deploy/kubernetes/console/templates/service-account.yaml
{{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") }}
---
# Service account main Stratos Deployment
# Allows it to create some resources in its namespace
apiVersion: "v1"
kind: "ServiceAccount"
metadata:
name: "stratos"
labels:
app.kubernetes.io/component: "stratos"
app.kubernetes.io/instance: "{{ .Release.Name }}"
app.kubernetes.io/name: "stratos"
app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
---
# Role "stratos-role" only used by account "stratos"
apiVersion: "rbac.authorization.k8s.io/v1"
kind: "Role"
metadata:
name: "stratos-role"
labels:
app.kubernetes.io/component: "stratos-role"
app.kubernetes.io/instance: "{{ .Release.Name }}"
app.kubernetes.io/name: "stratos"
app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
rules:
{{- if .Values.console.pspEnabled }}
- apiGroups:
- extensions
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- {{ default (printf "%s-psp" .Release.Name) .Values.console.pspName }}
{{- end }}
- apiGroups:
- ""
resources:
- "secrets"
- "pods"
verbs:
- "create"
- "update"
- "get"
- "list"
- "delete"
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create", "get"]
---
# Role binding for service account "stratos" and role "stratos-role"
apiVersion: "rbac.authorization.k8s.io/v1"
kind: "RoleBinding"
metadata:
name: "stratos-role-binding"
labels:
app.kubernetes.io/component: "stratos-role-binding"
app.kubernetes.io/instance: "{{ .Release.Name }}"
app.kubernetes.io/name: "stratos"
app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
subjects:
- kind: "ServiceAccount"
name: "stratos"
roleRef:
apiGroup: "rbac.authorization.k8s.io"
kind: "Role"
name: "stratos-role"
{{- end }}