---
# Identity for the mas workload. It is the subject of both bindings below, so
# anything running as this account holds mas-viewer and mas-writer together.
# NOTE(review): consider separate service accounts for the read path and the
# write path so a read-only component never carries write credentials.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mas
  namespace: mas
---
# Read-only role. Secrets are not listed here; configmaps and pods/log are,
# and both often carry sensitive values, so confirm cluster-wide read access
# to them is acceptable.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mas-viewer
rules:
  # Core API group: get/list/watch only. nodes and namespaces are
  # cluster-scoped resources, so they can only be granted via a ClusterRole.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
      - services
      - endpoints
      - namespaces
      - nodes
      - persistentvolumeclaims
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Workload controllers.
  - apiGroups:
      - apps
    resources:
      - deployments
      - statefulsets
      - daemonsets
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # Argo CD Application custom resources.
  - apiGroups:
      - argoproj.io
    resources:
      - applications
    verbs:
      - get
      - list
      - watch
  # Status subresources, used when describing pods and services.
  - apiGroups:
      - ""
    resources:
      - pods/status
      - services/status
    verbs:
      - get
---
# A ClusterRoleBinding (rather than a namespaced RoleBinding) grants the role
# in every namespace of the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mas-viewer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mas-viewer
subjects:
  - kind: ServiceAccount
    name: mas
    namespace: mas
---
# Write permissions for the YAML Manager (Groq agent).
#
# NOTE(review): this role is bound cluster-wide further down, so every verb
# here applies in all namespaces, system namespaces included. Points to
# confirm before shipping:
#   - secrets is writable (no get/list), but the right to create workloads in
#     a namespace gives indirect access to the secrets and service accounts
#     of that namespace; treat this role as highly privileged.
#   - If the agent only manages a known set of namespaces, a namespaced
#     Role + RoleBinding per namespace is the least-privilege form.
#   - Presumably the agent applies generated manifests; if so, put admission
#     policy and audit logging in front of this account's write calls.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mas-writer
rules:
  # Core resources the YAML Manager may create, change and delete.
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - configmaps
      - secrets
    verbs:
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - apps
    resources:
      - deployments
      - statefulsets
      - daemonsets
      - replicasets
    verbs:
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - create
      - update
      - patch
      - delete
  # Namespace management: create and modify only, no delete verb.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - create
      - update
      - patch
  # Argo CD Application management.
  # NOTE(review): presumably these objects are reconciled by an Argo CD
  # controller using its own credentials; verify the AppProject limits on
  # sources and destinations so this grant cannot exceed the rules above.
  - apiGroups:
      - argoproj.io
    resources:
      - applications
    verbs:
      - create
      - update
      - patch
      - delete
---
# Grants mas-writer to the same service account, again in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mas-writer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mas-writer
subjects:
  - kind: ServiceAccount
    name: mas
    namespace: mas