From 8f637b7385ce3d1e4737fdb8c34801f10e49b2ae Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 06:10:47 +0200
Subject: Recommends that you create rbac

---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'README.md')

diff --git a/README.md b/README.md
index 9853d12..e0cdf91 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,13 @@ For clients we tend to use [librdkafka](https://github.com/edenhill/librdkafka)-
 
 To use [Kafka Connect](http://kafka.apache.org/documentation/#connect) and [Kafka Streams](http://kafka.apache.org/documentation/streams/) you may want to take a look at our [sample](https://github.com/solsson/dockerfiles/tree/master/connect-files) [Dockerfile](https://github.com/solsson/dockerfiles/tree/master/streams-logfilter)s. Don't forget the [addon](https://github.com/Yolean/kubernetes-kafka/labels/addon)s.
 
+## RBAC
+
+For clusters that enfoce [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) there's a minimal set of policies in
+```
+kubectl apply -f rbac-namespace-default/
+```
+
 # Tests
 
 ```
-- 
cgit v1.2.3


From 27421fb58b902e595adcf062857a369485cc91cf Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 06:11:06 +0200
Subject: Shows how to see that you need rbac, but makes readme heavier

---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'README.md')

diff --git a/README.md b/README.md
index e0cdf91..c9e6c59 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,15 @@ For clusters that enfoce [RBAC](https://kubernetes.io/docs/admin/authorization/r
 kubectl apply -f rbac-namespace-default/
 ```
 
+For example here's how you see that `kafka`s init containers need RBAC for [rack awareness](https://github.com/Yolean/kubernetes-kafka/pull/41):
+```
+$ kubectl exec kafka-1 -- cat /etc/kafka/server.properties | grep broker.rack
+#init#broker.rack=# zone lookup failed, see -c init-config logs
+$ kubectl logs -c init-config kafka-0
+++ kubectl get node some-node '-o=go-template={{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}'
+Error from server (Forbidden): User "system:serviceaccount:kafka:default" cannot get nodes at the cluster scope.: "Unknown user \"system:serviceaccount:kafka:default\""
+```
+
 # Tests
 
 ```
-- 
cgit v1.2.3


From 79d65fd2e35b29df9cc936ceba3e4b4a1c151201 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 06:28:56 +0200
Subject: Details will live in the respective policies

---
 README.md | 9 ---------
 rbac-namespace-default/node-reader.yml | 9 ++++++++-
 2 files changed, 8 insertions(+), 10 deletions(-)

(limited to 'README.md')

diff --git a/README.md b/README.md
index c9e6c59..e0cdf91 100644
--- a/README.md
+++ b/README.md
@@ -59,15 +59,6 @@ For clusters that enfoce [RBAC](https://kubernetes.io/docs/admin/authorization/r
 kubectl apply -f rbac-namespace-default/
 ```
 
-For example here's how you see that `kafka`s init containers need RBAC for [rack awareness](https://github.com/Yolean/kubernetes-kafka/pull/41):
-```
-$ kubectl exec kafka-1 -- cat /etc/kafka/server.properties | grep broker.rack
-#init#broker.rack=# zone lookup failed, see -c init-config logs
-$ kubectl logs -c init-config kafka-0
-++ kubectl get node some-node '-o=go-template={{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}'
-Error from server (Forbidden): User "system:serviceaccount:kafka:default" cannot get nodes at the cluster scope.: "Unknown user \"system:serviceaccount:kafka:default\""
-```
-
 # Tests
 
 ```
diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
index 0454579..62669cd 100644
--- a/rbac-namespace-default/node-reader.yml
+++ b/rbac-namespace-default/node-reader.yml
@@ -1,4 +1,11 @@
-# For kubectl get node, required for kafka init container rack awareness
+# To see if init containers need RBAC:
+#
+# $ kubectl exec kafka-1 -- cat /etc/kafka/server.properties | grep broker.rack
+# #init#broker.rack=# zone lookup failed, see -c init-config logs
+# $ kubectl logs -c init-config kafka-0
+# ++ kubectl get node some-node '-o=go-template={{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}'
+# Error from server (Forbidden): User "system:serviceaccount:kafka:default" cannot get nodes at the cluster scope.: "Unknown user \"system:serviceaccount:kafka:default\""
+#
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
-- 
cgit v1.2.3
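Review bot: The new comment block in node-reader.yml shows how to reproduce the Forbidden error but drops the only line that stated what this ClusterRole grants and why, `# For kubectl get node, required for kafka init container rack awareness`; I would keep a purpose line above the reproduction, e.g. `# Grants read access to nodes (a cluster-scoped resource) so the kafka init container's zone lookup for rack awareness can succeed.` The quoted error names `system:serviceaccount:kafka:default`, which suggests the accompanying binding targets the namespace's default service account; if so, every pod in the namespace that does not set its own serviceAccountName inherits node read, and the comment should say so (or the binding should use a dedicated service account for the kafka pods). The binding itself is outside this hunk, so I cannot confirm which subject it names; the ClusterRole's rules also continue past the hunk's last line.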