apiVersion: v1 kind: ServiceAccount metadata: namespace: {{ .Release.Namespace }} name: {{ template "kubevirt.namespaceHook.name" . }} {{ template "kubevirt.namespaceHook.annotations" (dict "hookWeight" 1) }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "kubevirt.namespaceHook.name" . }} {{ template "kubevirt.namespaceHook.annotations" (dict "hookWeight" 1) }} rules: - apiGroups: [ "" ] resources: [ "namespaces" ] resourceNames: - {{ .Release.Namespace | quote }} verbs: [ "get", "patch" ] - apiGroups: [ "management.cattle.io" ] # Rancher resources: [ "projects" ] verbs: [ "updatepsa" ] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ template "kubevirt.namespaceHook.name" . }} {{ template "kubevirt.namespaceHook.annotations" (dict "hookWeight" 2) }} subjects: - kind: ServiceAccount namespace: {{ .Release.Namespace }} name: {{ template "kubevirt.namespaceHook.name" . }} roleRef: kind: ClusterRole name: {{ template "kubevirt.namespaceHook.name" . }} apiGroup: rbac.authorization.k8s.io --- apiVersion: batch/v1 kind: Job metadata: namespace: {{ .Release.Namespace }} name: {{ template "kubevirt.namespaceHook.name" . }} {{ template "kubevirt.namespaceHook.annotations" (dict "hookWeight" 3) }} spec: template: metadata: name: {{ template "kubevirt.namespaceHook.name" . }} spec: serviceAccountName: {{ template "kubevirt.namespaceHook.name" . }} restartPolicy: {{ .Values.hookRestartPolicy }} containers: - name: {{ template "kubevirt.namespaceHook.name" . }} securityContext: {{- toYaml .Values.hookSecurityContext | nindent 12 }} image: {{ .Values.hookImage }} args: - label - namespace - {{ .Release.Namespace }} - kubevirt.io= - pod-security.kubernetes.io/enforce=privileged