List & watch can be authorized on named resources (#14339)

Tim Allclair (St. Clair) 2019-05-16 05:03:49 -07:00 committed by Kubernetes Prow Robot
parent 22db0bbf30
commit 5f5883a5ea
1 changed file with 4 additions and 7 deletions


@ -193,9 +193,8 @@ rules:
``` ```
Resources can also be referred to by name for certain requests through the `resourceNames` list. Resources can also be referred to by name for certain requests through the `resourceNames` list.
When specified, requests using the "get", "delete", "update", and "patch" verbs can be restricted When specified, requests can be restricted to individual instances of a resource. To restrict a
to individual instances of a resource. To restrict a subject to only "get" and "update" a single subject to only "get" and "update" a single configmap, you would write:
configmap, you would write:
```yaml ```yaml
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
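Review bot: the rewritten sentence at lines 194-195 drops the explicit verb list ("get", "delete", "update", "patch") without saying which verbs now qualify, so a reader reaches the `resourceNames` example with no statement of scope; since the commit title (#14339) says list and watch are what this change adds, consider either keeping a short verb list here or adding a one-line pointer such as "Most verbs, including `list` and `watch`, can be restricted this way; see the exceptions below." so the scope is stated before the example rather than only in the following paragraph.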
@ -210,10 +209,8 @@ rules:
verbs: ["update", "get"] verbs: ["update", "get"]
``` ```
Notably, if `resourceNames` are set, then the verb must not be list, watch, create, or deletecollection. Note that `create` requests cannot be restricted by resourceName, as the object name is not known at
Because resource names are not present in the URL for create, list, watch, and deletecollection API requests, authorization time. The other exception is `deletecollection`.
those verbs would not be allowed by a rule with `resourceNames` set, since the `resourceNames` portion of the
rule would not match the request.
### Aggregated ClusterRoles ### Aggregated ClusterRoles
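Review bot: "The other exception is `deletecollection`." states the exception without its reason, while the removed lines 211-213 explained it (no resource name is present in the request for that verb); suggest keeping the rationale, e.g. "Likewise `deletecollection` cannot be restricted by `resourceNames`, since the request addresses the whole collection rather than a named object." Also, the new paragraph mentions neither `list` nor `watch`, although the commit title says those verbs are the point of the change; a sentence stating that list and watch requests are now subject to `resourceNames` restrictions would make the new behaviour visible to someone auditing a Role, instead of leaving it to be inferred from the absence of those verbs in the exception list.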