container lifecycle management

deploy/k8s/base/lifecycle-sidecar-rbac.yaml

@@ -0,0 +1,53 @@
+# RBAC for lifecycle sidecar - allows self-deletion only
+# Each agent pod gets this ServiceAccount and can only delete its own deployment
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: agent-lifecycle
+  namespace: dexorder-agents
+---
+# Role allowing deletion of deployments and PVCs
+# This is scoped to the dexorder-agents namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: agent-self-delete
+  namespace: dexorder-agents
+rules:
+  # Allow getting and deleting deployments
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "delete"]
+  
+  # Allow getting and deleting PVCs (for anonymous users)
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "delete"]
+  
+  # Read-only access to pods (for status checking)
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: agent-self-delete
+  namespace: dexorder-agents
+subjects:
+  - kind: ServiceAccount
+    name: agent-lifecycle
+    namespace: dexorder-agents
+roleRef:
+  kind: Role
+  name: agent-self-delete
+  apiGroup: rbac.authorization.k8s.io
+---
+# Additional security: ValidatingWebhookConfiguration to restrict deletion
+# This ensures sidecars can only delete their own deployment
+# Requires a validating webhook server (can be added later)
+# For now, we rely on:
+# 1. Sidecar only knowing its own deployment name (from env)
+# 2. RBAC limiting to dexorder-agents namespace
+# 3. Admission policy restricting deployment creation (already defined)