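# k8s/rbac/api-velero-reader.yaml
# RBAC that lets the API Pod read Velero backup resources
# Sprint 5.1 K-001 / 2026-04-08 Asia/Taipei
# Purpose: the awoooi-executor ServiceAccount needs to read backup resources
#          in the velero namespace.
# Used by the Pre-flight Check to look up the most recent backup time
# (Q7 decision: kubectl approach).
# Note: the ServiceAccount name is awoooi-executor (not awoooi-api;
#       confirmed by L0).
#
# Least privilege: the stated need is read access inside the velero namespace
# only, so the grant is bound with a namespaced RoleBinding rather than a
# ClusterRoleBinding. A ClusterRoleBinding would allow get/list on
# backups.velero.io in every namespace of the cluster.
#
# Rollout caveats:
#   - Assumes Velero stores its Backup objects in the `velero` namespace, as
#     stated above; confirm against the actual install.
#   - The Pre-flight Check must query with an explicit `-n velero`; an
#     all-namespaces list is denied under this binding.
#   - Applying this file does not remove a previously applied
#     ClusterRoleBinding of the same name. Delete it explicitly, otherwise
#     the cluster-wide grant stays in effect.
#   - Verify the effective permission with:
#       kubectl auth can-i list backups.velero.io -n velero \
#         --as=system:serviceaccount:awoooi-prod:awoooi-executor
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: awoooi-velero-backup-reader
  labels:
    app: awoooi
    component: api
    sprint: "5.1"
rules:
  # Read-only verbs on Backup objects; no write verbs and no other
  # velero.io resources are granted.
  - apiGroups: ["velero.io"]
    resources: ["backups"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: awoooi-velero-backup-reader
  # The binding's namespace is what scopes the ClusterRole's rules: they
  # apply to objects in `velero` only.
  namespace: velero
  labels:
    app: awoooi
    component: api
    sprint: "5.1"
subjects:
  # Cross-namespace subject: the ServiceAccount lives in awoooi-prod but is
  # granted read access to objects in velero.
  - kind: ServiceAccount
    name: awoooi-executor
    namespace: awoooi-prod
roleRef:
  kind: ClusterRole
  name: awoooi-velero-backup-reader
  apiGroup: rbac.authorization.k8s.io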