From 20fb9a285c16e1cf3ca5b3c9fae21b97c66d8915 Mon Sep 17 00:00:00 2001 From: Auri Munoz Date: Tue, 29 Mar 2022 22:06:45 +0200 Subject: [PATCH 1/3] doc: add k8s rbac minimal config --- docs/service-discovery/kubernetes.md | 56 +++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 2 deletions(-) diff --git a/docs/service-discovery/kubernetes.md b/docs/service-discovery/kubernetes.md index 0f8001f6..f44692fe 100644 --- a/docs/service-discovery/kubernetes.md +++ b/docs/service-discovery/kubernetes.md 
@@ -17,9 +17,61 @@ First, you need to add the Stork Kubernetes Service Discovery provider: ``` -####A few words about server authentication. -Stork uses Fabric8 Kubernetes Client to access the Kubernetes resources, concretely the `DefaultKubernetesClient` implementation. It will try to read the ~/.kube/config file in your home directory and load information required for authenticating with the Kubernetes API server. If you are using DefaultKubernetesClient from inside a Pod, it will load ~/.kube/config from the ServiceAccount volume mounted inside the Pod. You can override this configuration if you want a more complex configuration. +#### A few words about server authentication. +Stork uses [Fabric8 Kubernetes Client](https://github.com/fabric8io/kubernetes-client#readme) to access the Kubernetes resources, concretely the `DefaultKubernetesClient` implementation. +Stork uses Fabric8 Kubernetes Client to access the Kubernetes resources, concretely the `DefaultKubernetesClient` implementation. + +It will try to read the `~/.kube/config` file from your local machine and load the token for authenticating with the Kubernetes API server. + +If you are using the Stork Kubernetes discovery provider from inside a _Pod_, it load `~/.kube/config` from the container file system. + +This file is automatically mounted inside the Pod. + +The level of access (Roles) depends on the configured `ServiceAccount`. + +You can override this configuration if you want fine-grain control. + +##### Role-based access control (RBAC) +If you're using a Kubernetes cluster with Role-Based Access Control (RBAC) enabled, the default permissions for a ServiceAccount don't allow it to list or modify any resources. +A `ServiceAccount`, a `Role` and a `RoleBinding` are needed in order to allow Stork to list the available service instances from the cluster or the namespace. 
+ +An example that allows listing all endpoints could look something like this: + +```yaml +------ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: + namespace: +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: + namespace: +rules: + - apiGroups: [""] # "" indicates the core API group + resources: ["endpoints"] # stork queries service endpoints + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: + namespace: +subjects: + - kind: ServiceAccount + # Reference to upper's `metadata.name` + name: + # Reference to upper's `metadata.namespace` + namespace: +roleRef: + kind: Role + name: + apiGroup: rbac.authorization.k8s.io +``` ## Configuration From 49dd1df4e563774092143a6d5a3e39026de03c15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aurea=20Mu=C3=B1oz=20Hern=C3=A1ndez?= <6627952+aureamunoz@users.noreply.github.com> Date: Wed, 30 Mar 2022 12:56:41 +0200 Subject: [PATCH 2/3] Update docs/service-discovery/kubernetes.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: MichaƂ Szynkiewicz --- docs/service-discovery/kubernetes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/service-discovery/kubernetes.md b/docs/service-discovery/kubernetes.md index f44692fe..063aab04 100644 --- a/docs/service-discovery/kubernetes.md +++ b/docs/service-discovery/kubernetes.md 
@@ -24,7 +24,7 @@ Stork uses Fabric8 Kubernetes Client to access the Kubernetes resources, concret It will try to read the `~/.kube/config` file from your local machine and load the token for authenticating with the Kubernetes API server. -If you are using the Stork Kubernetes discovery provider from inside a _Pod_, it load `~/.kube/config` from the container file system. +If you are using the Stork Kubernetes discovery provider from inside a _Pod_, it loads `~/.kube/config` from the container file system. This file is automatically mounted inside the Pod. From 1eff588ccd2e7122796003b704f330c448747390 Mon Sep 17 00:00:00 2001 From: Auri Munoz Date: Wed, 30 Mar 2022 13:09:46 +0200 Subject: [PATCH 3/3] remove duplicate --- docs/service-discovery/kubernetes.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/service-discovery/kubernetes.md b/docs/service-discovery/kubernetes.md index 063aab04..5b54186b 100644 --- a/docs/service-discovery/kubernetes.md +++ b/docs/service-discovery/kubernetes.md @@ -20,8 +20,6 @@ First, you need to add the Stork Kubernetes Service Discovery provider: #### A few words about server authentication. Stork uses [Fabric8 Kubernetes Client](https://github.com/fabric8io/kubernetes-client#readme) to access the Kubernetes resources, concretely the `DefaultKubernetesClient` implementation. -Stork uses Fabric8 Kubernetes Client to access the Kubernetes resources, concretely the `DefaultKubernetesClient` implementation. - It will try to read the `~/.kube/config` file from your local machine and load the token for authenticating with the Kubernetes API server. If you are using the Stork Kubernetes discovery provider from inside a _Pod_, it loads `~/.kube/config` from the container file system.
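Review bot: In the first hunk (PATCH 1/3, `@@ -17,9 +17,61 @@`) the RBAC example mixes API versions: the `Role` uses `rbac.authorization.k8s.io/v1` but the `RoleBinding` uses `rbac.authorization.k8s.io/v1beta1`, which was removed in Kubernetes 1.22, so the manifest as written will be rejected on current clusters; use `v1` for the binding too. The `------` line directly after the ```yaml fence is not a valid YAML document separator (that is `---`) and will make `kubectl apply` fail on the copied example; drop it or replace it with `---`. The least-privilege shape is good (only `get`/`list` on `endpoints`), but since the text above says Stork may list instances "from the cluster or the namespace", it is worth stating that a namespaced `Role`/`RoleBinding` only covers the namespace named in the manifest and that cluster-wide discovery needs a `ClusterRole` and `ClusterRoleBinding`. Minor: the empty `name:`/`namespace:` fields should carry a visible placeholder (for example `<service-account-name>`) so readers see they must be filled in, and the heading `#### A few words about server authentication.` should not end with a period.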
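Review bot: The second hunk (PATCH 2/3, `@@ -24,7 +24,7 @@`) only fixes "it load" to "it loads", but the sentence it corrects is still inaccurate together with the next line "This file is automatically mounted inside the Pod.": what Kubernetes mounts into a Pod is not a `~/.kube/config` file but the ServiceAccount token and CA certificate under `/var/run/secrets/kubernetes.io/serviceaccount`, and the Fabric8 client falls back to those when no kubeconfig is present. Suggest rewording to "If you are using the Stork Kubernetes discovery provider from inside a Pod, the client authenticates with the ServiceAccount token automatically mounted into the container." That also explains the following line about the level of access depending on the configured `ServiceAccount`.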
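Review bot: The third hunk (PATCH 3/3, `@@ -20,8 +20,6 @@`) correctly removes the duplicated "Stork uses Fabric8 Kubernetes Client ..." sentence and its trailing blank line, leaving a single blank line before "It will try to read ...". Since patches 2 and 3 only repair defects introduced by patch 1 (the duplicated sentence and the "it load" typo), consider squashing the three commits into one before merging so the history does not record the doc page in a broken state.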