docs: clarify usage of serviceaccount as tenant owner (#503)

Adriano Pezzuto
2022-01-20 21:52:49 +01:00
committed by GitHub
parent 0b199f4136
commit be26783424


@@ -141,8 +141,6 @@ metadata:
name: oil
spec:
owners:
- name: oil-users
kind: Group
- name: system:serviceaccount:default:robot
kind: ServiceAccount
EOF
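Review bot: The owner entry `system:serviceaccount:default:robot` with `kind: ServiceAccount` is given without the docs saying whether the name has to be written in the full `system:serviceaccount:{namespace}:{name}` form; state that next to the example, since the groups in the following section are spelled out the same way. The header shrinks this block from 8 to 6 lines, so also check that the prose around the manifest no longer refers to the owner entry that was dropped.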
@@ -164,18 +162,18 @@ metadata:
name: default
spec:
userGroups:
- capsule.clastix.io
- system:serviceaccounts:default
```
because, by default, each service account is a member of following groups:
since each service account in a namespace is a member of following group:
```
system:serviceaccounts
system:serviceaccounts:{service-account-namespace}
system:authenticated
```
> Please, pay attention when setting a service account acting as tenant owner. Make sure you're not using the group `system:serviceaccounts` or the group `system:serviceaccounts:{capsule-namespace}` as Capsule group, otherwise you'll create a short-circuit in the Capsule controller, being Capsule itself controlled by a serviceaccount.
## Create namespaces
Alice, once logged with her credentials, can create a new namespace in her tenant, as simply issuing:
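Review bot: The `userGroups` example lists `system:serviceaccounts:default`, while the warning a few lines below it says not to use `system:serviceaccounts:{capsule-namespace}`; the text should say outright that the example is only safe when Capsule itself is not running in `default`, and name the namespace Capsule is expected to be installed in. The warning would also be easier to act on if it said what the "short-circuit" looks like in practice instead of only naming it. Smaller wording point: the sentence "since each service account in a namespace is a member of following group:" uses the singular while the list under it has three entries, so it should read "the following groups".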