docs(operator): Installation with kubectl (aquasecurity#273)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
syseleven · Dec 9, 2020 · 030f48d · 030f48d
1 parent 6ce107b
commit 030f48d
Show file tree

Hide file tree

Showing 7 changed files with 64 additions and 6 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -7,13 +7,15 @@ on:
       - '.github/ISSUE_TEMPLATE/*.md'
       - '*.md'
       - 'docs/**'
+      - 'mkdocs.yml'
       - 'LICENSE'
       - 'NOTICE'
   pull_request:
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*.md'
       - '*.md'
       - 'docs/**'
+      - 'mkdocs.yml'
       - 'LICENSE'
       - 'NOTICE'
 jobs:

diff --git a/README.md b/README.md
@@ -328,7 +328,7 @@ namespace:
 3. Create the `starboard-operator` deployment in the `starboard-operator` namespace to run the operator's container:
 
    ```
-   $ kubectl apply -f deploy/static/05-starboard-operator.deployment.yaml
+   $ kubectl apply -f deploy/static/06-starboard-operator.deployment.yaml
    ```
 
 #### With Helm

diff --git a/deploy/static/05-starboard-operator.cm.yaml b/deploy/static/05-starboard-operator.cm.yaml
@@ -0,0 +1 @@
+../init/03-starboard.cm.yaml
diff --git a/...tic/05-starboard-operator.deployment.yaml → ...tic/06-starboard-operator.deployment.yaml b/...tic/05-starboard-operator.deployment.yaml → ...tic/06-starboard-operator.deployment.yaml
diff --git a/docs/index.md b/docs/index.md
@@ -11,9 +11,10 @@ Starboard can be run in two different modes:
 
 - As a command-line tool, so you can trigger scans and view the risks in
   a kubectl-compatible way or as part of your CI/CD pipeline.
-- As an operator to automatically update security report resources in response
-  to workload and other changes on a Kubernetes cluster - for example,
-  initiating a vulnerability scan when a new pod is started.
+- As an [operator](starboard-operator.md) to automatically update security
+  report resources in response to workload and other changes on a Kubernetes
+  cluster - for example, initiating a vulnerability scan when a new pod is
+  started.
 
 You can read more about the motivations and [use cases]
 here and join our [discussions] here.

diff --git a/docs/starboard-operator.md b/docs/starboard-operator.md
@@ -0,0 +1,52 @@
+# Starboard Operator
+
+## Overview
+
+This operator automatically updates security report resources in response to
+workload and other changes on a Kubernetes cluster - for example, initiating
+a vulnerability scan when a new pod is started. In other words, the desired
+state for this operator is that for each workload there are security reports
+stored in the cluster as custom resources.
+
+Currently, the operator only supports vulnerabilityreports security resources
+as depicted below. However, we plan to support all custom security resources.
+
+![](images/operator/starboard-operator.png)
+
+## Installation
+
+### With Static YAML Manifests
+
+You can install the operator with provided static YAML manifests with fixed
+values. However, this approach has its shortcomings. For example, if you want to
+change the container image or modify default configuration parameters, you have
+to create new manifests or edit existing ones.
+
+To deploy the operator in the `starboard-operator` namespace and configure it to
+watch the `default` namespace:
+
+1. Send the definition of the `vulnerabilityreports` custom resource to the
+   Kubernetes API:
+
+        kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/v0.7.1/deploy/crd/vulnerabilityreports.crd.yaml
+
+2. Send the following Kubernetes objects definitions to the Kubernetes API:
+
+        kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/v0.7.1/deploy/static/01-starboard-operator.ns.yaml \
+          -f https://raw.githubusercontent.com/aquasecurity/starboard/v0.7.1/deploy/static/02-starboard-operator.sa.yaml \
+          -f https://raw.githubusercontent.com/aquasecurity/starboard/v0.7.1/deploy/static/03-starboard-operator.clusterrole.yaml \
+          -f https://raw.githubusercontent.com/aquasecurity/starboard/v0.7.1/deploy/static/04-starboard-operator.clusterrolebinding.yaml
+
+3. (Optional) Configure the operator by creating the `starboard` ConfigMap in
+   the `starboard-operator` namespace. If you skip this step, the operator will
+   ensure the ConfigMap on startup with the default configuration values.
+
+        kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/v0.7.1/deploy/static/05-starboard-operator.cm.yaml
+   Review the default values and makes sure the operator is configured properly:
+
+        kubectl describe cm starboard -n starboard-operator
+
+4. Finally, create the `starboard-operator` Deployment in the `starboard-operator`
+   namespace to start the operator's pod:
+
+        kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/v0.7.1/deploy/static/06-starboard-operator.deployment.yaml
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -10,9 +10,11 @@ repo_url: https://github.com/aquasecurity/starboard
 edit_uri: ""
 
 # Theme
-theme: readthedocs
+theme:
+  name: material
 
 nav:
-  - Overview: index.md
+  - Introduction: index.md
+  - Starboard Operator: starboard-operator.md
   - Frequently Asked Questions: faq.md
   - Troubleshooting: troubleshooting.md