respond to review comments on Minio and RBAC

Signed-off-by: JENNIFER RONDEAU <[email protected]>

Author: JENNIFER RONDEAU

docs/get-started.md

@@ -26,7 +26,9 @@ NOTE: Make sure to check out the appropriate version. We recommend that you chec
 
 ### Set up server
 
-These instructions assume that you are running Minio inside your cluster.
+These instructions assume that you are running Minio inside your cluster. They should be used for a test environment or to explore Ark only. Service of type `NodePort` is not recommended for production.
+
+1. In `examples/minio/00-minio-deployment.yaml`, change the value of Service `spec.type` from `ClusterIP` to `NodePort`.
 
 1. Start the local storage service. In the root directory of Ark, run:
 
@@ -37,13 +39,13 @@ These instructions assume that you are running Minio inside your cluster.
 
 1.  Get the Minio URL:
 
-    - if you're running Minikube
+    - if you're running Minikube:
 
     ```shell
     minikube service minio --namespace=heptio-ark --url
     ```
 
-    - in any other environment
+    - in any other test environment:
 
        1. Get the value of an external IP address or DNS name of any node in your cluster. You must be able to reach this address from the Ark client.
 
@@ -53,7 +55,9 @@ These instructions assume that you are running Minio inside your cluster.
         kubectl -n heptio-ark get svc/minio -o jsonpath='{.spec.ports[0].nodePort}'
       ```
 
-1. In `examples/minio/05-ark-backupstoragelocation.yaml`, replace NODE_URL_OR_IP:NODE_PORT with the value of the Minio URL.
+1. **For Service type `NodePort` only** In `examples/minio/05-ark-backupstoragelocation.yaml`, replace NODE_URL_OR_IP:NODE_PORT with the value of the Minio URL.
+
+1. If you have set up Ingress or a load balancer, SOMETHINGSOMETHING PR 1006
 
 1. Start the server:
 

docs/rbac.md

@@ -2,9 +2,7 @@
 
 By default Ark runs with an RBAC policy of ClusterRole `cluster-admin`. This is to make sure that Ark can back up or restore anything in your cluster. But `cluster-admin` access is wide open -- it gives Ark components access to everything in your cluster. Depending on your environment and your security needs, you should consider whether to configure more restrictive access. 
 
-More fine-grained access control should also be part of more fine-grained configuration of [namespace-based backups and restores][4].
-
-**Note:** Roles and RoleBindings are associated with a single namespaces, not with an entire cluster. PersistentVolume backups are associated only with an entire cluster. This means that any backups or restores that use a restrictive Role and RoleBinding pair can manage only the resources that belong to the namespace. PersistentVolumes cannot be backed up with more restrictive RBAC policies.
+**Note:** Roles and RoleBindings are associated with a single namespaces, not with an entire cluster. PersistentVolume backups are associated only with an entire cluster. This means that any backups or restores that use a restrictive Role and RoleBinding pair can manage only the resources that belong to the namespace. You do not need a wide open RBAC policy to manage PersistentVolumes, however. You can configure a ClusterRole and ClusterRoleBinding that allow backups and restores only of PersistentVolumes, not of all objects in the cluster.
 
 For more information about RBAC and access control generally in Kubernetes, see the Kubernetes documentation about [access control][1], [managing service accounts][2], and [RBAC authorization][3].
 

examples/minio/00-minio-deployment.yaml

@@ -63,7 +63,10 @@ metadata:
   labels:
     component: minio
 spec:
-  type: NodePort
+  # ClusterIP is recommended for production environments
+  # change to NodePort if needed per documentation,
+  # but only you run Minio in a test/trial environment, for example with minikube
+  type: ClusterIP
   ports:
     - port: 9000
       targetPort: 9000

examples/minio/05-ark-backupstoragelocation.yaml

@@ -25,7 +25,8 @@ spec:
   config:
     region: minio
     s3ForcePathStyle: "true"
-    # get minio URL per documentation
-    s3Url: NODE_URL_OR_IP:NODE_PORT
+    s3Url: http://minio.heptio-ark.svc:9000
+    # OR get minio URL per documentation (comment out previous line)
+    # s3Url: NODE_URL_OR_IP:NODE_PORT