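---
# The ServiceAccount (SA) used by your agent workload needs these k8s RBAC
# permissions in order to track the job it starts for KubernetesFlowRunner
# configured deployments.
#
# Scope: a ClusterRole bound through a ClusterRoleBinding applies in every
# namespace. If the agent only starts Jobs in a single namespace, a namespaced
# Role + RoleBinding carrying the same rules is the least-privilege choice.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: orion-job-access-clusterrole
rules:
  # Read-only access to pods and their logs, used to follow a started Job.
  # Pod logs can contain sensitive output, and with a cluster-wide binding
  # this rule covers the logs of every namespace.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  # Full lifecycle control over Jobs. Whoever holds `create` on jobs chooses
  # the pod template the Job runs, so treat the bound SA as privileged.
  # NOTE(review): `extensions` looks like the legacy API group for Jobs and
  # can probably be dropped on current clusters - confirm against the oldest
  # cluster version you support.
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Grants the ClusterRole above to the agent's SA.
# Pods that do not set spec.serviceAccountName run as their namespace's
# `default` SA, so leaving the subject as default/default gives these
# permissions to every such pod in that namespace. Prefer a dedicated SA that
# only the agent uses.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: SA-use-orion
subjects:
  - kind: ServiceAccount
    name: default  # choose the k8s SAs your workloads will use
    namespace: default  # choose the namespace your k8s SA is in
roleRef:
  kind: ClusterRole
  name: orion-job-access-clusterrole
  apiGroup: rbac.authorization.k8s.io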