Merge branch 'hfy/add-missing-step-to-external-knative-docs' into 'master'

Add ClusterRole step to external Knative docs See merge request gitlab-org/gitlab-ce!30123

Merge branch 'hfy/add-missing-step-to-external-knative-docs' into 'master'
Add ClusterRole step to external Knative docs See merge request gitlab-org/gitlab-ce!30123
02ad0c2f · Evan Read · df0be8b2 · 28997a3b · 02ad0c2f
Commit 02ad0c2f authored Jul 02, 2019 by Evan Read
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 1 deletion

doc/user/project/clusters/serverless/index.md doc/user/project/clusters/serverless/index.md +46 -1

No files found.
--- a/doc/user/project/clusters/serverless/index.md
+++ b/doc/user/project/clusters/serverless/index.md
@@ -94,10 +94,55 @@ adding an existing installation of Knative.
 It is also possible to use GitLab Serverless with an existing Kubernetes
 cluster which already has Knative installed.
-Simply:
+You must do the following:
 1. Follow the steps to
   [add an existing Kubernetes cluster](../index.md#adding-an-existing-kubernetes-cluster).
+1. Ensure GitLab can manage Knative:
+    - For a non-GitLab managed cluster, ensure that the service account for the token
+      provided can manage resources in the `serving.knative.dev` API group.
+    - For a GitLab managed cluster,
+      GitLab uses a service account with the `edit` cluster role. This account needs
+      the ability to manage resources in the `serving.knative.dev` API group.
+      We suggest you do this with an [aggregated ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles)
+      adding rules to the default `edit` cluster role:
+      First, save the following YAML as `knative-serving-only-role.yaml`:
+      ```yaml
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        name: knative-serving-only-role
+        labels:
+          rbac.authorization.k8s.io/aggregate-to-edit: "true"
+      rules:
+      - apiGroups:
+        - serving.knative.dev
+        resources:
+        - configurations
+        - configurationgenerations
+        - routes
+        - revisions
+        - revisionuids
+        - autoscalers
+        - services
+        verbs:
+        - get
+        - list
+        - create
+        - update
+        - delete
+        - patch
+        - watch
+        ```
+        Then run the following command:
+        ```bash
+        kubectl apply -f knative-serving-only-role.yaml
+        ```
 1. Follow the steps to deploy [functions](#deploying-functions)
   or [serverless applications](#deploying-serverless-applications) onto your
   cluster.