From 780e3fb68110cb4dbcf5df8c7d68044a43af8c5c Mon Sep 17 00:00:00 2001
From: bluejay
Date: Sun, 22 Mar 2026 06:25:11 +0000
Subject: [PATCH] feat: add K8s exec RBAC + guacd ServiceAccount

Adds guacd-exec ServiceAccount, ClusterRole (pods/exec), and ClusterRoleBinding for Kubernetes protocol support.
---
 apps/guacamole/guacamole.yaml | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml
index d0b45f4..4c5255d 100644
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -174,6 +174,7 @@ spec:
 app: guacd
 spec:
 containers:
+ serviceAccountName: guacd-exec
 - name: guacd
 image: guacamole/guacd:latest
 ports:
@@ -388,3 +389,38 @@ metadata:
 namespace: guacamole
 spec:
 itemPath: vaults/IAmWorkin/items/Guacamole
+---
+# RBAC for guacd K8s exec protocol
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: guacd-exec
+ namespace: guacamole
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: guacd-pod-exec
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: guacd-pod-exec
+subjects:
+ - kind: ServiceAccount
+ name: guacd-exec
+ namespace: guacamole
+roleRef:
+ kind: ClusterRole
+ name: guacd-pod-exec
+ apiGroup: rbac.authorization.k8s.io
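Review bot: In the `@@ -174,6 +174,7 @@` hunk the added `serviceAccountName: guacd-exec` sits between `containers:` and its first item `- name: guacd`, which is not a position a pod-spec field can occupy. The indentation is not recoverable from this page, but at any indent a mapping key there appears to break the `containers` sequence, so the manifest would probably fail to parse or be rejected by the API server. Move the line up by one so it reads `serviceAccountName: guacd-exec` followed by `containers:`, both at the pod-spec indent. The pod spec starts and ends outside the hunk, so the final layout should be checked against the full file.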
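Review bot: In the `@@ -388,3 +389,38 @@` hunk the `ClusterRoleBinding` grants `create` on `pods/exec` in every namespace, so the guacd-exec token can run commands in any pod in the cluster, including pods in system namespaces that hold more privileged credentials. guacd handles remote-session traffic, and a compromise of that process would carry the same cluster-wide reach. If Guacamole only needs to reach specific namespaces, bind the same ClusterRole per namespace instead, with `kind: RoleBinding` and `namespace: <target-namespace>` under `metadata`, one binding per target. The `list` rule on `namespaces` is cluster-scoped and would need its own narrow binding, or can be dropped if connections name the namespace and pod explicitly; a short comment on each rule saying why the verb is required would help later review.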