GameServer Pod Service Accounts
Default Settings
By default, Agones sets up service accounts and configures them appropriately for the Pods that are created for GameServers.
Since Agones provides GameServer Pods with a sidecar container that needs access to Agones Custom Resource Definitions, Pods are configured with a service account with extra RBAC permissions to ensure that it can read and modify the resources it needs.
Since service accounts apply to all containers in a Pod, Agones will automatically overwrite the mounted key for the service account in the container that is running the dedicated game server in the backing Pod. This is done since game server containers are exposed publicly, and generally don't require the extra permissions to access aspects of the Kubernetes API.
Bringing your own Service Account
If needed, you can provide your own service account on the Pod specification in the GameServer configuration.
Warning
If you bring your own Service Account, it's your responsibility to ensure it matches all the RBAC permissions the GameServer Pod usually acquires from Agones by default, otherwise GameServers can fail.
The default RBAC permissions can be found in the installation YAML on GitHub and can be used as a reference.
For example:
apiVersion: "agones.dev/v1"
kind: GameServer
metadata:
  generateName: "simple-game-server-"
spec:
  ports:
    - name: default
      containerPort: 7654
  template:
    spec:
      serviceAccountName: my-special-service-account # a custom service account
      containers:
        - name: simple-game-server
          image: us-docker.pkg.dev/agones-images/examples/simple-game-server:0.34
If a service account is configured, the mounted key is not overwritten, as it is assumed that you want to have full control of the service account and underlying RBAC permissions.
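Because a custom service account leaves its key mounted in the publicly exposed game server container, it helps to know which workloads opt in. The following is an added example, not Agones project code: it lists every GameServer that sets `serviceAccountName`, and it goes beyond the page by also checking Fleets, which nest a GameServer template. The function names, the `reviewed` allowlist and the sample objects are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `kubectl get gameservers,fleets -A -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "GameServer", "metadata": {"name": "gs-default", "namespace": "default"},
  "spec": {"template": {"spec": {"containers": [{"name": "simple-game-server"}]}}}},
 {"kind": "GameServer", "metadata": {"name": "gs-custom", "namespace": "default"},
  "spec": {"template": {"spec": {
    "serviceAccountName": "my-special-service-account",
    "containers": [{"name": "simple-game-server"}]}}}},
 {"kind": "Fleet", "metadata": {"name": "fleet-custom", "namespace": "games"},
  "spec": {"template": {"spec": {"template": {"spec": {
    "serviceAccountName": "fleet-sa",
    "containers": [{"name": "game"}, {"name": "helper"}]}}}}}}
]}
""")

def pod_spec(obj):
    """Return the Pod spec embedded in a GameServer or Fleet, else None."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Fleet":
        # A Fleet wraps a GameServer template one level deeper.
        spec = spec.get("template", {}).get("spec", {})
    elif obj.get("kind") != "GameServer":
        return None
    return spec.get("template", {}).get("spec")

def audit(doc, reviewed=frozenset()):
    """List workloads whose containers keep the custom account's mounted key.

    `reviewed` holds service account names whose RBAC was already checked.
    """
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        spec = pod_spec(obj)
        account = (spec or {}).get("serviceAccountName")
        if not account or account in reviewed:
            continue  # Agones default in use, or account already reviewed
        meta = obj.get("metadata", {})
        name = meta.get("name") or meta.get("generateName", "?")
        containers = [c.get("name") for c in spec.get("containers", [])]
        findings.append((obj["kind"], meta.get("namespace", "default"),
                         name, account, containers))
    return findings

if __name__ == "__main__":
    for kind, ns, name, account, containers in audit(SAMPLE):
        print(f"{kind} {ns}/{name}: '{account}' key visible to {containers}")
```

Each finding names a service account whose RBAC bindings should be reviewed with the game server container's public exposure in mind.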
Last modified September 10, 2024: Updating UpdateList to update the values on a list (#3899) (632a866)