From c56ab0ed4ca9ed0eda725aecc530182a73dd7e15 Mon Sep 17 00:00:00 2001
From: Hector Ros
Date: Tue, 20 Jan 2026 17:52:46 +0100
Subject: [PATCH] Add RBAC for backend to manage pods + update backend

- Create ServiceAccount backend-sa
- Create ClusterRole for pod management
- Bind role to ServiceAccount
- Update deployment to use ServiceAccount
- Update backend submodule with TLS fix

Co-Authored-By: Claude Sonnet 4.5 (1M context)
---
 k8s/backend/deployment.yaml | 1 +
 k8s/backend/rbac.yaml | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 k8s/backend/rbac.yaml

diff --git a/k8s/backend/deployment.yaml b/k8s/backend/deployment.yaml
index c19363c..dc716e6 100644
--- a/k8s/backend/deployment.yaml
+++ b/k8s/backend/deployment.yaml
@@ -15,6 +15,7 @@ spec:
 labels:
 app: backend
 spec:
+ serviceAccountName: backend-sa
 imagePullSecrets:
 - name: gitea-registry
 containers:
diff --git a/k8s/backend/rbac.yaml b/k8s/backend/rbac.yaml
new file mode 100644
index 0000000..33ea4e8
--- /dev/null
+++ b/k8s/backend/rbac.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: backend-sa
+ namespace: control-plane
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: backend-pod-manager
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+- apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: backend-pod-manager-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: backend-pod-manager
+subjects:
+- kind: ServiceAccount
+ name: backend-sa
+ namespace: control-plane
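Review bot: The added `serviceAccountName: backend-sa` only resolves if this Deployment lives in the `control-plane` namespace, where rbac.yaml creates the ServiceAccount; the Deployment's own metadata.namespace is outside this hunk, so confirm they match, otherwise the ReplicaSet cannot create pods (the events report the serviceaccount as not found). A short comment above the new line, such as `# identity used for the pod-management grant in rbac.yaml`, would tie the two files together for the next reader. The pod spec this line belongs to continues outside the hunk. Separately, the commit message lists a backend submodule update with a TLS fix, but the diffstat shows only the two k8s files, so that part does not appear to be in this patch.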
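Review bot: The ClusterRoleBinding gives backend-sa `create` and `delete` on pods (plus `get` on pods/log) in every namespace, which is broader than the stated goal of letting the backend manage its pods, and cluster-wide pod creation is effectively a privilege-escalation path because a pod can be created under any namespace's more-privileged service account. Unless the backend genuinely schedules pods across namespaces, scope the grant to the one namespace it works in: keep the ClusterRole but change the binding to `kind: RoleBinding` and add `namespace: <namespace where the backend creates pods>` under its metadata (or convert both objects to a namespaced Role/RoleBinding). I cannot tell from the diff which namespace those pods land in; `control-plane` is only where the ServiceAccount itself lives. A comment above `rules:` recording which backend operation needs each verb would also help, since `delete` and `watch` are the ones most likely to be questioned later.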