apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: drone
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone
  namespace: default
subjects:
- kind: ServiceAccount
  name: drone-pipeline
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: drone

---
# Grant the pipeline SA cross-namespace permissions to manage Deployments and Services
# and to read/create Namespaces when needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: drone-deployer
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get","list","watch","create"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get","list","watch","create","update","patch"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","list","watch","create","update","patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: drone-deployer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: drone-deployer
subjects:
- kind: ServiceAccount
  name: drone-pipeline
  namespace: default