From d7210fb4e57e94374cb3451010d969f2c395405c Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Fri, 20 Feb 2026 11:25:29 -0500
Subject: [PATCH] feat: add clusterAccess option for Kubernetes RBAC in Helm chart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a clusterAccess value with five levels:
none — no cluster access (default, no RBAC resources created)
readonlyns — Role + RoleBinding: get/list/watch in release namespace
readwritens — Role + RoleBinding: full access in release namespace
readonly — ClusterRole + ClusterRoleBinding: get/list/watch cluster-wide
readwrite — ClusterRole + ClusterRoleBinding: full access cluster-wide
A ServiceAccount is created for the pod whenever access != none and referenced in the Deployment's serviceAccountName.
Co-Authored-By: Claude Sonnet 4.6
---
 chart/templates/deployment.yaml | 3 +
 chart/templates/rbac.yaml | 97 +++++++++++++++++++++++++++++++++
 chart/values.yaml | 9 +++
 3 files changed, 109 insertions(+)
 create mode 100644 chart/templates/rbac.yaml

diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 28ed630..c49f7bc 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -14,6 +14,9 @@ spec:
 labels:
 {{- include "antigravity.labels" . | nindent 8 }}
 spec:
+ {{- if ne (.Values.clusterAccess | default "none") "none" }}
+ serviceAccountName: {{ include "antigravity.fullname" . }}
+ {{- end }}
 securityContext:
 fsGroup: 1000
 fsGroupChangePolicy: "OnRootMismatch"
diff --git a/chart/templates/rbac.yaml b/chart/templates/rbac.yaml
new file mode 100644
index 0000000..cf9c4de
--- /dev/null
+++ b/chart/templates/rbac.yaml
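Review bot: With `clusterAccess: none` the added block sets no `serviceAccountName`, so the pod runs under the namespace's `default` ServiceAccount and still gets that token automounted, which is weaker than the "no cluster access" the option advertises; the none branch should opt out explicitly, e.g. `{{- else }}` / `automountServiceAccountToken: false` before the `{{- end }}`. Whether the default ServiceAccount carries any bindings depends on the cluster, so disabling the mount is the safe default either way. Once a token is present, anything running inside the devcontainer can reach the API server with whatever rights that ServiceAccount holds, which is worth stating in a comment on the block. The pod spec this block sits in continues outside the hunk.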
@@ -0,0 +1,97 @@
+{{- $access := .Values.clusterAccess | default "none" }}
+{{- $name := include "antigravity.fullname" . }}
+{{- $ns := .Release.Namespace }}
+{{- $labels := include "antigravity.labels" . }}
+
+{{- if ne $access "none" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $name }}
+ namespace: {{ $ns }}
+ labels:
+ {{- $labels | nindent 4 }}
+
+{{- if or (eq $access "readonlyns") (eq $access "readwritens") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $name }}
+ namespace: {{ $ns }}
+ labels:
+ {{- $labels | nindent 4 }}
+rules:
+ - apiGroups: ["*"]
+ resources: ["*"]
+ verbs:
+ {{- if eq $access "readonlyns" }}
+ - get
+ - list
+ - watch
+ {{- else }}
+ - "*"
+ {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $name }}
+ namespace: {{ $ns }}
+ labels:
+ {{- $labels | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $name }}
+ namespace: {{ $ns }}
+roleRef:
+ kind: Role
+ name: {{ $name }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
+{{- if or (eq $access "readonly") (eq $access "readwrite") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- $labels | nindent 4 }}
+rules:
+ - apiGroups: ["*"]
+ resources: ["*"]
+ verbs:
+ {{- if eq $access "readonly" }}
+ - get
+ - list
+ - watch
+ {{- else }}
+ - "*"
+ {{- end }}
+ - nonResourceURLs: ["*"]
+ verbs:
+ {{- if eq $access "readonly" }}
+ - get
+ {{- else }}
+ - "*"
+ {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- $labels | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $name }}
+ namespace: {{ $ns }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $name }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index ebcc1f8..19b8281 100644
--- a/chart/values.yaml
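Review bot: An unrecognised `clusterAccess` value (a typo such as `readOnly`) passes the `ne $access "none"` test at the top, so a ServiceAccount is rendered and referenced by the Deployment while neither the Role nor the ClusterRole branch matches, and the misconfiguration only surfaces as API errors inside the pod; validate right after `$access` is set with `{{- if not (has $access (list "none" "readonlyns" "readwritens" "readonly" "readwrite")) }}` / `{{- fail (printf "clusterAccess: unsupported value %q" $access) }}` / `{{- end }}`. Separately, `resources: ["*"]` with `get`/`list`/`watch` in both read-only rule sets includes Secrets in scope, so "read-only" still exposes every credential stored in the namespace or, for `readonly`, the whole cluster, and the `readwrite` ClusterRole with `verbs: ["*"]` on all resources plus `nonResourceURLs: ["*"]` is cluster-admin-equivalent; a one-line comment above each `rules:` saying so would stop the next reader from under-estimating the grant. The ClusterRole and ClusterRoleBinding are cluster-scoped but named by the release fullname alone, so two installs sharing a release name in different namespaces would presumably collide on the second install; that depends on how `antigravity.fullname` is built, which is outside the hunk.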
+++ b/chart/values.yaml
@@ -38,6 +38,15 @@ resources:
 memory: "8Gi"
 cpu: "4000m"
+# Kubernetes cluster access granted to the devcontainer pod via RBAC.
+# Options:
+# none — no cluster access (default)
+# readonlyns — get/list/watch all resources in the release namespace
+# readwritens — full access to all resources in the release namespace
+# readonly — get/list/watch all resources cluster-wide
+# readwrite — full access to all resources cluster-wide
+clusterAccess: none
+
 # Name of existing Secret containing env vars (GITHUB_TOKEN, VNC_PASSWORD, etc.)
 # Defaults to: devcontainer-{name}-secrets-env
 envSecretName: ""
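Review bot: The option comments understate what each level grants: `readonlyns` and `readonly` include `get`/`list` on Secrets in scope, which is equivalent to holding the credentials they contain (the chart's own env Secret named by `envSecretName` just below included), and `readwrite` is cluster-admin-equivalent since the ClusterRole in rbac.yaml grants all verbs on all resources and all non-resource URLs. Suggest extending the block after `# readwrite — …` with `# NOTE: the read-only levels can read Secrets in scope, including this chart's env Secret;` / `# readwrite is equivalent to cluster-admin. Use the narrowest level that works.` It would also help to say that values outside this list are not rejected by the templates, so a typo silently yields a ServiceAccount with no bindings.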