apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dns-zone-editor
  namespace: authoritative-dns
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["coredns-auth-zone"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: ["coredns-auth"]
    verbs: ["get", "list", "watch", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: coredns-ci-zone-editor
  namespace: authoritative-dns
subjects:
  - kind: ServiceAccount
    name: coredns-ci
    namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dns-zone-editor