---
# Cluster-wide RBAC for the kube-state-metrics ServiceAccount.
# Every rule grants list/watch only, except the two review-API rules, which
# grant create. No rule grants get, update, patch or delete.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-state-metrics
rules:
  # Core API group.
  # NOTE(security): list/watch responses carry full object bodies, so
  # `secrets` here lets this identity read every Secret's data in every
  # namespace even though `get` is not granted. If Secret metrics are not
  # needed, remove `secrets` from this rule and from the collector's enabled
  # resources (e.g. kube-state-metrics' --resources flag).
  # `configmaps` may also hold sensitive settings; review it the same way.
  - apiGroups: [""]
    resources:
      - configmaps
      - secrets
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
    verbs: [list, watch]

  # Workload controllers.
  - apiGroups: [apps]
    resources:
      - statefulsets
      - daemonsets
      - deployments
      - replicasets
    verbs: [list, watch]

  - apiGroups: [batch]
    resources:
      - cronjobs
      - jobs
    verbs: [list, watch]

  - apiGroups: [autoscaling]
    resources:
      - horizontalpodautoscalers
    verbs: [list, watch]

  # NOTE(review): creating TokenReviews / SubjectAccessReviews is typically
  # needed only when an authenticating proxy fronts the metrics endpoint.
  # Confirm one is deployed; if not, these two rules are unused privilege.
  - apiGroups: [authentication.k8s.io]
    resources:
      - tokenreviews
    verbs: [create]

  - apiGroups: [authorization.k8s.io]
    resources:
      - subjectaccessreviews
    verbs: [create]

  - apiGroups: [policy]
    resources:
      - poddisruptionbudgets
    verbs: [list, watch]

  - apiGroups: [certificates.k8s.io]
    resources:
      - certificatesigningrequests
    verbs: [list, watch]

  - apiGroups: [storage.k8s.io]
    resources:
      - storageclasses
      - volumeattachments
    verbs: [list, watch]

  - apiGroups: [admissionregistration.k8s.io]
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs: [list, watch]

  - apiGroups: [networking.k8s.io]
    resources:
      - networkpolicies
      - ingresses
    verbs: [list, watch]

  - apiGroups: [coordination.k8s.io]
    resources:
      - leases
    verbs: [list, watch]
---
# Binds the ClusterRole above to a single ServiceAccount.
# Any workload running as this ServiceAccount receives every permission in
# the role, including cluster-wide Secret contents via list/watch, so keep
# pod-creation and token-request rights in the kube-state-metrics namespace
# tightly restricted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-state-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-state-metrics
subjects:
  - kind: ServiceAccount
    name: kube-state-metrics
    namespace: kube-state-metrics