kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # This is the access that the controller needs on a per-namespace basis.
  name: tekton-pipelines-controller-tenant-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
rules:
  # Read-write access to create Pods and PVCs (for Workspaces)
  - apiGroups: [""]
    resources: ["pods", "persistentvolumeclaims"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  # Write permissions to publish events.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
  # Read-only access to these.
  - apiGroups: [""]
    resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"]
    verbs: ["get", "list", "watch"]
  # Read-write access to StatefulSets for Affinity Assistant.
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]