
Merge "Add info about required RBAC permissions to docs"

tags/2.0.0.0rc1
Zuul 7 months ago
committed by Gerrit Code Review
parent
commit
39e92f3322
2 changed files with 44 additions and 0 deletions
  1. doc/source/installation/containerized.rst (+1, -0)
  2. doc/source/installation/manual.rst (+43, -0)

doc/source/installation/containerized.rst (+1, -0)

@@ -31,6 +31,7 @@ Deployment and kuryr-cni DaemonSet definitions to use pre-built `controller`_
and `cni`_ images from the Docker Hub. Those definitions will be generated in
next step.

.. _containerized-generate:

Generating Kuryr resource definitions for Kubernetes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
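
Review bot: The ``.. _containerized-generate:`` label above the "Generating Kuryr resource definitions for Kubernetes" title is a project-wide Sphinx target, so a name tied to what the section covers would be less likely to collide with a later label and easier to find from other pages. Because it sits directly above a section title, ``:ref:`` will render that title as the link text, which the sentence in manual.rst that points here should account for.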


doc/source/installation/manual.rst (+43, -0)

@@ -70,6 +70,49 @@ Edit ``kuryr.conf``:
If you use tokens to authenticate use ``[kubernetes]token_file`` to specify
a file having it.

.. note::

If your Kubernetes cluster has RBAC enabled, make sure the Kuryr user has
access to required resources:

.. code-block:: yaml

rules:
- apiGroups:
- ""
verbs: ["*"]
resources:
- endpoints
- pods
- nodes
- services
- services/status
- namespaces
- apiGroups:
- openstack.org
verbs: ["*"]
resources:
- kuryrnets
- kuryrnetpolicies
- kuryrloadbalancers
- apiGroups: ["networking.k8s.io"]
resources:
- networkpolicies
verbs:
- get
- list
- watch
- update
- patch
- apiGroups: ["k8s.cni.cncf.io"]
resources:
- network-attachment-definitions
verbs:
- get

You can generate ``ServiceAccount`` definition with correct ``ClusterRole``
using instructions on :ref:`containerized-generate` page.

Note that the service_subnet and the pod_subnet *should be routable* and that
the pods should allow service subnet access.
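
Review bot: The first two rules in the added YAML use ``verbs: ["*"]`` on ``endpoints``, ``pods``, ``nodes``, ``services``, ``services/status``, ``namespaces`` and the ``openstack.org`` resources, which is far broader than the explicit verb lists given for ``networking.k8s.io`` and ``k8s.cni.cncf.io`` further down. A wildcard includes delete and deletecollection, and through the ``ClusterRole`` mentioned in the closing sentence it applies in every namespace, so a compromised Kuryr credential could remove pods, services or namespaces cluster-wide. Please list the verbs Kuryr actually needs per resource, or add a sentence stating why the wildcard is required. The snippet also starts at ``rules:`` with no ``kind`` or ``metadata``, so the note should say up front that this is a ``ClusterRole`` fragment. Last, ``:ref:`containerized-generate``` resolves to a section title rather than a page, so "using instructions on ... page" will read oddly once rendered; "using the instructions in :ref:`containerized-generate`" would fit better.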


