# services/maintenance/metis-rbac.yaml
#
# RBAC for the `metis` ServiceAccount in the `maintenance` namespace.
# Two grants are bound to it:
#   * metis-node-manager (ClusterRole) - read, patch and delete Nodes
#   * metis-runner (Role)              - run and inspect Pods in `maintenance`
# The ServiceAccount object itself is not defined in this file.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metis-node-manager
rules:
  # Nodes are cluster-scoped, so this rule applies to every node in the
  # cluster. `patch` allows changes to labels, taints and
  # spec.unschedulable; `delete` removes the Node object.
  # NOTE(review): presumably needed for cordon/decommission-style
  # maintenance - confirm both verbs are required. If the set of nodes is
  # fixed, `resourceNames` can narrow `delete`/`patch` to named nodes.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch", "delete", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: metis-runner
  namespace: maintenance
rules:
  # Pod lifecycle inside `maintenance` only. Anything allowed to create
  # pods can run them under any ServiceAccount in the namespace and mount
  # any Secret or ConfigMap in it, so treat this rule as access to the
  # whole namespace.
  # NOTE(review): the pod spec is limited only by admission control;
  # confirm Pod Security Admission (or an equivalent policy) is enforced
  # on `maintenance`.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "watch"]
  # Read-only access to the logs of every pod in the namespace.
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metis-node-manager
# Grants the node permissions cluster-wide to a single subject. Any
# workload that runs as `metis`, or any principal holding its token,
# inherits them.
subjects:
  - kind: ServiceAccount
    name: metis
    namespace: maintenance
# roleRef is immutable; pointing the binding at another role means
# deleting and recreating it.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metis-node-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: metis-runner
  namespace: maintenance
# Same subject as the ClusterRoleBinding above, so `metis` holds the pod
# permissions and the node permissions together.
subjects:
  - kind: ServiceAccount
    name: metis
    namespace: maintenance
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: metis-runner