From 1694f95e4a9c2896541bfa663f92f2c6323d24a4 Mon Sep 17 00:00:00 2001 From: Iryna Shustava Date: Fri, 6 Dec 2019 12:32:33 -0800 Subject: [PATCH] Clarify minimum perms required for k8s auto-join --- website/source/docs/agent/cloud-auto-join.html.md | 3 +++ website/source/docs/platform/k8s/out-of-cluster-nodes.html.md | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/website/source/docs/agent/cloud-auto-join.html.md b/website/source/docs/agent/cloud-auto-join.html.md index 1c24f5a646..edabff27b5 100644 --- a/website/source/docs/agent/cloud-auto-join.html.md +++ b/website/source/docs/agent/cloud-auto-join.html.md @@ -373,3 +373,6 @@ $ consul agent -retry-join "provider=k8s label_selector=\"app=consul,component=s set, it defaults to all namespaces. - `label_selector` (optional) - the label selector for matching pods. - `field_selector` (optional) - the field selector for matching pods. + +The Kubernetes token used by the provider needs to have permissions to list pods +in the desired namespace. \ No newline at end of file diff --git a/website/source/docs/platform/k8s/out-of-cluster-nodes.html.md b/website/source/docs/platform/k8s/out-of-cluster-nodes.html.md index 529e633344..7ff9d69814 100644 --- a/website/source/docs/platform/k8s/out-of-cluster-nodes.html.md +++ b/website/source/docs/platform/k8s/out-of-cluster-nodes.html.md 
@@ -19,7 +19,9 @@ use the ["k8s" cloud auto-join provider](/docs/agent/cloud-auto-join.html#kubern The auto-join provider dynamically discovers IP addresses to join using the Kubernetes API. It authenticates with Kubernetes using a standard `kubeconfig` file. This works with all major hosted Kubernetes offerings -as well as self-hosted installations. +as well as self-hosted installations. The token in the `kubeconfig` file +needs to have permissions to list pods in the namespace where Consul servers +are deployed. The auto-join string below will join a Consul server cluster that is started using the [official Helm chart](/docs/platform/k8s/helm.html):
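Review bot: In the cloud-auto-join.html.md hunk, "permissions to list pods in the desired namespace" does not cover the default case described by the context line just above it ("set, it defaults to all namespaces"). When `namespace` is left unset, a grant scoped to one namespace is not enough, because the provider lists pods across all namespaces. Suggest saying so explicitly, for example: "list pods in the configured namespace, or in all namespaces if `namespace` is not set". It would also help to say that this is the only permission the provider needs, so readers scope the credential down rather than reuse a broader one. Separately, the new text leaves the file without a trailing newline ("\ No newline at end of file"); please add one.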
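Review bot: In the out-of-cluster-nodes.html.md hunk, the added sentence names the required permission but does not steer readers away from copying an existing, broadly privileged `kubeconfig` onto the out-of-cluster node. Since the commit subject is about minimum permissions, suggest stating that a dedicated credential limited to listing pods in the Consul server namespace is sufficient and preferred. The wording also differs from the other file ("The Kubernetes token used by the provider" there, "The token in the `kubeconfig` file" here); using one phrasing in both places, or linking this sentence to the auto-join provider section already referenced at the top of the hunk, would keep the two pages from drifting apart.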