apiVersion: v1
kind: ServiceAccount
metadata:
  name: uncloud
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: '*'
  name: service-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: uncloud-binding
subjects:
- kind: ServiceAccount
  name: uncloud
  namespace: default
roleRef:
  kind: ClusterRole
  name: service-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: kubectl-pod
spec:
  serviceAccountName: uncloud
  containers:
  - name: kubectl
    image: bitnami/kubectl:latest
    args:
    - sh
    - -c
    - sleep
    - "1000000"