Add info about required RBAC permissions to docs

This commit adds information about required Kuryr Kubernetes user
permissions when RBAC is enabled to the manual installation guide.

Change-Id: I6175350eff4a8f05b7fa9ba020ad129a455feacd
Michał Dulko 2019-12-19 10:59:19 +01:00
parent 911d65fea7
commit ffe5962253
2 changed files with 44 additions and 0 deletions

@ -31,6 +31,7 @@ Deployment and kuryr-cni DaemonSet definitions to use pre-built `controller`_
and `cni`_ images from the Docker Hub. Those definitions will be generated in
next step.
.. _containerized-generate:
Generating Kuryr resource definitions for Kubernetes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
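
Review bot: the new label ``containerized-generate`` above the "Generating Kuryr resource definitions for Kubernetes" title is fairly generic, and Sphinx labels share one namespace across the whole documentation tree. A name that says what is being generated, kept in sync with the ``:ref:`` in the other file of this change, would be less likely to collide with a label added later.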

@ -70,6 +70,49 @@ Edit ``kuryr.conf``:
If you use tokens to authenticate use ``[kubernetes]token_file`` to specify
a file having it.
.. note::
If your Kubernetes cluster has RBAC enabled, make sure the Kuryr user has
access to required resources:
.. code-block:: yaml
rules:
- apiGroups:
- ""
verbs: ["*"]
resources:
- endpoints
- pods
- nodes
- services
- services/status
- namespaces
- apiGroups:
- openstack.org
verbs: ["*"]
resources:
- kuryrnets
- kuryrnetpolicies
- kuryrloadbalancers
- apiGroups: ["networking.k8s.io"]
resources:
- networkpolicies
verbs:
- get
- list
- watch
- update
- patch
- apiGroups: ["k8s.cni.cncf.io"]
resources:
- network-attachment-definitions
verbs:
- get
You can generate ``ServiceAccount`` definition with correct ``ClusterRole``
using instructions on :ref:`containerized-generate` page.
Note that the service_subnet and the pod_subnet *should be routable* and that
the pods should allow service subnet access.
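
Review bot: ``verbs: ["*"]`` in the first two rules grants every verb, including delete, on pods, nodes, services and namespaces as well as on the ``openstack.org`` resources, which is broader than a documented minimum should be. List the verbs Kuryr actually needs explicitly, as the ``networking.k8s.io`` and ``k8s.cni.cncf.io`` rules already do, or say in the note that the wildcard is a convenience rather than a requirement. The snippet also starts at ``rules:`` with no ``kind`` shown; since nodes and namespaces are cluster-scoped, state up front that these rules belong in a ``ClusterRole`` bound to the Kuryr user, rather than leaving that to the closing sentence. Minor wording: ``:ref:`containerized-generate``` resolves to a section title, so "on ... page" will read oddly once rendered; "in the ... section" fits better.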