feat: add RBAC roles and dedicated service account for app pods
Summary
Create a dedicated ServiceAccount with minimal Role/RoleBinding instead of using the default service account.
Motivation
The default service account has more permissions than the app needs. Principle of least privilege — pods should only have the Kubernetes API access they actually require.
Tasks
- kubernetes/service-account.yaml with a dedicated SA
- kubernetes/rbac.yaml with a minimal Role (read-only ConfigMaps if needed, nothing else)
Acceptance Criteria
- Pods run under a named service account, not default
- The SA has no unnecessary permissions
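One way to check the acceptance criteria against a set of manifests, as an added example that is not part of the original issue or the project's code. The manifests are constructed, and the names `app`, `app-sa` and `app-configmap-reader` are hypothetical; "no unnecessary permissions" is taken to mean read-only verbs on ConfigMaps, as the task list suggests.

```python
# Added example. Manifests are constructed, in the shape `kubectl get -o json` emits;
# the names "app", "app-sa" and "app-configmap-reader" are hypothetical.
READ_ONLY = {"get", "list", "watch"}
RBAC = "rbac.authorization.k8s.io"
META = {"namespace": "app"}

MANIFESTS = [
    {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {**META, "name": "app-sa"}},
    {"apiVersion": RBAC + "/v1", "kind": "Role",
     "metadata": {**META, "name": "app-configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["get", "list", "watch"]}]},
    {"apiVersion": RBAC + "/v1", "kind": "RoleBinding",
     "metadata": {**META, "name": "app-configmap-reader"},
     "roleRef": {"apiGroup": RBAC, "kind": "Role", "name": "app-configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "app"}]},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {**META, "name": "app"},
     "spec": {"template": {"spec": {
         "serviceAccountName": "app-sa",
         "containers": [{"name": "app", "image": "example/app:placeholder"}]}}}},
]


def audit(manifests):
    """Return acceptance-criteria violations; an empty list means the set passes."""
    kinds = {}
    for m in manifests:
        kinds.setdefault(m["kind"], []).append(m)
    sas = {m["metadata"]["name"] for m in kinds.get("ServiceAccount", [])}
    out = []
    for d in kinds.get("Deployment", []):
        # An omitted serviceAccountName means the pod runs as "default".
        sa = d["spec"]["template"]["spec"].get("serviceAccountName") or "default"
        if sa == "default" or sa not in sas:
            out.append(f"Deployment/{d['metadata']['name']}: service account {sa!r}")
    for r in kinds.get("Role", []):
        for rule in r.get("rules", []):
            scope_ok = rule.get("apiGroups") == [""] and rule.get("resources") == ["configmaps"]
            if not scope_ok or set(rule.get("verbs", [])) - READ_ONLY:
                out.append(f"Role/{r['metadata']['name']}: rule exceeds read-only ConfigMaps")
    for b in kinds.get("RoleBinding", []):
        if b["roleRef"]["kind"] != "Role":
            out.append(f"RoleBinding/{b['metadata']['name']}: binds a {b['roleRef']['kind']}")
        for s in b.get("subjects", []):
            if s.get("kind") != "ServiceAccount" or s.get("name") not in sas:
                out.append(f"RoleBinding/{b['metadata']['name']}: subject {s.get('name')!r}")
    return out


if __name__ == "__main__":
    print(audit(MANIFESTS) or "acceptance criteria met")
```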