--- apiVersion: v1 kind: ServiceAccount metadata: name: clusterprofile-syncer automountServiceAccountToken: true --- apiVersion: apps/v1 kind: Deployment metadata: name: clusterprofile-syncer-deployment labels: app: clusterprofile-syncer spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app: clusterprofile-syncer template: metadata: labels: app: clusterprofile-syncer annotations: date: ${DATE} spec: terminationGracePeriodSeconds: 0 # gotta go fast! nodeSelector: iam.gke.io/gke-metadata-server-enabled: "true" serviceAccountName: clusterprofile-syncer containers: - name: syncer image: ${SYNCER_DOCKER_IMAGE} command: ["/usr/sbin/membership-to-clusterprofile.sh", "${PROJECT}", "${MEMBERSHIPNAME}", "${PROJECT_NUMBER}"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: clusterprofile-syncer-binding labels: app: clusterprofile-syncer subjects: - kind: ServiceAccount name: clusterprofile-syncer namespace: ${PROJECT} roleRef: kind: ClusterRole name: clusterprofileadmin apiGroup: rbac.authorization.k8s.io