apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-sidecar-injector-{{ .Release.Namespace }}
  labels:
    app: {{ template "sidecar-injector.name" . }}
    chart: {{ template "sidecar-injector.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    istio: sidecar-injector
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
{{- if not .Values.global.operatorManageWebhooks }}
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["get", "list", "watch", "patch"]
{{- end }}