Apply RBAC permissions for SRE agent

[jwaldrip]

Summary

The SRE agent needs cluster access to diagnose and fix production issues, but RBAC permissions are not currently applied.

Current State

Agent is running as system:serviceaccount:claude:default with no cluster permissions.

Required Action

Apply RBAC configuration that already exists in the codebase:

kubectl apply -f kubernetes-agent-rbac.yaml

Or via Terraform:

cd terraform
terraform apply -target=module.agent

RBAC Configuration

The RBAC config grants read-only access for troubleshooting:

• Pods, deployments, services (get, list, watch)
• Logs and events
• CNPG/Redis/MinIO operator resources
• Network policies and ingresses
• Secrets (read-only for connection strings)

No destructive permissions granted.

Files

• kubernetes-agent-rbac.yaml - Manual application
• terraform/modules/agent/main.tf - Terraform module

Priority

HIGH - Blocks agent from diagnosing production issues

Related Issues

• CRITICAL: Production pods failing health checks - HTML UI not deployed #24 - Production health check failures (currently investigating)

[jwaldrip]

🔧 Implementing agent RBAC permissions

Reading PER recommendations and creating Terraform resources to grant cluster read permissions.

Service Account: system:serviceaccount:claude:default
Permissions Needed: pods, services, endpoints, namespaces, deployments, CNPG clusters, Redis resources

[jwaldrip]

Agent RBAC module already exists in terraform/modules/agent/ with comprehensive permissions. It will be automatically deployed with the next Terraform run (triggered by commit ee1fdf1). After deployment, the agent will have cluster-wide read access to inspect pods, logs, deployments, CNPG clusters, Redis resources, and more.