Skip to content

Commit

Permalink
[docs] clarify serviceAccounts as tenant owner
Browse files Browse the repository at this point in the history
  • Loading branch information
lalyos committed Sep 26, 2022
1 parent fb68795 commit 057fbf5
Showing 1 changed file with 21 additions and 4 deletions.
25 changes: 21 additions & 4 deletions docs/content/general/tutorial.md
Original file line number Diff line number Diff line change
Expand Up @@ -139,15 +139,15 @@ metadata:
name: oil
spec:
owners:
- name: system:serviceaccount:default:robot
- name: system:serviceaccount:tenant-system:robot
kind: ServiceAccount
EOF
```

Bill can create a Service Account called `robot`, for example, in the `default` namespace and leave it to act as Tenant Owner of the `oil` tenant
Bill can create a Service Account called `robot`, for example, in the `tenant-system` namespace and leave it to act as Tenant Owner of the `oil` tenant

```
kubectl --as system:serviceaccount:default:robot --as-group capsule.clastix.io auth can-i create namespaces
kubectl --as system:serviceaccount:tenant-system:robot --as-group capsule.clastix.io auth can-i create namespaces
yes
```

Expand All @@ -160,7 +160,7 @@ metadata:
name: default
spec:
userGroups:
- system:serviceaccounts:default
- system:serviceaccounts:tenant-system
```
since each service account in a namespace is a member of following group:
Expand All @@ -169,6 +169,23 @@ since each service account in a namespace is a member of following group:
system:serviceaccounts:{service-account-namespace}
```

You can change the CapsuleConfiguration at install time with a helm parameter:
```
helm upgrade -i \
capsule \
clastix/capsule \
-n capsule-system \
--set manager.options.capsuleUserGroups=system:serviceaccounts:tenant-system \
--create-namespace
```

Or after installation:
```
kubectl patch capsuleconfigurations default \
--patch '{"spec":{"userGroups":["capsule.clastix.io","system:serviceaccounts:tenant-system"]}}' \
--type=merge
```

> Please, pay attention when setting a service account acting as tenant owner. Make sure you're not using the group `system:serviceaccounts` or the group `system:serviceaccounts:{capsule-namespace}` as Capsule group, otherwise you'll create a short-circuit in the Capsule controller, being Capsule itself controlled by a serviceaccount.
### Roles assigned to Tenant Owners
Expand Down

0 comments on commit 057fbf5

Please sign in to comment.