kind: Namespace
apiVersion: v1
metadata:
  name: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
    pod-security.kubernetes.io/enforce: privileged
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .AccountName }}
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/cli {{ .Version }}
rules:
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "endpoints", "services"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["policy.linkerd.io"]
  resources: ["servers"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .AccountName }}
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/cli {{ .Version }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ .AccountName }}-token
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
  annotations:
    kubernetes.io/service-account.name: {{ .AccountName }}
    linkerd.io/created-by: linkerd/cli {{ .Version }}
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .AccountName }}
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/cli {{ .Version }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .AccountName }}
subjects:
  - kind: ServiceAccount
    name: {{ .AccountName }}
    namespace: linkerd-multicluster
---