documentation updates for v2.4.1 (#2562)

kubernetes-sigs · Mar 18, 2022 · b564cef · b564cef
1 parent c4471de
commit b564cef
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 2 deletions.
diff --git a/docs/deploy/configurations.md b/docs/deploy/configurations.md
@@ -143,4 +143,5 @@ They are a set of kye=value pairs that describe AWS load balance controller feat
 |---------------------------------------|---------------------------------|-----------------|-------------|
 | ListenerRulesTagging                  | string                          | true           | Enable or disable tagging AWS load balancer listeners and rules |
 | WeightedTargetGroups                  | string                          | true           | Enable or disable weighted target groups |
-| ServiceTypeLoadBalancerOnly           | string                          | false          | If enabled, controller will be limited to reconciling service of type `LoadBalancer`|
+| ServiceTypeLoadBalancerOnly           | string                          | false          | If enabled, controller will be limited to reconciling service of type `LoadBalancer`|
+| EndpointsFailOpen                     | string                          | false          | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. |
diff --git a/docs/examples/secrets_access.md b/docs/examples/secrets_access.md
@@ -0,0 +1,58 @@
+# RBAC configuration for secrets resources
+
+In this walkthrough, you will
+
+- configure RBAC permissions for the controller to access specific secrets resource in a particular namespace.
+
+# Create Role
+1. Prepare the role manifest with the appropriate name, namespace, and secretName, for example:
+
+    ```
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+        name: example-role
+        namespace: example-namespace
+    rules:
+      - apiGroups:
+           - ""
+        resourceNames:
+          - example-secret
+        resources:
+          - secrets
+        verbs:
+          - get
+          - list
+          - watch
+    ```
+
+2. Apply the role manifest
+
+    ```
+    kubectl apply -f role.yaml
+    ```
+
+# Create RoleBinding
+1. Prepare the rolebinding manifest with the appropriate name, namespace and role reference. For example:
+
+    ```
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+        name: example-rolebinding
+        namespace: example-namespace
+    roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: example-role
+    subjects:
+      - kind: ServiceAccount
+        name: aws-load-balancer-controller
+        namespace: kube-system
+    ```
+
+2. Apply the rolebinding manifest
+
+    ```
+    kubectl apply -f rolebinding.yaml
+    ```
diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
@@ -86,6 +86,7 @@ If you are setting `serviceMonitor.enabled: true` you need to have installed the
 
 ## Installing the Chart
 **Note**: You need to uninstall aws-alb-ingress-controller. Please refer to the [upgrade](#Upgrade) section below before you proceed.
+**Note**: Starting chart version 1.4.1, you need to explicitly set clusterSecretsPermissions.allowAllSecrets to true to grant the controller permission to access all secrets for OIDC feature. We recommend configuring access to individual secrets resource separately [[link](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/examples/secrets_access/)].
 
 Add the EKS repository to Helm:
 ```shell script
@@ -234,4 +235,4 @@ The default values set by the application itself can be confirmed [here](https:/
 | `serviceMonitor.enabled`                       | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed   | `false`                                                                            |
 | `serviceMonitor.additionalLabels`              | Labels to add to the service account                                                                     | `{}`                                                                               |
 | `serviceMonitor.interval`                      | Prometheus scrape interval                                                                               | `1m`                                                                               |
-| `clusterSecretsPermissions.allowAllSecrets`    | If `true`, controller has access to all secrets in the cluster.                                          | `false`                                                                            |
+| `clusterSecretsPermissions.allowAllSecrets`    | If `true`, controller has access to all secrets in the cluster.                                          | `false`                                                                            |
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -33,6 +33,7 @@ nav:
   - Examples:
     - EchoServer: examples/echo_server.md
     - gRPCServer: examples/grpc_server.md
+    - RBAC to access OIDC Secret: examples/secrets_access.md