNames:
      - metallb-controller
    resources:
      - podsecuritypolicies
    verbs:
      - use
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-controller
subjects:
  - kind: ServiceAccount
    namespace: metallb
    name: metallb-controller
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: metallb-controller

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: metallb
  name: metallb-controller
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - metallb-memberlist
    verbs:
      - list
  - apiGroups:
      - apps
    resources:
      - deployments
    resourceNames:
      - metallb-controller
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - addresspools
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - ipaddresspools
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - bgppeers
    verbs:
      - get
      - list
  - apiGroups:
      - metallb.io
    resources:
      - bgpadvertisements
    verbs:
      - get
      - list
  - apiGroups:
      - metallb.io
    resources:
      - l2advertisements
    verbs:
      - get
      - list
  - apiGroups:
      - metallb.io
    resources:
      - communities
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - bfdprofiles
    verbs:
      - get
      - list
      - watch

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: metallb
  name: metallb-controller
subjects:
  - kind: ServiceAccount
    namespace: metallb
    name: metallb-controller
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: metallb-controller

---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: metallb
  name: metallb-speaker
automountServiceAccountToken: true

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metallb-speaker
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - policy
    resourceNames:
      - metallb-speaker
    resources:
      - podsecuritypolicies
    verbs:
      - use
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-speaker
subjects:
  - kind: ServiceAccount
    namespace: metallb
    name: metallb-speaker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-speaker

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: metallb
  name: metallb-pod-lister
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - addresspools
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - bfdprofiles
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - bgppeers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - l2advertisements
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - bgpadvertisements
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - ipaddresspools
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metallb.io
    resources:
      - communities
    verbs:
      - get
      - list
      - watch

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: metallb
  name: metallb-pod-lister
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: metallb-pod-lister
subjects:
  - kind: ServiceAccount
    name: metallb-speaker