---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: metallb
  name: metallb-system:controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
  - apiGroups:
      - ""
    resources:
      - services/status
    verbs:
      - update
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - policy
    resourceNames:
      - controller
    resources:
      - podsecuritypolicies
    verbs:
      - use
  - apiGroups:
      - admissionregistration.k8s.io
    resourceNames:
      - metallb-webhook-configuration
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - list
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resourceNames:
      - bfdprofiles.metallb.io
      - bgpadvertisements.metallb.io
      - bgppeers.metallb.io
      - ipaddresspools.metallb.io
      - l2advertisements.metallb.io
      - communities.metallb.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - list
      - watch