[FEATURE] RBAC - Add a service account to the Gateway CRD

[edenreich]

Summary

As an operator I would like to be able to set permissions of what the Gateway is allowed to do and what's not.

The gateway in general need a permission to list a2a's crds and svc's in other namespaces.

We need to have to option to allow the gateway to automatically also deploy a service account by passing serviceAccount.create: true for example (default true). Or let the user define what service account they want - they will then have to deploy it.

Example of what's needed.

# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inference-gateway
  namespace: inference-gateway

---
# Role with A2A service discovery permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: inference-gateway-a2a-discovery
  namespace: agents  # or the configured namespace
rules:
- apiGroups: ["core.inference-gateway.com"]
  resources: ["a2as"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch"]

---
# RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: inference-gateway-a2a-discovery
  namespace: agents
subjects:
- kind: ServiceAccount
  name: inference-gateway
  namespace: inference-gateway
roleRef:
  kind: Role
  name: inference-gateway-a2a-discovery
  apiGroup: rbac.authorization.k8s.io

AC's

• There is a new serviceAccount section added to the Gateway manifest
• By default if the serviceAccount is not defined the Operator should deploy the default one mentioned above for each Gateway based on its name
• If there is a service account name specified use this one instead
• If serviceAccount.create is set to false don't create any of the above - let the user define it

[edenreich]

@claude Can you work on this feature?

[claude]

Claude finished @edenreich's task —— View job • claude/issue-32-20250729-1205 • Create PR ➔

---

RBAC ServiceAccount Feature Implementation Complete ✅

I've successfully implemented the serviceAccount configuration for the Gateway CRD with automatic RBAC setup.

Todo List:

• Set up development environment and install pre-commit hook
• Analyze current Gateway CRD and controller implementation
• Add serviceAccount fields to Gateway API types
• Update Gateway controller to create/manage RBAC resources
• Run development workflow (generate, manifests, lint, test)
• Commit changes and create pull request

Summary of Changes:

API Changes:

• Added ServiceAccountSpec to Gateway CRD with create and name fields
• Added serviceAccountName to Gateway status to track created service account
• Default behavior: automatically create service account with gateway name

Controller Changes:

• Added RBAC reconciliation functions to create ServiceAccount, Role, and RoleBinding
• Role grants permissions to list A2A CRDs and services in configured namespace
• Updated deployment to use the configured service account
• Added proper RBAC permissions for controller to manage RBAC resources

Features Implemented:

• ✅ ServiceAccount creation enabled by default (serviceAccount.create: true)
• ✅ Custom service account names via serviceAccount.name
• ✅ Disable automatic creation via serviceAccount.create: false
• ✅ A2A service discovery permissions across namespaces
• ✅ Proper cleanup via owner references
• ✅ Example configurations provided

Acceptance Criteria Met:

• ✅ New serviceAccount section added to Gateway manifest
• ✅ Default ServiceAccount deployment with gateway-based naming
• ✅ Support for custom service account names
• ✅ Optional creation via serviceAccount.create flag

---