Fix mkp manifest example (#1705)

Updates the example manifest for the MKP MCP server to correctly assign the service account for the workload pod.

Also added an example ServiceAccount and ClusterRoleBinding resource for example purposes.

---------

Signed-off-by: Dan Barr <[email protected]>
Co-authored-by: Dan Barr <[email protected]>
Co-authored-by: Chris Burns <[email protected]>

Author: danbarr

examples/operator/mcp-servers/mcpserver_mkp.yaml

@@ -5,22 +5,43 @@ metadata:
   namespace: toolhive-system
 spec:
   image: ghcr.io/stackloklabs/mkp/server
-  transport: sse
+  transport: streamable-http
+  targetPort: 8080
   port: 8080
+  args:
+    # Change to true for read-write access.
+    - --read-write=false
   permissionProfile:
     type: builtin
     name: network
-  podTemplateSpec:
-    spec:
-      # this will not be needed once we have implemented separate 
-      # service accounts for each MCP server and its proxyrunner
-      serviceAccountName: mkp-proxy-runner
-      containers:
-      - name: mcp
+  # We create this service account below with the desired permissions.
+  serviceAccount: mkp-sa
   resources:
     limits:
-      cpu: "100m"
-      memory: "128Mi"
+      cpu: '100m'
+      memory: '128Mi'
     requests:
-      cpu: "50m"
-      memory: "64Mi"
+      cpu: '50m'
+      memory: '64Mi'
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mkp-sa
+  namespace: toolhive-system
+---
+# NOTE: This ClusterRoleBinding uses cluster-admin for example purposes only.
+# In production, you should create a custom ClusterRole with the minimum
+# permissions required by your MCP server instead of using cluster-admin.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: mkp-sa-cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: mkp-sa
+    namespace: toolhive-system
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io