Merge branch 'pr/1076'

LGTM from: arschles MHBauer
kubernetes-retired · Jul 31, 2017 · 2bd85d6 · 2bd85d6
2 parents d8b7899 + e324287
commit 2bd85d6
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 4 deletions.
diff --git a/charts/catalog/templates/controller-manager-deployment.yaml b/charts/catalog/templates/controller-manager-deployment.yaml
@@ -55,7 +55,9 @@ spec:
         - --service-catalog-api-server-url
         - https://{{ template "fullname" . }}-apiserver
         {{- end }}
+        {{ if .Values.controllerManager.apiserverSkipVerify -}}
         - "--service-catalog-insecure-skip-verify=true"
+        {{- end }}
         - -v
         - "{{ .Values.controllerManager.verbosity }}"
         - --resync-interval

diff --git a/charts/catalog/values.yaml b/charts/catalog/values.yaml
@@ -1,4 +1,6 @@
 # Default values for Service Catalog
+# determines whether the API server should be registered with the kube-aggregator
+useAggregator: false
 apiserver:
   # apiserver image to use
   image: quay.io/kubernetes-service-catalog/apiserver:v0.0.14
@@ -93,4 +95,5 @@ controllerManager:
     # Whether the controller has option to set leader election namespace.
     activated: false
   serviceAccount: service-catalog-controller-manager
-useAggregator: false
+  # Controls whether the API server's TLS verification should be skipped.
+  apiserverSkipVerify: true
diff --git a/docs/walkthrough.md b/docs/walkthrough.md
@@ -16,9 +16,9 @@ DNS enabled already.
 * If you are using hack/local-up-cluster.sh, ensure the
 `KUBE_ENABLE_CLUSTER_DNS` environment variable is set as follows:
 
-  ```console
-  KUBE_ENABLE_CLUSTER_DNS=true hack/local-up-cluster.sh -O
-  ```
+```console
+hack/local-up-cluster.sh -O
+```
 
 ### Getting Helm and installing Tiller
 
@@ -32,6 +32,18 @@ be done with Helm setup.
 If you don't already have Helm v2, see the
 [installation instructions](https://github.com/kubernetes/helm/blob/master/docs/install.md).
 
+### RBAC Considerations
+
+If your kubernetes cluster has [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)
+enabled, you must ensure that the default service account for the `kube-system`
+namespace has the `cluster-admin` role:
+
+```console
+kubectl create clusterrolebinding default-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
+```
+
+This is required in order for helm to work correctly in clusters with RBAC enabled.
+
 ## Step 1 - Installing the Service Catalog
 
 The service catalog is packaged as a Helm chart located in the