diff --git a/docs/building-functions/on_cluster_build.md b/docs/building-functions/on_cluster_build.md index 922d43d25b..741a9e4f95 100644 --- a/docs/building-functions/on_cluster_build.md +++ b/docs/building-functions/on_cluster_build.md 
@@ -13,11 +13,88 @@ kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previou ``` ## Enabling a namespace to run Function related Tekton Pipelines -1. Add permission to deploy on Knative to `default` Service Account: (This is not needed on OpenShift) + +Set up RBAC permissions for the `default` Service Account to deploy Functions: (This is not needed on OpenShift). +Depending on the to be used deployers, different permissions are required: + +### Option A: Permissions for all deployers (knative, raw and Keda) + +If you plan to use all deployers, you need the full set of permissions. + +```bash +export NAMESPACE= + +kubectl create role func-deployer \ + --verb=get,list,create,update,delete \ + --resource=deployments.apps,replicasets.apps,pods,services,httpscaledobjects.http.keda.sh \ + --namespace=$NAMESPACE + +kubectl create rolebinding func-deployer-binding \ + --role=func-deployer \ + --serviceaccount=$NAMESPACE:default \ + --namespace=$NAMESPACE + +kubectl create clusterrolebinding $NAMESPACE:knative-eventing-namespaced-admin \ + --clusterrole=knative-eventing-namespaced-admin \ + --serviceaccount=$NAMESPACE:default + +kubectl create clusterrolebinding $NAMESPACE:knative-serving-namespaced-admin \ + --clusterrole=knative-serving-namespaced-admin \ + --serviceaccount=$NAMESPACE:default +``` + +### Option B: Permissions only needed for the raw Deployer +```bash +export NAMESPACE= + +kubectl create clusterrolebinding $NAMESPACE:knative-eventing-namespaced-admin \ + --clusterrole=knative-eventing-namespaced-admin \ + --serviceaccount=$NAMESPACE:default + +kubectl create role func-deployer \ + --verb=get,list,create,update,delete \ + --resource=deployments.apps,replicasets.apps,pods,services \ + --namespace=$NAMESPACE + +kubectl create rolebinding func-deployer-binding \ + --role=func-deployer \ + --serviceaccount=$NAMESPACE:default \ + --namespace=$NAMESPACE +``` + +### Option C: Permissions only needed for the KEDA Deployer + +Same as for the 
raw deployer, but additionally permissions for the `HTTPScaledObjects`: + +```bash +export NAMESPACE= + +kubectl create clusterrolebinding $NAMESPACE:knative-eventing-namespaced-admin \ + --clusterrole=knative-eventing-namespaced-admin \ + --serviceaccount=$NAMESPACE:default + +kubectl create role func-deployer \ + --verb=get,list,create,update,delete \ + --resource=deployments.apps,replicasets.apps,pods,services,httpscaledobjects.http.keda.sh \ + --namespace=$NAMESPACE + +kubectl create rolebinding func-deployer-binding \ + --role=func-deployer \ + --serviceaccount=$NAMESPACE:default \ + --namespace=$NAMESPACE +``` + +### Option D: Permissions only needed for the Knative Deployer ```bash export NAMESPACE= + +kubectl create clusterrolebinding $NAMESPACE:knative-eventing-namespaced-admin \ + --clusterrole=knative-eventing-namespaced-admin \ + --serviceaccount=$NAMESPACE:default + kubectl create clusterrolebinding $NAMESPACE:knative-serving-namespaced-admin \ ---clusterrole=knative-serving-namespaced-admin --serviceaccount=$NAMESPACE:default + --clusterrole=knative-serving-namespaced-admin \ + --serviceaccount=$NAMESPACE:default ``` ## Building a Function on Cluster @@ -72,6 +149,15 @@ Please provide credentials for image registry used by Pipeline. 1. In each namespace where Pipelines and Functions were deployed, uninstall following resources: ```bash export NAMESPACE= + +# Remove the Function deployer role and binding (if created for raw or keda deployer) +kubectl delete rolebinding func-deployer-binding --namespace=$NAMESPACE +kubectl delete role func-deployer --namespace=$NAMESPACE + +# Remove the Knative Eventing cluster role binding (if created) +kubectl delete clusterrolebinding $NAMESPACE:knative-eventing-namespaced-admin + +# Remove the Knative Serving cluster role binding (if created for knative deployer) kubectl delete clusterrolebinding $NAMESPACE:knative-serving-namespaced-admin ```
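Review bot: In the first hunk (Options A to D), the `knative-eventing-namespaced-admin` and `knative-serving-namespaced-admin` ClusterRoles are attached with `kubectl create clusterrolebinding`, which grants them to `$NAMESPACE:default` in every namespace of the cluster, not only in `$NAMESPACE`. If the deployers only need these resources in the Function's namespace, a namespaced binding that references the ClusterRole keeps the grant scoped, for example `kubectl create rolebinding knative-eventing-namespaced-admin --clusterrole=knative-eventing-namespaced-admin --serviceaccount=$NAMESPACE:default --namespace=$NAMESPACE`. That matches how `func-deployer` is already bound in Options A to C. Because the subject is the `default` Service Account, the text should also say that every pod in the namespace that does not set its own Service Account runs with these permissions. Two smaller points: Option C is described as the raw deployer's permissions plus `HTTPScaledObjects`, yet Option A's `func-deployer` role is the same as Option C's, so the text could state that A is C plus the serving binding. The intro sentence "Depending on the to be used deployers" reads awkwardly, and "Keda"/"KEDA" and "Deployer"/"deployer" are capitalised inconsistently across the headings.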
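Review bot: In the second hunk (cleanup), the comment on the `func-deployer` deletion says "if created for raw or keda deployer", but Option A (all deployers) creates the same role and binding, so the comment should cover it. Since each delete is conditional on which option was applied, the commands will fail with a not-found error for anyone who followed Option D. Adding `--ignore-not-found` to the `kubectl delete rolebinding`, `kubectl delete role` and `kubectl delete clusterrolebinding` lines makes the block safe to paste as a whole. The eventing comment says "(if created)" although all four options in the first hunk create that binding, so the qualifier can be dropped or explained.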