F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

Installation instructions on F5 website are wrong #3383

Closed skenderidis closed 4 months ago

skenderidis commented 7 months ago

As per our installation instructions on https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html you need to create the following clusterRole. On Clouddocs it is mentioned that "The example below shows the broadest supported permission set. You can narrow the permissions down to specific resources, namespaces, etc.".

But the RBAC that is provided on clouddocs is incomplete and not the same as on CIS GitHub (https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/rbac/clusterrole.yaml).

 # for use in k8s clusters only
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: bigip-ctlr-clusterrole
 rules:
 - apiGroups: ["", "extensions"]
   resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "pods"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["", "extensions"]
   resources: ["configmaps", "events", "ingresses/status"]
   verbs: ["get", "list", "watch", "update", "create", "patch"]
 - apiGroups: ["", "extensions"]
   resources: ["secrets"]
   resourceNames: ["<secret-containing-bigip-login>"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["cis.f5.com"]
   resources: ["virtualservers", "tlsprofiles", "transportservers", "externaldnss"]
   verbs: ["get", "list", "watch", "update"]

 ---

 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: bigip-ctlr-clusterrole-binding
   namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: bigip-ctlr-clusterrole
 subjects:
 - apiGroup: ""
   kind: ServiceAccount
   name: bigip-ctlr
   namespace: kube-system

Can you please make sure that the instructions on clouddocs are aligned with the GitHub k8s-bigip-ctlr repository?
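Added example, not part of the issue thread or the project's code: one way to check a documented ClusterRole against a reference copy is to flatten both into individual grants and diff them. `DOCUMENTED` transcribes the rules quoted above; `REFERENCE` is a constructed stand-in with one hypothetical extra rule (it is not the repository's clusterrole.yaml), and the `"*"` marker for "no resourceNames" is this example's own convention.

```python
from itertools import product

# Rules transcribed from the ClusterRole quoted in the issue above.
DOCUMENTED = [
    {"apiGroups": ["", "extensions"],
     "resources": ["nodes", "services", "endpoints", "namespaces", "ingresses", "pods"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["", "extensions"],
     "resources": ["configmaps", "events", "ingresses/status"],
     "verbs": ["get", "list", "watch", "update", "create", "patch"]},
    {"apiGroups": ["", "extensions"], "resources": ["secrets"],
     "resourceNames": ["<secret-containing-bigip-login>"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["cis.f5.com"],
     "resources": ["virtualservers", "tlsprofiles", "transportservers", "externaldnss"],
     "verbs": ["get", "list", "watch", "update"]},
]

# CONSTRUCTED stand-in for a reference role: the documented rules plus one
# hypothetical extra rule. Replace it with the rules of the role you trust.
REFERENCE = DOCUMENTED + [
    {"apiGroups": ["example.invalid"], "resources": ["widgets"],
     "verbs": ["get", "patch"]},
]

def expand(rules):
    """Flatten rules into (apiGroup, resource, resourceName, verb) tuples.
    Literal wildcards inside a rule are compared as written, not expanded."""
    grants = set()
    for rule in rules:
        # "*" here is this example's marker for "not limited to named objects".
        names = rule.get("resourceNames") or ["*"]
        grants.update(product(rule["apiGroups"], rule["resources"],
                              names, rule["verbs"]))
    return grants

def drift(documented, reference):
    """Return (missing, extra): grants only in reference, only in documented."""
    doc, ref = expand(documented), expand(reference)
    return sorted(ref - doc), sorted(doc - ref)

if __name__ == "__main__":
    missing, extra = drift(DOCUMENTED, REFERENCE)
    for grant in missing:
        print("missing from documented role:", grant)
    for grant in extra:
        print("not in reference role:", grant)
```

Because `resourceNames` is part of each tuple, a copy of the role that drops the secret-name restriction shows up as drift rather than as an equivalent rule.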

trinaths commented 7 months ago

Created [CONTCNTR-4696] for internal tracking.

vklohiya commented 4 months ago

@skenderidis, this looks like an old bookmarked page: https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html.

New installation instructions are updated on the following pages:

https://clouddocs.f5.com/containers/latest/userguide/cis-installation.html#installing-cis-manually

https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#installing-cis-manually

https://clouddocs.f5.com/containers/latest/userguide/openshift/#installing-cis-manually