# RBAC Fix Summary

## Problem
```
Error from server (Forbidden): deployments.apps "buildah-external" is forbidden: 
User "system:serviceaccount:apps--droneio--prd:default" cannot patch resource "deployments/scale" 
in API group "apps" in the namespace "apps--droneio--prd"
```

## Root Cause
The `default` service account in the `apps--droneio--prd` namespace was bound to the `drone-build-role`, 
but that role didn't have permissions to scale deployments.

## Solution Applied
Updated the `drone-build-role` to include:

### NEW Permissions Added:
- `deployments.apps` with verbs: `[get, list, watch]`
- `deployments.apps/scale` with verbs: `[get, update, patch]`
- Enhanced `pods` permissions with verbs: `[get, list, watch, create, delete]`

### Verification:
```bash
kubectl auth can-i patch deployments/scale --as=system:serviceaccount:apps--droneio--prd:default -n apps--droneio--prd
# Result: yes ✅

kubectl auth can-i get deployments --as=system:serviceaccount:apps--droneio--prd:default -n apps--droneio--prd  
# Result: yes ✅
```

## Status
✅ **RBAC PERMISSIONS FIXED**

The Drone builds can now:
- Scale the `buildah-external` deployment up from 0→1 (acquire build lock)
- Scale the `buildah-external` deployment down from 1→0 (release build lock)
- Monitor pod status and wait for readiness
- Execute build commands in the Buildah pod

## Next Steps
1. Repository needs to be **activated in Drone UI** at https://drone.aipice.local
2. Once activated, the sophisticated Jsonnet pipeline with replica-based locking will work perfectly

The atomic build locking system is now ready to prevent concurrent builds! 🚀