© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
As far as bikeshedding around exact syntax, this is the sort of syntax that I would go for, as a consumer of pod spec set:
roles:
pod:
bindings: ["foo"] # Creates a RoleBinding
globalBindings: ["bar"] # Creates a ClusterRoleBinding
rules: # Creates a Role and RoleBinding
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
globalRules: # Creates a ClusterRole and ClusterRoleBinding
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
extra:
- name: secondary-sa
bindings: ["foo"]
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
A few reasons for the why of the naming:
- serviceAccount is Kubernetes-specific naming that might be confusing on another CaaS, but `roles` is abstract enough to work on another CaaS (or even clouds like AWS), but still gets the point across
- "clusterRoleNames" is confusing due to Juju not currently supporting binding to ClusterRoles, only Roles. It's also K8s-specific naming, whereas `bindings` is generic enough that it should work in other CaaS systems (and even makes sense in non-CaaS systems)