From 109ad80627f5563d854d38bfd18fb252a773803e Mon Sep 17 00:00:00 2001 From: Solly Ross Date: Mon, 25 Sep 2017 13:26:27 -0400 Subject: [PATCH] [docs] Minor walkthough fixes This fixes a typo in the walkthrough with a missing `` closing tag, and clarifies that you'll need RBAC set up for delegation. --- docs/walkthrough.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/walkthrough.md b/docs/walkthrough.md index bfad6d2d..e57d8ce5 100644 --- a/docs/walkthrough.md +++ b/docs/walkthrough.md @@ -210,14 +210,20 @@ Then, store your serving certificates in a secret: $ kubectl -n prom create secret tls serving-cm-adapter --cert=/path/to/cm-adapter/serving.crt --key=/path/to/cm-adapter/serving.key ``` -Finally, you'll need to make sure that the default service account for -your namespace has permission to list resources in the cluster: +Next, you'll need to make sure that the service account used to launch the +Deployment has permission to list resources in the cluster: ```shell $ kubectl create clusterrole resource-lister --verb=list --resource="*" $ kubectl create clusterrolebinding cm-adapter-resource-lister --clusterrole=resource-lister -- serviceaccount=prom:prom-cm-adapter ``` +Finally, ensure the deployment has all the necessary permissions to +delegate authentication and authorization decisions to the main API +server. See [Concepts: Auth and +Certificates](https://github.com/kubernetes-incubator/apiserver-builder/blob/master/docs/concepts/auth.md) +for more information. + Next, amend the file above to run the adapter as well. You may need to modify this part if you wish to inject the needed certificates a different way. @@ -328,7 +334,7 @@ spec: namespace: prom ``` -
+
Register that registration object with the aggregator: