
Commit

docs: add service account group to Capsule group (#450)
bsctl authored Oct 15, 2021
1 parent b17c6c4 commit 0784dc7
Showing 2 changed files with 23 additions and 2 deletions.
2 changes: 1 addition & 1 deletion docs/operator/use-cases/overview.md
Original file line number Diff line number Diff line change
@@ -20,7 +20,7 @@ To simplify the usage of Capsule in this scenario, we'll work with the following

Use Capsule to address any of the following scenarios:

* [Onboard Tenants](./onboarding.md)
* [Assign Tenant Ownership](./tenant-ownership.md)
* [Create Namespaces](./create-namespaces.md)
* [Assign Permissions](./permissions.md)
* [Enforce Resources Quotas and Limits](./resources-quota-limits.md)
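Review bot: the new bullet links to ./tenant-ownership.md, but the only other hunk in this commit renames a heading from `# Onboard a new tenant` to `# Tenant ownership` in a file whose path is not shown here, while the `Onboard Tenants` bullet above still points at ./onboarding.md. Confirm that both targets exist after this commit (the ownership text moved into tenant-ownership.md and onboarding.md still present), otherwise one of the two links in this list is dead.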
@@ -1,4 +1,4 @@
# Onboard a new tenant
# Tenant ownership
Bill, the cluster admin, receives a new request from Acme Corp.'s CTO asking for a new tenant to be onboarded and Alice user will be the tenant owner. Bill then assigns Alice's identity of `alice` in the Acme Corp. identity management system. Since Alice is a tenant owner, Bill needs to assign `alice` the Capsule group defined by `--capsule-user-group` option, which defaults to `capsule.clastix.io`.

To keep things simple, we assume that Bill just creates a client certificate for authentication using X.509 Certificate Signing Request, so Alice's certificate has `"/CN=alice/O=capsule.clastix.io"`.
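Review bot: the heading becomes `# Tenant ownership`, but the first paragraph still opens with Acme's CTO "asking for a new tenant to be onboarded", which is the onboarding story this section was split out of; consider starting the lead from an existing tenant that needs an owner assigned so the text matches the new title. In the same paragraph, "Bill then assigns Alice's identity of `alice` in the Acme Corp. identity management system" reads oddly; "Alice's identity in the Acme Corp. identity management system is `alice`" says what is meant.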
@@ -136,5 +136,26 @@ kubectl --as system:serviceaccount:default:robot --as-group capsule.clastix.io a
yes
```

The service account has to be part of Capsule group, so Bill has to set in the `CapsuleConfiguration`

```yaml
apiVersion: capsule.clastix.io/v1alpha1
kind: CapsuleConfiguration
metadata:
name: default
spec:
userGroups:
- capsule.clastix.io
- system:serviceaccounts:default
```
because, by default, each service account is a member of following groups:
```
system:serviceaccounts
system:serviceaccounts:{service-account-namespace}
system:authenticated
```

# What’s next
See how a tenant owner, creates new namespaces. [Create namespaces](./create-namespaces.md).
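Review bot: the check in the context line, `kubectl --as system:serviceaccount:default:robot --as-group capsule.clastix.io ...` answering `yes`, does not exercise the `userGroups` entry added in this hunk: `--as-group` impersonates membership in `capsule.clastix.io` directly, so the answer is `yes` whether or not the service account's real groups are listed in `CapsuleConfiguration`. Suggest showing the check with only `--as system:serviceaccount:default:robot` and no `--as-group`, since impersonating a service account carries its real groups (`system:serviceaccounts`, `system:serviceaccounts:default`, `system:authenticated`), which is exactly what the new `system:serviceaccounts:default` entry is meant to match. The text should also say that adding `system:serviceaccounts:default` makes every service account in the `default` namespace a Capsule user, not only `robot`; a dedicated namespace for tenant-owner service accounts keeps that grant narrow. Two small wording fixes: "a member of following groups" -> "a member of the following groups", and "See how a tenant owner, creates new namespaces." has a stray comma.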
