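# Least-privilege RBAC for the Platform Engineer Hermes agent.
#
# Intent: the agent can READ almost everything cluster-wide, but can only
# MUTATE a narrow allowlist of safe, idempotent resources (restart
# deployments, delete a stuck pod so its controller recreates it, etc.). It
# has no direct write access to RBAC, nodes, namespaces or CRDs.
#
# NOTE(review): the subject is bound via a ClusterRoleBinding, so every rule
# below — the mutate allowlist and pods/exec included — applies in ALL
# namespaces, kube-system among them. Together with cluster-wide read of
# Secrets (which can hold ServiceAccount tokens) and patch/update on
# Deployments/StatefulSets/DaemonSets (whose pod template chooses the
# ServiceAccount the pods run as), the effective privilege of this role is
# materially broader than the allowlist suggests and is not bounded by it.
# If that is not intended: move the mutate and exec rules into a namespaced
# Role/RoleBinding, drop `secrets` from the cluster-wide read rule, and keep
# the read-only ClusterRole. Either way, audit-log `pods/exec` create and
# `secrets` get/list by this ServiceAccount.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: platform-engineer
  namespace: platform-engineer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: platform-engineer
rules:
  # ---- Broad read access (cluster-wide) ----
  - apiGroups: [""]
    resources:
      - nodes
      # NOTE(review): nodes/proxy reaches the kubelet API directly (node-level
      # logs/metrics), bypassing per-namespace pods/log checks — confirm it is
      # needed.
      - nodes/proxy
      - services
      - endpoints
      - pods
      - pods/log
      - configmaps
      # NOTE(review): cluster-wide Secret read; see header for why this widens
      # the effective privilege of the role.
      - secrets
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - events
      - replicationcontrollers
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - deployments
      - statefulsets
      - daemonsets
      - replicasets
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
    verbs: ["get", "list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["get", "list", "watch"]
  - apiGroups: ["argoproj.io"]
    resources:
      - applications
      - appprojects
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources:
      - certificates
      - certificaterequests
      - clusterissuers
    verbs: ["get", "list", "watch"]
  - apiGroups: ["metrics.k8s.io"]
    resources:
      - pods
      - nodes
    verbs: ["get", "list"]

  # ---- Metrics / health endpoints ----
  - nonResourceURLs: ["/metrics", "/metrics/*"]
    verbs: ["get"]

  # ---- Narrow mutate allowlist (idempotent, safe remediation) ----
  # Restart a stuck pod by deleting it (its controller recreates it).
  # "patch" is also granted here (e.g. labels/annotations); confirm it is
  # required, since delete alone covers the restart use case.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["delete", "patch"]
  # `kubectl rollout restart` and scaling for the apps/batch controllers.
  # NOTE(review): patch/update on these controllers is cluster-wide and covers
  # the full pod template (image, serviceAccountName, volumes), not just the
  # restart annotation or replica count.
  - apiGroups: ["apps"]
    resources:
      - deployments
      - statefulsets
      - daemonsets
      - replicasets
    verbs: ["patch", "update"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["patch", "update", "delete"]
  # Exec into pods for log-style / debug inspection (granted per request #5).
  # NOTE(review): cluster-wide exec, including into system namespaces;
  # consider scoping this rule with a namespaced Role/RoleBinding.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-engineer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: platform-engineer
subjects:
  - kind: ServiceAccount
    name: platform-engineer
    namespace: platform-engineer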