# Kubernetes RBAC (Role-Based Access Control) for Provisioning
#
# Defines one ServiceAccount / Role / RoleBinding triple for each of the three
# services (orchestrator, control-center, mcp-server). Every object lives in the
# "provisioning" namespace and every Role is a namespaced Role (not a
# ClusterRole), so none of these grants reaches outside that namespace.
#
# Usage:
#   nickel eval --format json rbac.yaml.ncl | yq -P > rbac.yaml
#   kubectl apply -f rbac.yaml
#
# NOTE(review): the Secrets rules below use the "list" verb with no
# resourceNames restriction; in Kubernetes a list on secrets returns the
# contents of every Secret in the namespace, not just names. If a service only
# needs specific Secrets, narrowing the rule with resourceNames would reduce
# the blast radius of a compromised service account — confirm per service.
{
  # ============================================================================
  # Orchestrator Service Account and Role
  # ============================================================================
  # Identity the orchestrator pods run as; bound to orchestrator_role below.
  orchestrator_service_account = {
    apiVersion = "v1",
    kind = "ServiceAccount",
    metadata = {
      name = "orchestrator",
      namespace = "provisioning",
      labels = {
        app = "orchestrator",
        component = "provisioning-platform",
      },
    },
  },

  # Read-only Role for the orchestrator: no create/update/patch/delete verbs
  # are granted on any resource.
  orchestrator_role = {
    apiVersion = "rbac.authorization.k8s.io/v1",
    kind = "Role",
    metadata = {
      name = "orchestrator",
      namespace = "provisioning",
      labels = {
        app = "orchestrator",
        component = "provisioning-platform",
      },
    },
    rules = [
      # Allow reading ConfigMaps (for configuration)
      {
        apiGroups = [""],
        resources = ["configmaps"],
        verbs = ["get", "list", "watch"],
      },
      # Allow reading Secrets (for credentials).
      # No "watch" here, unlike the other read rules in this Role.
      {
        apiGroups = [""],
        resources = ["secrets"],
        verbs = ["get", "list"],
      },
      # Allow reading Pods and Pod logs (pods/log subresource).
      # Read-only: despite the log access, no write verbs are granted.
      {
        apiGroups = [""],
        resources = ["pods", "pods/log"],
        verbs = ["get", "list", "watch"],
      },
      # Allow reading Services
      {
        apiGroups = [""],
        resources = ["services"],
        verbs = ["get", "list", "watch"],
      },
    ],
  },

  # Binds orchestrator_role to the orchestrator ServiceAccount.
  orchestrator_rolebinding = {
    apiVersion = "rbac.authorization.k8s.io/v1",
    kind = "RoleBinding",
    metadata = {
      name = "orchestrator",
      namespace = "provisioning",
      labels = {
        app = "orchestrator",
        component = "provisioning-platform",
      },
    },
    roleRef = {
      apiGroup = "rbac.authorization.k8s.io",
      kind = "Role",
      name = "orchestrator",
    },
    subjects = [
      {
        kind = "ServiceAccount",
        name = "orchestrator",
        namespace = "provisioning",
      },
    ],
  },

  # ============================================================================
  # Control Center Service Account and Role
  # ============================================================================
  # Identity the control-center pods run as; bound to control_center_role below.
  control_center_service_account = {
    apiVersion = "v1",
    kind = "ServiceAccount",
    metadata = {
      name = "control-center",
      namespace = "provisioning",
      labels = {
        app = "control-center",
        component = "provisioning-platform",
      },
    },
  },

