apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pinitctl
rules:
- resources:
  - configmaps
  - secrets
  apiGroups:
  - ""
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- resources:
  - computefirewalls
  - computerouternats
  - computerouters
  - computesslpolicies
  apiGroups:
  - compute.cnrm.cloud.google.com
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- resources:
  - computefirewalls/status
  - computerouternats/status
  - computerouters/status
  - computesslpolicies/status
  apiGroups:
  - compute.cnrm.cloud.google.com
  verbs:
  - get
- resources:
  - computenetworks
  apiGroups:
  - compute.cnrm.cloud.google.com
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- resources:
  - computenetworks/status
  apiGroups:
  - compute.cnrm.cloud.google.com
  verbs:
  - get
  - watch
- resources:
  - iampolicymembers
  - iamserviceaccountkeys
  - iamserviceaccounts
  apiGroups:
  - iam.cnrm.cloud.google.com
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- resources:
  - iampolicymembers/status
  - iamserviceaccountkeys/status
  - iamserviceaccounts/status
  apiGroups:
  - iam.cnrm.cloud.google.com
  verbs:
  - get
  - watch
- resources:
  - projects
  apiGroups:
  - resourcemanager.cnrm.cloud.google.com
  verbs:
  - get
  - list
  - watch
- resources:
  - projects/status
  apiGroups:
  - resourcemanager.cnrm.cloud.google.com
  verbs:
  - get
  - watch
- resources:
  - secretmanagersecrets
  - secretmanagersecretversions
  apiGroups:
  - secretmanager.cnrm.cloud.google.com
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- resources:
  - secretmanagersecrets/status
  - secretmanagersecretversions/status
  apiGroups:
  - secretmanager.cnrm.cloud.google.com
  verbs:
  - get
  - list
  - watch