jenkins: Restrict role permissions

Jenkins doesn't really need full control of all resources in its
namespace.  Rather, it only needs to be able to manage Pod and
PersistentVolumeClaim resources.

jenkins/jenkins.yaml

@@ -2,6 +2,23 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: jenkins
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins
+  namespace: jenkins
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  - pods
+  - pods/exec
+  verbs:
+  - '*'
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -10,8 +27,8 @@ metadata:
   namespace: jenkins
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
-  name: edit
+  name: jenkins
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User