From fa17e220505d12037677200b02f80856830daa35 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 3 Jun 2020 07:06:20 -0700 Subject: [PATCH] Docs updates for vault-k8s 0.4.0 (#9107) * Adding changes for vault-k8s 0.4.0 * add note about run-as-same-user rejecting root --- .../platform/k8s/injector/annotations.mdx | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/website/pages/docs/platform/k8s/injector/annotations.mdx b/website/pages/docs/platform/k8s/injector/annotations.mdx index 3ccb17850..b7fdbdb12 100644 --- a/website/pages/docs/platform/k8s/injector/annotations.mdx +++ b/website/pages/docs/platform/k8s/injector/annotations.mdx 
@@ -102,6 +102,30 @@ them, optional commands to run, etc. is rendered. If no secret name is provided, this sets the default for all rendered secrets in the pod. +- `vault.hashicorp.com/agent-run-as-user` - sets the user (uid) to run Vault + agent as. Also available as a command-line option (`-run-as-user`) or + environment variable (`AGENT_INJECT_RUN_AS_USER`) for the injector. Defaults + to 100. + +- `vault.hashicorp.com/agent-run-as-group` - sets the group (gid) to run Vault + agent as. Also available as a command-line option (`-run-as-group`) or + environment variable (`AGENT_INJECT_RUN_AS_GROUP`) for the injector. Defaults + to 1000. + +- `vault.hashicorp.com/agent-set-security-context` - controls whether + `SecurityContext` is set in injected containers. Also available as a + command-line option (`-set-security-context`) or environment variable + (`AGENT_INJECT_SET_SECURITY_CONTEXT`). Defaults to `true`. + +- `vault.hashicorp.com/agent-run-as-same-user` - run the injected Vault agent + containers as the User (uid) of the first application container in the pod. + Requires `Spec.Containers[0].SecurityContext.RunAsUser` to be set in the pod + spec. Also available as a command-line option (`-run-as-same-user`) or + environment variable (`AGENT_INJECT_RUN_AS_SAME_USER`). Defaults to `false`. + + ~> **Note**: If the first application container in the pod is running as root + (uid 0), the `run-as-same-user` annotation will fail injection with an error. + ## Vault Annotations Vault annotations change how the Vault Agent containers communicate with Vault. For
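Review bot: the new bullets leave the precedence between `vault.hashicorp.com/agent-set-security-context` and the uid/gid annotations undocumented; a reader cannot tell from this hunk whether `agent-run-as-user`, `agent-run-as-group` and `agent-run-as-same-user` still take effect when `agent-set-security-context` is `false`, nor whether `agent-run-as-same-user` fails injection or falls back to the default uid (100) when `Spec.Containers[0].SecurityContext.RunAsUser` is absent. Suggest one sentence on each, e.g. after the `agent-set-security-context` bullet: "When set to `false`, the `agent-run-as-user`, `agent-run-as-group` and `agent-run-as-same-user` settings are not applied." Two smaller consistency points in the same hunk: the root note refers to "the `run-as-same-user` annotation", while every other bullet uses the full `vault.hashicorp.com/agent-...` form, so the note should read "the `vault.hashicorp.com/agent-run-as-same-user` annotation"; and the `agent-run-as-same-user` bullet says "the User (uid)" where the `agent-run-as-user` bullet says "the user (uid)", so the capital U should be lowercased. The bullets also write "Vault agent" while the surrounding page text below the hunk uses "Vault Agent"; pick one.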