---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k8s-gateway
  namespace: networking
  labels:
    app.kubernetes.io/instance: k8s-gateway
    app.kubernetes.io/name: k8s-gateway
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - list
      - watch
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["watch", "list"]
  - apiGroups: ["k8s.nginx.org"]
    resources: ["*"]
    verbs: ["watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-gateway
  labels:
    app.kubernetes.io/instance: k8s-gateway
    app.kubernetes.io/name: k8s-gateway
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8s-gateway
subjects:
  - kind: ServiceAccount
    name: k8s-gateway
    namespace: networking