# This rule is not used by the project onepassword-operator itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Grants read-only access to onepassword.com resources.
# This role is intended for users who need visibility into these resources
# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: onepassworditem-viewer-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: onepassword-connect-operator
    app.kubernetes.io/part-of: onepassword-connect-operator
    app.kubernetes.io/managed-by: kustomize
  name: onepassworditem-viewer-role
rules:
- apiGroups:
  - onepassword.com
  resources:
  - onepassworditems
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - onepassword.com
  resources:
  - onepassworditems/status
  verbs:
  - get