---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openclaw-agent
  namespace: openclaw

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: openclaw-agent-readonly
rules:
- apiGroups: [""]
  resources: [pods, pods/log, services, nodes, namespaces, events]
  verbs: [get, list, watch]
- apiGroups: [apps]
  resources: [deployments, replicasets, statefulsets, daemonsets]
  verbs: [get, list, watch]
- apiGroups: [networking.k8s.io]
  resources: [ingresses]
  verbs: [get, list, watch]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openclaw-agent-readonly-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openclaw-agent-readonly
subjects:
- kind: ServiceAccount
  name: openclaw-agent
  namespace: openclaw