Add instructions for clusters with RBAC installed.

This adds instructions on how to install the controller when RBAC is
enabled in the cluster.

README.md

@@ -104,20 +104,6 @@ We've provided [an example](_examples/docker-registry/manifest.yml) on how to us
 
 ## Installation
 
-### Setting up the controller
-
-First, you'll need to set up the controller. The controller takes care of
-monitoring your Resource Definitions and populating the correct Kubernetes
-Secrets with Manifold Credentials. Without it, nothing will happen.
-
-```
-$ kubectl create -f https://raw.githubusercontent.com/manifoldco/kubernetes-credentials/master/credentials-controller.yml
-```
-
-**Note:** You can customise this credentials-controller file. This is a general
-purpose Deployment. `MANIFOLD_API_TOKEN` is a required environment variable for
-the controller.
-
 ### Setting up the Manifold Auth Token to retrieve the credentials
 
 Once the controller is installed, you'll also want to enable access to the
@@ -130,13 +116,37 @@ $ manifold tokens create
 Once you have the token, you'll want to create a new Kubernetes Secret:
 
 ```
+$ kubectl create namespace manifold-system
 $ kubectl create --namespace=manifold-system secret generic manifold-api-secrets --from-literal=api_token=<AUTH_TOKEN> --from-literal=team=<MANIFOLD_TEAM>
 ```
 
 **Note:** The team value is optional. If a team is provided in the controller
 (see below), only resources that define this team will be picked up and used
 to load the credentials. If no team is defined, this is ignored.
 
+### Setting up the controller
+
+First, you'll need to set up the controller. The controller takes care of
+monitoring your Resource Definitions and populating the correct Kubernetes
+Secrets with Manifold Credentials. Without it, nothing will happen.
+
+```
+$ kubectl create -f https://raw.githubusercontent.com/manifoldco/kubernetes-credentials/master/credentials-controller.yml
+```
+
+**Note:** You can customise this credentials-controller file. This is a general
+purpose Deployment. `MANIFOLD_API_TOKEN` is a required environment variable for
+the controller.
+
+#### With RBAC installed
+
+To use RBAC, we'll add additional ClusterRoles to allow managing CRDs and
+secrets.
+
+```
+$ kubectl create -f https://raw.githubusercontent.com/manifoldco/kubernetes-credentials/master/rbac.yml
+```
+
 ## Releasing
 
 To release a new version of this package, use the Make target `release`:

credentials-controller.yml

@@ -5,6 +5,14 @@ metadata:
 
 ---
 
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: manifold-credentials
+  namespace: manifold-system
+
+---
+
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -17,6 +25,7 @@ spec:
       labels:
         app: "manifold-k8s-credentials-controller"
     spec:
+      serviceAccountName: manifold-credentials
       containers:
         - name: credentials-controller
           image: manifoldco/kubernetes-credentials:v0.1.0

rbac.yml

@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: manifold:credentials
+rules:
+  - apiGroups: ["manifold.co"]
+    resources: ["projects", "resources"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["*"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["*"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: manifold:credentials
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manifold:credentials
+subjects:
+  - name: manifold-credentials
+    namespace: manifold-system
+    kind: ServiceAccount