fix(ssh): allow api pod port forwarding

[onutc]

Summary

• allow the Spritz API role to create pods/portforward
• unblock SSH direct-tcpip forwarding for spz port-forward

Testing

• helm template spritz helm/spritz > /tmp/spritz-chart-render.yaml
• rg -n "pods/exec|pods/portforward" /tmp/spritz-chart-render.yaml

[gitrank-connector]

👍 GitRank PR Analysis

Score: 20 points

Metric	Value
Component	Other (1× multiplier)
Severity	P2 - Medium (20 base pts)
Final Score	20 × 1 = 20

Eligibility Checks

Check	Status
Issue/Bug Fix	✅
Fix Implementation	✅
PR Documented	✅
Tests	✅ (not required)
Lines Within Limit	✅

Impact Summary

The PR adds the 'pods/portforward' resource permission to the Spritz API role's RBAC configuration, enabling SSH direct-tcpip forwarding functionality for the 'spz port-forward' command. This is a minimal one-line change that fixes a permission-based blocker preventing legitimate API functionality. The fix is well-tested via Helm template rendering and grep verification.

Analysis Details

Component Classification: This is a Kubernetes RBAC configuration change in a Helm chart template, which doesn't fit the standard component categories. It's classified as OTHER since it's infrastructure/configuration related.

Severity Justification: This is a Medium (P2) severity fix. It unblocks a feature (SSH port forwarding) that was previously non-functional due to missing RBAC permissions, representing a functional bug with a workaround (manual RBAC modification), but not a critical service outage or security vulnerability.

Eligibility Notes: Tests are not required for this change type because it is a configuration/RBAC update in a Helm chart template, which is explicitly listed as not requiring tests. The PR is properly documented with clear description of the issue and testing methodology. The fix directly addresses the stated problem.

---

Analyzed by GitRank 🤖