{{- if or .Values.rbac.pspEnabled .Values.rbac.sccEnabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "loki.name" . }}
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "loki.labels" . | nindent 4 }}
{{- if .Values.rbac.pspEnabled }}
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - {{ include "loki.name" . }}
{{- end }}
{{- if .Values.rbac.sccEnabled }}
rules:
  - apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    verbs:
      - use
    resourceNames:
      - {{ include "loki.name" . }}
  {{- if and .Values.rbac.namespaced .Values.sidecar.rules.enabled }}
  - apiGroups: [""] # "" indicates the core API group
    resources: ["configmaps", "secrets"]
    verbs: ["get", "watch", "list"]
  {{- end }}
{{- end }}
{{- end }}