# Grant Headlamp's ServiceAccount read access to the Kubernetes Metrics API.
# The chart binds headlamp SA to 'edit' (safe default) but 'edit' does not include
# metrics.k8s.io — without this, Headlamp shows no CPU/memory/node data on the dashboard.
# This binding is additive: it does not escalate headlamp beyond 'edit' elsewhere.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: headlamp-metrics-reader
  labels:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups: ["metrics.k8s.io"]
    resources: ["nodes", "pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-metrics-reader
  labels:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: headlamp-metrics-reader
subjects:
  - kind: ServiceAccount
    name: headlamp
    namespace: headlamp