The `get`, `list` and `watch` verbs can all be used to retrieve the full details of a resource. It is not an uncommon assumption amongst users that they return different data (e.g. that `list` only returns the names of resources, when it can return the full object).
This adds a caution block to highlight this potential gotcha.
The logical navigation definitely works better if Pod Security admission
and PodSecurityPolicy are pages in the same section. Make It So.
Co-authored-by: Rey Lejano <rlejano@gmail.com>
Add example for querying SA permissions
Add missing example for querying the API authorization layer for checking the permissions of a Service Account
Add missing SA identifying prefix
Improve suggested text to align with current content
Co-authored-by: Sam Roth <2413031+sejr@users.noreply.github.com>
Improve suggested text to align with current content
Co-authored-by: Sam Roth <2413031+sejr@users.noreply.github.com>
* Clarified scenarios that could lead to privilege escalation
Made it clearer that it's not just creating pods which enables the privilege escalation. It's all workloads, all reconfiguration of workloads, and conceptually the creation and reconfiguration of custom resources which create workloads.
* Allowing link to priv escalation heading if required
* Update content/en/docs/reference/access-authn-authz/authorization.md
Co-authored-by: Tim Bannister <tim@scalefactory.com>
* Adding further clarifications
* Retitled escalation section
* Apply suggestions from vjftw
Co-authored-by: VJ Patel <VJftw@users.noreply.github.com>
* Clarified CRDs and reduced duplication
* Updating caution based on Geoffrey's comments
* Updating controller comment and linking out to reference docs
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: VJ Patel <VJftw@users.noreply.github.com>
* Add the code blocks in the Markdown spec to make it easy to read.
* Add description that distinguishes between **command** and **output** to make it easy to read.
* Adjust description in Kubernetes components for smoother reading.
Signed-off-by: ydFu <ader.ydfu@gmail.com>
Readers from several different backgrounds will find it useful to know
about how Kubernetes controls access to its API. Promote this overview
to the Security subsection of Concepts.
The content describing authorization modes used the term "authorization
modules" erroneously. This patch uses the term "mode" as is appropriate
but keeps the section link header as the old "authorization-modules" in
order not to break older links.