(DOCSP-15753) Remaining prod-notes tickets, to be continued (#575)

* (DOCSP-15753) Remaining prod-notes tickets, to be continued

* Fixed a broken link, a typo, and DOCSP-13669

* (DOCSP-13744) add default permissions list used by the Operator

* Include copy review

* Address copy review

Author: JuliaMongo

source/includes/list-tables/rs-resource-base-options.rst

@@ -17,7 +17,7 @@
 
           - :setting:`metadata.name`
           - Kubernetes documentation on
-            :k8sdocs:`names </docs/concepts/overview/working-with-objects/names/>`.
+            :k8sdocs:`names </concepts/overview/working-with-objects/names/>`.
 
      - ``myproject``
 

source/reference/production-notes.txt

@@ -387,6 +387,11 @@ availability zones configuration.
                  - e2e-az1
                  - e2e-az2
 
+In this example, the |k8s-op-short| schedules the Pods deployment to
+the nodes which have the label ``kubernetes.io/e2e-az-name`` in ``e2e-az1`` or
+``e2e-az2`` availability zones. Change ``nodeAffinity`` to
+schedule the deployment of Pods to the desired availability zones.
+
 See the full example of multiple availability zones configuration in
 :github:`replica-set-affinity.yaml </mongodb/mongodb-enterprise-kubernetes/blob/master/samples/mongodb/affinity/replica-set-affinity.yaml>`
 in the :github:`Affinity Samples </mongodb/mongodb-enterprise-kubernetes/tree/master/samples/mongodb/persistent-volumes>`
@@ -397,7 +402,8 @@ configurations for sharded clusters and standalone MongoDB deployments.
 
 .. seealso::
 
-   :k8sdocs:`Running in Multiple Zones </setup/best-practices/multiple-zones/>`
+   - :k8sdocs:`Running in Multiple Zones </setup/best-practices/multiple-zones/>`
+   - :k8sdocs:`Node affinity </concepts/scheduling-eviction/assign-pod-node/#node-affinity>`
 
 Co-locate ``mongos`` Pods with Your Applications
 ------------------------------------------------
@@ -512,7 +518,93 @@ Use the :k8sdocs:`Pod affinity
 
 .. seealso::
 
-  :k8sdocs:`Pod affinity </concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity>`
+  :k8sdocs:`Pod affinity
+  </concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity>`
+
+Verify Permissions
+------------------
+
+Objects in the |k8s-op-short| configuration  use the following
+default permissions.
+
+
+.. list-table::
+   :widths: 25 75
+   :header-rows: 1
+
+   * - Kubernetes Resources
+     - Verbs
+
+   * - Configmaps
+     - Require the following permissions:
+  
+       - ``get``, ``list``, ``watch``. The |k8s-op-short| reads the organization
+         and project data from the specified ``configmap``.
+ 
+       - ``create``, ``update``. The |k8s-op-short| creates and updates ``configmap``
+         objects for configuring the :ref:`appdb-om-arch` instances.
+  
+       - ``delete``. The |k8s-op-short| needs the ``delete`` ``configmap`` permission
+         to support its :ref:`older versions <k8s-support-lifecycle>`.
+         This permission will be deleted when older versions reach their
+         End of Life Date.
+
+   * - Secrets
+     - Require the following permissions:
+  
+       - ``get``, ``list``, ``watch``. The |k8s-op-short| reads secret objects to
+         retrieve sensitive data, such as :ref:`TLS <secure-tls>` or
+         :ref:`X.509 <create-x509-certs>` access information. For example, it
+         reads the credentials from a secret object to connect to the |onprem|.
+
+       - ``create``, ``update``. The |k8s-op-short| creates secret
+         objects holding :ref:`TLS <secure-tls>` or
+         :ref:`X.509 <create-x509-certs>` access information.
+    
+       - ``delete``. The |k8s-op-short| deletes secret objects (containing passwords)
+         related to the :ref:`appdb-om-arch`.
+    
+   * - Services
+     - Require the following permissions:
+   
+       - ``get``, ``list``, ``watch``. The |k8s-op-short| reads and watches
+         MongoDB services. For example, to communicate with the Ops Manager service,
+         the |k8s-op-short| needs ``get``, ``list`` and ``watch``
+         permissions to use the |onprem| service's URL.
+ 
+       - ``create``, ``update``. To communicate with services, the |k8s-op-short|
+         creates and updates service objects corresponding to |onprem|
+         and MongoDB custom resources.
+    
+   * - StatefulSets
+     - Require the following permissions:
+  
+       - ``get``, ``list``, ``watch``. The |k8s-op-short| reacts to the changes in the
+         StatefulSets it creates for the MongoDB custom resources. It also reads
+         the fields of  the StatefulSets it manages.
+
+       - ``create``, ``update``. The |k8s-op-short| creates and updates StatefulSets
+         corresponding to the mongoDB custom resources.
+    
+       - ``delete``. The |k8s-op-short| needs permissions to delete the StatefulSets
+         when you delete the MongoDB custom resource.
+
+   * - Pods
+     - Require the following permissions:
+  
+       - ``get``, ``list``, ``watch``. The |k8s-op-short| queries the
+         Application Database Pods to get information about its state.
+  
+   * - Namespaces
+     - Require the following permissions:
+  
+       - ``list``, ``watch``. When you run the |k8s-op-short| in the cluster-wide mode,
+         it needs ``list`` and ``watch`` permissions to all namespaces
+         for the MongoDB custom resources.
+
+.. seealso::
+
+   :ref:`meko-om-arch`
 
 Enable TLS
 ----------

source/reference/troubleshooting.txt

@@ -434,6 +434,24 @@ To remove the |k8s-ns|:
 
       kubectl delete namespace <metadata.namespace>
 
+.. _k8s-create-pvc-after-deleting-pod:
+
+Create a New |k8s-pvc| after Deleting a Pod
+-------------------------------------------
+
+If you accidentally delete the MongoDB replica set Pod and its |k8s-pvc|,
+the |k8s-op-short| fails to reschedule the MongoDB Pod and issues
+the following error message:
+
+.. code-block:: sh
+   :copyable: false
+
+   scheduler error: pvc not found to schedule the pod
+
+To recover from this error, you must :k8sdocs:`manually create a new PVC
+</tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolumeclaim>`
+with the PVC object's name that corresponds to this replica set Pod,
+such as ``data-<replicaset-pod-name>``.
 
 .. _k8s-disable-feature-controls:
 

source/tutorial/om-arch.txt

@@ -37,6 +37,9 @@ following |onprem| components:
          Enterprise Kubernetes Operator
    :figwidth: 600px
 
+
+.. _appdb-om-arch:
+
 Application Database
 ~~~~~~~~~~~~~~~~~~~~
 

source/tutorial/plan-k8s-op-considerations.txt

@@ -58,7 +58,7 @@ a message similar to the following that describes the error to the shell:
    shardPodSpec field is not configurable for application databases as
    it is for sharded clusters and appdb replica sets
 
-Whe the |k8s-op-short| reconciles each resource, it also validates that
+When the |k8s-op-short| reconciles each resource, it also validates that
 resource. The |k8s-op-short| doesn't require the validation webhook to
 create or update resources.