You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CONTRIBUTING.md
+40Lines changed: 40 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -539,6 +539,46 @@ new features.
539
539
540
540
---
541
541
542
+
## Managing multiple clusters
543
+
544
+
As enterprise features are deployed, the multi-cluster permissions may need to be updated as well. For example viewing canaries from a leaf cluster did not work. Below is an example rbac config that resolved the canary issue:
545
+
546
+
```yaml
547
+
apiVersion: v1
548
+
kind: ServiceAccount
549
+
metadata:
550
+
name: demo-02
551
+
namespace: default
552
+
---
553
+
apiVersion: rbac.authorization.k8s.io/v1
554
+
kind: ClusterRoleBinding
555
+
metadata:
556
+
name: impersonate-user-groups
557
+
subjects:
558
+
- kind: ServiceAccount
559
+
name: demo-02
560
+
namespace: default
561
+
roleRef:
562
+
kind: ClusterRole
563
+
name: user-groups-impersonator
564
+
apiGroup: rbac.authorization.k8s.io
565
+
---
566
+
apiVersion: rbac.authorization.k8s.io/v1
567
+
kind: ClusterRole
568
+
metadata:
569
+
name: user-groups-impersonator
570
+
rules:
571
+
- apiGroups: [""]
572
+
resources: ["users", "groups"]
573
+
verbs: ["impersonate"]
574
+
- apiGroups: [""]
575
+
resources: ["namespaces"]
576
+
verbs: ["get", "list"]
577
+
- apiGroups: ["apiextensions.k8s.io"] # required for canary support
578
+
resources: ["customresourcedefinitions"]
579
+
verbs: ["get", "list"]
580
+
```
581
+
542
582
**CAPI NAME COLLISION WARNING**
543
583
544
584
`demo-01` and `demo-02` are currently deployed on the same [GCP
0 commit comments