From 2a566f40fce576250d9559a6cb6c57c6cdcc6007 Mon Sep 17 00:00:00 2001 From: Jakob Beckmann <32326425+f4z3r@users.noreply.github.com> Date: Thu, 1 Feb 2024 20:41:07 +0100 Subject: [PATCH] docs(kubernetes-auth): add API documentation for kubernetes auth namespace selectors (#19318) Co-authored-by: Thy Ton --- website/content/api-docs/auth/kubernetes.mdx | 23 +++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/website/content/api-docs/auth/kubernetes.mdx b/website/content/api-docs/auth/kubernetes.mdx index 52659d64a99e..b4db1ace3ba5 100644 --- a/website/content/api-docs/auth/kubernetes.mdx +++ b/website/content/api-docs/auth/kubernetes.mdx @@ -129,8 +129,14 @@ entities attempting to login. - `name` `(string: )` - Name of the role. - `bound_service_account_names` `(array: )` - List of service account names able to access this role. If set to "\*" all names are allowed. -- `bound_service_account_namespaces` `(array: )` - List of namespaces +- `bound_service_account_namespaces` `(array: [])` - List of namespaces allowed to access this role. If set to "\*" all namespaces are allowed. +- `bound_service_account_namespace_selector` `(string: "")` - A label selector for Kubernetes + namespaces allowed to acces this role. Accepts either a JSON or YAML object. The value + should be of type + [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta). Currently, label selectors with `matchExpressions` are not supported. + If this parameter is used, the Vault requires permissions to read namespaces on the Kubernetes + cluster. If set with `bound_service_account_namespaces`, the conditions are `OR`ed. - `audience` `(string: "")` - Optional Audience claim to verify in the JWT. - `alias_name_source` `(string: "serviceaccount_uid")` - Configures how identity aliases are generated. Valid choices are: `serviceaccount_uid`, `serviceaccount_name` 
@@ -144,7 +150,7 @@ entities attempting to login. @include 'tokenfields.mdx' -### Sample payload +### Sample Payload 1 ```json { @@ -155,7 +161,18 @@ entities attempting to login. } ``` -### Sample request +### Sample Payload 2 + +```json +{ + "bound_service_account_names": "vault-auth", + "bound_service_account_namespace_selector": "\"{\"matchLabels\":{\"stage\":\"dev\",\"vault-role\":\"dev-role\"}}", + "policies": ["dev", "prod"], + "max_ttl": 1800000 +} +``` + +### Sample Request ```shell-session $ curl \
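Review bot: In the first hunk (@@ -129,8 +129,14 @@), the new `bound_service_account_namespace_selector` entry has a typo, `acces` should be `access`, and `the Vault requires permissions` should read `Vault requires permissions`. Two wording points matter for anyone configuring this: `If set with bound_service_account_namespaces, the conditions are ORed` should say plainly that the selector widens the allowed set (a service account is accepted if its namespace is in the list or matches the selector), since a reader may assume a second condition narrows access; and `Currently, label selectors with matchExpressions are not supported` should state whether a role write containing `matchExpressions` is rejected or the expressions are ignored, because silently dropping them would leave the role less restrictive than the operator intended. The same hunk also changes the default of `bound_service_account_namespaces` to `[]`; consider stating what a role with neither the list nor the selector set allows.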
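Review bot: In the second hunk (@@ -144,7 +150,7 @@), renaming `### Sample payload` to `### Sample Payload 1` switches the heading from sentence case to title case; check that the other headings in this file follow the same capitalization, otherwise keep the existing form as `### Sample payload 1`.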
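Review bot: In the third hunk (@@ -155,7 +161,18 @@), the `bound_service_account_namespace_selector` value in Sample Payload 2 is malformed: it begins with `\"{`, so the decoded string is a stray `"` followed by the object, which parses neither as a JSON nor as a YAML object and would be rejected when the role is written. It should be `"bound_service_account_namespace_selector": "{\"matchLabels\":{\"stage\":\"dev\",\"vault-role\":\"dev-role\"}}",`. Also, `"bound_service_account_names": "vault-auth"` is a plain string although the first hunk documents the parameter as an array; `["vault-auth"]` would match the documentation.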