---
# Namespace that contains the kedge-daemon ServiceAccount.
apiVersion: v1
kind: Namespace
metadata:
  name: kedge
---
# Identity for the daemon; it is the only subject of the ClusterRoleBinding
# at the end of this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kedge-daemon
  namespace: kedge
---
# Read-only permissions for the daemon. Every rule is limited to
# get/list/watch; no write verbs are granted and Secrets are not listed.
# This is a ClusterRole bound through a ClusterRoleBinding, so each rule
# applies in all namespaces, not only in "kedge".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kedge-daemon
rules:
  # Watch ConfigMaps for mesh topology and YANG instance data.
  # NOTE(review): this grants read access to every ConfigMap in the
  # cluster. If the topology/YANG ConfigMaps live in a known set of
  # namespaces, a namespaced Role + RoleBinding would narrow it - confirm
  # with the daemon's actual lookups before changing.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Read NetworkAttachmentDefinitions.
  - apiGroups: ["k8s.cni.cncf.io"]
    resources: ["network-attachment-definitions"]
    verbs: ["get", "list", "watch"]
  # List pods for SVID mapping (no "watch" is granted here).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # Read nodes for topology awareness.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list"]
---
# Grants the ClusterRole above to the kedge-daemon ServiceAccount in the
# kedge namespace, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kedge-daemon
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kedge-daemon
subjects:
  - kind: ServiceAccount
    name: kedge-daemon
    namespace: kedge