# RBAC Review

## Overview

RBAC (Role-Based Access Control) has been configured for the besu-network namespace.

## Service Accounts Created

1. **besu-validator** - For validator pods
2. **besu-sentry** - For sentry pods
3. **besu-rpc** - For RPC pods
4. **oracle-publisher** - For oracle publisher service
5. **rpc-gateway** - For RPC gateway

## Roles Created

### keyvault-reader

- **Purpose**: Read secrets from Azure Key Vault
- **Permissions**: get, list secrets
- **Scope**: besu-network namespace

## RoleBindings Created

1. **validator-keyvault-reader** - Binds validator service account to keyvault-reader role
2. **oracle-keyvault-reader** - Binds oracle publisher service account to keyvault-reader role

## Validation

Run the validation script:

```bash
./scripts/validation/validate-rbac.sh
```

## Application

Apply RBAC configuration:

```bash
kubectl apply -f k8s/rbac/service-accounts.yaml
```

## Testing

Verify service accounts have correct permissions and pods are using correct service accounts.
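
One way to carry out the Testing step, as an added example (not the project's `validate-rbac.sh`): it checks both directions, that the two bound accounts can read secrets and that the three unbound ones cannot, then lists pods running under any other account. Assumptions: keyvault-reader grants `get` and `list` on the Kubernetes `secrets` resource, the unbound accounts should be denied, and every pod in the namespace runs under one of the five accounts.

```bash
# Added example. Account and namespace names come from this page; the
# expected yes/no matrix is derived from the two RoleBindings it lists.
NS=besu-network
ALL_SAS="besu-validator besu-sentry besu-rpc oracle-publisher rpc-gateway"

# Only the two bound accounts should be allowed to read secrets.
expected_access() {
  case "$1" in
    besu-validator|oracle-publisher) echo yes ;;
    *) echo no ;;
  esac
}

# Impersonate each account with `kubectl auth can-i` and compare against
# the matrix. Exit status is the number of mismatches (0 = all as expected).
verify_secret_access() {
  failures=0
  for sa in $ALL_SAS; do
    want=$(expected_access "$sa")
    for verb in get list; do
      got=$(kubectl auth can-i "$verb" secrets -n "$NS" \
        --as="system:serviceaccount:$NS:$sa" 2>/dev/null || true)
      case "$got" in yes*) got=yes ;; *) got=no ;; esac  # errors count as "no"
      if [ "$got" != "$want" ]; then
        echo "MISMATCH: $sa $verb secrets (want=$want got=$got)"
        failures=$((failures + 1))
      fi
    done
  done
  return "$failures"
}

# Print every pod that runs under an account outside the list, e.g. "default".
# Assumption: all pods in the namespace belong to one of the five accounts.
pods_with_unexpected_sa() {
  kubectl get pods -n "$NS" -o \
    'jsonpath={range .items[*]}{.metadata.name}{"\t"}{.spec.serviceAccountName}{"\n"}{end}' |
  while IFS="$(printf '\t')" read -r pod sa; do
    [ -n "$pod" ] || continue
    case " $ALL_SAS " in
      *" $sa "*) ;;
      *) echo "$pod uses $sa" ;;
    esac
  done
}

# Run against the current kubectl context only when asked to.
if [ "${1:-}" = "--run" ]; then
  verify_secret_access && pods_with_unexpected_sa
fi
```

Impersonation with `--as` only works if the caller is itself permitted to impersonate service accounts; pass `--run` to execute the checks against the current context.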