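# RBAC for the flannel CNI: an optional ClusterRole, the ServiceAccount the
# daemonset runs as, and the ClusterRoleBinding that joins the two.
#
# The ClusterRole is only created when var.create_cluster_role is true; in
# that case var.cluster_role_name must match the name of this resource,
# because the binding below refers to the role by name, not by reference.
resource "kubernetes_cluster_role" "this" {
  count = var.create_cluster_role ? 1 : 0

  metadata {
    name = var.cluster_role_name
  }

  # Allow the service account to run pods under exactly one PodSecurityPolicy.
  # resource_names pins the "use" verb to that PSP rather than all PSPs.
  # NOTE(review): PodSecurityPolicy moved from the "extensions" API group to
  # "policy" and was removed in Kubernetes 1.25 — confirm the target cluster
  # version still serves this group before relying on this rule.
  rule {
    api_groups     = ["extensions"]
    resources      = ["podsecuritypolicies"]
    verbs          = ["use"]
    resource_names = [kubernetes_pod_security_policy.this.metadata.0.name]
  }

  # Read-only access to individual pods (get only, no list/watch).
  rule {
    api_groups = [""]
    resources  = ["pods"]
    verbs      = ["get"]
  }

  # Read-only access to nodes (list/watch); presumably how flannel discovers
  # per-node pod CIDRs — confirm against the deployed flannel version.
  rule {
    api_groups = [""]
    resources  = ["nodes"]
    verbs      = ["list", "watch"]
  }

  # The only write permission granted: patching node status. This is
  # cluster-wide, so any pod running as this service account can modify the
  # status of every node — keep the service account bound to flannel only.
  rule {
    api_groups = [""]
    resources  = ["nodes/status"]
    verbs      = ["patch"]
  }
}

# Service account the flannel daemonset runs as. The name is fixed to
# "flannel" (unlike the role name, which is a variable).
resource "kubernetes_service_account" "this" {
  metadata {
    name      = "flannel"
    namespace = var.namespace
  }
}

# Binds the cluster role (created above or pre-existing) to the flannel
# service account in var.namespace.
resource "kubernetes_cluster_role_binding" "this" {
  # The binding names the role via var.cluster_role_name rather than the
  # resource attribute, so Terraform sees no implicit dependency and could
  # apply the binding before the role exists (the API server accepts a
  # binding to an absent role). Make the ordering explicit; with
  # create_cluster_role = false this list is empty and has no effect.
  depends_on = [kubernetes_cluster_role.this]

  metadata {
    name = "flannel"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = var.cluster_role_name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.this.metadata.0.name
    namespace = kubernetes_service_account.this.metadata.0.namespace
  }
}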