new platform engineer agent

2026-06-27 00:09:39 +02:00
parent d8012dfb6c
commit 6e02d9a885
13 changed files with 926 additions and 1 deletions
--- a/platform-engineer/rbac.yaml
+++ b/platform-engineer/rbac.yaml
@@ -0,0 +1,111 @@
+# Least-privilege RBAC for the Platform Engineer Hermes agent.
+#
+# The agent can READ almost everything cluster-wide, but can only MUTATE a
+# narrow allowlist of safe, idempotent resources (restart deployments, delete a
+# stuck pod so its controller recreates it, etc.). It CANNOT touch RBAC, nodes,
+# namespaces, CRDs, or other namespaces' Secrets beyond read.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: platform-engineer
+  namespace: platform-engineer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: platform-engineer
+rules:
+  # ---- Broad read access (cluster-wide) ----
+  - apiGroups: [""]
+    resources:
+      - nodes
+      - nodes/proxy
+      - services
+      - endpoints
+      - pods
+      - pods/log
+      - configmaps
+      - secrets
+      - persistentvolumeclaims
+      - persistentvolumes
+      - namespaces
+      - events
+      - replicationcontrollers
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources:
+      - deployments
+      - statefulsets
+      - daemonsets
+      - replicasets
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["batch"]
+    resources:
+      - jobs
+      - cronjobs
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - ingresses
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["autoscaling"]
+    resources:
+      - horizontalpodautoscalers
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["argoproj.io"]
+    resources:
+      - applications
+      - appprojects
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["cert-manager.io"]
+    resources:
+      - certificates
+      - certificaterequests
+      - clusterissuers
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["metrics.k8s.io"]
+    resources:
+      - pods
+      - nodes
+    verbs: ["get", "list"]
+
+  # ---- Metrics / health endpoints ----
+  - nonResourceURLs: ["/metrics", "/metrics/*"]
+    verbs: ["get"]
+
+  # ---- Narrow mutate allowlist (idempotent, safe remediation) ----
+  # Restart a stuck pod by deleting it (its controller recreates it).
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete", "patch"]
+  # `kubectl rollout restart` and scaling for the apps/batch controllers.
+  - apiGroups: ["apps"]
+    resources:
+      - deployments
+      - statefulsets
+      - daemonsets
+      - replicasets
+    verbs: ["patch", "update"]
+  - apiGroups: ["batch"]
+    resources:
+      - jobs
+      - cronjobs
+    verbs: ["patch", "update", "delete"]
+  # Exec into pods for log-style / debug inspection (granted per request #5).
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: platform-engineer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: platform-engineer
+subjects:
+  - kind: ServiceAccount
+    name: platform-engineer
+    namespace: platform-engineer