{{- if .Values.rbac.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "nextcloud.fullname" . }}-privileged
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups:
      - extensions
    resourceNames:
      - privileged
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ template "nextcloud.fullname" . }}-privileged
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "nextcloud.fullname" . }}-privileged
subjects:
  - kind: ServiceAccount
    name: {{ .Values.rbac.serviceaccount.name }}
    namespace: {{ .Release.Namespace }}
{{- end }}