From b8ff432e351ec7f9c5af10174ff8ba114d1d2f16 Mon Sep 17 00:00:00 2001
From: Conan Scott
Date: Sun, 12 Apr 2026 08:00:59 +0000
Subject: [PATCH] Expand RBAC: allow openclaw SA to create/update secrets in openclaw namespace
---
 manifests/serviceaccount-rbac.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/manifests/serviceaccount-rbac.yaml b/manifests/serviceaccount-rbac.yaml
index 2c8e657..b8bcf11 100644
--- a/manifests/serviceaccount-rbac.yaml
+++ b/manifests/serviceaccount-rbac.yaml
@@ -4,8 +4,6 @@ metadata:
 name: openclaw
 namespace: openclaw
 ---
-# Minimal Role/RoleBinding placeholder.
-# Adjust permissions once we know what OpenClaw needs (MCP, secrets read, etc.)
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -15,6 +13,9 @@ rules:
 - apiGroups: [""]
 resources: ["pods", "pods/log"]
 verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
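Review bot: The `secrets` rule added in the second hunk grants more than the create/update named in the subject line: `get`, `list` and `watch` with no `resourceNames` let the bound account read every Secret in the `openclaw` namespace, and `update`/`patch` let it overwrite any of them. If the workload only manages its own secrets, split the rule so that `create` stands alone (RBAC cannot restrict `create` by name) and `get`/`update`/`patch` are pinned with `resourceNames`, dropping `list`/`watch` unless the code is shown to need them. The first hunk also removes the only comment on the Role, so a one-line comment stating why write access to secrets is required would document the intent. The Role's metadata and the RoleBinding extend beyond the hunk, so the bound subject is assumed to be the `openclaw` ServiceAccount.

```yaml
# … unchanged: pods / pods/log read rule …
  # Secret names cannot be known at create time, so create is granted separately.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Read/modify only the secrets this workload owns (placeholder name, replace).
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["<OPENCLAW_OWNED_SECRET_NAME>"]
    verbs: ["get", "update", "patch"]
```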