redaction (#1)

Add the redacted source file for demo purposes

Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1
Co-authored-by: Michael DiLeo <michael_dileo@proton.me>
Co-committed-by: Michael DiLeo <michael_dileo@proton.me>

manifests/infrastructure/cluster-policies/kubelet-rbac-fix.yaml

@@ -0,0 +1,68 @@
+---
+# Fix for apiserver-kubelet-client RBAC permissions
+# Required when adding new control plane nodes to Talos clusters
+# This ensures the kubelet can access node/pods subresource for static pod management
+#
+# The system:kubelet-api-admin ClusterRole should already exist in Kubernetes,
+# but we ensure the ClusterRoleBinding exists and has the correct permissions.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:apiserver-kubelet-client
+  annotations:
+    description: "Grants apiserver-kubelet-client permission to access nodes and pods for kubelet operations"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kubelet-api-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: system:apiserver-kubelet-client
+---
+# Ensure the ClusterRole has nodes/pods subresource permission
+# This may need to be created if it doesn't exist or updated if missing nodes/pods
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:kubelet-api-admin
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  - nodes/proxy
+  - nodes/stats
+  - nodes/log
+  - nodes/spec
+  - nodes/metrics
+  - nodes/pods  # CRITICAL: Required for kubelet to get pod status on nodes
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - patch
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/status
+  - pods/log
+  - pods/exec
+  - pods/portforward
+  - pods/proxy
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - patch
+  - update
+  - delete
+