Helm chart parameters to tune sdk RBAC #438

Closed
Oleksii-Terekhov opened this issue Dec 3, 2018 · 4 comments
Labels
question I have a question!

Comments

@Oleksii-Terekhov

Now: I tune the helm chart install\helm\agones\templates\serviceaccounts\sdk.yaml to enable communication between my sidecar and k8s, since this ClusterRole is applied to all containers in the mutation hook:

- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get"]

Proposal: allow additional tuning in helm, or allow manual account tuning for containers in gs

@markmandel markmandel added the question I have a question! label Dec 4, 2018
@markmandel
Member

You can create your own service account for the SDK pod:
https://github.com/GoogleCloudPlatform/agones/blob/master/install/helm/README.md#configuration
via agones.serviceaccount.sdk, and use that instead.

Long term, we may manually only apply this to just the sidecar, see #150 for some more details (or remove it from the GameServer process).

There could be possible options to manually mount secrets into your containers to allow a specific service account as well, if you want to go that experimental route.

Does that solve your problem?

@Oleksii-Terekhov
Author

  • with own account - I am still locked to agones: if you change rights in a new release, I MUST change it too
  • with "only apply this just the sidecar" - looks good if I can tune RBAC for the sidecar container via fleet or gs yaml

@markmandel
Member

markmandel commented Dec 4, 2018

with own account - I am still locked to agones: if you change rights in a new release, I MUST change it too
I'm not

I'm not sure how we can provide values in values.yaml to extend something as complicated as RBAC permissions. Suggestions would be appreciated! (or PRs!) @Kuqd - do you have any ideas?

I'm almost wondering if it's better if you update the RBAC permissions yourself after you install the helm chart.

with "only apply this just the sidecar" - looks good if I can tune RBAC for the sidecar container via fleet or gs yaml

This would need to be done at the install time - we couldn't do this at runtime in the CRD.

But a GameServer has a full PodSpec - so you can specify your own container secrets (this probably needs research to see how well this works)
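
Added example, not part of the thread and not Agones' own manifests: because Kubernetes RBAC is additive, the extra `pods` rule from the first comment can live in a separate Role and RoleBinding applied after the chart is installed, leaving the chart's `sdk.yaml` untouched. The object names, the `default` namespace and the service account name are assumptions.

```yaml
# Extra permission for the SDK service account, kept outside the helm chart
# so a chart upgrade that rewrites sdk.yaml does not remove it.
# A namespaced Role is used instead of widening the chart's ClusterRole:
# the rule then only covers pods in this one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sidecar-pod-reader          # hypothetical name
  namespace: default                # assumption: namespace the GameServers run in
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get"]          # the rule quoted in the first comment
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sidecar-pod-reader          # hypothetical name
  namespace: default
subjects:
  - kind: ServiceAccount
    # hypothetical: use the name you set in agones.serviceaccount.sdk
    name: my-sdk-account
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sidecar-pod-reader
```

The binding is per service account, not per container, so as the first comment notes, every container in the GameServer pod gets this access, not only the sidecar. `kubectl auth can-i list pods -n default --as=system:serviceaccount:default:my-sdk-account` confirms the result.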

@Oleksii-Terekhov
Author

OK
Close issue as my local trouble
Thanks
