pub fn build_mc_writer_role(namespace: &str, sa_name: &str) -> Role
Build the namespaced Role for the multi-cluster service account on the queen-ship.
Grants:
- Full CRUD on arecords — scout creates/deletes ARecords via the remote client
- Read-only on dnszones — scout validates zones before creating ARecords
Both resources live in the same target namespace on the queen-ship cluster, so a
namespaced Role is sufficient. The scout watches DNSZones via
Api::namespaced(remote_client, target_namespace) (not Api::all), which means no
cluster-scoped ClusterRole is required.
The Role name matches the service account name, mirroring the convention in
deploy/scout/remote-cluster-rbac.yaml.
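A least-privilege guard over the grants described above, as an added example that is not part of this crate: it flags any rule that goes beyond write access on arecords and read-only access on dnszones. The `Rule` struct is a hypothetical std-only stand-in for a Role rule, and the verb list behind "full CRUD" is an assumption.

```rust
// Added example: hypothetical stand-in for one rule of a namespaced Role.
#[derive(Debug, Clone)]
pub struct Rule {
    pub resources: Vec<&'static str>,
    pub verbs: Vec<&'static str>,
}

const READ_VERBS: [&str; 3] = ["get", "list", "watch"];

/// Returns one finding per (verb, resource) grant that exceeds the documented
/// scope: explicit verbs on arecords, read-only on dnszones, nothing else.
pub fn audit(rules: &[Rule]) -> Vec<String> {
    let mut findings = Vec::new();
    for rule in rules {
        for res in &rule.resources {
            for verb in &rule.verbs {
                let allowed = match *res {
                    "arecords" => *verb != "*", // writes are fine, wildcards are not
                    "dnszones" => READ_VERBS.contains(verb),
                    _ => false, // any other resource, including "*", is out of scope
                };
                if !allowed {
                    findings.push(format!("{} on {}", verb, res));
                }
            }
        }
    }
    findings
}

/// Constructed sample of the grants as documented (verb names are assumed).
pub fn documented_rules() -> Vec<Rule> {
    vec![
        Rule {
            resources: vec!["arecords"],
            verbs: vec!["create", "get", "list", "watch", "update", "patch", "delete"],
        },
        Rule { resources: vec!["dnszones"], verbs: vec!["get", "list", "watch"] },
    ]
}

fn main() {
    let mut rules = documented_rules();
    println!("documented grants: {:?}", audit(&rules));
    // Constructed drift: the dnszones rule is widened with a write verb.
    rules[1].verbs.push("delete");
    println!("after drift: {:?}", audit(&rules));
}
```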