Merge pull request #295 from michaeldayreads/1.1-stable

Merge pull request #289 from michaeldayreads/rbac-config
F5Networks · Aug 25, 2017 · 6c265d0 · 6c265d0
2 parents d830fac + fb6d976
commit 6c265d0
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 0 deletions.
diff --git a/docs/README.rst b/docs/README.rst
@@ -359,6 +359,7 @@ Example Configuration Files
 - `simple-ingress-fanout.yaml <./_static/config_examples/simple-ingress-fanout.yaml>`_
 - `name-based-ingress.yaml <./_static/config_examples/name-based-ingress.yaml>`_
 - `ingress-with-health-monitors.yaml <./_static/config_examples/ingress-with-health-monitors.yaml>`_
+- `sample-rbac.yaml <./_static/config_examples/sample-rbac.yaml>`_
 
 
 .. [#objectpartition]  The |kctlr-long| creates and manages objects in the BIG-IP partition defined in the `F5 resource </containers/v1/kubernetes/index.html#f5-resource-properties>`_ ConfigMap.

diff --git a/docs/_static/config_examples/sample-k8s-bigip-ctlr-secrets.yaml b/docs/_static/config_examples/sample-k8s-bigip-ctlr-secrets.yaml
@@ -13,6 +13,7 @@ spec:
       labels:
         app: k8s-bigip-ctlr
     spec:
+      serviceAccountName: bigip-ctlr-serviceaccount
       containers:
         - name: k8s-bigip-ctlr
           # Specify the path to your image here
@@ -50,3 +51,11 @@ spec:
           ]
     imagePullSecrets:
       - name: f5-docker-images
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: bigip-ctlr-serviceaccount
+  namespace: kube-system
diff --git a/docs/_static/config_examples/sample-rbac.yaml b/docs/_static/config_examples/sample-rbac.yaml
@@ -0,0 +1,64 @@
+# for use in clusters using RBAC
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: bigip-ctlr-clusterrole
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  - services
+  - endpoints
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - create
+  - patch
+- apiGroups:
+  - "extensions"
+  resources:
+  - ingresses/status
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - create
+  - patch
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: bigip-ctlr-clusterrole-binding
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: bigip-ctlr-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: bigip-ctlr-serviceaccount
+  namespace: kube-system