Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
{{- if .Values.serviceAccount.create -}}
2
apiVersion: v1
3
kind: ServiceAccount
4
metadata:
5
  name: {{ include "thinkphp.serviceAccountName" . }}
6
  labels:
7
    {{- include "thinkphp.labels" . | nindent 4 }}
8
  {{- with .Values.serviceAccount.annotations }}
9
  annotations:
10
    {{- toYaml . | nindent 4 }}
11
  {{- end }}
12

13
---
14
{{- $allAccess := printf "%s-all-access" (include "thinkphp.fullname" .) }}
15
{{- $noAccess := printf "%s-no-access" (include "thinkphp.fullname" .) }}
16
{{- $roleRefName := .Values.privileges.bindClusterRoleOverride | default $noAccess }}
17
{{- if eq $roleRefName $noAccess -}}
18
# Grant the service account no access to Kubernetes
19
apiVersion: rbac.authorization.k8s.io/v1
20
kind: ClusterRole
21
metadata:
22
  name: {{ include "thinkphp.fullname" . }}-no-access
23
rules: []
24
---
25
{{- else if eq $roleRefName $allAccess -}}
26
# Grant the service account full access to Kubernetes
27
apiVersion: rbac.authorization.k8s.io/v1
28
kind: ClusterRole
29
metadata:
30
  name: {{ include "thinkphp.fullname" . }}-all-access
31
rules:
32
  - apiGroups: [""] # "" indicates the core API group
33
    resources: ["*"]
34
    verbs: ["*"]
35
---
36
{{- end -}}
37

38
apiVersion: rbac.authorization.k8s.io/v1
39
kind: ClusterRoleBinding
40
metadata:
41
  name: {{ include "thinkphp.fullname" . }}-role-binding
42
subjects:
43
  - kind: ServiceAccount
44
    name: {{ include "thinkphp.serviceAccountName" . }}
45
    apiGroup: ""
46
    namespace: {{ .Release.Namespace }}
47
roleRef:
48
  kind: ClusterRole
49
  name: {{ $roleRefName }}
50
  apiGroup: ""
51

52
{{- end }}
53

54