apiVersion: v1
kind: Namespace
metadata:
  labels:
    app: kyverno
    app.kubernetes.io/component: kyverno
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/name: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  name: kyverno-dryrun
---
# Additional permission is required to enable DryRun.
# If using DryRun to validate yaml, please deploy this Role/RoleBinding.
# If validating custom resources with DryRun, please add the resources to the role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: manifest-verify-dry-run
  namespace: kyverno-dryrun
rules:
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - bindings
  - configmaps
  - limitranges
  - persistentvolumeclaims
  - pods
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - secrets
  - serviceaccounts
  - services
  verbs:
  - create
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - create 
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  - ingresses
  verbs:
  - create
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manifest-verify-dry-run
  namespace: kyverno-dryrun
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: manifest-verify-dry-run
subjects:
- kind: ServiceAccount
  name: kyverno-service-account
  namespace: kyverno