feat(bstein-dev-home): add SA/RBAC for ai pod discovery

services/bstein-dev-home/backend-deployment.yaml

@@ -15,6 +15,7 @@ spec:
       labels:
         app: bstein-dev-home-backend
     spec:
+      serviceAccountName: bstein-dev-home
       nodeSelector:
         kubernetes.io/arch: arm64
         node-role.kubernetes.io/worker: "true"

services/bstein-dev-home/kustomization.yaml

@@ -5,6 +5,7 @@ namespace: bstein-dev-home
 resources:
   - namespace.yaml
   - image.yaml
+  - rbac.yaml
   - frontend-deployment.yaml
   - frontend-service.yaml
   - backend-deployment.yaml

services/bstein-dev-home/rbac.yaml

@@ -0,0 +1,29 @@
+# services/bstein-dev-home/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: bstein-dev-home
+  namespace: bstein-dev-home
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: bstein-dev-home-ai-reader
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+    resourceNames: []
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: bstein-dev-home-ai-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: bstein-dev-home-ai-reader
+subjects:
+  - kind: ServiceAccount
+    name: bstein-dev-home
+    namespace: bstein-dev-home