  # Role for the control center. This is the only Role in the file with write
  # verbs: it can create, update and patch Secrets in the namespace. Everything
  # else it is granted is read-only.
  control_center_role = {
    apiVersion = "rbac.authorization.k8s.io/v1",
    kind = "Role",
    metadata = {
      name = "control-center",
      namespace = "provisioning",
      labels = {
        app = "control-center",
        component = "provisioning-platform",
      },
    },
    rules = [
      # Allow reading ConfigMaps
      {
        apiGroups = [""],
        resources = ["configmaps"],
        verbs = ["get", "list", "watch"],
      },
      # Allow reading and writing Secrets (for JWT, etc).
      # "delete" is intentionally absent. With no resourceNames restriction
      # this rule covers every Secret in the namespace, including the ones the
      # orchestrator and mcp-server read — so a compromise of this service
      # account can alter the credentials of the other services.
      # NOTE(review): consider scoping via resourceNames if the set of Secrets
      # the control center manages is known.
      {
        apiGroups = [""],
        resources = ["secrets"],
        verbs = ["get", "list", "create", "update", "patch"],
      },
      # Allow reading Service information
      {
        apiGroups = [""],
        resources = ["services"],
        verbs = ["get", "list", "watch"],
      },
      # Allow reading Pod information (for status).
      # Unlike the orchestrator, no pods/log access.
      {
        apiGroups = [""],
        resources = ["pods"],
        verbs = ["get", "list", "watch"],
      },
      # Allow reading Deployments (apps API group)
      {
        apiGroups = ["apps"],
        resources = ["deployments"],
        verbs = ["get", "list", "watch"],
      },
    ],
  },

  # Binds control_center_role to the control-center ServiceAccount.
  control_center_rolebinding = {
    apiVersion = "rbac.authorization.k8s.io/v1",
    kind = "RoleBinding",
    metadata = {
      name = "control-center",
      namespace = "provisioning",
      labels = {
        app = "control-center",
        component = "provisioning-platform",
      },
    },
    roleRef = {
      apiGroup = "rbac.authorization.k8s.io",
      kind = "Role",
      name = "control-center",
    },
    subjects = [
      {
        kind = "ServiceAccount",
        name = "control-center",
        namespace = "provisioning",
      },
    ],
  },

  # ============================================================================
  # MCP Server Service Account and Role
  # ============================================================================
  # Identity the mcp-server pods run as; bound to mcp_server_role below.
  mcp_server_service_account = {
    apiVersion = "v1",
    kind = "ServiceAccount",
    metadata = {
      name = "mcp-server",
      namespace = "provisioning",
      labels = {
        app = "mcp-server",
        component = "provisioning-platform",
      },
    },
  },

  # Read-only Role for the MCP server. Same shape as orchestrator_role except
  # that it has no pods/log access.
  mcp_server_role = {
    apiVersion = "rbac.authorization.k8s.io/v1",
    kind = "Role",
    metadata = {
      name = "mcp-server",
      namespace = "provisioning",
      labels = {
        app = "mcp-server",
        component = "provisioning-platform",
      },
    },
    rules = [
      # Allow reading ConfigMaps (for configuration)
      {
        apiGroups = [""],
        resources = ["configmaps"],
        verbs = ["get", "list", "watch"],
      },
      # Allow reading Secrets (for credentials).
      # No "watch", matching the orchestrator's Secrets rule.
      {
        apiGroups = [""],
        resources = ["secrets"],
        verbs = ["get", "list"],
      },
      # Allow reading Pod information
      {
        apiGroups = [""],
        resources = ["pods"],
        verbs = ["get", "list", "watch"],
      },
      # Allow reading Services
      {
        apiGroups = [""],
        resources = ["services"],
        verbs = ["get", "list", "watch"],
      },
    ],
  },

  # Binds mcp_server_role to the mcp-server ServiceAccount.
  mcp_server_rolebinding = {
    apiVersion = "rbac.authorization.k8s.io/v1",
    kind = "RoleBinding",
    metadata = {
      name = "mcp-server",
      namespace = "provisioning",
      labels = {
        app = "mcp-server",
        component = "provisioning-platform",
      },
    },
    roleRef = {
      apiGroup = "rbac.authorization.k8s.io",
      kind = "Role",
      name = "mcp-server",
    },
    subjects = [
      {
        kind = "ServiceAccount",
        name = "mcp-server",
        namespace = "provisioning",
      },
    ],
  },
}