
Commit a357242

docs: update readme
1 parent 7eb4002 commit a357242

1 file changed: +23 / -0 lines changed

README.md

Lines changed: 23 additions & 0 deletions
@@ -64,3 +64,26 @@ For `ClusterIssuer`s, the secret must be in the namespace where the webhook was
6464
By default, the webhook controller has permission to read all secrets in that namespace, although that can be restricted using helm values.
6565
For `Issuer`s, the secret must be in the same namespace as the `Issuer`.
6666
By default, the webhook controller usually **does not** have permission to read that secret, so you have to allow it explicitly.
67+
68+
## Required IAM Permissions
69+
70+
The following IAM policy is recommended for the webhook controller:
71+
72+
```json
73+
{
74+
"default-service-strategy": "deny",
75+
"services": {
76+
"dns": {
77+
"type": "rules",
78+
"rules": [
79+
{
80+
"action": "allow",
81+
"expression": "operation in ['list-dns-domains', 'get-dns-domain', 'list-dns-domain-records', 'get-dns-domain-record', 'create-dns-domain-record', 'delete-dns-domain-record']"
82+
}
83+
]
84+
}
85+
}
86+
}
87+
```
88+
89+
If the config contains a `domainId`, the `list-dns-domains` can be omitted.
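Review bot: the new "Required IAM Permissions" section never says what the policy is attached to or how it relates to the secret described in lines 64-66; a sentence such as "attach this policy to the API key whose credentials are stored in the secret referenced by the `Issuer`/`ClusterIssuer`" would close that gap. The rule on line 81 grants `create-dns-domain-record` and `delete-dns-domain-record` for every domain the key can see, so it is worth stating explicitly that this is the minimal set needed for DNS-01 challenge records and that every other service stays blocked by `"default-service-strategy": "deny"`; if the expression language allows scoping to specific domains, a pointer to that would help operators tighten it further. Minor wording on line 89: "the `list-dns-domains` can be omitted" is missing its noun ("the `list-dns-domains` operation can be omitted").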
