{{- $arcExtensionSettings := include "arc-extension-settings" . | fromYaml }} kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ama-metrics-reader rules: - apiGroups: [""] resources: [ "pods", "nodes", "nodes/stats", "nodes/metrics", "nodes/proxy", "namespaces", "services", "endpoints", "ingress" ] verbs: ["list", "get", "watch"] - apiGroups: - networking.k8s.io resources: - ingresses verbs: ["list", "get", "watch"] - apiGroups: [""] resources: ["secrets"] resourceNames: ["aad-msi-auth-token", "ama-metrics-mtls-secret"] verbs: ["get", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] - nonResourceURLs: ["/metrics"] verbs: ["get"] - apiGroups: ["clusterconfig.azure.com"] resources: ["azureclusteridentityrequests", "azureclusteridentityrequests/status"] verbs: ["get", "update", "list", "create"] {{- if $arcExtensionSettings.operatorEnabled }} - apiGroups: - azmonitoring.coreos.com resources: - servicemonitors - podmonitors verbs: - '*' - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - list - watch - get {{- end }}