From e410b76ec8eb1f29e2cd172c3e3efdd8fe67b72f Mon Sep 17 00:00:00 2001 From: Pablo Chacin Date: Wed, 13 Feb 2019 21:54:35 +0100 Subject: [PATCH] Add instructions for setting ClusterRole permissions The default ClusterRole created by kubebuilder does not include all the required permissions for the controllers to access the cluster-api objects. This PR adds additional instructions for setting these permissions. Signed-off-by: Pablo Chacin --- docs/book/SUMMARY.md | 1 + .../customize_resources.md | 56 +++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 docs/book/provider_implementations/customize_resources.md diff --git a/docs/book/SUMMARY.md b/docs/book/SUMMARY.md index dfdf2b3a2a40..d4f75fbe5208 100644 --- a/docs/book/SUMMARY.md +++ b/docs/book/SUMMARY.md @@ -23,6 +23,7 @@ * [Register Schemes](provider_implementations/register_schemes.md) * [Create Actuators](provider_implementations/create_actuators.md) * [Register Controllers](provider_implementations/register_controllers.md) +* [Customize Resources](provider_implementations/customize_resources.md) * [Building, Running, and Testing](provider_implementations/building_running_and_testing.md) ## Appendices diff --git a/docs/book/provider_implementations/customize_resources.md b/docs/book/provider_implementations/customize_resources.md new file mode 100644 index 000000000000..877833457d57 --- /dev/null +++ b/docs/book/provider_implementations/customize_resources.md 
@@ -0,0 +1,56 @@ +# Customize Resources + +## Customize Cluster Role + +The `ClusterRole` created by `kubebuilder` in `config/rbac/rbac_role.yaml` +lacks the necessary permissions for the provider components to access the +cluster-api objects. Therefore it is necessary to add some additional rules. + +The following patch should be copied to the new file +`config/default/rbac_cluster_api_patch.yaml` + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: +- apiGroups: + - cluster.k8s.io + resources: + - clusters + - clusters/status + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - cluster.k8s.io + resources: + - machines + - machines/status + - machinedeployments + - machinedeployments/status + - machinesets + - machinesets/status + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +``` + +And modify ``config/default/kustomization.yaml` adding the following entry +to `patches`: +```yaml +patches: +- rbac_cluster_api_patch.yaml +``` +
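Review bot: In the new `customize_resources.md`, both rules in the `rbac_cluster_api_patch.yaml` example put the `*/status` subresources in the same `resources` list as their parent resources, so the full verb set (`get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) is granted on `clusters/status`, `machines/status`, `machinedeployments/status` and `machinesets/status`. A status subresource only responds to `get`, `update` and `patch`, so I would split each rule in two: one for the parent resources with the verbs the controllers actually use, and one for the `*/status` entries limited to `get`, `update` and `patch`. Since this is a cluster-wide role that readers will copy verbatim, the text should also say which controller needs `create` and `delete` on `clusters` and on the machine resources, or drop those verbs where they are not needed. Two smaller points in the same hunk: the line "And modify ``config/default/kustomization.yaml` adding the following entry" opens with two backticks and closes with one, which will render incorrectly, and the second yaml fence starts directly after "to `patches`:" with no blank line between them, unlike the first fence.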