Add RBAC for backend to manage pods + update backend

- Create ServiceAccount backend-sa - Create ClusterRole for pod management - Bind role to ServiceAccount - Update deployment to use ServiceAccount - Update backend submodule with TLS fix Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
2026-01-20 17:52:46 +01:00
parent 4c152e0438
commit c56ab0ed4c
2 changed files with 31 additions and 0 deletions
--- a/k8s/backend/deployment.yaml
+++ b/k8s/backend/deployment.yaml
@@ -15,6 +15,7 @@ spec:
      labels:
        app: backend
    spec:
+      serviceAccountName: backend-sa
      imagePullSecrets:
      - name: gitea-registry
      containers:
--- a/k8s/backend/rbac.yaml
+++ b/k8s/backend/rbac.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: backend-sa
+  namespace: control-plane
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: backend-pod-manager
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch", "create", "delete"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backend-pod-manager-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: backend-pod-manager
+subjects:
+- kind: ServiceAccount
+  name: backend-sa
+  namespace: control-plane