{{- if and .Values.rbac.create (empty .Values.server.useExistingClusterRoleName) -}}
apiVersion: {{ template "rbac.apiVersion" . }}
kind: ClusterRole
metadata:
  labels:
    {{- include "prometheus.server.labels" . | nindent 4 }}
  name: {{ include "prometheus.clusterRoleName" . }}
rules:
{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
  - apiGroups:
    - extensions
    resources:
    - podsecuritypolicies
    verbs:
    - use
    resourceNames:
    - {{ template "prometheus.server.fullname" . }}
{{- end }}
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/proxy
      - nodes/metrics
      - services
      - endpoints
      - pods
      - ingresses
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "discovery.k8s.io"
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
{{- end }}