change

dev/backstage/service-account.yaml

@@ -5,28 +5,59 @@ metadata:
   namespace: backstage
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
-  name: backstage
+  name: backstage-k8s-reader
-  namespace: backstage
 rules:
+  # Core API group
   - apiGroups: [""]
-    resources: ["pods", "services", "configmaps", "endpoints", "secrets"]
+    resources:
+      - pods
+      - services
+      - configmaps
+      - endpoints
+      - resourcequotas
+      - limitranges
+      - namespaces
     verbs: ["get", "list", "watch"]
+
+  # Apps
   - apiGroups: ["apps"]
-    resources: ["deployments", "replicasets", "statefulsets"]
+    resources:
+      - deployments
+      - statefulsets
+      - daemonsets
+      - replicasets
+    verbs: ["get", "list", "watch"]
+
+  # Batch
+  - apiGroups: ["batch"]
+    resources:
+      - jobs
+      - cronjobs
+    verbs: ["get", "list", "watch"]
+
+  # Autoscaling
+  - apiGroups: ["autoscaling"]
+    resources:
+      - horizontalpodautoscalers
+    verbs: ["get", "list", "watch"]
+
+  # Networking
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - ingresses
     verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
-  name: backstage
+  name: backstage-k8s-reader-binding
-  namespace: backstage
 subjects:
   - kind: ServiceAccount
     name: backstage
     namespace: backstage
 roleRef:
-  kind: Role
+  kind: ClusterRole
-  name: backstage
+  name: backstage-k8s-reader
   apiGroup: rbac.authorization.k8s.io