diff --git a/services/bstein-dev-home/backend-deployment.yaml b/services/bstein-dev-home/backend-deployment.yaml
index 31b3f7c..50af5cd 100644
--- a/services/bstein-dev-home/backend-deployment.yaml
+++ b/services/bstein-dev-home/backend-deployment.yaml
@@ -15,6 +15,7 @@ spec:
 labels:
 app: bstein-dev-home-backend
 spec:
+ serviceAccountName: bstein-dev-home
 nodeSelector:
 kubernetes.io/arch: arm64
 node-role.kubernetes.io/worker: "true"
diff --git a/services/bstein-dev-home/kustomization.yaml b/services/bstein-dev-home/kustomization.yaml
index 80b6be0..e15af3e 100644
--- a/services/bstein-dev-home/kustomization.yaml
+++ b/services/bstein-dev-home/kustomization.yaml
@@ -5,6 +5,7 @@ namespace: bstein-dev-home
 resources:
 - namespace.yaml
 - image.yaml
+ - rbac.yaml
 - frontend-deployment.yaml
 - frontend-service.yaml
 - backend-deployment.yaml
diff --git a/services/bstein-dev-home/rbac.yaml b/services/bstein-dev-home/rbac.yaml
new file mode 100644
index 0000000..a6fcd03
--- /dev/null
+++ b/services/bstein-dev-home/rbac.yaml
@@ -0,0 +1,29 @@
+# services/bstein-dev-home/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bstein-dev-home
+ namespace: bstein-dev-home
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: bstein-dev-home-ai-reader
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+ resourceNames: []
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: bstein-dev-home-ai-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: bstein-dev-home-ai-reader
+subjects:
+ - kind: ServiceAccount
+ name: bstein-dev-home
+ namespace: bstein-dev-home
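Review bot: The ClusterRoleBinding in rbac.yaml gives the bstein-dev-home service account get/list/watch on pods in every namespace, so the token mounted into the backend can read every pod spec in the cluster, including kube-system workloads and any literal env values. If the backend only needs pods in specific namespaces (the diff does not show which), bind the same ClusterRole with a namespaced `kind: RoleBinding` and `namespace: <target-namespace>` under its metadata, one per namespace, instead of the cluster-wide binding. `resourceNames: []` is equivalent to omitting the field and restricts nothing, so I would drop it rather than suggest the rule is scoped. A short comment above the ClusterRole saying what the backend reads pods for would let later reviewers judge whether the scope is still justified.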