From 0784dc7177da40ae5b3ef8831f72a2e1c02797a8 Mon Sep 17 00:00:00 2001 From: Adriano Pezzuto <2222461+bsctl@users.noreply.github.com> Date: Fri, 15 Oct 2021 14:57:55 +0200 Subject: [PATCH] docs: add service account group to Capsule group (#450) --- docs/operator/use-cases/overview.md | 2 +- .../{onboarding.md => tenant-ownership.md} | 23 ++++++++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) rename docs/operator/use-cases/{onboarding.md => tenant-ownership.md} (89%) diff --git a/docs/operator/use-cases/overview.md b/docs/operator/use-cases/overview.md index 496ab41a..d189fc69 100644 --- a/docs/operator/use-cases/overview.md +++ b/docs/operator/use-cases/overview.md @@ -20,7 +20,7 @@ To simplify the usage of Capsule in this scenario, we'll work with the following Use Capsule to address any of the following scenarios: -* [Onboard Tenants](./onboarding.md) +* [Assign Tenant Ownership](./tenant-ownership.md) * [Create Namespaces](./create-namespaces.md) * [Assign Permissions](./permissions.md) * [Enforce Resources Quotas and Limits](./resources-quota-limits.md) diff --git a/docs/operator/use-cases/onboarding.md b/docs/operator/use-cases/tenant-ownership.md similarity index 89% rename from docs/operator/use-cases/onboarding.md rename to docs/operator/use-cases/tenant-ownership.md index b3c00b8c..25d195f7 100644 --- a/docs/operator/use-cases/onboarding.md +++ b/docs/operator/use-cases/tenant-ownership.md 
@@ -1,4 +1,4 @@ -# Onboard a new tenant +# Tenant ownership Bill, the cluster admin, receives a new request from Acme Corp.'s CTO asking for a new tenant to be onboarded and Alice user will be the tenant owner. Bill then assigns Alice's identity of `alice` in the Acme Corp. identity management system. Since Alice is a tenant owner, Bill needs to assign `alice` the Capsule group defined by `--capsule-user-group` option, which defaults to `capsule.clastix.io`. To keep things simple, we assume that Bill just creates a client certificate for authentication using X.509 Certificate Signing Request, so Alice's certificate has `"/CN=alice/O=capsule.clastix.io"`. @@ -136,5 +136,26 @@ kubectl --as system:serviceaccount:default:robot --as-group capsule.clastix.io a yes ``` +The service account has to be part of Capsule group, so Bill has to set in the `CapsuleConfiguration` + +```yaml +apiVersion: capsule.clastix.io/v1alpha1 +kind: CapsuleConfiguration +metadata: + name: default +spec: + userGroups: + - capsule.clastix.io + - system:serviceaccounts:default +``` + +because, by default, each service account is a member of following groups: + +``` +system:serviceaccounts +system:serviceaccounts:{service-account-namespace} +system:authenticated +``` + # What’s next See how a tenant owner, creates new namespaces. [Create namespaces](./create-namespaces.md).
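Review bot: in the `overview.md` hunk, the rename of `onboarding.md` to `tenant-ownership.md` is reflected only in this one link, and the diffstat shows no other file touched, so any other doc page or external bookmark that still points at `./onboarding.md` will break. Suggest grepping the docs tree for `onboarding.md` and updating those links in the same commit, or leaving a one-line `onboarding.md` that links to the new page.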
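Review bot: in the `@@ -136,5` hunk, the `userGroups` example adds `system:serviceaccounts:default`, which makes every service account in the `default` namespace a member of the Capsule user group, not only `robot`; the text should state this and warn that `default` is where unrelated workloads usually run, so the grant is much broader than "the service account has to be part of Capsule group" suggests. Suggest recommending a dedicated namespace for tenant-owner service accounts (so the added group becomes `system:serviceaccounts:<that-namespace>`), and adding a sentence that the `kubectl --as system:serviceaccount:default:robot --as-group capsule.clastix.io` check in the preceding context line answers `yes` because `--as-group` injects the group via impersonation, so it does not prove the service account is accepted when it authenticates with its own token; the `CapsuleConfiguration` change is what actually grants that. Minor wording in the added prose: "part of Capsule group" should read "part of the Capsule group" and "member of following groups" should read "member of the following groups".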