Merge pull request openshift#8337 from bfallonf/ingress_edit_2

Brice Fallon-Freeman · web-flow · commit 340a878ef33e · 2018-03-29T12:44:21.000+10:00
Further edits to ingress object section
diff --git a/admin_guide/managing_networking.adoc b/admin_guide/managing_networking.adoc
@@ -155,15 +155,26 @@ the same rules apply for claiming a domain for a namespace based on the creation
 time of the object. For example, the oldest route winning against any other
 claimants wanting to use the same namespace.
 
-For example, ownership of routes is based on the claims made for that host name with the same namespace. The oldest route wins against any other claims. 
+For example, ownership of routes is based on the claims made for that host name
+with the same namespace. The oldest route wins against any other claims.
+
+[NOTE]
+====
+Routes and ingress objects have the same data structure internally on the
+router, with ingress objects having the capability to turn into multiple route
+objects. The claim rules above apply for each of these objects. However, because
+an ingress object can have two hostnames, one hostname can be claimed by the
+ingress object and be active, while the second cannot claim, and remains
+inactive.
+====
 
 While this makes the router compatible with Kubernetes ingress
 objects, some caveats exist:
 
 * Ingress objects store the keys and certificates in secrets, so the router needs permission to read all secrets in the system.
 * Ingress objects only support edge termination for *https* routes.
 
-To configure an existing router to have Ingress support (assuming the default
+To configure an existing router to have ingress support (assuming the default
 name of `router` for the deployment configuration and the service-account):
 
 . Set the `ROUTER_ENABLE_INGRESS` environment variable to `true`:
@@ -172,10 +183,18 @@ name of `router` for the deployment configuration and the service-account):
 $ oc env dc router ROUTER_ENABLE_INGRESS=true`
 ----
 
-. Add the cluster-admin role to the router:
+. Add the `cluster-reader` role to the router, where `-z` is the service
+account:
++
+----
+$ oc adm policy add-cluster-role-to-user cluster-reader -z router
+----
+
+. Give the router the authorization to manage ingress objects:
 +
 ----
-$ oc adm policy add-role-to-user cluster-admin router`
+$ oc adm policy add-cluster-role-to-user \ 
+    system:openshift:controller:service-serving-cert-controller -z router
 ----
 
 [[admin-guide-controlling-egress-traffic]]
