From 2371ca9073a3a140bd236cace124f41e51d39a9e Mon Sep 17 00:00:00 2001
From: Serge Bazanski
Date: Thu, 25 Feb 2021 12:05:58 +0100
Subject: [PATCH] games/valheim: allow patryk@ and palid@ to administer valheim namespace This will create the following: apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: annotations: {} labels: name: sso-admins name: sso:admins namespace: valheim roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:admin-namespace subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: patryk@hackerspace.pl - apiGroup: rbac.authorization.k8s.io kind: User name: palid@hackerspace.pl It's not enough to allow palid to use kubecfg (as we use a secretstore secret in this jsonnet), but at least to manually restart the server via kubectl, which is needed to update the game. Change-Id: I6cb42ca87c9a78bbe34957f2c5e23acd2efe3423
---
 games/valheim/prod.jsonnet | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/games/valheim/prod.jsonnet b/games/valheim/prod.jsonnet
index 6c10b8b0..e83d216b 100644
--- a/games/valheim/prod.jsonnet
+++ b/games/valheim/prod.jsonnet
@@ -155,7 +155,20 @@ local kube = import "../../kube/kube.libsonnet";
 },
 },
- ns: kube.Namespace("valheim") {
+ # Make namespace for valheim.
+ ns: kube.Namespace("valheim"),
+
+ # Allow patryk and palid to administer this namespace via the namespace-admin clusterrole.
+ adminRB: top.ns.Contain(kube.RoleBinding("sso:admins")) {
+ subjects: [
+ { apiGroup: "rbac.authorization.k8s.io", kind: "User", name: "%s@hackerspace.pl" % [u] }
+ for u in ["patryk", "palid"]
+ ],
+ roleRef: {
+ apiGroup: "rbac.authorization.k8s.io",
+ kind: "ClusterRole",
+ name: "system:admin-namespace",
+ },
 },
 q3k: top.env(top.ns, "q3k") {
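Review bot: The new `adminRB` binding grants `system:admin-namespace` to two named users, although the commit message states the need as restarting the server with kubectl. The ClusterRole's rules are not shown in this patch, but a namespace-admin role presumably includes reading Secrets, and the message says this jsonnet uses a secretstore secret, so the grant looks wider than its stated purpose. If that is accepted, record it at the binding, e.g. `# Grants full namespace admin (presumably incl. Secrets); wider than the restart-only use case, accepted for now.`; otherwise bind a Role limited to what a restart needs. The added comment also says "namespace-admin" where `roleRef.name` is `system:admin-namespace`; using the real name makes the binding easier to find when auditing RBAC. `adminRB` is complete within the hunk, the enclosing object is not.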