agones.dev/agones@v1.53.0/install/helm/agones/templates/serviceaccounts/controller.yaml (about)

     1  # Copyright 2018 Google LLC All Rights Reserved.
     2  #
     3  # Licensed under the Apache License, Version 2.0 (the "License");
     4  # you may not use this file except in compliance with the License.
     5  # You may obtain a copy of the License at
     6  #
     7  #     http://www.apache.org/licenses/LICENSE-2.0
     8  #
     9  # Unless required by applicable law or agreed to in writing, software
    10  # distributed under the License is distributed on an "AS IS" BASIS,
    11  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  # See the License for the specific language governing permissions and
    13  # limitations under the License.
    14  
    15  {{- if .Values.agones.registerServiceAccounts }}
        # ServiceAccount for the Agones controller. Rendered only when
        # agones.registerServiceAccounts is set. The RBAC objects later in this
        # file are gated separately on agones.rbacEnabled and refer to this
        # account by name, so with this flag off the account must already exist.
    16  apiVersion: v1
    17  kind: ServiceAccount
    18  metadata:
    19    name: {{ .Values.agones.serviceaccount.controller.name }}
    20    namespace: {{ .Release.Namespace }}
    21    labels:
    22      app: {{ template "agones.name" . }}
    23      chart: {{ template "agones.chart" . }}
    24      release: {{ .Release.Name }}
    25      heritage: {{ .Release.Service }}
    26  {{- if .Values.agones.serviceaccount.controller.annotations }}
          # Annotations are copied verbatim from chart values.
          # NOTE(review): service account annotations are commonly how cloud
          # workload-identity bindings are attached, so values supplied here can
          # grant cloud IAM access; review them as you would a credential.
    27    annotations:
    28  {{- toYaml .Values.agones.serviceaccount.controller.annotations | nindent 4 }}
    29  {{- end }}
    30  ---
    31  {{- end}}
    32  {{- if .Values.agones.rbacEnabled }}
        # ClusterRole for the Agones controller, rendered only when
        # agones.rbacEnabled is set (the conditional is closed on the last line of
        # this file). The role is cluster-scoped and is bound by a
        # ClusterRoleBinding below, so every rule applies in all namespaces.
    33  apiVersion: rbac.authorization.k8s.io/v1
    34  kind: ClusterRole
    35  metadata:
    36    name: {{ .Values.agones.serviceaccount.controller.name }}
    37    labels:
    38      app: {{ template "agones.name" . }}
    39      chart: {{ template "agones.chart" . }}
    40      release: {{ .Release.Name }}
    41      heritage: {{ .Release.Service }}
    42  rules:
        # Core API group: record events.
    43  - apiGroups: [""]
    44    resources: ["events"]
    45    verbs: ["create", "patch"]
        # Core API group: pod lifecycle in every namespace (presumably the pods
        # backing GameServers; confirm against the controller).
        # NOTE(review): cluster-wide create/update/delete on pods is a
        # high-privilege grant; treat this service account's token accordingly.
    46  - apiGroups: [""]
    47    resources: ["pods"]
    48    verbs: ["create", "update", "delete", "list", "watch"]
        # Read-only view of nodes and secrets.
        # NOTE(review): list/watch on secrets at cluster scope returns the
        # contents of every Secret in every namespace. Confirm the controller
        # needs this breadth; a namespaced Role would narrow it.
    49  - apiGroups: [""]
    50    resources: ["nodes", "secrets"]
    51    verbs: ["list", "watch"]
        # Extra read permission, granted only when agones.cloudProduct is "auto".
    52  {{- if eq .Values.agones.cloudProduct "auto" }}
    53  - apiGroups: ["admissionregistration.k8s.io"] # only needed for cloudProduct detection
    54    resources: ["mutatingwebhookconfigurations"]
    55    verbs: ["get"]
    56  {{- end}}
        # Read CustomResourceDefinitions (get only).
    57  - apiGroups: ["apiextensions.k8s.io"]
    58    resources: ["customresourcedefinitions"]
    59    verbs: ["get"]
        # Agones custom resources: full management of gameservers and
        # gameserversets, plus patch on gameservers; fleets are read/update only
        # (no create or delete).
    60  - apiGroups: ["agones.dev"]
    61    resources: ["gameservers", "gameserversets"]
    62    verbs: ["create", "delete", "get", "list", "update", "watch"]
    63  - apiGroups: ["agones.dev"]
    64    resources: ["gameservers"]
    65    verbs: ["patch"]
    66  - apiGroups: ["agones.dev"]
    67    resources: ["fleets"]
    68    verbs: ["get", "list", "update", "watch"]
