---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kyverno
  name: kyverno:policies
rules:
- apiGroups:
  - kyverno.io
  resources:
  - policies
  - policies/status
  - clusterpolicies
  - clusterpolicies/status
  - generaterequests
  - generaterequests/status
  - updaterequests
  - updaterequests/status
  - reportchangerequests
  - reportchangerequests/status
  - clusterreportchangerequests
  - clusterreportchangerequests/status
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
  - deletecollection
- apiGroups:
  - wgpolicyk8s.io
  resources:
  - policyreports
  - policyreports/status
  - clusterpolicyreports
  - clusterpolicyreports/status
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
  - deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kyverno
  name: kyverno:view
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kyverno
  name: kyverno:generate
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  - networkpolicies
  verbs:
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - namespaces
  - configmaps
  - secrets
  - resourcequotas
  - limitranges
  verbs:
  - create
  - update
  - patch
  - delete
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - update
  - patch
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kyverno
  name: kyverno:events
rules:
- apiGroups:
  - "*"
  resources:
  - events
  verbs:
  - create
  - update
  - patch 
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kyverno
  name: kyverno:userinfo
rules:
- apiGroups:
  - "rbac.authorization.k8s.io"
  resources:
  - roles
  - clusterroles
  - rolebindings
  - clusterrolebindings
  verbs:
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kyverno
  name: kyverno:webhook
rules:
- apiGroups:
  - 'admissionregistration.k8s.io'
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch