
fix: grant session-runner permission to update tasks/status#127

Merged
j-bennet merged 2 commits into prod from fix-session-runner-rbac-prod on May 11, 2026

Conversation


@j-bennet j-bennet commented May 8, 2026

What type of PR is this?

/kind bug

What this PR does / why we need it:

The kelos-session-runner service account was missing RBAC permission to update the tasks/status subresource. This caused session pods to fail with:

Error updating task status: tasks.kelos.dev "..." is forbidden: User "system:serviceaccount:kelos-agents:kelos-session-runner" cannot update resource "tasks/status" in API group "kelos.dev"

This PR adds the missing update verb on tasks/status to the session-runner ClusterRole.

Which issue(s) this PR is related to:

N/A

Special notes for your reviewer:

Single RBAC rule addition — no other changes.

Does this PR introduce a user-facing change?

NONE

The kelos-session-runner service account was missing RBAC permission
to update the tasks/status subresource, causing task status updates
to fail in session pods.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
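As an added illustration (not code from this PR or the kelos project), the Python below mirrors the API server's RBAC rule matching to show why a rule on `tasks` never covers the `tasks/status` subresource. The before/after rule lists are constructed; that the role already held read verbs on `tasks` is an assumption, not something the PR states.

```python
"""Evaluate Kubernetes RBAC rules the way the API server does, so the
forbidden error from the PR description can be reproduced offline.

The rule lists are constructed to resemble kelos-session-runner-role
before and after this PR; they are not copied from the chart."""

# Constructed: assumed pre-fix rules (read access on tasks, no tasks/status).
BEFORE_RULES = [
    {"apiGroups": ["kelos.dev"], "resources": ["tasks"],
     "verbs": ["get", "list", "watch"]},
]

# Constructed: same role plus the single rule block this PR adds.
AFTER_RULES = BEFORE_RULES + [
    {"apiGroups": ["kelos.dev"], "resources": ["tasks/status"],
     "verbs": ["get", "patch", "update"]},
]


def _resource_matches(rule_resources, resource):
    """RBAC resource match: exact name, '*', or '*/<sub>' for a subresource.

    Note that 'tasks' does not match 'tasks/status'; the subresource is a
    distinct resource name in RBAC."""
    if "*" in rule_resources or resource in rule_resources:
        return True
    if "/" in resource:
        _, sub = resource.split("/", 1)
        return f"*/{sub}" in rule_resources
    return False


def rbac_allows(rules, api_group, resource, verb):
    """Return True if any rule grants `verb` on `resource` in `api_group`."""
    for rule in rules:
        groups = rule.get("apiGroups", [])
        if "*" not in groups and api_group not in groups:
            continue
        if not _resource_matches(rule.get("resources", []), resource):
            continue
        verbs = rule.get("verbs", [])
        if "*" in verbs or verb in verbs:
            return True
    return False


def explain_forbidden(rules, api_group, resource, verb, user):
    """Return the API server's style of denial message, or None if allowed."""
    if rbac_allows(rules, api_group, resource, verb):
        return None
    return (f'User "{user}" cannot {verb} resource "{resource}" '
            f'in API group "{api_group}"')
```

Running `explain_forbidden(BEFORE_RULES, "kelos.dev", "tasks/status", "update", sa)` with the service account name from the error above reproduces that message; with `AFTER_RULES` it returns None.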

greptile-apps Bot commented May 8, 2026

Greptile Summary

This PR adds the missing tasks/status RBAC rule to kelos-session-runner-role, which was causing session pods to fail with a forbidden error when attempting to update task status. The fix is minimal and targeted, adding a single RBAC rule block.

  • Adds get, patch, and update verbs on tasks/status to kelos-session-runner-role, aligning with the pattern already used in kelos-controller-role (lines 129–134) and kelos-spawner-role (lines 168–172).
  • The previous reviewer comment about missing patch has been proactively addressed in this PR — both patch and update are included alongside get.

Confidence Score: 5/5

Safe to merge — single RBAC rule addition that unblocks a known runtime failure without granting any broad or unexpected permissions.

The change adds three verbs (get, patch, update) on the tasks/status subresource to the session-runner role, exactly matching the pattern used by sibling roles. The scope is narrow and the fix directly corresponds to the documented forbidden error. No other parts of the system are touched.

No files require special attention.

Sequence Diagram

sequenceDiagram
    participant SP as Session Pod (kelos-session-runner SA)
    participant K8S as Kubernetes API
    participant CRD as tasks.kelos.dev

    Note over SP,CRD: Before this PR
    SP->>K8S: PATCH/UPDATE tasks/status
    K8S-->>SP: 403 Forbidden (missing RBAC rule)

    Note over SP,CRD: After this PR
    SP->>K8S: GET tasks/status
    K8S->>CRD: Authorize (get ✅)
    CRD-->>SP: Task status

    SP->>K8S: PATCH tasks/status
    K8S->>CRD: Authorize (patch ✅)
    CRD-->>SP: Updated

    SP->>K8S: UPDATE tasks/status
    K8S->>CRD: Authorize (update ✅)
    CRD-->>SP: Updated


Comment thread internal/manifests/charts/kelos/templates/rbac.yaml
Align with the pattern used by kelos-controller-role and
kelos-spawner-role. The get verb is needed for the retry loop in
updateTaskStatus, and patch matches sibling roles.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

j-bennet commented May 8, 2026

@greptile Review and update Greptile Summary.


@tmarshall tmarshall left a comment


I'll approve to unblock, but Hans can share thoughts when he's back online

@j-bennet j-bennet merged commit a18b2a0 into prod May 11, 2026
14 checks passed
@j-bennet j-bennet deleted the fix-session-runner-rbac-prod branch May 11, 2026 15:29
@tmarshall

Ah, forgot this Slack comment from Hans: https://anomalo-ai.slack.com/archives/C0ANDBX8H6F/p1777660492229529

We should not commit anything to the prod branch that isn't being cherry-picked or coming from upstream. I am having a very difficult time getting this rebase to finalize without breaking things.

We can leave this change in, since we already landed it, but a heads up for next time.
