From 1e72f2e3711b8842dbe635e15dbf6aa6b5a9301e Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sat, 20 Dec 2025 18:08:30 -0300
Subject: [PATCH] jenkins: add RBAC serviceaccount and use for agents

---
 services/jenkins/configmap-jcasc.yaml | 2 +-
 services/jenkins/deployment.yaml | 2 +-
 services/jenkins/kustomization.yaml | 1 +
 services/jenkins/serviceaccount.yaml | 41 +++++++++++++++++++++++++++
 4 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 services/jenkins/serviceaccount.yaml

diff --git a/services/jenkins/configmap-jcasc.yaml b/services/jenkins/configmap-jcasc.yaml
index 615412e..99dadd8 100644
--- a/services/jenkins/configmap-jcasc.yaml
+++ b/services/jenkins/configmap-jcasc.yaml
@@ -171,7 +171,7 @@ data:
 label: "jenkins-jenkins-agent "
 nodeUsageMode: "NORMAL"
 podRetention: Never
- serviceAccount: "default"
+ serviceAccount: "jenkins"
 slaveConnectTimeoutStr: "100"
 yamlMergeStrategy: override
 inheritYamlMergeStrategy: false
diff --git a/services/jenkins/deployment.yaml b/services/jenkins/deployment.yaml
index d9cf1ea..ec749e8 100644
--- a/services/jenkins/deployment.yaml
+++ b/services/jenkins/deployment.yaml
@@ -18,7 +18,7 @@ spec:
 labels:
 app: jenkins
 spec:
- serviceAccountName: default
+ serviceAccountName: jenkins
 nodeSelector:
 kubernetes.io/arch: arm64
 node-role.kubernetes.io/worker: "true"
diff --git a/services/jenkins/kustomization.yaml b/services/jenkins/kustomization.yaml
index a0bd200..c183a4f 100644
--- a/services/jenkins/kustomization.yaml
+++ b/services/jenkins/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: jenkins
 resources:
 - namespace.yaml
+ - serviceaccount.yaml
 - pvc.yaml
 - configmap-jcasc.yaml
 - configmap-init-scripts.yaml
diff --git a/services/jenkins/serviceaccount.yaml b/services/jenkins/serviceaccount.yaml
new file mode 100644
index 0000000..27caeed
--- /dev/null
+++ b/services/jenkins/serviceaccount.yaml
@@ -0,0 +1,41 @@
+# services/jenkins/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: jenkins
+ namespace: jenkins
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: jenkins-agent
+ namespace: jenkins
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - pods/exec
+ - pods/log
+ - pods/portforward
+ - services
+ - endpoints
+ - persistentvolumeclaims
+ - configmaps
+ - secrets
+ verbs: ["get", "list", "watch", "create", "delete"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: jenkins-agent
+ namespace: jenkins
+subjects:
+ - kind: ServiceAccount
+ name: jenkins
+ namespace: jenkins
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: jenkins-agent
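Review bot: The Role in this file grants get/list/watch/create/delete on `secrets`, `configmaps` and `pods/exec` to the `jenkins` ServiceAccount, and the configmap-jcasc.yaml hunk puts that same ServiceAccount on the agent pod template, so any build step running on an agent inherits, through the automounted token, the ability to read every Secret in the `jenkins` namespace and to exec into any pod there. Only the controller needs to create and manage agent pods; the agents themselves reach the controller over the inbound connection and, unless a pipeline is known to call the Kubernetes API, need no API access at all. I would keep `jenkins` for the controller with a Role trimmed to `pods`, `pods/exec`, `pods/log` and (if dynamic workspace PVCs are used) `persistentvolumeclaims`, add a `jenkins-agent` ServiceAccount with `automountServiceAccountToken: false` and no binding, and change the JCasC pod template to `serviceAccount: "jenkins-agent"`. Whether `services`, `endpoints`, `configmaps` or `secrets` are required by a plugin is not visible in this patch; if one of them is, bind it to a dedicated account rather than to the identity shared with every agent. The RoleBinding below then only needs its `roleRef.name` to follow the Role rename.
```yaml
# services/jenkins/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: jenkins

---
# Identity for agent pods: no Role is bound to it and no API token is mounted,
# so a compromised build cannot reach the cluster API with it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-agent
  namespace: jenkins
automountServiceAccountToken: false

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-controller
  namespace: jenkins
rules:
  - apiGroups: [""]
    resources:
      - pods
      - pods/exec
      - pods/log
      # keep only if the kubernetes plugin provisions workspace PVCs here
      - persistentvolumeclaims
    verbs: ["get", "list", "watch", "create", "delete"]

# … unchanged: RoleBinding for the jenkins ServiceAccount, with roleRef.name: jenkins-controller …
```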