From cca0275b0bbe0251f244420483d25e07f0a2684d Mon Sep 17 00:00:00 2001 From: Laurent Rolaz Date: Tue, 26 Sep 2017 20:20:05 +0200 Subject: [PATCH] Add Documentation about customresourcedefinitions creation role --- Documentation/storage.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Documentation/storage.md b/Documentation/storage.md index 3ebb72b9..7c2abae8 100644 --- a/Documentation/storage.md +++ b/Documentation/storage.md @@ -53,6 +53,36 @@ status: Once the `CustomResourceDefinition` is created, custom resources can be created and stored at a namespace level. The CRD type and the custom resources can be queried, deleted, and edited like any other resource using `kubectl`. +dex requires access to the non-namespaced `CustomResourceDefinition` type. For example, clusters using RBAC authorization would need to create the following roles and bindings: +``` +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: dex +rules: +- apiGroups: ["dex.coreos.com"] # API group created by dex + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create"] # To manage its own resources identity must be able to create customresourcedefinitions. +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: dex +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dex +subjects: +- kind: ServiceAccount + name: dex # Service account assigned to the dex pod. + namespace: dex-namespace # The namespace dex is running in. + +``` + + ## Kubernetes third party resources(TPRs) __NOTE:__ TPRs will be deprecated by Kubernetes version 1.8.
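Review bot: the comment on the `customresourcedefinitions` rule, "To manage its own resources identity must be able to create customresourcedefinitions.", should name dex rather than "identity", and since the verb list there is only `["create"]`, please confirm against the storage code whether dex also reads the CRD back (for example to check whether it already exists) before creating it; if so, `get` belongs in that list or the example will fail under RBAC. Smaller points: the introducing sentence says "the following roles and bindings" but the block shows a single ClusterRole and a single ClusterRoleBinding; the fenced block carries a stray blank line before the closing fence and would read better tagged as `yaml`; and because the first rule grants `resources: ["*"]` with `verbs: ["*"]` on the `dex.coreos.com` group, one sentence saying that this group only contains dex's own types would help readers applying the role to a shared cluster understand its scope.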