apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:userinfo
rules:
  # get the roleRef for incoming api-request user
  - apiGroups:
      - "*"
    resources:
      - roles
      - clusterroles
      - rolebindings
      - clusterrolebindings
      - configmaps
    verbs:
      - watch
      - create
      - update
      - delete
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:customresources
rules:
  # Kyverno CRs
  - apiGroups:
      - '*'
    resources:
      - clusterpolicies
      - clusterpolicies/status
      - generaterequests
      - generaterequests/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:policycontroller
rules:
  # background processing, identify all existing resources
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:generatecontroller
rules:
  # process generate rules to generate resources
  - apiGroups:
      - "*"
    resources:
      - namespaces
      - networkpolicies
      - secrets
      - configmaps
      - resourcequotas
      - limitranges
      - roles
      - clusterroles
      - rolebindings
      - clusterrolebindings
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  # dynamic watches on trigger resources for generate rules
  # re-evaluate the policy if the resource is updated
  - apiGroups:
      - '*'
    resources:
      - namespaces
    verbs:
      - watch