        # Subresources are granted separately from their parent resources:
        # status and finalizers may only be updated.
    69  - apiGroups: ["agones.dev"]
    70    resources: ["fleets/status", "gameserversets/status"]
    71    verbs: ["update"]
    72  - apiGroups: ["agones.dev"]
    73    resources: ["fleets/finalizers", "gameserversets/finalizers", "gameservers/finalizers"]
    74    verbs: ["update"]
        # Multi-cluster allocation policies: full management.
    75  - apiGroups: ["multicluster.agones.dev"]
    76    resources: ["gameserverallocationpolicies"]
    77    verbs: ["create", "delete", "get", "list", "update", "watch"]
        # Fleet autoscalers: read/update, with status updated via its subresource.
    78  - apiGroups: ["autoscaling.agones.dev"]
    79    resources: ["fleetautoscalers"]
    80    verbs: ["get", "list", "update", "watch"]
    81  - apiGroups: ["autoscaling.agones.dev"]
    82    resources: ["fleetautoscalers/status"]
    83    verbs: ["update"]
        # Leases in coordination.k8s.io (presumably for leader election between
        # controller replicas; confirm). Granted in all namespaces.
    84  - apiGroups: ["coordination.k8s.io"]
    85    resources: ["leases"]
    86    verbs: ["create", "delete", "get", "list", "update", "watch"]
    87  ---
        # Binds the controller ClusterRole (same name as the service account) to
        # the controller's identity, making the role's rules effective
        # cluster-wide.
    88  apiVersion: rbac.authorization.k8s.io/v1
    89  kind: ClusterRoleBinding
    90  metadata:
    91    name: {{ .Values.agones.serviceaccount.controller.name }}-access
    92    labels:
    93      app: {{ template "agones.name" . }}
    94      chart: {{ template "agones.chart" . }}
    95      release: {{ .Release.Name }}
    96      heritage: {{ .Release.Service }}
    97  subjects:
        # The service account is referenced by its username string
        # (system:serviceaccount:<namespace>:<name>) as kind User, not as a
        # kind ServiceAccount subject like the two bindings further down.
        # NOTE(review): RBAC audits that enumerate only ServiceAccount subjects
        # may overlook this binding; include User subjects with this prefix.
    98  - kind: User
    99    name: system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.agones.serviceaccount.controller.name }}
   100    apiGroup: rbac.authorization.k8s.io
   101  roleRef:
   102    apiGroup: rbac.authorization.k8s.io
   103    kind: ClusterRole
   104    name: {{ .Values.agones.serviceaccount.controller.name }}
   105  ---
   106  #
   107  # RBACs for APIService
   108  #
        # Binds the controller service account to the built-in
        # system:auth-delegator ClusterRole, which lets an extension API server
        # delegate authentication and authorization checks (TokenReview and
        # SubjectAccessReview) to the main API server.
        # Unlike the objects above, this binding carries no chart labels, so
        # label-based queries for chart-owned RBAC will not return it.
   109  apiVersion: rbac.authorization.k8s.io/v1
   110  kind: ClusterRoleBinding
   111  metadata:
   112    name: {{ .Values.agones.serviceaccount.controller.name }}:system:auth-delegator
   113  roleRef:
   114    apiGroup: rbac.authorization.k8s.io
   115    kind: ClusterRole
   116    name: system:auth-delegator
   117  subjects:
   118    - kind: ServiceAccount
   119      name: {{ .Values.agones.serviceaccount.controller.name }}
   120      namespace: {{ .Release.Namespace }}
   121  ---
        # Namespaced RoleBinding created in kube-system (hard-coded, not the
        # release namespace). It grants the controller service account the
        # built-in extension-apiserver-authentication-reader Role, which allows
        # reading the extension-apiserver-authentication ConfigMap there.
        # The subject lives in the release namespace, so this is a cross-namespace
        # grant; it is also unlabelled, like the auth-delegator binding above.
   122  apiVersion: rbac.authorization.k8s.io/v1
   123  kind: RoleBinding
   124  metadata:
   125    name: {{ .Values.agones.serviceaccount.controller.name }}-auth-reader
   126    namespace: kube-system
   127  roleRef:
   128    apiGroup: rbac.authorization.k8s.io
   129    kind: Role
   130    name: extension-apiserver-authentication-reader
   131  subjects:
   132    - kind: ServiceAccount
   133      name: {{ .Values.agones.serviceaccount.controller.name }}
   134      namespace: {{ .Release.Namespace }}
   135  {{- end }}