Add notes for addon template permission setting

Signed-off-by: zhujian <[email protected]>
open-cluster-management-io · Jul 3, 2024 · 9654381 · 9654381
1 parent 4620723
commit 9654381
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/content/en/developer-guides/addon.md b/content/en/developer-guides/addon.md
@@ -1118,6 +1118,22 @@ volumes, health probe for daemonsets) from OCM v0.14.0.
              name: ca-secret
    ```
 
+   **Notes**:
+
+   * The permission related resources(i.e. `RoleBinding` `ClusterRoleBinding`) for *the addon agent access the local
+     managed cluster* defined in the `addonTemplate.agentSpec.workload.manifests` will be created on the managed cluster
+     by the work-agent, but the work-agent may not have permission to create these resources, users should refer to
+     [permission-setting-for-work-agent](../concepts/manifestwork.md#permission-setting-for-work-agent) to grant the
+     work-agnet permissions to address the permission issue on the managed cluster side.
+   * Permissions for *the addon agent access the hub cluster* defined in
+     `addonTemplate.registration[*].kubeClient.hubPermissions`, users should ensure:
+       1) the referenced role/clusterrole(`.hubPermissions.currentCluster.clusterRoleName`
+         `.hubPermissions.singleNamespace.roleRef.name`) exists on the hub cluster
+       2) the addon-manager has permission to create (cluster)rolebinding to bind these (cluster)role for the
+          addon-agent. For example: users can create a (cluster)rolebinding to grant the permission to the
+          addon-manager (service account `open-cluster-management-hub/addon-manager-controller-sa`) to address the
+          permission issue on the hub cluster side.
+
 2. Create a `ClusterManagementAddOn` to declare this is template type addon which should be managed by the
    addon-manager:
 

diff --git a/content/zh/developer-guides/addon.md b/content/zh/developer-guides/addon.md
@@ -1118,6 +1118,22 @@ volumes, health probe for daemonsets) from OCM v0.14.0.
              name: ca-secret
    ```
 
+   **Notes**:
+
+   * The permission related resources(i.e. `RoleBinding` `ClusterRoleBinding`) for *the addon agent access the local
+     managed cluster* defined in the `addonTemplate.agentSpec.workload.manifests` will be created on the managed cluster
+     by the work-agent, but the work-agent may not have permission to create these resources, users should refer to
+     [permission-setting-for-work-agent](../concepts/manifestwork.md#permission-setting-for-work-agent) to grant the
+     work-agnet permissions to address the permission issue on the managed cluster side.
+   * Permissions for *the addon agent access the hub cluster* defined in
+     `addonTemplate.registration[*].kubeClient.hubPermissions`, users should ensure:
+       1) the referenced role/clusterrole(`.hubPermissions.currentCluster.clusterRoleName`
+         `.hubPermissions.singleNamespace.roleRef.name`) exists on the hub cluster
+       2) the addon-manager has permission to create (cluster)rolebinding to bind these (cluster)role for the
+          addon-agent. For example: users can create a (cluster)rolebinding to grant the permission to the
+          addon-manager (service account `open-cluster-management-hub/addon-manager-controller-sa`) to address the
+          permission issue on the hub cluster side.
+
 2. Create a `ClusterManagementAddOn` to declare this is template type addon which should be managed by the
    addon-manager: