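// Trait definition record: the trait's name, its description, and the workload kinds it may be attached to.
"service-account": {
	type:        "trait"
	annotations: {}
	labels:      {}
	description: "Specify serviceAccount for your workload which follows the pod spec in path 'spec.template'."
	attributes: {
		podDisruptive:      false
		appliesToWorkloads: ["deployments.apps", "statefulsets.apps", "daemonsets.apps", "jobs.batch"]
	}
}

template: {
	// One requested RBAC rule. Each entry is rendered into a Role rule (scope "namespace")
	// or a ClusterRole rule (scope "cluster"); only `verbs` is mandatory, `scope` defaults to "namespace".
	#Privileges: {
		// +usage=Specify the verbs to be allowed for the resource
		verbs: [...string]
		// +usage=Specify the apiGroups of the resource
		apiGroups?: [...string]
		// +usage=Specify the resources to be allowed
		resources?: [...string]
		// +usage=Specify the resourceNames to be allowed
		resourceNames?: [...string]
		// +usage=Specify the resource url to be allowed
		nonResourceURLs?: [...string]
		// +usage=Specify the scope of the privileges, default to be namespace scope
		scope: *"namespace" | "cluster"
	}

	parameter: {
		// +usage=Specify the name of ServiceAccount
		// NOTE(review): no format constraint is applied here; an invalid name presumably surfaces
		// only when the API server rejects the rendered objects — TODO confirm.
		name: string
		// +usage=Specify whether to create new ServiceAccount or not
		create: *false | bool
		// +usage=Specify the privileges of the ServiceAccount, if not empty, RoleBindings(ClusterRoleBindings) will be created
		// NOTE(review): a "cluster"-scoped entry produces a ClusterRoleBinding, i.e. cluster-wide permissions for
		// this ServiceAccount. The RBAC objects are created with the KubeVela controller's credentials, so what can
		// be granted is bounded by the controller's own RBAC (and the API server's escalation check) rather than by
		// the application author's — confirm against the deployment's policy for who may use this trait.
		privileges?: [...#Privileges]
	}

	// Point the workload's pod template at the ServiceAccount.
	// +patchStrategy=retainKeys
	patch: spec: template: spec: serviceAccountName: parameter.name

	// Split the requested privileges by scope. Both lists are empty when `privileges` is unset.
	_clusterPrivileges: [ if parameter.privileges != _|_ for p in parameter.privileges if p.scope == "cluster" {p}]
	_namespacePrivileges: [ if parameter.privileges != _|_ for p in parameter.privileges if p.scope == "namespace" {p}]

	outputs: {
		// The ServiceAccount object is only emitted on request; with create=false the name is
		// taken to refer to an account that exists independently of this trait.
		if parameter.create {
			"service-account": {
				apiVersion: "v1"
				kind:       "ServiceAccount"
				metadata: name: parameter.name
			}
		}

		if parameter.privileges != _|_ {
			// Cluster-scoped objects are named "<namespace>:<name>" so that two applications in
			// different namespaces using the same ServiceAccount name do not collide on one ClusterRole.
			if len(_clusterPrivileges) > 0 {
				"cluster-role": {
					apiVersion: "rbac.authorization.k8s.io/v1"
					kind:       "ClusterRole"
					metadata: name: "\(context.namespace):\(parameter.name)"
					// Optional fields are copied only when set, so the rendered rule carries no empty lists.
					rules: [ for p in _clusterPrivileges {
						verbs: p.verbs
						if p.apiGroups != _|_ {
							apiGroups: p.apiGroups
						}
						if p.resources != _|_ {
							resources: p.resources
						}
						if p.resourceNames != _|_ {
							resourceNames: p.resourceNames
						}
						if p.nonResourceURLs != _|_ {
							nonResourceURLs: p.nonResourceURLs
						}
					}]
				}
				"cluster-role-binding": {
					apiVersion: "rbac.authorization.k8s.io/v1"
					kind:       "ClusterRoleBinding"
					metadata: name: "\(context.namespace):\(parameter.name)"
					roleRef: {
						apiGroup: "rbac.authorization.k8s.io"
						kind:     "ClusterRole"
						name:     "\(context.namespace):\(parameter.name)"
					}
					subjects: [{
						kind:      "ServiceAccount"
						name:      parameter.name
						namespace: context.namespace
					}]
				}
			}

			// Namespace-scoped objects reuse the ServiceAccount name; they live in context.namespace.
			if len(_namespacePrivileges) > 0 {
				"role": {
					apiVersion: "rbac.authorization.k8s.io/v1"
					kind:       "Role"
					metadata: name: parameter.name
					// Optional fields are copied only when set, so the rendered rule carries no empty lists.
					rules: [ for p in _namespacePrivileges {
						verbs: p.verbs
						if p.apiGroups != _|_ {
							apiGroups: p.apiGroups
						}
						if p.resources != _|_ {
							resources: p.resources
						}
						if p.resourceNames != _|_ {
							resourceNames: p.resourceNames
						}
						if p.nonResourceURLs != _|_ {
							nonResourceURLs: p.nonResourceURLs
						}
					}]
				}
				"role-binding": {
					apiVersion: "rbac.authorization.k8s.io/v1"
					kind:       "RoleBinding"
					metadata: name: parameter.name
					roleRef: {
						apiGroup: "rbac.authorization.k8s.io"
						kind:     "Role"
						name:     parameter.name
					}
					// Fix: set the subject namespace explicitly, as the ClusterRoleBinding above already does.
					// Kubernetes RBAC validation requires `namespace` on a ServiceAccount subject, and leaving
					// it implicit made the RoleBinding inconsistent with the cluster-scoped variant.
					subjects: [{
						kind:      "ServiceAccount"
						name:      parameter.name
						namespace: context.namespace
					}]
				}
			}
		}
	}
}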