k8s-manifests/jupyter/base/charts/jupyterhub/templates/image-puller/rbac.yaml

{{- /*
Permissions to be used by the hook-image-awaiter job
*/}}
{{- if .Values.rbac.create -}}
{{- if (include "jupyterhub.imagePuller.daemonset.hook.install" .) -}}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }}
  labels:
    {{- include "jupyterhub.labels" . | nindent 4 }}
    hub.jupyter.org/deletable: "true"
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    "helm.sh/hook-weight": "0"
rules:
  - apiGroups: ["apps"]       # "" indicates the core API group
    resources: ["daemonsets"]
    verbs: ["get"]
---
{{- /*
... as declared by this binding.
*/}}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }}
  labels:
    {{- include "jupyterhub.labels" . | nindent 4 }}
    hub.jupyter.org/deletable: "true"
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    "helm.sh/hook-weight": "0"
subjects:
  - kind: ServiceAccount
    name: {{ include "jupyterhub.hook-image-awaiter-serviceaccount.fullname" . }}
    namespace: "{{ .Release.Namespace }}"
roleRef:
  kind: Role
  name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}
Jupytherhub: Export 3.0.3 like so: ``` helm repo add jupyterhub https://hub.jupyter.org/helm-chart/ helm fetch jupyterhub/jupyterhub --version 3.0.3 --untar --untardir . ``` 2023-09-25 14:28:39 +00:00			`{{- /*`
			`Permissions to be used by the hook-image-awaiter job`
			`*/}}`
			`{{- if .Values.rbac.create -}}`
			`{{- if (include "jupyterhub.imagePuller.daemonset.hook.install" .) -}}`
			`kind: Role`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
			`name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }}`
			`labels:`
			`{{- include "jupyterhub.labels" . \| nindent 4 }}`
			`hub.jupyter.org/deletable: "true"`
			`annotations:`
			`"helm.sh/hook": pre-install,pre-upgrade`
			`"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`
			`"helm.sh/hook-weight": "0"`
			`rules:`
			`- apiGroups: ["apps"] # "" indicates the core API group`
			`resources: ["daemonsets"]`
			`verbs: ["get"]`
			`---`
			`{{- /*`
			`... as declared by this binding.`
			`*/}}`
			`kind: RoleBinding`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
			`name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }}`
			`labels:`
			`{{- include "jupyterhub.labels" . \| nindent 4 }}`
			`hub.jupyter.org/deletable: "true"`
			`annotations:`
			`"helm.sh/hook": pre-install,pre-upgrade`
			`"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`
			`"helm.sh/hook-weight": "0"`
			`subjects:`
			`- kind: ServiceAccount`
			`name: {{ include "jupyterhub.hook-image-awaiter-serviceaccount.fullname" . }}`
			`namespace: "{{ .Release.Namespace }}"`
			`roleRef:`
			`kind: Role`
			`name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }}`
			`apiGroup: rbac.authorization.k8s.io`
			`{{- end }}`
			`{{- end }}`