Commit

update annotations versions and helm values doc (#1135)
akshaysngupta committed Feb 6, 2021
1 parent 5b52237 commit 098a4e0
Showing 2 changed files with 20 additions and 8 deletions.
14 changes: 7 additions & 7 deletions docs/annotations.md
Expand Up @@ -23,13 +23,13 @@ For an Ingress resource to be observed by AGIC it **must be annotated** with `ku
| [appgw.ingress.kubernetes.io/override-frontend-port](#override-frontend-port) | `string` | | | `1.3.0` |
| [appgw.ingress.kubernetes.io/use-private-ip](#use-private-ip) | `bool` | `false` | | `1.0.0` |
| [appgw.ingress.kubernetes.io/waf-policy-for-path](#azure-waf-policy-for-path) | `string` | | | `1.3.0` |
| [appgw.ingress.kubernetes.io/health-probe-hostname](#health-probe-hostname) | `string` | `nil` | | `not yet released` |
| [appgw.ingress.kubernetes.io/health-probe-port](#health-probe-port) | `int32` | `nil` | | `not yet released` |
| [appgw.ingress.kubernetes.io/health-probe-path](#health-probe-path) | `string` | `nil` | | `not yet released` |
| [appgw.ingress.kubernetes.io/health-probe-status-codes](#health-probe-status-codes) | `[]string` | `nil` | | `not yet released` |
| [appgw.ingress.kubernetes.io/health-probe-interval](#health-probe-interval) | `int32` | `nil` | | `not yet released` |
| [appgw.ingress.kubernetes.io/health-probe-timeout](#health-probe-timeout) | `int32` | `nil` | | `not yet released` |
| [appgw.ingress.kubernetes.io/health-probe-unhealthy-threshold](#health-probe-unhealthy-threshold) | `int32` | `nil` | | `not yet released` |
| [appgw.ingress.kubernetes.io/health-probe-hostname](#health-probe-hostname) | `string` | `nil` | | `1.4.0-rc1` |
| [appgw.ingress.kubernetes.io/health-probe-port](#health-probe-port) | `int32` | `nil` | | `1.4.0-rc1` |
| [appgw.ingress.kubernetes.io/health-probe-path](#health-probe-path) | `string` | `nil` | | `1.4.0-rc1` |
| [appgw.ingress.kubernetes.io/health-probe-status-codes](#health-probe-status-codes) | `[]string` | `nil` | | `1.4.0-rc1` |
| [appgw.ingress.kubernetes.io/health-probe-interval](#health-probe-interval) | `int32` | `nil` | | `1.4.0-rc1` |
| [appgw.ingress.kubernetes.io/health-probe-timeout](#health-probe-timeout) | `int32` | `nil` | | `1.4.0-rc1` |
| [appgw.ingress.kubernetes.io/health-probe-unhealthy-threshold](#health-probe-unhealthy-threshold) | `int32` | `nil` | | `1.4.0-rc1` |

## Override Frontend Port

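Review bot: The seven `health-probe-*` rows now give `1.4.0-rc1` in the last column, a release candidate, while the neighbouring rows (`1.3.0`, `1.0.0`) name final releases. If the column means the first version in which the annotation is supported, the value will go stale once 1.4.0 ships; consider a follow-up that changes these to `1.4.0` at release, or a note by the table that pre-release versions may appear, so users on a stable release do not assume the annotations are available to them.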
14 changes: 13 additions & 1 deletion docs/helm-values-documenation.md
Expand Up @@ -14,6 +14,8 @@
| `appgw.shared` | false | This boolean flag should be defaulted to `false`. Set to `true` should you need a [Shared App Gateway](setup/install-existing.md#multi-cluster--shared-app-gateway). |
| `appgw.subResourceNamePrefix` | No prefix if empty | Prefix that should be used in the naming of the Application Gateway's sub-resources|
| `kubernetes.watchNamespace` | Watches all if empty | Specify the name space, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces. |
| `kubernetes.securityContext` | `runAsUser: 0` | Specify security context to use with AGIC deployment. By default, AGIC will assume `root` permission. Jump to [Security Context](#security-context) for more information. |
| `kubernetes.podAnnotations` | `{}` | Specify custom annotations for AGIC pod |
| `kubernetes.nodeSelector` | `{}` | Scheduling node selector |
| `kubernetes.tolerations` | `[]` | Scheduling tolerations |
| `kubernetes.affinity` | `{}` | Scheduling affinity |
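Review bot: The new `kubernetes.securityContext` row documents a default of `runAsUser: 0`, that is root, but its description does not say what a non-root setting requires; the reader has to follow the link to learn that `appgw.subscriptionId`, `appgw.resourceGroup` and `appgw.name`, or `appgw.applicationGatewayID`, must then be supplied. Suggest stating in the row that root is used to read the `cloud-provider` config, and clarifying whether the value is applied as a pod-level or container-level security context, since "to use with AGIC deployment" leaves that open. Minor: "will assume `root` permission" would read more precisely as "runs as `root`".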
Expand All @@ -25,7 +27,6 @@
| `armAuth.secretJSON` | | Only needed when Service Principal Secret type is chosen (when `armAuth.type` has been set to `servicePrincipal`) |
| `nodeSelector` | `{}` | (Legacy: use `kubernetes.nodeSelector` instead) Scheduling node selector |


## Example

```yaml
Expand All @@ -46,3 +47,14 @@ kubernetes:
rbac:
enabled: false
```

---
### Security Context
By default, AGIC will assume `root` permission which allows it to read `cloud-provider` config and get meta-data information about the cluster.
If you want AGIC to run without `root` access, then make sure that AGIC is installed with atleast the following information to run successfully:
* `appgw.subscriptionId`, `appgw.resourceGroup` and `appgw.name`
or
* `appgw.applicationGatewayID`

AGIC also uses `cloud-provider` config to get Node's Virtual Network Name / Subscription and Route table name. If AGIC is not able to reach this information, It will skip assigning the Node's route table to Application Gateway's subnet which is required when using `kubenet` network plugin. To workaround, this assignment can be performed manually.
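Review bot: The last paragraph of the new Security Context section says AGIC "will skip assigning the Node's route table to Application Gateway's subnet" when it cannot read the `cloud-provider` config, but it does not tell a `kubenet` user how to notice that the step was skipped or how to perform the manual assignment. Suggest stating whether AGIC logs a message when it skips the assignment and linking to the steps for associating the route table by hand; a short values snippet showing a non-root `kubernetes.securityContext` together with the required `appgw.*` settings would also help. Style: "atleast" should be "at least", "It will skip" should use a lower-case "it", "To workaround" should be "As a workaround", the bare `or` between the two bullets splits the list when rendered, and the `###` heading placed after `## Example` nests this section under the example.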
