---
# Identity used by the minikura backend. Every grant below is bound to this
# ServiceAccount, so the reach of a compromised backend pod is exactly the
# union of the Role and ClusterRole that follow.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: minikura-backend
  namespace: minikura
---
# Namespace-scoped permissions for the backend inside "minikura".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: minikura-backend-role
  namespace: minikura
rules:
  # Pods: read and watch, plus log retrieval.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - pods/log
    verbs:
      - get
      - list
  # Pods: exec/attach so the backend can open terminal sessions.
  # NOTE(review): no resourceNames are set, so "create" on pods/exec and
  # pods/attach applies to every pod in the namespace, not only the servers
  # the backend manages; a reviewer hardening this file should treat this
  # rule as the most powerful one here and consider scoping it further.
  - apiGroups:
      - ""
    resources:
      - pods/exec
      - pods/attach
    verbs:
      - create
      - get
  # Services: read-only.
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  # ConfigMaps: read-only (Secrets are intentionally not granted).
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Workloads: read-only view of Deployments and StatefulSets.
  - apiGroups:
      - apps
    resources:
      - deployments
      - statefulsets
    verbs:
      - get
      - list
      - watch
  # Ingresses: read-only.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # Project custom resources: read-only.
  - apiGroups:
      - minikura.kirameki.cafe
    resources:
      - minecraftservers
      - reverseproxyservers
    verbs:
      - get
      - list
      - watch
---
# Attach the namespace Role to the backend ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: minikura-backend-rolebinding
  namespace: minikura
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: minikura-backend-role
subjects:
  - kind: ServiceAccount
    name: minikura-backend
    namespace: minikura
---
# Cluster-scoped permissions: Nodes are not namespaced, so reading them
# (the backend needs node IPs) requires a ClusterRole. Kept to get/list only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: minikura-backend-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
---
# Bind the cluster-scoped read access to the same ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: minikura-backend-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: minikura-backend-clusterrole
subjects:
  - kind: ServiceAccount
    name: minikura-backend
    namespace: minikura