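# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
# Definition source cue file: vela-templates/definitions/internal/service-account.cue
#
# Listing source: github.com/oam-dev/kubevela@v1.9.11/charts/vela-core/templates/defwithtemplate/service-account.yaml
#
# TraitDefinition "service-account": patches spec.template.spec.serviceAccountName on the
# listed workload kinds and, depending on the parameters, also emits a ServiceAccount, a
# Role/RoleBinding pair and a ClusterRole/ClusterRoleBinding pair.
#
# NOTE(review): the RBAC rules are copied straight from the trait parameters (verbs,
# apiGroups, resources, resourceNames, nonResourceURLs) with no allow-list, and
# scope "cluster" produces a ClusterRoleBinding. Whoever may attach this trait can
# therefore request any RBAC that the identity applying these outputs is able to grant.
# Where application authors are less trusted than that identity, restrict the trait
# (or at least scope "cluster") with admission policy. Any change to the template itself
# belongs in the source cue file named above, not in this generated file.
apiVersion: core.oam.dev/v1beta1
kind: TraitDefinition
metadata:
  annotations:
    definition.oam.dev/description: Specify serviceAccount for your workload which follows the pod spec in path 'spec.template'.
  name: service-account
  namespace: {{ include "systemDefinitionNamespace" . }}
spec:
  appliesToWorkloads:
    - deployments.apps
    - statefulsets.apps
    - daemonsets.apps
    - jobs.batch
  podDisruptive: false
  schematic:
    cue:
      template: |
        #Privileges: {
            // +usage=Specify the verbs to be allowed for the resource
            verbs: [...string]
            // +usage=Specify the apiGroups of the resource
            apiGroups?: [...string]
            // +usage=Specify the resources to be allowed
            resources?: [...string]
            // +usage=Specify the resourceNames to be allowed
            resourceNames?: [...string]
            // +usage=Specify the resource url to be allowed
            nonResourceURLs?: [...string]
            // +usage=Specify the scope of the privileges, default to be namespace scope
            scope: *"namespace" | "cluster"
        }
        parameter: {
            // +usage=Specify the name of ServiceAccount
            name: string
            // +usage=Specify whether to create new ServiceAccount or not
            create: *false | bool
            // +usage=Specify the privileges of the ServiceAccount, if not empty, RoleBindings(ClusterRoleBindings) will be created
            privileges?: [...#Privileges]
        }
        // +patchStrategy=retainKeys
        patch: spec: template: spec: serviceAccountName: parameter.name

        // Split the requested privileges by scope. Both lists are empty when
        // parameter.privileges is not set.
        _clusterPrivileges: [ if parameter.privileges != _|_ for p in parameter.privileges if p.scope == "cluster" {p}]
        _namespacePrivileges: [ if parameter.privileges != _|_ for p in parameter.privileges if p.scope == "namespace" {p}]
        outputs: {
            // The ServiceAccount is emitted only when create is true. With create
            // false the patch and the bindings below still refer to parameter.name.
            // NOTE(review): in that case the bindings add permissions to an account
            // this trait did not create, so every pod already using that account
            // gains them as well.
            if parameter.create {
                "service-account": {
                    apiVersion: "v1"
                    kind:       "ServiceAccount"
                    metadata: name: parameter.name
                }
            }
            if parameter.privileges != _|_ {
                if len(_clusterPrivileges) > 0 {
                    // Cluster-scoped objects are named "<namespace>:<name>",
                    // presumably to keep them distinct across namespaces.
                    // The rules are passed through from the parameters unchanged.
                    "cluster-role": {
                        apiVersion: "rbac.authorization.k8s.io/v1"
                        kind:       "ClusterRole"
                        metadata: name: "\(context.namespace):\(parameter.name)"
                        rules: [ for p in _clusterPrivileges {
                            verbs: p.verbs
                            if p.apiGroups != _|_ {
                                apiGroups: p.apiGroups
                            }
                            if p.resources != _|_ {
                                resources: p.resources
                            }
                            if p.resourceNames != _|_ {
                                resourceNames: p.resourceNames
                            }
                            if p.nonResourceURLs != _|_ {
                                nonResourceURLs: p.nonResourceURLs
                            }
                        }]
                    }
                    // Grants the ClusterRole above to the ServiceAccount in the
                    // application's namespace, cluster-wide.
                    "cluster-role-binding": {
                        apiVersion: "rbac.authorization.k8s.io/v1"
                        kind:       "ClusterRoleBinding"
                        metadata: name: "\(context.namespace):\(parameter.name)"
                        roleRef: {
                            apiGroup: "rbac.authorization.k8s.io"
                            kind:     "ClusterRole"
                            name:     "\(context.namespace):\(parameter.name)"
                        }
                        subjects: [{
                            kind:      "ServiceAccount"
                            name:      parameter.name
                            namespace: (context.namespace)
                        }]
                    }
                }
                if len(_namespacePrivileges) > 0 {
                    // Namespaced Role, named after the ServiceAccount.
                    // NOTE(review): Kubernetes RBAC accepts nonResourceURLs only in
                    // ClusterRole rules, so a namespace-scoped privilege that sets it
                    // is expected to be rejected by the API server. Confirm, and
                    // consider validating this in the source cue file.
                    role: {
                        apiVersion: "rbac.authorization.k8s.io/v1"
                        kind:       "Role"
                        metadata: name: parameter.name
                        rules: [ for p in _namespacePrivileges {
                            verbs: p.verbs
                            if p.apiGroups != _|_ {
                                apiGroups: p.apiGroups
                            }
                            if p.resources != _|_ {
                                resources: p.resources
                            }
                            if p.resourceNames != _|_ {
                                resourceNames: p.resourceNames
                            }
                            if p.nonResourceURLs != _|_ {
                                nonResourceURLs: p.nonResourceURLs
                            }
                        }]
                    }
                    // Unlike cluster-role-binding, the subject carries no namespace.
                    // NOTE(review): this relies on the subject being resolved in the
                    // RoleBinding's own namespace; setting it explicitly in the source
                    // cue file would make the intent visible.
                    "role-binding": {
                        apiVersion: "rbac.authorization.k8s.io/v1"
                        kind:       "RoleBinding"
                        metadata: name: parameter.name
                        roleRef: {
                            apiGroup: "rbac.authorization.k8s.io"
                            kind:     "Role"
                            name:     parameter.name
                        }
                        subjects: [{
                            kind: "ServiceAccount"
                            name: parameter.name
                        }]
                    }
                }
            }
        }
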