kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Document the use of verb if set resourceNames 

ref to https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/rbac/helpers.go#L225
This commit is contained in:
Charlie R.C 2017-06-20 21:38:43 -05:00 committed by Andrew Chen
parent e883a27f3b
commit 4ac5baaf51
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/admin/authorization/rbac.md
View File

@ -186,9 +186,10 @@ rules:
verbs: ["update", "get"]
```
Notably, `resourceNames` can NOT be used to limit requests using the "create" verb because
authorizers only have access to information that can be obtained from the request URL, method,
and headers (resource names in a "create" request are part of the request body).
Notably, if `resourceNames` are set, then the verb must not be list, watch, create, or deletecollection.
Because resource names are not present in the URL for create, list, watch, and deletecollection API requests,
those verbs would not be allowed by a rule with resourceNames set, since the resourceNames portion of the
rule would not match the request.
#### Role Examples