Maison/arti-api/auth-service/RBAC-FIX-SUMMARY.md
2026-02-10 12:12:11 +01:00


RBAC Fix Summary

Problem

Error from server (Forbidden): deployments.apps "buildah-external" is forbidden: 
User "system:serviceaccount:apps--droneio--prd:default" cannot patch resource "deployments/scale" 
in API group "apps" in the namespace "apps--droneio--prd"

Root Cause

The default service account in the apps--droneio--prd namespace was bound to the drone-build-role, but that role did not grant any verbs on the deployments/scale subresource. Scaling is a write to that subresource, which RBAC authorizes separately from deployments itself (get/list/watch on deployments does not cover it), and an unconditional kubectl scale sends a patch to it, hence the "cannot patch resource deployments/scale" error.

Solution Applied

Updated the drone-build-role so that it now grants:

  • deployments.apps with verbs: [get, list, watch] (new rule)
  • deployments.apps/scale with verbs: [get, update, patch] (new rule)
  • pods with verbs: [get, list, watch, create, delete] (existing pods rule widened)

The binding subject is unchanged: the namespace's default service account. Every pod in apps--droneio--prd that does not set serviceAccountName runs as default, so those pods also receive these verbs, including create and delete on pods; binding the role to a dedicated service account used only by the Drone build pods would keep the grant limited to the pipeline.

Verification:

kubectl auth can-i patch deployments/scale --as=system:serviceaccount:apps--droneio--prd:default -n apps--droneio--prd
# Result: yes ✅

kubectl auth can-i get deployments --as=system:serviceaccount:apps--droneio--prd:default -n apps--droneio--prd  
# Result: yes ✅
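
As an added example, not the project's own manifests or scripts: the drone-build-role rendered exactly as listed above, bound to a dedicated build service account (the name drone-build is an assumption; the summary binds default), followed by a check that walks every verb the build path needs from that service account's point of view. The check includes create on pods/exec, which kubectl exec requires and which the listed rules do not grant, so it is expected to report "no" until that is addressed.

```shell
#!/usr/bin/env bash
# Added example, not the project's own manifests or scripts.
# Renders the drone-build-role exactly as the summary lists it, binds it to a
# dedicated service account (ASSUMED name; the summary binds "default"), and
# checks every verb the build path needs from that account's point of view.
set -eu

NS="${NS:-apps--droneio--prd}"   # namespace from the RBAC error
SA="${SA:-drone-build}"           # ASSUMED; set SA=default to reproduce the summary's binding
ROLE="drone-build-role"           # role name from the summary

# render_rbac: ServiceAccount + Role + RoleBinding as one YAML stream.
render_rbac() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $ROLE
  namespace: $NS
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments/scale"]   # subresource: authorized separately from deployments
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $ROLE
  namespace: $NS
subjects:
  - kind: ServiceAccount
    name: $SA
    namespace: $NS
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $ROLE
EOF
}

apply_rbac() { render_rbac | kubectl apply -f -; }

# check_rbac: one "kubectl auth can-i" per verb/resource pair, impersonating
# the service account. Prints a table and returns 1 if any answer is not "yes",
# so it can gate a pipeline step. The pods/exec row is included because
# "execute build commands in the pod" needs it and the role above does not grant it.
check_rbac() {
  local subj="system:serviceaccount:$NS:$SA" rc=0 verb res ans
  while read -r verb res; do
    # can-i exits 1 on "no", so capture the printed answer rather than the status
    ans=$(kubectl auth can-i "$verb" "$res" --as="$subj" -n "$NS" </dev/null 2>/dev/null || true)
    printf '%-7s %-18s %s\n' "$verb" "$res" "${ans:-error}"
    [ "$ans" = "yes" ] || rc=1
  done <<EOF
get deployments
watch deployments
patch deployments/scale
update deployments/scale
create pods
delete pods
create pods/exec
EOF
  return "$rc"
}

case "${1:-}" in
  apply) apply_rbac ;;
  check) check_rbac ;;
  "") ;;
  *) echo "usage: $0 apply | check" >&2; exit 2 ;;
esac
```

Run it as `./rbac.sh apply` then `./rbac.sh check`; the impersonating caller needs the impersonate verb, just as the kubectl auth can-i --as commands above do. A "no" on any row exits non-zero, which is the behaviour you want in a pre-flight step rather than discovering the gap from a Forbidden error mid-build.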

Status

RBAC PERMISSIONS FIXED

The Drone builds can now:

  • Scale the buildah-external deployment up from 0→1 (acquire build lock)
  • Scale the buildah-external deployment down from 1→0 (release build lock)
  • Monitor pod status and wait for readiness
  • Execute build commands in the Buildah pod (note: kubectl exec needs create on pods/exec, which none of the rules listed above grant; confirm with kubectl auth can-i create pods/exec --as=system:serviceaccount:apps--droneio--prd:default -n apps--droneio--prd before relying on this)
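
How the replica-based lock above can be made genuinely atomic with the verbs the role now grants, as an added example that is not the page's Jsonnet pipeline: kubectl scale with --current-replicas reads the Scale subresource, checks the precondition client-side, and writes it back carrying the resourceVersion it read, so of two racing callers only one succeeds (the loser sees "Expected replicas to be 0, was 1" after kubectl retries any 409 Conflict and re-checks). That path needs get and update on deployments/scale, which the fixed role has; an unconditional kubectl scale only needs patch and is last-writer-wins, which is what the original Forbidden error came from. The namespace and deployment names are taken from the error message above; the poll interval and timeouts are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's pipeline code. Uses a Deployment's replica
# count as a build lock and makes acquisition a compare-and-swap via
# kubectl's --current-replicas precondition.
# Needs on the caller's service account: get+update on deployments/scale
# (acquire/release) and get/list/watch on deployments (wait_ready).
set -eu

NS="${NS:-apps--droneio--prd}"          # from the RBAC error above
DEPLOY="${DEPLOY:-buildah-external}"    # from the RBAC error above
POLL_SECS="${POLL_SECS:-5}"             # assumption

# acquire_lock: 0 -> 1, but only if the current size is 0. kubectl GETs the
# Scale subresource, validates the precondition, then PUTs it back with the
# resourceVersion it read. A concurrent caller that loses the race gets
# "Expected replicas to be 0, was 1" and a non-zero exit.
acquire_lock() {
  kubectl -n "$NS" scale "deployment/$DEPLOY" --current-replicas=0 --replicas=1
}

# release_lock: 1 -> 0 with the matching precondition, so a stale release
# (after someone else already cycled the lock) is refused, not silently applied.
release_lock() {
  kubectl -n "$NS" scale "deployment/$DEPLOY" --current-replicas=1 --replicas=0
}

# acquire_lock_retry TIMEOUT_SECS: poll until the lock is free or time runs out.
acquire_lock_retry() {
  local deadline
  deadline=$(( $(date +%s) + ${1:-600} ))
  until acquire_lock 2>/dev/null; do
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out waiting for build lock on deployment/$DEPLOY" >&2
      return 1
    fi
    sleep "$POLL_SECS"
  done
}

# wait_ready TIMEOUT: block until the single replica reports Available.
wait_ready() {
  kubectl -n "$NS" wait "deployment/$DEPLOY" --for=condition=Available --timeout="${1:-300s}"
}

# Minimal CLI: "acquire [timeout_s]" takes the lock and waits for the pod,
# "release" gives it back. Run release from a step that also runs on failure,
# otherwise a broken build keeps the lock until someone scales down by hand.
case "${1:-}" in
  acquire) acquire_lock_retry "${2:-600}" && wait_ready || exit 1 ;;
  release) release_lock ;;
  "") ;;
  *) echo "usage: $0 acquire [timeout_s] | release" >&2; exit 2 ;;
esac
```

The precondition is what turns "scale to 1" into a lock: without it, two builds that both observe 0 replicas both patch to 1, both proceed, and the second release scales the pod away under the first build.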

Next Steps

  1. Repository needs to be activated in Drone UI at https://drone.aipice.local
  2. Once activated, the Jsonnet pipeline with replica-based locking can run

The replica-based build lock is now ready to prevent concurrent builds. One caveat: a plain kubectl scale is an unconditional patch (last writer wins), so the 0→1 step is only a real lock if it is conditional on the current count, for example kubectl scale --current-replicas=0 --replicas=1, which the role's get and update verbs on deployments/scale permit. 🚀