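---
# =========================================================
# ClusterRole: Infra Deployer
#
# Used by:
#   - GitHub ARC runners
#   - Infrastructure deployment workflows
#
# Allows managing:
#   - Postgres
#   - Jobs / CronJobs (migrations, backups)
#   - Traefik resources
#   - Storage primitives
#
# Extend this file when infra needs grow.
#
# NOTE(review): every rule below grants verbs ["*"] at cluster
# scope. Together with secrets, serviceaccounts, pods, namespaces
# and customresourcedefinitions this is close to cluster-admin in
# practice (any Secret in any namespace is readable; workloads can
# be started under any ServiceAccount). If the workflows only touch
# a known set of namespaces, prefer namespaced Role + RoleBinding
# pairs and enumerate the verbs actually used instead of "*".
# =========================================================
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: infra-deployer-role
rules:
  # -----------------------------------------------------
  # Core Kubernetes resources
  # -----------------------------------------------------
  - apiGroups: [""]
    resources:
      - pods
      - services
      - endpoints
      - configmaps
      - secrets
      - namespaces
      - serviceaccounts
      - persistentvolumes
      - persistentvolumeclaims
      - nodes
    verbs: ["*"]

  # -----------------------------------------------------
  # Apps (Deployments, StatefulSets, etc.)
  # -----------------------------------------------------
  - apiGroups: ["apps"]
    resources:
      - deployments
      - statefulsets
      - daemonsets
      - replicasets
    verbs: ["*"]

  # -----------------------------------------------------
  # Batch workloads
  # Jobs + CronJobs for:
  #   - DB backups
  #   - Atlas migrations
  # -----------------------------------------------------
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["*"]

  # -----------------------------------------------------
  # Networking & Ingress
  # "extensions" is kept for old clusters only; ingresses moved to
  # networking.k8s.io and the extensions group no longer serves them
  # on current releases, so the entry is harmless but dead there.
  # -----------------------------------------------------
  - apiGroups: ["networking.k8s.io", "extensions"]
    resources:
      - ingresses
      - ingressclasses
    verbs: ["*"]

  # -----------------------------------------------------
  # Traefik CRDs (v1 + v2)
  # -----------------------------------------------------
  - apiGroups: ["traefik.containo.us"]
    resources: ["*"]
    verbs: ["*"]

  - apiGroups: ["traefik.io"]
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - middlewaretcps
      - traefikservices
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs: ["*"]

  # -----------------------------------------------------
  # CRD management (required for Traefik & others)
  # NOTE(review): "*" here includes delete on CRDs, which removes
  # every custom resource of that type cluster-wide. If the
  # workflows only install/upgrade CRDs, get/list/watch/create/
  # update/patch is enough.
  # -----------------------------------------------------
  - apiGroups: ["apiextensions.k8s.io"]
    resources:
      - customresourcedefinitions
    verbs: ["*"]

---
# =========================================================
# ClusterRoleBinding: Bind Infra Deployer to ARC runners
#
# NOTE(review): the "-no-permission" suffix is the pattern ARC uses
# for the ServiceAccount it generates by default; binding a
# cluster-wide role to it makes every runner pod of the scale set a
# deployer. A dedicated ServiceAccount created alongside this file
# would make the grant explicit — confirm against the ARC config.
# =========================================================
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: infra-deployer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: infra-deployer-role
subjects:
  - kind: ServiceAccount
    name: mealcraft-runners-gha-rs-no-permission
    namespace: arc-systems

---
# =========================================================
# ClusterRole: Traefik ingress controller (read/watch only)
#
# Traefik only needs to list/watch what it routes to, plus update on
# ingresses/status for Ingress status reporting; it never needs the
# deployer's write/delete rights, so it gets its own role instead of
# infra-deployer-role. The resource lists follow the upstream Traefik
# RBAC examples for the Ingress and CRD providers (both the
# traefik.containo.us and traefik.io API groups). Extra providers
# (e.g. Gateway API) would need their own rules.
# Name chosen to match the ServiceAccount bound below.
# =========================================================
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller-role
rules:
  - apiGroups: [""]
    resources:
      - services
      - endpoints
      - secrets
      - nodes
    verbs: ["get", "list", "watch"]

  - apiGroups: ["discovery.k8s.io"]
    resources:
      - endpointslices
    verbs: ["get", "list", "watch"]

  - apiGroups: ["networking.k8s.io", "extensions"]
    resources:
      - ingresses
      - ingressclasses
    verbs: ["get", "list", "watch"]

  # Status reporting on Ingress objects is the only write Traefik
  # needs.
  - apiGroups: ["networking.k8s.io", "extensions"]
    resources:
      - ingresses/status
    verbs: ["update"]

  - apiGroups: ["traefik.containo.us", "traefik.io"]
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - middlewaretcps
      - traefikservices
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs: ["get", "list", "watch"]

---
# =========================================================
# ClusterRoleBinding: Bind the Traefik role to Traefik
#
# roleRef on a binding is immutable: if this binding already exists
# pointing at infra-deployer-role, `kubectl apply` will be rejected
# and the binding has to be deleted and re-created once.
# =========================================================
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: infra-deployer-traefik-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller-role
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default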