games/valheim: allow patryk@ and palid@ to administer valheim namespace

This will create the following:

    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: RoleBinding
    metadata:
      annotations: {}
      labels:
        name: sso-admins
      name: sso:admins
      namespace: valheim
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:admin-namespace
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: patryk@hackerspace.pl
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: palid@hackerspace.pl

It's not enough to allow palid to use kubecfg (as we use a secretstore
secret in this jsonnet), but at least to manually restart the server via
kubectl, which is needed to update the game.

Change-Id: I6cb42ca87c9a78bbe34957f2c5e23acd2efe3423
This commit is contained in:
q3k 2021-02-25 12:05:58 +01:00
parent a715a02ad0
commit 2371ca9073

View file

@ -155,7 +155,20 @@ local kube = import "../../kube/kube.libsonnet";
},
},
ns: kube.Namespace("valheim") {
# Make namespace for valheim.
ns: kube.Namespace("valheim"),
# Allow patryk and palid to administer this namespace via the namespace-admin clusterrole.
adminRB: top.ns.Contain(kube.RoleBinding("sso:admins")) {
subjects: [
{ apiGroup: "rbac.authorization.k8s.io", kind: "User", name: "%s@hackerspace.pl" % [u] }
for u in ["patryk", "palid"]
],
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: "system:admin-namespace",
},
},
q3k: top.env(top.ns, "q3k") {