jenkins: add RBAC serviceaccount and use for agents

services/jenkins/configmap-jcasc.yaml

@@ -171,7 +171,7 @@ data:
               label: "jenkins-jenkins-agent "
               nodeUsageMode: "NORMAL"
               podRetention: Never
-              serviceAccount: "default"
+              serviceAccount: "jenkins"
               slaveConnectTimeoutStr: "100"
               yamlMergeStrategy: override
               inheritYamlMergeStrategy: false

services/jenkins/deployment.yaml

@@ -18,7 +18,7 @@ spec:
       labels:
         app: jenkins
     spec:
-      serviceAccountName: default
+      serviceAccountName: jenkins
       nodeSelector:
         kubernetes.io/arch: arm64
         node-role.kubernetes.io/worker: "true"

services/jenkins/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: jenkins
 resources:
   - namespace.yaml
+  - serviceaccount.yaml
   - pvc.yaml
   - configmap-jcasc.yaml
   - configmap-init-scripts.yaml

services/jenkins/serviceaccount.yaml

@@ -0,0 +1,41 @@
+# services/jenkins/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jenkins
+  namespace: jenkins
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins-agent
+  namespace: jenkins
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - pods/exec
+      - pods/log
+      - pods/portforward
+      - services
+      - endpoints
+      - persistentvolumeclaims
+      - configmaps
+      - secrets
+    verbs: ["get", "list", "watch", "create", "delete"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jenkins-agent
+  namespace: jenkins
+subjects:
+  - kind: ServiceAccount
+    name: jenkins
+    namespace: jenkins
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins-agent