flock/deploy/rbac/serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: flock-agent
  namespace: kube-system
---
# M1.5 RBAC: just enough to read NodeConfig. M2 adds pods + networkpolicies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flock-agent
rules:
  - apiGroups: ["flock.fritzlab.net"]
    resources: ["nodeconfigs"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flock-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flock-agent
subjects:
  - kind: ServiceAccount
    name: flock-agent
    namespace: kube-system