From ffe59622538ed561c8328fb45f96c41a274de61e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Dulko?= Date: Thu, 19 Dec 2019 10:59:19 +0100 Subject: [PATCH] Add info about required RBAC permissions to docs This commit adds information about required Kuryr Kubernetes user permissions when RBAC is enabled to manual installation guide. Change-Id: I6175350eff4a8f05b7fa9ba020ad129a455feacd --- doc/source/installation/containerized.rst | 1 + doc/source/installation/manual.rst | 43 +++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/doc/source/installation/containerized.rst b/doc/source/installation/containerized.rst index 4644d853d..fe1f14faa 100644 --- a/doc/source/installation/containerized.rst +++ b/doc/source/installation/containerized.rst @@ -31,6 +31,7 @@ Deployment and kuryr-cni DaemonSet definitions to use pre-built `controller`_ and `cni`_ images from the Docker Hub. Those definitions will be generated in next step. +.. _containerized-generate: Generating Kuryr resource definitions for Kubernetes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/source/installation/manual.rst b/doc/source/installation/manual.rst index 48405436c..6271a4f44 100644 --- a/doc/source/installation/manual.rst +++ b/doc/source/installation/manual.rst 
@@ -70,6 +70,49 @@ Edit ``kuryr.conf``: If you use tokens to authenticate use ``[kubernetes]token_file`` to specify a file having it. +.. note:: + + If your Kubernetes cluster has RBAC enabled, make sure the Kuryr user has + access to required resources: + + .. code-block:: yaml + + rules: + - apiGroups: + - "" + verbs: ["*"] + resources: + - endpoints + - pods + - nodes + - services + - services/status + - namespaces + - apiGroups: + - openstack.org + verbs: ["*"] + resources: + - kuryrnets + - kuryrnetpolicies + - kuryrloadbalancers + - apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: ["k8s.cni.cncf.io"] + resources: + - network-attachment-definitions + verbs: + - get + + You can generate ``ServiceAccount`` definition with correct ``ClusterRole`` + using instructions on :ref:`containerized-generate` page. + Note that the service_subnet and the pod_subnet *should be routable* and that the pods should allow service subnet access.
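Review bot: in the containerized.rst hunk, the new `.. _containerized-generate:` label sits directly above the "Generating Kuryr resource definitions for Kubernetes" title with no blank line between them (the stat shows exactly one inserted line in that file). docutils reports this as "Explicit markup ends without a blank line; unexpected unindent", and a Sphinx build run with `-W` will fail on it. Add an empty line after the label; the explicit target still attaches to the following section title, so the `:ref:` added in manual.rst keeps working.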
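Review bot: in the manual.rst hunk, the `verbs: ["*"]` entries on the core (`""`) and `openstack.org` rules give the Kuryr service account unrestricted access, create and delete included, to cluster-scoped objects such as `nodes` and `namespaces`, which is far broader than the `get`/`list`/`watch`/`update`/`patch` set the `networking.k8s.io` rule spells out. If the controller only needs to read most of these resources, list the verbs per resource so operators following this guide do not over-privilege the account, or at least say in the note that this is a `ClusterRole` `rules:` fragment meant to be trimmed to the features actually enabled. The snippet also mixes block-style and flow-style lists (`- apiGroups:` / `- ""` versus `apiGroups: ["networking.k8s.io"]`) and places `verbs` before `resources` in some rules and after in others; one consistent form makes the block easier to compare against the generated `ClusterRole` the note points to. Note that the `:ref:`containerized-generate`` reference only resolves together with the label added in containerized.rst, so both hunks must merge as one change.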