From 5a98b1539f5e2d1ab1f27e0f56a597520a77ecad Mon Sep 17 00:00:00 2001
From: Auri Munoz
Date: Tue, 29 Mar 2022 22:06:45 +0200
Subject: [PATCH] doc: add k8s rbac minimal config
---
docs/service-discovery/kubernetes.md | 40 +++++++++++++++++++++++++++-
1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/docs/service-discovery/kubernetes.md b/docs/service-discovery/kubernetes.md
index 0f8001f6..9e861731 100644
--- a/docs/service-discovery/kubernetes.md
+++ b/docs/service-discovery/kubernetes.md
@@ -17,9 +17,47 @@ First, you need to add the Stork Kubernetes Service Discovery provider:
 ```
-####A few words about server authentication.
+#### A few words about server authentication.
 Stork uses Fabric8 Kubernetes Client to access the Kubernetes resources, concretely the `DefaultKubernetesClient` implementation. It will try to read the ~/.kube/config file in your home directory and load information required for authenticating with the Kubernetes API server. If you are using DefaultKubernetesClient from inside a Pod, it will load ~/.kube/config from the ServiceAccount volume mounted inside the Pod. You can override this configuration if you want a more complex configuration.
+##### Role-based access control (RBAC)
+If you're using a Kubernetes cluster with RBAC enabled, the default permissions for a ServiceAccount don't allow it ot list or modify any resources.
+A `ServiceAccount`, a `Role` and a `RoleBinding` will be needed in order to allow Stork to get/list service instances from the cluster. An example that allows listing all endpoints could look something like this:
+
+```yaml
+------
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name:
+ namespace:
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace:
+ name:
+rules:
+ - apiGroups: [""] # "" indicates the core API group
+ resources: ["endpoints"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name:
+ namespace:
+subjects:
+ - kind: ServiceAccount
+ # Reference to upper's `metadata.name`
+ name: default
+ # Reference to upper's `metadata.namespace`
+ namespace:
+roleRef:
+ kind: Role
+ name:
+ apiGroup: rbac.authorization.k8s.io
+```
 ## Configuration
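Review bot: The RoleBinding subject is `name: default` while the ServiceAccount defined above it is left unnamed, so as written the example grants endpoint read access to the namespace's `default` ServiceAccount (and therefore to every Pod in that namespace that does not set `serviceAccountName`) instead of to the dedicated account the text tells the reader to create; the subject `name:` should be the ServiceAccount's `metadata.name`, and a sentence noting that the Pod spec must set `serviceAccountName` to that account would complete the least-privilege setup. The RoleBinding also uses `apiVersion: rbac.authorization.k8s.io/v1beta1` while the Role uses `v1`; the v1beta1 RBAC API has been removed from recent Kubernetes releases, so both resources should declare `rbac.authorization.k8s.io/v1`. The first document separator in the block is `------` rather than `---`, which makes the YAML invalid when copied, and `allow it ot list` should read `allow it to list`.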