forked from googleforgames/agones
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Remove serviceaccount for game server container
This mounts an emptydir over the service account token that is automatically mounted in the container that runs the game server binary. Since this is exposed to the outside world, removing the serviceaccount token removes authentication against the rest of the Kubernetes cluster if it ever gets compromised. Closes googleforgames#150
- Loading branch information
1 parent
b133e52
commit fe0abc9
Showing
4 changed files
with
151 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
--- | ||
title: "GameServer Pod Service Accounts" | ||
linkTitle: "Service Accounts" | ||
date: 2019-03-14T04:30:37Z | ||
publishDate: 2019-04-01 | ||
description: > | ||
RBAC permissions and service accounts for the `GameServer` Pod. | ||
--- | ||
|
||
## Default Settings | ||
|
||
By default, Agones sets up service accounts and sets them appropriately for the `Pods` that are created for `GameServers`. | ||
|
||
Since Agones provides `GameServer` `Pods` with a sidecar container that needs access to Agones Custom Resource Definitions, | ||
`Pods` are configured with a service account with extra RBAC permissions to ensure that it can read and modify the resources it needs. | ||
|
||
Since service accounts apply to all containers in a `Pod`, Agones will automatically overwrite the mounted key for the | ||
service account in the container that is running the dedicate game server in the backing `Pod`. This is done | ||
since game server containers are exposed publicly, and generally dom't require the extra permissions to access aspects | ||
of the Kubernetes API. | ||
|
||
## Bringing your own Service Account | ||
|
||
If needed, you can provide your own service account on the `Pod` specification in the `GameServer` configuration. | ||
|
||
For example: | ||
|
||
```yaml | ||
apiVersion: "stable.agones.dev/v1alpha1" | ||
kind: GameServer | ||
metadata: | ||
generateName: "simple-udp-" | ||
spec: | ||
ports: | ||
- name: default | ||
containerPort: 7654 | ||
template: | ||
spec: | ||
serviceAccountName: my-special-service-account # a custom service account | ||
containers: | ||
- name: simple-udp | ||
image: gcr.io/agones-images/udp-server:0.7 | ||
``` | ||
If a service account is configured, the mounted key is not overwritten, as it assumed that you want to have full control | ||
of the service account and underlying RBAC permissions. |