games/valheim: allow patryk@ and palid@ to administer valheim namespace
This will create the following:

    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: RoleBinding
    metadata:
      annotations: {}
      labels:
        name: sso-admins
      name: sso:admins
      namespace: valheim
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:admin-namespace
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: patryk@hackerspace.pl
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: palid@hackerspace.pl

It's not enough to allow palid to use kubecfg (as we use a secretstore
secret in this jsonnet), but at least to manually restart the server via
kubectl, which is needed to update the game.
Change-Id: I6cb42ca87c9a78bbe34957f2c5e23acd2efe3423
diff --git a/games/valheim/prod.jsonnet b/games/valheim/prod.jsonnet
index 6c10b8b..e83d216 100644
--- a/games/valheim/prod.jsonnet
+++ b/games/valheim/prod.jsonnet
@@ -155,7 +155,20 @@
},
},
- ns: kube.Namespace("valheim") {
+ # Make namespace for valheim.
+ ns: kube.Namespace("valheim"),
+
+ # Allow patryk and palid to administer this namespace via the namespace-admin clusterrole.
+ adminRB: top.ns.Contain(kube.RoleBinding("sso:admins")) {
+ subjects: [
+ { apiGroup: "rbac.authorization.k8s.io", kind: "User", name: "%s@hackerspace.pl" % [u] }
+ for u in ["patryk", "palid"]
+ ],
+ roleRef: {
+ apiGroup: "rbac.authorization.k8s.io",
+ kind: "ClusterRole",
+ name: "system:admin-namespace",
+ },
},
q3k: top.env(top.ns, "q3k") {
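Review bot: the roleRef in adminRB binds the namespace-wide system:admin-namespace ClusterRole, while the commit message states the actual need as manually restarting the server via kubectl. If that is the whole requirement for palid, consider a namespaced Role scoped to the workload that gets restarted and binding only that. The commit message also notes this jsonnet uses a secretstore secret, so if system:admin-namespace permits reading Secrets in the namespace, the deployed secret becomes readable to both subjects even without secretstore access; it would help to say in the comment whether that is intended. Two smaller points: the comment calls the role "namespace-admin clusterrole" but roleRef.name is "system:admin-namespace", so use the exact name to keep it greppable; and the subject list ["patryk", "palid"] is buried in the comprehension, so lifting it to a named field next to ns would make later membership changes easier to spot in review.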