deploy to gke manifests

Author: droot

dev/tasks/deploy-to-gke

@@ -127,5 +127,5 @@ echo "Using GKE Workload Identity Federation for Vertex AI access."
 echo "Make sure your GKE cluster has Workload Identity enabled and configured for Vertex AI."
 echo ""
 echo "To access the service:"
-echo "  kubectl port-forward ${KUBECTL_ARGS} -n ${NAMESPACE} service/kubectl-ai 8080:80"
+echo "  kubectl port-forward ${KUBECTL_ARGS} -n ${NAMESPACE} pod/kubectl-ai 8080:8080"
 echo "  Then open http://localhost:8080 in your browser" 

k8s/kubectl-ai-gke.yaml

@@ -1,3 +1,33 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: kubectl-ai
+---
+# apiVersion: v1
+# kind: Pod
+# metadata:
+#   name: kubectl-ai
+#   labels:
+#     app: kubectl-ai
+# spec:
+#   serviceAccountName: kubectl-ai
+#   containers:
+#     - name: kubectl-ai
+#       image: kubectl-ai:latest
+#       args:
+#       - --ui-type=web
+#       - --ui-listen-address=0.0.0.0:8080
+#       - --llm-provider=vertexai
+#       - --v=4
+#       - --alsologtostderr
+#       env:
+#       - name: GOOGLE_CLOUD_PROJECT
+#         value: "PROJECT_ID"
+#       - name: GOOGLE_CLOUD_LOCATION
+#         value: "global"
+#       ports:
+#         - containerPort: 8080
+# ---
 kind: Deployment
 apiVersion: apps/v1
 metadata:
@@ -27,15 +57,8 @@ spec:
         - name: GOOGLE_CLOUD_LOCATION
           value: "global"
         # Vertex AI authentication will be handled via Workload Identity Federation
+# ---
 ---
-
-kind: ServiceAccount
-apiVersion: v1
-metadata:
-  name: kubectl-ai
-  # Using GKE Workload Identity Federation - no GSA impersonation needed
----
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -47,9 +70,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: kubectl-ai
-
 ---
-
 kind: Service
 apiVersion: v1
 metadata:
@@ -62,4 +83,90 @@ spec:
   ports:
   - port: 80
     targetPort: 8888
-    protocol: TCP 
+    protocol: TCP 
+---
+# 1. The ClusterRole that grants read-only access to most resources
+# This is a cluster-wide role, so it does not have a namespace.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # This name is shared across the cluster.
+  name: read-only-except-secrets-cluster-role
+rules:
+- apiGroups:
+  - "" # core API group
+  resources:
+  # List all core resource types EXCEPT "secrets"
+  - configmaps
+  - endpoints
+  - events
+  - limitranges
+  - namespaces
+  - nodes
+  - persistentvolumeclaims
+  - persistentvolumes
+  - pods
+  - podtemplates
+  - replicationcontrollers
+  - resourcequotas
+  - serviceaccounts
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "*" # All other current and future API groups
+  resources:
+  - "*" # All current and future resources in those groups (including CRDs and CRs)
+  verbs:
+  - get
+  - list
+  - watch
+---
+# 2. The ClusterRoleBinding that connects the ServiceAccount to the Role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-only-kubectl-ai-binding
+subjects:
+# Grant the permissions to the specific ServiceAccount in the specific namespace
+- kind: ServiceAccount
+  name: kubectl-ai
+  namespace: kubectl-ai
+roleRef:
+  # This refers to the ClusterRole defined above
+  kind: ClusterRole
+  name: read-only-except-secrets-cluster-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubectl-ai-computer-manager
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/exec
+  - configmaps
+  - secrets
+  verbs:
+  - create
+  - get
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kubectl-ai-computer-manager-binding
+  namespace: computer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubectl-ai-computer-manager
+subjects:
+- kind: ServiceAccount
+  name: kubectl-ai
+  namespace: kubectl-ai