---
# ServiceAccounts: one per agent role, all in the `autojanet` namespace.
# Each carries an `autojanet/role` label matching the suffix of its name.
# Per the author's note, every SA is bound to its own OpenBao AppRole
# secret; that binding is not defined in this file.
#
# NOTE(review): none of these ServiceAccounts sets
# `automountServiceAccountToken`, so the Kubernetes default applies and a
# token is mounted into any pod that runs as the SA unless the pod spec
# opts out. Confirm which roles actually call the Kubernetes API.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-pm
  namespace: autojanet
  labels:
    autojanet/role: pm
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-coder
  namespace: autojanet
  labels:
    autojanet/role: coder
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-code-reviewer
  namespace: autojanet
  labels:
    autojanet/role: code-reviewer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-test-engineer
  namespace: autojanet
  labels:
    autojanet/role: test-engineer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-devsecops
  namespace: autojanet
  labels:
    autojanet/role: devsecops
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-secops
  namespace: autojanet
  labels:
    autojanet/role: secops
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-sre
  namespace: autojanet
  labels:
    autojanet/role: sre
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-kubernetes-pilot
  namespace: autojanet
  labels:
    autojanet/role: kubernetes-pilot
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-linux-admin
  namespace: autojanet
  labels:
    autojanet/role: linux-admin
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-systems-engineer
  namespace: autojanet
  labels:
    autojanet/role: systems-engineer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-networking
  namespace: autojanet
  labels:
    autojanet/role: networking
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-dba
  namespace: autojanet
  labels:
    autojanet/role: dba
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-prometheus-expert
  namespace: autojanet
  labels:
    autojanet/role: prometheus-expert
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-tofu-engineer
  namespace: autojanet
  labels:
    autojanet/role: tofu-engineer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-release-manager
  namespace: autojanet
  labels:
    autojanet/role: release-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-doc-updater
  namespace: autojanet
  labels:
    autojanet/role: doc-updater
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-doc-writer
  namespace: autojanet
  labels:
    autojanet/role: doc-writer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-technical-writer
  namespace: autojanet
  labels:
    autojanet/role: technical-writer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-cost-optimizer
  namespace: autojanet
  labels:
    autojanet/role: cost-optimizer
---
# ServiceAccount for the dispatcher, which (per the author's note) runs
# the CronJob that claims tasks. The CronJob itself is not in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dispatcher
  namespace: autojanet
  labels:
    autojanet/role: dispatcher
---
# Role intended for agents: create and read Jobs, and read Pods and Pod
# logs, in the `autojanet` namespace. No update, patch or delete verbs.
#
# NOTE(review): no RoleBinding that references `agent-job-runner` appears
# in this file; confirm where (and to which ServiceAccounts) it is bound.
#
# NOTE(review): `create` on Jobs is not scoped to a ServiceAccount. RBAC
# does not limit which `serviceAccountName` a Job's pod template may name,
# so a holder of this Role shares a trust boundary with every
# ServiceAccount in the namespace. If the per-role separation above is
# meant to be a security boundary, enforce it with an admission policy.
#
# NOTE(review): the Pod and `pods/log` rules carry no `resourceNames`, so
# they cover every Pod in the namespace, including other roles' Pods.
# Keep secrets out of Pod spec literals and log output.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: agent-job-runner
  namespace: autojanet
rules:
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
      - list
      - watch
---
# Role for the dispatcher: the same Job verbs as `agent-job-runner` plus
# `delete`, and read-only access to Pods, Pod logs and ConfigMaps.
#
# NOTE(review): `get`/`list`/`watch` on ConfigMaps is namespace-wide;
# confirm no ConfigMap in `autojanet` holds credential material.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dispatcher
  namespace: autojanet
rules:
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create
      - get
      - list
      - watch
      - delete
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
      - configmaps
    verbs:
      - get
      - list
      - watch
---
# Grants the `dispatcher` Role to the `dispatcher` ServiceAccount, both in
# the `autojanet` namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dispatcher
  namespace: autojanet
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dispatcher
subjects:
  - kind: ServiceAccount
    name: dispatcher
    namespace: autojanet