From 77ac601c38ef0fb8d2ac5e6209a3ec434455a574 Mon Sep 17 00:00:00 2001
From: Audrey Spaulding
Date: Thu, 16 May 2024 16:15:05 -0400
Subject: [PATCH] CNV-34768
---
modules/virt-cluster-role-VNC.adoc | 27 +++++++++++++++++++
.../virt-accessing-vm-consoles.adoc | 4 +++
2 files changed, 31 insertions(+)
create mode 100644 modules/virt-cluster-role-VNC.adoc
diff --git a/modules/virt-cluster-role-VNC.adoc b/modules/virt-cluster-role-VNC.adoc
new file mode 100644
index 0000000000..501bb10a07
--- /dev/null
+++ b/modules/virt-cluster-role-VNC.adoc
@@ -0,0 +1,27 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-consoles.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-cluster-role-VNC_{context}"]
+= Granting token generation permission for the VNC console by using the cluster role
+
+As a cluster administrator, you can install a cluster role and bind it to a user or service account to allow access to the endpoint that generates tokens for the VNC console.
+
+.Procedure
+
+* Choose to bind the cluster role to either a user or service account.
+
+** Run the following command to bind the cluster role to a user:
++
+[source,terminal]
+----
+$ kubectl create rolebinding "${ROLE_BINDING_NAME}" --clusterrole="token.kubevirt.io:generate" --user="${USER_NAME}"
+----
+
+** Run the following command to bind the cluster role to a service account:
++
+[source,terminal]
+----
+$ kubectl create rolebinding "${ROLE_BINDING_NAME}" --clusterrole="token.kubevirt.io:generate" --serviceaccount="${SERVICE_ACCOUNT_NAME}"
+----
\ No newline at end of file
diff --git a/virt/virtual_machines/virt-accessing-vm-consoles.adoc b/virt/virtual_machines/virt-accessing-vm-consoles.adoc
index 12a9bfeff9..d07dc52861 100644
--- a/virt/virtual_machines/virt-accessing-vm-consoles.adoc
+++ b/virt/virtual_machines/virt-accessing-vm-consoles.adoc
@@ -27,6 +27,10 @@ include::modules/virt-connecting-vm-virtctl.adoc[leveloffset=+2] include::modules/virt-temporary-token-VNC.adoc[leveloffset=+2] :!vnc-console: +:context: vnc-console +include::modules/virt-cluster-role-VNC.adoc[leveloffset=+3] +:!vnc-console: + [id="serial-console_virt-accessing-vm-consoles"] == Connecting to the serial console