docs: Updated the content of deploy/rbac.md (#10054)

Due to Kubernetes having deprecated the use of configmap as a mechanism
for elections, we have migrated to a mechanism based on leases
resources. However, the documentation has not been updated, resulting in
inconsistencies.

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
Jintao Zhang 2023-06-07 22:58:13 +08:00 committed by GitHub
parent 712e10d417
commit c3ea3b861e
GPG key ID: 4AEE18F83AFDEB23

@ -29,39 +29,38 @@ namespace specific permissions defined by the `Role` named `ingress-nginx`.
These permissions are granted in order for the ingress-nginx-controller to be These permissions are granted in order for the ingress-nginx-controller to be
able to function as an ingress across the cluster. These permissions are able to function as an ingress across the cluster. These permissions are
granted to the ClusterRole named `ingress-nginx` granted to the `ClusterRole` named `ingress-nginx`
* `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch * `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch
* `nodes`: get * `nodes`: get
* `services`, `ingresses`: get, list, watch * `services`, `ingresses`, `ingressclasses`, `endpointslices`: get, list, watch
* `events`: create, patch * `events`: create, patch
* `ingresses/status`: update * `ingresses/status`: update
* `leases`: list, watch
### Namespace Permissions ### Namespace Permissions
These permissions are granted specific to the ingress-nginx namespace. These These permissions are granted specific to the ingress-nginx namespace. These
permissions are granted to the Role named `ingress-nginx` permissions are granted to the `Role` named `ingress-nginx`
* `configmaps`, `pods`, `secrets`: get * `configmaps`, `pods`, `secrets`: get
* `endpoints`: get * `endpoints`: get
Furthermore to support leader-election, the ingress-nginx-controller needs to Furthermore to support leader-election, the ingress-nginx-controller needs to
have access to a `configmap` using the resourceName `ingress-controller-leader-nginx` have access to a `leases` using the resourceName `ingress-nginx-leader`
> Note that resourceNames can NOT be used to limit requests using the “create” > Note that resourceNames can NOT be used to limit requests using the “create”
> verb because authorizers only have access to information that can be obtained > verb because authorizers only have access to information that can be obtained
> from the request URL, method, and headers (resource names in a “create” request > from the request URL, method, and headers (resource names in a “create” request
> are part of the request body). > are part of the request body).
* `configmaps`: get, update (for resourceName `ingress-controller-leader-nginx`) * `leases`: get, update (for resourceName `ingress-controller-leader`)
* `configmaps`: create * `leases`: create
This resourceName is the concatenation of the `election-id` and the This resourceName is the `election-id` defined by the ingress-controller, which defaults to:
`ingress-class` as defined by the ingress-controller, which defaults to:
* `election-id`: `ingress-controller-leader` * `election-id`: `ingress-controller-leader`
* `ingress-class`: `nginx` * `resourceName` : `<election-id>`
* `resourceName` : `<election-id>-<ingress-class>`
Please adapt accordingly if you overwrite either parameter when launching the Please adapt accordingly if you overwrite either parameter when launching the
ingress-nginx-controller. ingress-nginx-controller.
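
Review bot: The updated leader-election text names two different lease resourceNames. The sentence "have access to a `leases` using the resourceName `ingress-nginx-leader`" disagrees with the bullet "`leases`: get, update (for resourceName `ingress-controller-leader`)" and with the stated `election-id` default of `ingress-controller-leader`. Since the `get`/`update` rule is scoped by resourceName, a reader who copies the wrong name into a `Role` ends up with a controller that cannot update its election lease, so please pick the one value that matches the controller's default and use it in all three places. Two smaller points in the same region: "Please adapt accordingly if you overwrite either parameter" still says "either" although `ingress-class` was dropped and only `election-id` remains, and "a `leases`" should read "a `lease`" (or "the `leases` resource"). It would also help to say why the `ClusterRole` list gains "`leases`: list, watch" when the namespace `Role` already covers the election lease, so readers can judge whether the cluster-wide grant is needed.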