games/valheim: allow patryk@ and palid@ to administer valheim namespace

This will create the following: apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: annotations: {} labels: name: sso-admins name: sso:admins namespace: valheim roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:admin-namespace subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: patryk@hackerspace.pl - apiGroup: rbac.authorization.k8s.io kind: User name: palid@hackerspace.pl It's not enough to allow palid to use kubecfg (as we use a secretstore secret in this jsonnet), but at least to manually restart the server via kubectl, which is needed to update the game. Change-Id: I6cb42ca87c9a78bbe34957f2c5e23acd2efe3423
2021-02-25 12:05:58 +01:00 · 2021-02-25 12:05:58 +01:00 · 2371ca9073
parent a715a02ad0
commit 2371ca9073
1 changed files with 14 additions and 1 deletions
--- a/games/valheim/prod.jsonnet
+++ b/games/valheim/prod.jsonnet
@ -155,7 +155,20 @@ local kube = import "../../kube/kube.libsonnet";
        },
    },

-    ns: kube.Namespace("valheim") {
+    # Make namespace for valheim.
+    ns: kube.Namespace("valheim"),
+
+    # Allow patryk and palid to administer this namespace via the namespace-admin clusterrole.
+    adminRB: top.ns.Contain(kube.RoleBinding("sso:admins")) {
+        subjects: [
+            { apiGroup: "rbac.authorization.k8s.io", kind: "User", name: "%s@hackerspace.pl" % [u] }
+            for u in ["patryk", "palid"]
+        ],
+        roleRef: {
+            apiGroup: "rbac.authorization.k8s.io",
+            kind: "ClusterRole",
+            name: "system:admin-namespace",
+        },
    },

    q3k: top.env(top.ns, "q3k") {