---
# Bind the Service Account with the Role Privileges.
{{- if .Values.rbac.create }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "nfsProvisioner.fullname" . }}
  {{- with .Values.nfsProvisioner.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
  labels:
  {{- include "nfsProvisioner.labels" . | nindent 4 }}
roleRef:
  kind: ClusterRole
  name: {{ include "nfsProvisioner.fullname" . }}
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: {{ include "nfsProvisioner.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}

{{- if .Values.rbac.pspEnabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "nfsProvisioner.fullname" . }}-psp
  {{- with .Values.nfsProvisioner.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
  labels:
  {{- include "nfsProvisioner.labels" . | nindent 4 }}
roleRef:
  kind: ClusterRole
  name: {{ include "nfsProvisioner.fullname" . }}-psp
  apiGroup: rbac.authorization.k8s.io
subjects:
  # Authorize specific service accounts:
  - kind: ServiceAccount
    name: {{ include "nfsProvisioner.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}