Merge pull request #6902 from hashicorp/k8s-auto-join-min-perms

Clarify the minimum permissions required for k8s auto-join
2019-12-06 13:35:15 -08:00 · 2019-12-06 13:35:15 -08:00 · 1f3f9a7847
parent 2343413bf0 1694f95e4a
commit 1f3f9a7847
2 changed files with 6 additions and 1 deletions
--- a/website/source/docs/agent/cloud-auto-join.html.md
+++ b/website/source/docs/agent/cloud-auto-join.html.md
@ -400,3 +400,6 @@ $ consul agent -retry-join "provider=k8s label_selector=\"app=consul,component=s
  set, it defaults to all namespaces.
 - `label_selector` (optional) - the label selector for matching pods.
 - `field_selector` (optional) - the field selector for matching pods.
+
+The Kubernetes token used by the provider needs to have permissions to list pods
+in the desired namespace.
--- a/website/source/docs/platform/k8s/out-of-cluster-nodes.html.md
+++ b/website/source/docs/platform/k8s/out-of-cluster-nodes.html.md
@ -19,7 +19,9 @@ use the ["k8s" cloud auto-join provider](/docs/agent/cloud-auto-join.html#kubern
 The auto-join provider dynamically discovers IP addresses to join using
 the Kubernetes API. It authenticates with Kubernetes using a standard
 `kubeconfig` file. This works with all major hosted Kubernetes offerings
-as well as self-hosted installations.
+as well as self-hosted installations. The token in the `kubeconfig` file
+needs to have permissions to list pods in the namespace where Consul servers
+are deployed.

 The auto-join string below will join a Consul server cluster that is
 started using the [official Helm chart](/docs/platform/k8s/helm.html):