Merge pull request #3 from swatisehgal/crd-cluster-role

Topology Exporter Daemon: NodeTopologyResource ClusterRole and ClusterRoleBinding

keps/sig-node/20200619-provisioning-resources-with-numa-topology.md

@@ -37,8 +37,8 @@ see-also:
   - [Graduation Criteria](#graduation-criteria)
 - [Implementation History](#implementation-history)
 - [Alternatives](#alternatives)
-  - [Annotation approach] (#annotation-approach)
-  - [NUMA specification in ResourceName] (#numa-in-resourcename)
+  - [Annotation approach](#annotation-approach)
+  - [NUMA specification in ResourceName](#numa-in-resourcename)
 <!-- /toc -->
 
 ## Summary
@@ -163,6 +163,42 @@ type NUMANodeResource struct {
 The code for working with it is generated by https://github.com/kubernetes/code-generator.git
 One CRD instance contains information of available resources of the appropriate worker node.
 
+In order to allow the Daemon (running as a pod on each node in the cluster) to create, get, update, delete NodeResourceTopology CRD instances, ClusterRole and ClusterRoleBinding would have to be configured as below:
+
+``` yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: noderesourcetopology-handler
+rules:
+- apiGroups: ["k8s.cncf.io"]
+  resources: ["noderesourcetopologies"]
+  verbs: ["*"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["*"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: handle-noderesourcetopology
+subjects:
+- kind: ServiceAccount
+  name: noderesourcetopology-account
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: noderesourcetopology-handler
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: noderesourcetopology-account
+```
+
+`serviceAccountName: noderesourcetopology-account` would have to be added to the manifest file of the Daemon.
+
 ### Graduation Criteria
 
 * The feature has been stable and reliable in the past several releases.