k3s-cluster/platform-engineer/rbac.yaml

# Least-privilege RBAC for the Platform Engineer Hermes agent.
#
# The agent can READ almost everything cluster-wide, but can only MUTATE a
# narrow allowlist of safe, idempotent resources (restart deployments, delete a
# stuck pod so its controller recreates it, etc.). It CANNOT touch RBAC, nodes,
# namespaces, CRDs, or other namespaces' Secrets beyond read.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: platform-engineer
  namespace: platform-engineer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: platform-engineer
rules:
  # ---- Broad read access (cluster-wide) ----
  - apiGroups: [""]
    resources:
      - nodes
      - nodes/proxy
      - services
      - endpoints
      - pods
      - pods/log
      - configmaps
      - secrets
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - events
      - replicationcontrollers
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - deployments
      - statefulsets
      - daemonsets
      - replicasets
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
    verbs: ["get", "list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["get", "list", "watch"]
  - apiGroups: ["argoproj.io"]
    resources:
      - applications
      - appprojects
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources:
      - certificates
      - certificaterequests
      - clusterissuers
    verbs: ["get", "list", "watch"]
  - apiGroups: ["metrics.k8s.io"]
    resources:
      - pods
      - nodes
    verbs: ["get", "list"]

  # ---- Metrics / health endpoints ----
  - nonResourceURLs: ["/metrics", "/metrics/*"]
    verbs: ["get"]

  # ---- Narrow mutate allowlist (idempotent, safe remediation) ----
  # Restart a stuck pod by deleting it (its controller recreates it).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["delete", "patch"]
  # `kubectl rollout restart` and scaling for the apps/batch controllers.
  - apiGroups: ["apps"]
    resources:
      - deployments
      - statefulsets
      - daemonsets
      - replicasets
    verbs: ["patch", "update"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["patch", "update", "delete"]
  # Exec into pods for log-style / debug inspection (granted per request #5).
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-engineer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: platform-engineer
subjects:
  - kind: ServiceAccount
    name: platform-engineer
    namespace: platform-engineer
new platform engineer agent 2026-06-27 00:09:39 +02:00			`# Least-privilege RBAC for the Platform Engineer Hermes agent.`
			`#`
			`# The agent can READ almost everything cluster-wide, but can only MUTATE a`
			`# narrow allowlist of safe, idempotent resources (restart deployments, delete a`
			`# stuck pod so its controller recreates it, etc.). It CANNOT touch RBAC, nodes,`
			`# namespaces, CRDs, or other namespaces' Secrets beyond read.`
			`---`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: platform-engineer`
			`namespace: platform-engineer`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: platform-engineer`
			`rules:`
			`# ---- Broad read access (cluster-wide) ----`
			`- apiGroups: [""]`
			`resources:`
			`- nodes`
			`- nodes/proxy`
			`- services`
			`- endpoints`
			`- pods`
			`- pods/log`
			`- configmaps`
			`- secrets`
			`- persistentvolumeclaims`
			`- persistentvolumes`
			`- namespaces`
			`- events`
			`- replicationcontrollers`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["apps"]`
			`resources:`
			`- deployments`
			`- statefulsets`
			`- daemonsets`
			`- replicasets`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["batch"]`
			`resources:`
			`- jobs`
			`- cronjobs`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["networking.k8s.io"]`
			`resources:`
			`- ingresses`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["autoscaling"]`
			`resources:`
			`- horizontalpodautoscalers`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["argoproj.io"]`
			`resources:`
			`- applications`
			`- appprojects`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["cert-manager.io"]`
			`resources:`
			`- certificates`
			`- certificaterequests`
			`- clusterissuers`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["metrics.k8s.io"]`
			`resources:`
			`- pods`
			`- nodes`
			`verbs: ["get", "list"]`

			`# ---- Metrics / health endpoints ----`
			`- nonResourceURLs: ["/metrics", "/metrics/*"]`
			`verbs: ["get"]`

			`# ---- Narrow mutate allowlist (idempotent, safe remediation) ----`
			`# Restart a stuck pod by deleting it (its controller recreates it).`
			`- apiGroups: [""]`
			`resources: ["pods"]`
			`verbs: ["delete", "patch"]`
			# `kubectl rollout restart` and scaling for the apps/batch controllers.
			`- apiGroups: ["apps"]`
			`resources:`
			`- deployments`
			`- statefulsets`
			`- daemonsets`
			`- replicasets`
			`verbs: ["patch", "update"]`
			`- apiGroups: ["batch"]`
			`resources:`
			`- jobs`
			`- cronjobs`
			`verbs: ["patch", "update", "delete"]`
			`# Exec into pods for log-style / debug inspection (granted per request #5).`
			`- apiGroups: [""]`
			`resources: ["pods/exec"]`
			`verbs: ["create"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: platform-engineer`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: platform-engineer`
			`subjects:`
			`- kind: ServiceAccount`
			`name: platform-engineer`
			`namespace: platform-engineer`