Add Documentation about customresourcedefinitions creation role

2017-09-26 20:20:05 +02:00
parent 2c468ea8a0
commit cca0275b0b
1 changed files with 30 additions and 0 deletions
--- a/Documentation/storage.md
+++ b/Documentation/storage.md
@@ -53,6 +53,36 @@ status:

 Once the `CustomResourceDefinition` is created, custom resources can be created and stored at a namespace level. The CRD type and the custom resources can be queried, deleted, and edited like any other resource using `kubectl`.

+dex requires access to the non-namespaced `CustomResourceDefinition` type. For example, clusters using RBAC authorization would need to create the following roles and bindings:
+```
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: dex
+rules:
+- apiGroups: ["dex.coreos.com"] # API group created by dex
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["create"] # To manage its own resources identity must be able to create customresourcedefinitions.
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: dex
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dex
+subjects:
+- kind: ServiceAccount
+  name: dex                 # Service account assigned to the dex pod.
+  namespace: dex-namespace  # The namespace dex is running in.
+
+```
+
+
 ## Kubernetes third party resources(TPRs)

 __NOTE:__ TPRs will be deprecated by Kubernetes version 1.8.