---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: extensions.gardener.cloud:extension-shoot-fleet-agent:shoot
  labels:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
  - nonResourceURLs:
      - '*'
    verbs:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: extensions.gardener.cloud:extension-shoot-fleet-agent:shoot
  labels:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: extensions.gardener.cloud:extension-shoot-fleet-agent:shoot
subjects:
  - kind: ServiceAccount
    name: {{ .Values.shootAccessServiceAccountName }}
    namespace: {{ .Values.shootAccessServiceAccountNamespace }}