misc small typos, paragraph breaks, and cross-links
Signed-off-by: clux <sszynrae@gmail.com>
clux committed Oct 20, 2023
1 parent 337d99b commit ccd0838
Showing 3 changed files with 31 additions and 23 deletions.
6 changes: 4 additions & 2 deletions docs/controllers/generics.md
Expand Up @@ -29,7 +29,7 @@ where

// example work; apply some labels to the object
let patch: Patch<serde_json::Value> = get_standard_labels_for(&obj)?;
let serverside = PatchParams::apply("labeler");
let serverside = PatchParams::apply("labeller");
api.patch(&object_name, &serverside, &patch).await?;

Ok(Action::requeue(Duration::from_secs(5 * 60)))
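Review bot: the string passed to `PatchParams::apply` is the server-side apply field manager name, so changing `"labeler"` to `"labeller"` is more than a spelling fix for anyone who copied the earlier snippet into a running controller: fields already applied under the old manager remain owned by it, and the renamed manager will get conflicts on those fields. Worth a short comment on that line saying the manager name must stay stable once deployed.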
Expand Down Expand Up @@ -85,7 +85,9 @@ where
}
```

This example assumes no [[relations]] between the main controller [[object]], so that each controller can be started in isolation without worrying about inefficiencies in [[streams]] usage. It uses [metadata_watcher] to provide a consistent input stream of `PartialObjectMeta<K>` with pruning ([[optimization#pruning-fields]]) and [Store] management through [WatchStreamExt].
This example assumes no [[relations]] between the main controller [[object]], so that each controller can be started in isolation without worrying about inefficiencies in [[streams]] usage.

It uses [metadata_watcher] to provide a consistent input stream of `PartialObjectMeta<K>` with pruning ([[optimization#pruning-fields]]) and [Store] management through [WatchStreamExt].

We can start and control the lifecycle of all the controllers with a [tokio::join!]:

7 changes: 5 additions & 2 deletions docs/controllers/manifests.md
Expand Up @@ -7,6 +7,10 @@ This chapter is about deployment manifests and common resources you likely want
A Kubernetes `Role` / `ClusterRole` (with an associated binding) is necessary for your controller to function in-cluster. Below we list the common rules you need for the basics:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kube-rs-controller
rules:
# You want access to your CRD if you have one
# Replace documents with plural resource name, and kube.rs with your group
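Review bot: the new header lines hard-code `kind: ClusterRole`, while the sentence above still says `Role` / `ClusterRole` and the security chapter has a dedicated "Role vs. ClusterRole" section. Consider a one-line comment next to `kind: ClusterRole` pointing out that a namespaced `Role` (with a `RoleBinding`) is the narrower default when the controller only needs access within its own namespace, so readers do not copy the cluster-wide form by reflex.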
Expand Down Expand Up @@ -124,8 +128,7 @@ Some notes on the above:
- DNS egress should work for both `coredns` and `kube-dns` (via `k8s-app: kube-dns`)
- `prometheus` port and app labels might depend on deployment setup, drop lines from the strict default, or tune values as you see fit
- `opentelemetry-collector` values are the regular defaults from the [collector helm chart](https://github.com/open-telemetry/opentelemetry-helm-charts/blob/1d31c4bf71445595a3a7f5f2edc0850a83422a90/charts/opentelemetry-collector/values.yaml#L238-L285) - change as you see fit
- the interactive network policy editor does not like 'http' as a port, it only accepts integers

- the [policy editor](https://editor.networkpolicy.io/) needs a non-aliased integer port - while valid, it will reject `port: http` above


--8<-- "includes/abbreviations.md"
41 changes: 22 additions & 19 deletions docs/controllers/security.md
Expand Up @@ -36,7 +36,7 @@ Depending on the scope of what your controller is in charge of, you should revie

Managing the RBAC rules requires a **declaration** somewhere (usually in your yaml/chart) of your controllers access **intentions**.

Kubernetes manifests with such rules can be kept up-to-date via [[testing#end-to-end-tests]] in terms of **sufficiency**, but one should also **document the intent** of your controller so that excessive permissions are not just "assumed to be needed" down the road.
Kubernetes [[manifests]] with such rules can be kept up-to-date via [[testing#end-to-end-tests]] in terms of **sufficiency**, but one should also **document the intent** of your controller so that excessive permissions are not just "assumed to be needed" down the road.

!!! note "RBAC Rules Sanity"

Expand All @@ -50,23 +50,23 @@ Installing a CRD into a cluster requires write access to `customresourcedefiniti
If you do need CRD write access, consider **scoping** this to _non-delete_ access, and only for the `resourceNames` you expect:

```yaml
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: NAME
rules:
- apiGroups:
- apiextensions.k8s.io
resourceNames:
- mycrd.kube.rs # <-- key line
resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- patch
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: NAME
rules:
- apiGroups:
- apiextensions.k8s.io
resourceNames:
- mycrd.kube.rs # <-- key line
resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- patch
```
### Role vs. ClusterRole
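Review bot: dropping the leading `- ` is the right fix (the old form was a YAML sequence rather than a single `ClusterRole` document), but the "key line" comment on `resourceNames` oversells what it scopes. Kubernetes RBAC cannot restrict `create` by `resourceNames` because the object name is not known at authorization time, so the `create` verb in this rule is effectively unscoped for `customresourcedefinitions`; and `list` / `watch` under a `resourceNames` rule are only authorized when the client sends a matching `metadata.name` field selector, which a plain `Api::list` will not. Suggest a comment such as `# note: resourceNames does not constrain create` and a sentence in the prose on the `list`/`watch` field-selector requirement.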
Expand Down Expand Up @@ -110,6 +110,8 @@ Instead, consider these security optimized base images:
- :material-check: [distroless base images](https://github.com/GoogleContainerTools/distroless#distroless-container-images) (e.g. [`:cc`](https://github.com/GoogleContainerTools/distroless/tree/main/cc) for glibc / [`:static`](https://github.com/GoogleContainerTools/distroless/tree/main/base) for musl)
- :material-check: [chainguard base images](https://github.com/chainguard-images/images#chainguard-images) (e.g. [gcc-glibc](https://github.com/chainguard-images/images/tree/main/images/gcc-glibc) / [static](https://github.com/chainguard-images/images/tree/main/images/static) for musl)

For shell debugging, consider `kubectl debug` using [ephemeral containers](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container) instead.

### Network Permissions

Limiting who your controller can talk to / be called by will limit how useful of a target the controller will be in the case of a breach.
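Review bot: the added `kubectl debug` sentence belongs in a security chapter, but it should carry the matching caveat: ephemeral containers are created through the `pods/ephemeralcontainers` subresource, so that verb needs its own RBAC gating, and with `--target` the debug container shares the target's process namespace. A clause along the lines of "and restrict `pods/ephemeralcontainers` to the people who need it" keeps the recommendation from reading as a free pass.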
Expand All @@ -125,7 +127,7 @@ Thankfully, you will also **most likely** hear about it quickly from your **secu

We recommend the following selection of tools that play well with the Rust ecosystem:

- [dependabot](https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/) or [renovate](https://github.com/renovatebot/renovate) for automatic dependency updates
- [dependabot](https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/) or [renovate](https://github.com/renovatebot/renovate) for automatic dependency updates ([[upgrading]])
- [`cargo audit`](https://github.com/rustsec/rustsec/blob/main/cargo-audit/README.md) against [rustsec](https://rustsec.org/)
- [`cargo deny`](https://embarkstudios.github.io/cargo-deny/)
- [`cargo auditable`](https://github.com/rust-secure-code/cargo-auditable) embedding an SBOM for [trivy](https://github.com/aquasecurity/trivy) / [`cargo audit`](https://crates.io/crates/cargo-audit) / [syft](https://github.com/anchore/syft)
Expand All @@ -137,6 +139,7 @@ We recommend the following selection of tools that play well with the Rust ecosy
- [CNL: Creating a “Paved Road” for Security in K8s Operators](https://www.youtube.com/watch?v=dyA2msK0pZE)
- [Kubernetes Philly, November 2021 - Distroless Docker Images](https://www.youtube.com/watch?v=1R6vjpVON1o)
- [Wolfi OS and Building Declarative Containers](https://www.youtube.com/watch?v=i4vE45c0fs8) (Chainguard)
- [No more reasons to use distroless containers; kubectl debug](https://floss.social/@schnatterer/111266745878264466)

--8<-- "includes/abbreviations.md"
--8<-- "includes/links.md"
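Review bot: the new link title, "No more reasons to use distroless containers; kubectl debug", reads as an argument against distroless when placed directly under a section that recommends distroless images; the post's point is the opposite (the shell-debugging objection goes away). Consider rewording the link text to make that explicit, and note that a Mastodon post is a less durable reference than the talks listed above it.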
