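---
# Cross-namespace RBAC: let the sorcerer ServiceAccounts manage JobSets in the
# queue namespaces. Each grant is a namespaced Role in the queue namespace plus
# a RoleBinding whose subject is a ServiceAccount from another namespace.
#
# Grants defined in this file (subject namespace/name -> target namespace):
#   beta-sorcerer/beta-sorcerer       -> prod-queue
#   prod-sorcerer/prod-sorcerer       -> prod-queue
#   staging-sorcerer/staging-sorcerer -> dev-queue
#
# All three Roles carry the same rules:
#   - jobsets (jobset.x-k8s.io): create, delete, get, list, watch.
#     There is no update/patch, so an existing JobSet cannot be edited in place.
#   - pods and pods/log (core group): get, list (read-only).
#
# Security notes:
#   - "create" on jobsets is effectively workload creation in the target
#     namespace: the resulting pods run there under whatever pod template the
#     caller submits. Presumably admission policy in the queue namespaces limits
#     which ServiceAccounts, volumes and security contexts a JobSet may use.
#     TODO confirm.
#   - get/list on pods and pods/log covers every pod in the namespace, not only
#     pods from the subject's own JobSets; pod specs and logs may hold sensitive
#     values.
#   - NOTE(review): beta-sorcerer is bound in prod-queue, not dev-queue. If
#     "beta" is a pre-production environment, confirm that create/delete on
#     prod-queue JobSets is intended for it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: beta-sorcerer-prod-queue
  namespace: prod-queue
rules:
  # JobSet lifecycle: submit, remove and observe. No update/patch.
  - apiGroups:
      - jobset.x-k8s.io
    resources:
      - jobsets
    verbs:
      - create
      - delete
      - get
      - list
      - watch
  # Read-only view of pods and their logs in this namespace.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
      - list
---
# Binds the Role above to the beta-sorcerer ServiceAccount, which lives in the
# beta-sorcerer namespace (cross-namespace subject).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: beta-sorcerer-prod-queue
  namespace: prod-queue
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: beta-sorcerer-prod-queue
subjects:
  - kind: ServiceAccount
    name: beta-sorcerer
    namespace: beta-sorcerer
---
# prod-sorcerer -> prod-queue. Same rules as the other Roles in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prod-sorcerer-prod-queue
  namespace: prod-queue
rules:
  # JobSet lifecycle: submit, remove and observe. No update/patch.
  - apiGroups:
      - jobset.x-k8s.io
    resources:
      - jobsets
    verbs:
      - create
      - delete
      - get
      - list
      - watch
  # Read-only view of pods and their logs in this namespace.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
      - list
---
# Binds the Role above to the prod-sorcerer ServiceAccount in the
# prod-sorcerer namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prod-sorcerer-prod-queue
  namespace: prod-queue
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prod-sorcerer-prod-queue
subjects:
  - kind: ServiceAccount
    name: prod-sorcerer
    namespace: prod-sorcerer
---
# staging-sorcerer -> dev-queue. Same rules as the other Roles in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: staging-sorcerer-dev-queue
  namespace: dev-queue
rules:
  # JobSet lifecycle: submit, remove and observe. No update/patch.
  - apiGroups:
      - jobset.x-k8s.io
    resources:
      - jobsets
    verbs:
      - create
      - delete
      - get
      - list
      - watch
  # Read-only view of pods and their logs in this namespace.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
      - list
---
# Binds the Role above to the staging-sorcerer ServiceAccount in the
# staging-sorcerer namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: staging-sorcerer-dev-queue
  namespace: dev-queue
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: staging-sorcerer-dev-queue
subjects:
  - kind: ServiceAccount
    name: staging-sorcerer
    namespace: staging-sorcerer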