Change reference spec for the kubernetes events input binding. (#752)

* Change reference spec for the kubernetes events input binding. Add Role, RoleBinding doc.

* Refactor docs

* Update kubernetes.md
Mukundan Sundararajan 2020-08-18 12:50:46 -07:00 committed by GitHub
parent fccb7d60f2
commit 94d2fe90eb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 80 additions and 2 deletions

@ -10,7 +10,85 @@ spec:
type: bindings.kubernetes
metadata:
- name: namespace
value: default
value: <NAMESPACE>
- name: resyncPeriodInSec
vale: "<seconds>"
```
- `namespace` is the Kubernetes namespace to read events from. Default is `default`.
- `namespace` (required) is the Kubernetes namespace to read events from.
- `resyncPeriodInSec` (optional, default `10`) the period of time to refresh event list from Kubernetes API server.
Output received from the binding is of format `bindings.ReadResponse` with the `Data` field populated with the following structure:
```json
{
"event": "",
"oldVal": {
"metadata": {
"name": "hello-node.162c2661c524d095",
"namespace": "kube-events",
"selfLink": "/api/v1/namespaces/kube-events/events/hello-node.162c2661c524d095",
...
},
"involvedObject": {
"kind": "Deployment",
"namespace": "kube-events",
...
},
"reason": "ScalingReplicaSet",
"message": "Scaled up replica set hello-node-7bf657c596 to 1",
...
},
"newVal": {
"metadata": { "creationTimestamp": "null" },
"involvedObject": {},
"source": {},
"firstTimestamp": "null",
"lastTimestamp": "null",
"eventTime": "null",
...
}
}
```
Three different event types are available:
- Add : Only the `newVal` field is populated, `oldVal` field is an empty `v1.Event`, `event` is `add`
- Delete : Only the `oldVal` field is populated, `newVal` field is an empty `v1.Event`, `event` is `delete`
- Update : Both the `oldVal` and `newVal` fields are populated, `event` is `update`
## Required permisiions
For consuming `events` from Kubernetes, permissions need to be assigned to a User/Group/ServiceAccount using [RBAC Auth] mechanism of Kubernetes.
### Role
One of the rules need to be of the form as below to give permissions to `get, watch` and `list` `events`. API Groups can be as restrictive as needed.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: <NAMESPACE>
name: <ROLENAME>
rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "watch", "list"]
```
### RoleBinding
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: <NAME>
namespace: <NAMESPACE> # same as above
subjects:
- kind: ServiceAccount
name: default # or as need be, can be changed
namespace: <NAMESPACE> # same as above
roleRef:
kind: Role
name: <ROLENAME> # same as the one above
apiGroup: ""
```
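Review bot: In the component spec at the top of the hunk, the new `resyncPeriodInSec` entry uses the key `vale: "<seconds>"`, while the `namespace` entry just above it uses `value:`. As written, anyone copying the sample gets a metadata item with no `value`, so please change it to `value: "<seconds>"`. In the same pass: the heading `## Required permisiions` should read "Required permissions", and the `[RBAC Auth]` link has no target in the visible lines. In the RoleBinding sample, `roleRef` sets `apiGroup: ""` although the Role it points to is declared under `rbac.authorization.k8s.io/v1`; spelling out `apiGroup: rbac.authorization.k8s.io` would make the reference unambiguous for readers. The sample also binds the Role to the `default` ServiceAccount, so every pod in the namespace that runs under that account gets `get`, `watch` and `list` on `events`. Consider showing a dedicated ServiceAccount as the subject and leaving `default` as the noted alternative. Last, the text now marks `namespace` as required, so a sentence on what the binding does when it is omitted would help users upgrading from the old default of `default`.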