Description
Steps to reproduce
Currently the Kubernetes backend expects certain privileges to be able to interact with the cluster. It is unclear currently what ClusterRole or Role bindings are needed.
https://kubernetes.io/docs/concepts/security/rbac-good-practices/
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
Please provide more details as to what is required by the dstack backend, so we can follow RBAC good practices.
Actual behaviour
When you assign the service account with

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: company:namespace-admin
  namespace: namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: ServiceAccount
  name: dstack-server
  namespace: namespace
```

and then start dstack server, you get the following warning and the discovery is not working.

```
[07:02:22] INFO Applying ~/.dstack/server/config.yml...
WARNING dstack._internal.server.services.config:173 Failed to configure backend kubernetes: Invalid credentials
```
Expected behaviour
Have the documentation provide an example that follows Kubernetes RBAC best practices, allowing for easier implementation and avoiding trial and error.
dstack version
0.19.31
Server logs
Additional information
No response