apiVersion: v1
kind: ServiceAccount
metadata:
  name: pkg-repo-ci
  namespace: pkg-repo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pkg-repo-publisher
  namespace: pkg-repo
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pkg-repo-ci-publisher
  namespace: pkg-repo
subjects:
  - kind: ServiceAccount
    name: pkg-repo-ci
    namespace: pkg-repo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pkg-repo-publisher
---
apiVersion: v1
kind: Secret
metadata:
  name: pkg-repo-ci-token
  namespace: pkg-repo
  annotations:
    kubernetes.io/service-account.name: pkg-repo-ci
type: kubernetes.io/service-account-token