---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2025-10-11T10:27:20Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:ownerReferences:
          k:{"uid":"216d30b3-cc7f-49b9-949f-43cde8dd9ab2"}: {}
      f:rules: {}
    manager: cluster-network-operator/operconfig
    operation: Apply
    time: "2025-10-11T10:27:20Z"
  name: openshift-ovn-kubernetes-control-plane-limited
  ownerReferences:
  - apiVersion: operator.openshift.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Network
    name: cluster
    uid: 216d30b3-cc7f-49b9-949f-43cde8dd9ab2
  resourceVersion: "3534"
  uid: 48c80c44-867a-417d-b5c8-b641cdd0c605
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  - events.k8s.io
  resources:
  - events
  verbs:
  - create
  - patch
  - update
- apiGroups:
  - security.openshift.io
  resourceNames:
  - privileged
  resources:
  - securitycontextconstraints
  verbs:
  - use
- apiGroups:
  - ""
  resources:
  - nodes/status
  - pods/status
  verbs:
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - k8s.ovn.org
  resources:
  - egressips
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - k8s.ovn.org
  resources:
  - adminpolicybasedexternalroutes
  - egressfirewalls
  - egressqoses
  - egressservices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - k8s.ovn.org
  resources:
  - adminpolicybasedexternalroutes/status
  - egressfirewalls/status
  - egressqoses/status
  verbs:
  - patch
- apiGroups:
  - policy.networking.k8s.io
  resources:
  - adminnetworkpolicies
  - baselineadminnetworkpolicies
  verbs:
  - list
- apiGroups:
  - policy.networking.k8s.io
  resources:
  - adminnetworkpolicies/status
  - baselineadminnetworkpolicies/status
  verbs:
  - patch
- apiGroups:
  - k8s.ovn.org
  resources:
  - egressservices/status
  verbs:
  - update
- apiGroups:
  - cloud.network.openshift.io
  resources:
  - cloudprivateipconfigs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - k8s.cni.cncf.io
  resources:
  - network-attachment-definitions
  - multi-networkpolicies
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - k8s.cni.cncf.io
  resources:
  - network-attachment-definitions
  verbs:
  - patch
- apiGroups:
  - k8s.cni.cncf.io
  resources:
  - ipamclaims
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - k8s.cni.cncf.io
  resources:
  - ipamclaims/status
  verbs:
  - patch
  - update
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - create
  - delete
  - update
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services/finalizers
  verbs:
  - update
- apiGroups:
  - k8s.ovn.org
  resources:
  - userdefinednetworks
  - clusteruserdefinednetworks
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - k8s.ovn.org
  resources:
  - userdefinednetworks
  - userdefinednetworks/status
  - clusteruserdefinednetworks
  - clusteruserdefinednetworks/status
  verbs:
  - patch
  - update
- apiGroups:
  - k8s.ovn.org
  resources:
  - userdefinednetworks/finalizers
  - clusteruserdefinednetworks/finalizers
  verbs:
  - update
- apiGroups:
  - k8s.cni.cncf.io
  resources:
  - network-attachment-definitions
  verbs:
  - update
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch