---
# Fix for apiserver-kubelet-client RBAC permissions
# Required when adding new control plane nodes to Talos clusters
# This ensures the kubelet can access node/pods subresource for static pod management
#
# The system:kubelet-api-admin ClusterRole should already exist in Kubernetes,
# but we ensure the ClusterRoleBinding exists and has the correct permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:apiserver-kubelet-client
  annotations:
    description: "Grants apiserver-kubelet-client permission to access nodes and pods for kubelet operations"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kubelet-api-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:apiserver-kubelet-client
---
# Ensure the ClusterRole has nodes/pods subresource permission
# This may need to be created if it doesn't exist or updated if missing nodes/pods
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:kubelet-api-admin
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/proxy
  - nodes/stats
  - nodes/log
  - nodes/spec
  - nodes/metrics
  - nodes/pods  # CRITICAL: Required for kubelet to get pod status on nodes
  verbs:
  - get
  - list
  - watch
  - create
  - patch
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - pods
  - pods/status
  - pods/log
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - get
  - list
  - watch
  - create
  - patch
  - update
  - delete