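---
# RBAC — dedicated ServiceAccounts with no mounted Kubernetes API credentials.
#
# Each workload gets its own ServiceAccount with
# automountServiceAccountToken: false, so a pod running under it gets no
# API token mounted by default. A compromised container then has no
# credential to present to the Kubernetes API.
#
# What this file does NOT guarantee (verify elsewhere):
#   - A pod spec that sets automountServiceAccountToken: true takes
#     precedence over the ServiceAccount-level value. Check every workload's
#     pod template, or enforce the setting with admission policy.
#   - A pod that omits serviceAccountName runs as the namespace's "default"
#     ServiceAccount, which this file does not configure.
#   - Removing the token removes the credential, not network reachability.
#     Requests to the API server can still be made unauthenticated unless
#     egress is restricted (e.g. by NetworkPolicy) and anonymous access
#     grants nothing useful.
#   - No Role or RoleBinding is defined here. These accounts hold no
#     permissions unless a binding elsewhere names them.

# API service
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api
  namespace: honeydue
  labels:
    app.kubernetes.io/name: api
    app.kubernetes.io/part-of: honeydue
automountServiceAccountToken: false
---
# Background worker
apiVersion: v1
kind: ServiceAccount
metadata:
  name: worker
  namespace: honeydue
  labels:
    app.kubernetes.io/name: worker
    app.kubernetes.io/part-of: honeydue
automountServiceAccountToken: false
---
# Admin workload (the name refers to the application component; this file
# grants it no Kubernetes privileges)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: honeydue
  labels:
    app.kubernetes.io/name: admin
    app.kubernetes.io/part-of: honeydue
automountServiceAccountToken: false
---
# Redis
apiVersion: v1
kind: ServiceAccount
metadata:
  name: redis
  namespace: honeydue
  labels:
    app.kubernetes.io/name: redis
    app.kubernetes.io/part-of: honeydue
automountServiceAccountToken: false
---
# PostgreSQL
apiVersion: v1
kind: ServiceAccount
metadata:
  name: postgres
  namespace: honeydue
  labels:
    app.kubernetes.io/name: postgres
    app.kubernetes.io/part-of: honeydue
automountServiceAccountToken: false
---
# MinIO object storage
apiVersion: v1
kind: ServiceAccount
metadata:
  name: minio
  namespace: honeydue
  labels:
    app.kubernetes.io/name: minio
    app.kubernetes.io/part-of: honeydue
automountServiceAccountToken: false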