From ab404b9d9d21673f3eed6e269db6afe503fba13f Mon Sep 17 00:00:00 2001 From: Ivan Font Date: Tue, 12 Dec 2017 15:44:12 -0800 Subject: [PATCH] Add steps for extension api-server setup Update extension api-server to include missing steps for auth delegation cluster role binding and extension-apiserver-authentication-reader role binding. --- .../tasks/access-kubernetes-api/setup-extension-api-server.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/tasks/access-kubernetes-api/setup-extension-api-server.md b/docs/tasks/access-kubernetes-api/setup-extension-api-server.md index ea06e7c3b25f9..66c91cecb65fd 100644 --- a/docs/tasks/access-kubernetes-api/setup-extension-api-server.md +++ b/docs/tasks/access-kubernetes-api/setup-extension-api-server.md @@ -37,7 +37,9 @@ Alternatively, you can use an existing 3rd party solution, such as [apiserver-bu 1. Make sure that your extension-apiserver loads those certs from that volume and that they are used in the HTTPS handshake. 1. Create a Kubernetes service account in your namespace. 1. Create a Kubernetes cluster role for the operations you want to allow on your resources. -1. Create a Kubernetes cluster role binding from the default service account in your namespace to the cluster role you just created. +1. Create a Kubernetes cluster role binding from the service account in your namespace to the cluster role you just created. +1. Create a Kubernetes cluster role binding from the service account in your namespace to the `system:auth-delegator` cluster role to delegate auth decisions to the Kubernetes core API server. +1. Create a Kubernetes role binding from the service account in your namespace to the `extension-apiserver-authentication-reader` role. This allows your extension api-server to access the `extension-apiserver-authentication` configmap. 1. Create a Kubernetes apiservice. The CA cert above should be base64 encoded, stripped of new lines and used as the spec.caBundle in the apiservice. This should not be namespaced. If using the [kube-aggregator API](https://github.com/kubernetes/kube-aggregator/), only pass in the PEM encoded CA bundle because the base 64 encoding is done for you. 1. Use kubectl to get your resource. It should return "No resources found." Which means that everything worked but you currently have no objects of that resource type created yet.