From cd1ede09ef6deae2c6b741f5b0daddbde9fda019 Mon Sep 17 00:00:00 2001
From: Tero Halla-aho
Date: Mon, 8 Dec 2025 10:00:56 +0200
Subject: [PATCH] Add monitoring RBAC and service account for dashboards
---
 k8s/app.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/k8s/app.yaml b/k8s/app.yaml
index 8c1ac52..adb8dcd 100644
--- a/k8s/app.yaml
+++ b/k8s/app.yaml
@@ -70,6 +70,34 @@ data:
 }
 }
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: lomavuokraus-monitor
+ namespace: ${K8S_NAMESPACE}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: lomavuokraus-monitor
+rules:
+ - apiGroups: [""]
+ resources: ["nodes", "pods", "pods/status"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: lomavuokraus-monitor-${K8S_NAMESPACE}
+subjects:
+ - kind: ServiceAccount
+ name: lomavuokraus-monitor
+ namespace: ${K8S_NAMESPACE}
+roleRef:
+ kind: ClusterRole
+ name: lomavuokraus-monitor
+ apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -87,6 +115,7 @@ spec:
 labels:
 app: lomavuokraus-web
 spec:
+ serviceAccountName: lomavuokraus-monitor
 imagePullSecrets:
 - name: registry-halla
 containers:
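Review bot: The new ClusterRole grants `get`/`list`/`watch` on `pods` and `pods/status` in every namespace, which is broader than a per-namespace dashboard is likely to need. Pod objects carry full specs, including any inline env values and annotations of unrelated workloads. Only `nodes` is cluster-scoped; if the dashboards only show this application's pods (an assumption to confirm), the pod rules belong in a namespaced Role and RoleBinding as sketched below. The ClusterRole name is also not suffixed with `${K8S_NAMESPACE}` while its binding is, so each environment applied to the same cluster rewrites one shared cluster-scoped object.

```yaml
# … unchanged: ServiceAccount …
# ClusterRole lomavuokraus-monitor keeps only the cluster-scoped resource
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: lomavuokraus-monitor
  namespace: ${K8S_NAMESPACE}
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/status"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: lomavuokraus-monitor
  namespace: ${K8S_NAMESPACE}
subjects:
  - kind: ServiceAccount
    name: lomavuokraus-monitor
    namespace: ${K8S_NAMESPACE}
roleRef:
  kind: Role
  name: lomavuokraus-monitor
  apiGroup: rbac.authorization.k8s.io
# … unchanged: ClusterRoleBinding for the nodes rule …
```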
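Review bot: `serviceAccountName: lomavuokraus-monitor` attaches the monitoring identity to the `lomavuokraus-web` pod template, so the web container itself gets a mounted token with cluster-wide read access to pods and nodes. Any flaw in the web application that allows file reads or outbound requests from the pod would then expose that inventory. If the dashboards are served by a separate component, bind the account to that workload and set `automountServiceAccountToken: false` on the web pod spec. If the web app itself queries the API, narrowing the RBAC to its own namespace is the main mitigation. The Deployment spec starts and ends outside this hunk, so whether the web container actually calls the API cannot be confirmed from here.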