RBAC and Dedicated Service Accounts #175

Description

@Shashank0701-byte

feat: add RBAC roles and dedicated service account for app pods

Summary

Create a dedicated ServiceAccount with minimal Role/RoleBinding instead of using the default service account.

Motivation

The default service account has more permissions than the app needs. Principle of least privilege — pods should only have the Kubernetes API access they actually require.

Tasks

  • Create kubernetes/service-account.yaml with a dedicated SA
  • Create kubernetes/rbac.yaml with a minimal Role (read-only ConfigMaps if needed, nothing else)
  • Update Deployment to use the new ServiceAccount
  • Add both as Helm templates
  • Verify the app still functions with the restricted SA

Acceptance Criteria

  • Pods run under a named service account, not default
  • The SA has no unnecessary permissions
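
The manifests the tasks above describe could look like the following. This is an added example, not the project's own files: the namespace `app`, the names `app-sa`, `app-configmap-reader` and `app-config`, and the image reference are assumed placeholders.

```yaml
# Added example; every name below is an assumed placeholder, not taken from the repository.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: app
# If the app never calls the Kubernetes API, set this to false and drop the Role/RoleBinding.
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-configmap-reader
  namespace: app
rules:
  - apiGroups: [""]                # core API group
    resources: ["configmaps"]
    resourceNames: ["app-config"]  # only this one ConfigMap
    verbs: ["get"]                 # no list/watch and no write verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-configmap-reader
  namespace: app
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-configmap-reader
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: app
spec:
  selector:
    matchLabels: {app: app}
  template:
    metadata:
      labels: {app: app}
    spec:
      serviceAccountName: app-sa   # pods no longer run as "default"
      containers:
        - name: app
          image: registry.example.com/app:placeholder
```

To check the result against the acceptance criteria, `kubectl auth can-i --list --as=system:serviceaccount:app:app-sa -n app` shows what the account is allowed to do, and `kubectl get pod <pod> -n app -o jsonpath='{.spec.serviceAccountName}'` confirms which account a running pod uses.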
