#
# Create service account / role / role-binding:
# oc -n my-namespace apply -f service-account.yml
#
# Obtain API token and CA cert:
#
# $ SECRET_NAME=$(oc -n my-namespace get sa awx -o json | jq -r '.secrets[0].name')
# $ oc -n my-namespace get secret $SECRET_NAME  -o json | jq -r '.data["token"]  | @base64d'
# $ oc -n my-namespace get secret $SECRET_NAME  -o json | jq -r '.data["ca.crt"] | @base64d'
#

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: awx

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-manager
rules:
  - apiGroups: [""]  # "" indicates the core API group
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: awx-pod-manager
subjects:
  - kind: ServiceAccount
    name: awx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-manager