@cnolanminich
Created June 28, 2024 00:50
Permissions needed for cross-namespace
# give the created service account cross namespace permissions (cluster role)
extraManifests:
  - kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: extra-cluster-role
    rules:
      - apiGroups: ["batch"]
        resources: ["jobs", "jobs/status"]
        verbs: ["*"]
      - apiGroups: ["apps"]
        resources: ["deployments", "deployments/status", "deployments/revision"]
        verbs: ["*"]
      - apiGroups: [""]
        resources: ["pods", "pods/log", "pods/status", "services"]
        verbs: ["*"]
  # a ClusterRoleBinding is cluster-scoped: the subjects below get the rules
  # above in every namespace, not only in agent and target-namespace
  - kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: extra-cluster-rolebinding
    subjects:
      - kind: ServiceAccount
        name: user-cloud-dagster-cloud-agent
        namespace: agent
      - kind: ServiceAccount
        name: user-cloud-dagster-cloud-agent
        namespace: target-namespace
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: extra-cluster-role
  # the pod created in the target-namespace will try to bind this, so create it
  - kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: user-cloud-dagster-cloud-agent
      namespace: target-namespace
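
A namespace-scoped variant of the grant above, as an added example that is not part of the original gist: the same rules go into a Role inside target-namespace and are bound with a RoleBinding, so the service accounts receive them only in that namespace. The names extra-namespaced-role and extra-namespaced-rolebinding are assumptions, and it is also an assumption that the agent needs nothing outside target-namespace beyond what its chart already grants in its own namespace.

```yaml
# Added example, not the gist author's configuration.
extraManifests:
  - kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: extra-namespaced-role         # assumed name
      namespace: target-namespace         # a Role applies only inside this namespace
    rules:                                # copied unchanged from the ClusterRole above
      - apiGroups: ["batch"]
        resources: ["jobs", "jobs/status"]
        verbs: ["*"]
      - apiGroups: ["apps"]
        resources: ["deployments", "deployments/status", "deployments/revision"]
        verbs: ["*"]
      - apiGroups: [""]
        resources: ["pods", "pods/log", "pods/status", "services"]
        verbs: ["*"]
  - kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: extra-namespaced-rolebinding  # assumed name
      namespace: target-namespace
    subjects:
      # a RoleBinding may name service accounts that live in other namespaces
      - kind: ServiceAccount
        name: user-cloud-dagster-cloud-agent
        namespace: agent
      - kind: ServiceAccount
        name: user-cloud-dagster-cloud-agent
        namespace: target-namespace
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: extra-namespaced-role
  # still needed: the pod created in target-namespace binds this account
  - kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: user-cloud-dagster-cloud-agent
      namespace: target-namespace
```

To check the resulting scope, `kubectl auth can-i create jobs --as=system:serviceaccount:agent:user-cloud-dagster-cloud-agent -n target-namespace` should answer yes, while the same query with `-n default` should answer no unless another binding grants it.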