Merge "Add info about required RBAC permissions to docs"
commit
39e92f3322
|
@ -31,6 +31,7 @@ Deployment and kuryr-cni DaemonSet definitions to use pre-built `controller`_
|
||||||
and `cni`_ images from the Docker Hub. Those definitions will be generated in
|
and `cni`_ images from the Docker Hub. Those definitions will be generated in
|
||||||
next step.
|
next step.
|
||||||
|
|
||||||
|
.. _containerized-generate:
|
||||||
|
|
||||||
Generating Kuryr resource definitions for Kubernetes
|
Generating Kuryr resource definitions for Kubernetes
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
|
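Review bot: the new ``.. _containerized-generate:`` label above the "Generating Kuryr resource definitions for Kubernetes" heading lives in Sphinx's global label namespace, so check that no other document in the tree already defines the same name. A name that spells out the target, for example one that includes "definitions", would also make the cross-reference easier to follow from the installation page that links to it.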
@ -70,6 +70,49 @@ Edit ``kuryr.conf``:
|
||||||
If you use tokens to authenticate use ``[kubernetes]token_file`` to specify
|
If you use tokens to authenticate use ``[kubernetes]token_file`` to specify
|
||||||
a file having it.
|
a file having it.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
If your Kubernetes cluster has RBAC enabled, make sure the Kuryr user has
|
||||||
|
access to required resources:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
verbs: ["*"]
|
||||||
|
resources:
|
||||||
|
- endpoints
|
||||||
|
- pods
|
||||||
|
- nodes
|
||||||
|
- services
|
||||||
|
- services/status
|
||||||
|
- namespaces
|
||||||
|
- apiGroups:
|
||||||
|
- openstack.org
|
||||||
|
verbs: ["*"]
|
||||||
|
resources:
|
||||||
|
- kuryrnets
|
||||||
|
- kuryrnetpolicies
|
||||||
|
- kuryrloadbalancers
|
||||||
|
- apiGroups: ["networking.k8s.io"]
|
||||||
|
resources:
|
||||||
|
- networkpolicies
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- update
|
||||||
|
- patch
|
||||||
|
- apiGroups: ["k8s.cni.cncf.io"]
|
||||||
|
resources:
|
||||||
|
- network-attachment-definitions
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
|
||||||
|
You can generate ``ServiceAccount`` definition with correct ``ClusterRole``
|
||||||
|
using instructions on :ref:`containerized-generate` page.
|
||||||
|
|
||||||
Note that the service_subnet and the pod_subnet *should be routable* and that
|
Note that the service_subnet and the pod_subnet *should be routable* and that
|
||||||
the pods should allow service subnet access.
|
the pods should allow service subnet access.
|
||||||
|
|
||||||
|
|
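Review bot: the first two rules in the added YAML grant ``verbs: ["*"]`` on endpoints, pods, nodes, services, services/status and namespaces, and on the ``openstack.org`` resources, which includes delete and deletecollection, while the ``networkpolicies`` and ``network-attachment-definitions`` rules below them list exact verbs. Please enumerate the verbs Kuryr actually needs for each resource in the same way, or state in the note why the wildcard is required, since readers will copy this block into their cluster as written. Two documentation points in the same note: the snippet starts at ``rules:`` without saying which kind it belongs to until the closing sentence mentions ``ClusterRole``, so name the kind before the code block; and ``:ref:`containerized-generate``` targets a section label, so "page" should read "section".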