From e44e45cae2dd0ba2db8a881aa678d8c4db8ae949 Mon Sep 17 00:00:00 2001 From: Guangya Liu Date: Tue, 22 Aug 2017 17:44:33 +0800 Subject: [PATCH] Added ClusterRoleBinding for configmap. --- .project | 11 +++++++++++ docs/cleanup.md | 4 ++++ docs/deploy-envoy-initializer.md | 8 ++++++++ rbac/bindings.yaml | 12 ++++++++++++ 4 files changed, 35 insertions(+) create mode 100644 .project create mode 100644 rbac/bindings.yaml
diff --git a/.project b/.project
new file mode 100644
index 0000000..ff814da
--- /dev/null
+++ b/.project
@@ -0,0 +1,11 @@ + + + kubernetes-initializer-tutorial + + + + + + + +
diff --git a/docs/cleanup.md b/docs/cleanup.md
index 86a6129..58df1de 100644
--- a/docs/cleanup.md
+++ b/docs/cleanup.md
@@ -10,6 +10,10 @@ kubectl delete initializerconfiguration envoy kubectl delete deployment envoy-initializer helloworld helloworld-with-annotation ``` +``` +kubectl delete clusterrolebindings cluster-admin-for-configmap +``` + ``` kubectl delete configmaps envoy envoy-initializer ```
diff --git a/docs/deploy-envoy-initializer.md b/docs/deploy-envoy-initializer.md
index 39f9279..87c7664 100644
--- a/docs/deploy-envoy-initializer.md
+++ b/docs/deploy-envoy-initializer.md
@@ -20,6 +20,14 @@ The Envoy Initializer is configured using a ConfigMap, identified by the `-confi kubectl apply -f configmaps/envoy-initializer.yaml ``` +### Create the ClusterRoleBinding + +The `ClusterRoleBinding` is needed to make sure the user `system:serviceaccount:default:default` have permission to get data from configmap `envoy-initializer`. + +``` +kubectl apply -f rbac/bindings.yaml +``` + ### Create the Envoy Initializer Deployment Deploy the `envoy-initializer` controller:
diff --git a/rbac/bindings.yaml b/rbac/bindings.yaml
new file mode 100644
index 0000000..4d0f950
--- /dev/null
+++ b/rbac/bindings.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-admin-for-configmap
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: system:serviceaccount:default:default
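Review bot: The `roleRef` in rbac/bindings.yaml grants `cluster-admin` cluster-wide to `system:serviceaccount:default:default`, far more than the read of the `envoy-initializer` ConfigMap that the docs hunk in this commit gives as the reason. Every pod in the `default` namespace that does not set its own service account runs as that identity, so any such workload, or anyone who obtains its token, gets full control of the cluster. A namespaced `Role` limited to `get` on that one ConfigMap, bound with a `RoleBinding`, covers the stated need; if the controller needs further access (not visible in this patch), add it as explicit rules, ideally for a dedicated service account rather than `default`. The `kubectl delete clusterrolebindings` line added to docs/cleanup.md would need to change to match.

```yaml
# Object names below are suggestions; namespace assumed to be `default`, as in the subject above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: envoy-initializer-configmap-reader
  namespace: default
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["envoy-initializer"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: envoy-initializer-configmap-reader
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: envoy-initializer-configmap-reader
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
```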