# Identity the updateip CronJob runs as. Its permissions come from
# updateip-role via updateip-rolebinding, both in the download namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: updateip-sa
  namespace: download
---
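# Namespaced permissions for the updateip CronJob's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: updateip-role
  namespace: download
rules:
# Read access to pods in the download namespace.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
# Exec into pods. No resourceNames are set, so this applies to every pod in
# the namespace: whoever holds this ServiceAccount's token can run commands
# in any of them. Treat the token as a credential for the whole namespace
# and alert on pods/exec requests from this identity outside the job's
# schedule.
# Only `create` is granted; `delete` is not an operation the exec
# subresource offers, so it added nothing but noise to the grant.
# NOTE(review): depending on kubectl and API-server versions, exec over
# WebSocket may be authorized as `get` on pods/exec - confirm against the
# target cluster, since the job's kubectl image is not version-pinned.
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]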
---
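# Grants updateip-role to the updateip-sa ServiceAccount, in the download
# namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: updateip-rolebinding
  namespace: download
subjects:
- kind: ServiceAccount
  name: updateip-sa
  # Stated explicitly so the binding does not depend on the subject
  # namespace being defaulted to the binding's own namespace, and so a
  # reviewer can see exactly which identity receives pods/exec.
  namespace: download
  # ServiceAccount subjects live in the core API group, hence the empty string.
  apiGroup: ""
roleRef:
  kind: Role
  name: updateip-role
  apiGroup: rbac.authorization.k8s.io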
---
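# Daily job that runs updateip.sh with kubectl under the updateip-sa identity.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: updateip-job
  namespace: download
spec:
  # 00:00 every day.
  schedule: "0 0 * * *"
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      template:
        spec:
          # The pod runs with this ServiceAccount's token, which carries
          # pods/exec in the download namespace (see updateip-role).
          serviceAccountName: updateip-sa
          containers:
          - name: update-ip
            # NOTE(review): `latest` is a mutable tag, and with IfNotPresent
            # each node keeps whatever image it cached first, so the code
            # that runs with the exec-capable token is neither reproducible
            # nor auditable. Pin to a version tag or an image digest.
            image: bitnami/kubectl:latest
            imagePullPolicy: IfNotPresent
            command:
            - /bin/sh
            - -c
            - /mnt/scripts/updateip.sh
            volumeMounts:
            - name: scripts
              mountPath: /mnt/scripts
            securityContext:
              runAsNonRoot: true
              runAsUser: 10000
              # The container only runs a shell script and kubectl, so it
              # needs no Linux capabilities and no way to gain privileges.
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
              seccompProfile:
                type: RuntimeDefault
          restartPolicy: OnFailure
          volumes:
          - name: scripts
            # The executed script comes from this ConfigMap, so write access
            # to the ConfigMap is equivalent to running commands with the
            # ServiceAccount's permissions; restrict and audit edits to it.
            configMap:
              name: updateip
              # Read + execute only (octal 0555, decimal 365). UID 10000 has
              # to be able to execute updateip.sh; nothing needs write access.
              defaultMode: 0555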