---
# ServiceAccount for init containers that check migration Job status
apiVersion: v1
kind: ServiceAccount
metadata:
  name: piefed-init-checker
  namespace: piefed-application
  labels:
    app.kubernetes.io/name: piefed
    app.kubernetes.io/component: init-checker
---
# Role allowing read access to Jobs in this namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: piefed-init-checker
  namespace: piefed-application
  labels:
    app.kubernetes.io/name: piefed
    app.kubernetes.io/component: init-checker
rules:
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
---
# RoleBinding to grant the ServiceAccount the Role permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: piefed-init-checker
  namespace: piefed-application
  labels:
    app.kubernetes.io/name: piefed
    app.kubernetes.io/component: init-checker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: piefed-init-checker
subjects:
- kind: ServiceAccount
  name: piefed-init-checker
  namespace: piefed-application