Add note to Kubernetes RBAC docs about RoleBindings and namespaces #2498
Conversation
ldez
added
area/documentation
status/2-needs-review
and removed
status/0-needs-triage
labels
|
Thanks a lot! Could you rebase your PR against the |
|
Hmm that doesn't look right, do you have a hint for me how to rebase correctly? |
|
I need to rebase your commit onto the I can also take care of it for you if you don't mind. Let me know. |
|
Sure, please go ahead. I'm glad I could help. |
timoreimann
force-pushed
the
feature/k8s-rbac-docs
branch
from
a37d59a
to
25efe1f
Compare
|
@jmara alright, rebase complete. (By the way, I did it my doing a git rebase onto like this: |
docs/user-guide/kubernetes.md
Outdated
| @@ -21,6 +21,9 @@ If your cluster is configured with RBAC, you will need to authorize Træfik to u | |||
|
|
|||
| RoleBindings per namespace enable to restrict granted permissions to the very namespaces only that Træfik is watching over, thereby following the least-privileges principle. This is the preferred approach if Træfik is not supposed to watch all namespaces, and the set of namespaces does not change dynamically. Otherwise, a single ClusterRoleBinding must be employed. | |||
|
|
|||
| !!! note | |||
| RoleBindings per namespace will be available in Træfik 1.5+ please use ClusterRoleBinding for any older version. | |||
There was a problem hiding this comment.
Can we rewrite this as following:
RoleBindings per namespace are available in Træfik 1.5 and later. Please use ClusterRoleBindings for older versions.
(Present tense; replace plus by verbatim text; second sentence; plural for ClusterRoleBinding too; older versions.)
There was a problem hiding this comment.
Sure sounds good. From a documentation perspective in the 1.5 branch present tens makes totally sense. The rest is fine with me. I'll try to make the changes :)
What does this PR do?
I've updated the documentation to give the user a hint that Rolebinding per namespace in only available in version 1.5+
Motivation
Spend an hour digging through Github Issues/PRs to find that the changes how Traefik uses the kubernetes api (namespaves) was not merged into the 1.4 branch. The current docs lead to the impression that this (RoleBinding instead of ClusterRoleBinding) should just work out of the box.
Please see #1626 and #1895