ai/deploy/k8s/base/gateway-rbac.yaml

# RBAC for gateway to CREATE agent deployments only
# Principle of least privilege: gateway can ONLY create deployments/services/PVCs
# in the dexorder-agents namespace. Deletion is handled by the lifecycle sidecar.
# No pods, secrets, exec, or cross-namespace access.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gateway
  namespace: dexorder-system
---
# Role scoped to dexorder-agents namespace only
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: agent-creator
  namespace: dexorder-agents
rules:
  # Deployments: create and read only (deletion handled by sidecar)
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "get", "list", "watch", "patch", "update"]
  
  # PVCs: create and read (deletion handled by sidecar)
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["create", "get", "list", "watch"]
  
  # Services: create and manage agent MCP endpoints
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "get", "list", "watch", "patch", "update"]
  
  # Read-only pod access for status checks (no exec!)
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  
  # Pod logs for debugging (read-only)
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  
  # Explicitly NOT included:
  # - deployments/delete - handled by lifecycle sidecar
  # - pvc/delete - handled by lifecycle sidecar
  # - services/delete - handled by lifecycle sidecar
  # - pods (create/delete) - must go through deployments
  # - pods/exec, pods/attach - no shell access
  # - secrets, configmaps - no credential access
  # - any resources in other namespaces
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gateway-agent-creator
  namespace: dexorder-agents
subjects:
  - kind: ServiceAccount
    name: gateway
    namespace: dexorder-system
roleRef:
  kind: Role
  name: agent-creator
  apiGroup: rbac.authorization.k8s.io