* Callout that impersonation needs (ClusterRole)Binding
I learned through trial and error that impersonation does not work with Role and RoleBinding - this was not obvious. It would be good if the docs call this out.
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: Qiming Teng <tengqm@outlook.com>
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: Tim Bannister <tim@scalefactory.com>
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>
Co-authored-by: Qiming Teng <tengqm@outlook.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>
This PR fixes several things in the admission-controllers page:
- The `PodSecurity` plugin is enabled by default, but it was not listed so;
- The `apiserver.config.k8s.io/v1alpha1` has been deprecated since v1.17, we are still documenting it side by side with the `apiserver.config.k8s.io/v1` API group;
- The `eventratelimit.admission.k8s.io/v1alpha1` API could use a better reference rather than the design doc; **The imagepolicy.v1alpha1 API is not documented anywhere, I'll add it later on.**
- There are statements about future, which should be removed;
- We are supposed refer to the `LimitRage` API reference rather than pointing users to the design docs;
- We are supposed refer to the `ResourceQuota` API reference rather than pointing users to the design docs;
- There are long lines in the page source which could have been wrapped properly.
The `kubelet-authentication-authorization` and the `kubelet-tls-bootstrapping`
pages do not belong to `reference/command-line-tools-reference` topic.
This PR moves them into `reference/access-authn-authz` subdirectory
which is a better fit.
The `static/_redirects` file is updated to point to the new location.
The logical navigation definitely works better if Pod Security admission
and PodSecurityPolicy are pages in the same section. Make It So.
Co-authored-by: Rey Lejano <rlejano@gmail.com>
- This page referenced the "CertificationSigningRequests API," but this should be "CertificateSigningRequests API" or "Certificates API."
- Added a link to the documentation for CertificateSigningRequests.
The previous commit for configuration APIs has some nits to fix:
- The client-authentication API has both v1beta1 and v1 supported.
We need to include both.
- The kube-scheduler v1alpha1 is superceded by v1alpha3 which is new.
- The links to some external type definitions should point to the 1.23
API rather than old versions.
*should* implies that an `extra` can be mixed case. but really it can't because a mixed case `extra` will mismatch on an RBAC `ClusterRole` once the header is canonicalized.
Add example for querying SA permissions
Add missing example for querying the API authorization layer for checking the permissions of a Service Account
Add missing SA identifying prefix
Improve suggested text to align with current content
Co-authored-by: Sam Roth <2413031+sejr@users.noreply.github.com>
Improve suggested text to align with current content
Co-authored-by: Sam Roth <2413031+sejr@users.noreply.github.com>
* Clarified scenarios that could lead to privilege escalation
Made it clearer that it's not just creating pods which enables the privilege escalation. It's all workloads, all reconfiguration of workloads, and conceptually the creation and reconfiguration of custom resources which create workloads.
* Allowing link to priv escalation heading if required
* Update content/en/docs/reference/access-authn-authz/authorization.md
Co-authored-by: Tim Bannister <tim@scalefactory.com>
* Adding further clarifications
* Retitled escalation section
* Apply suggestions from vjftw
Co-authored-by: VJ Patel <VJftw@users.noreply.github.com>
* Clarified CRDs and reduced duplication
* Updating caution based on Geoffrey's comments
* Updating controller comment and linking out to reference docs
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: VJ Patel <VJftw@users.noreply.github.com>
This is a reference for WebhookAdmission config generated from kubernetes-sigs/reference-docs/genref tool.
More specifically, it is generated using the following command:
```shell
./genref -include apiserver-webhookadmission
```
This is a reference for client authentication API generated from kubernetes-sigs/reference-docs/genref tool.
More specifically, it is generated using the following command:
```shell
./genref -include client-authentication
```
Osuolale Emmanuel
Raki
Sean Wei
Guangwen Feng
Kubernetes Prow Robot
Rishit Dagli
kadtendulkar
wei.wang
Qiming Teng
Nate W
xin.li
CJ Cullen
Mads Jensen
Tim Bannister
Cezary Czekalski
Margo Crawford
Tim Allclair
Jay Beale
Shubham
Marc Boorshtein
Jesse Butler
Wang
Hemant Kumar
Jordan Liggitt
Rodrigo Queiro
Jonas Steinberg
Pranshu Srivastava
chirangaalwis
Richard Tweed
Sergiusz Urbaniak
Abirdcfly
Mengjiao Liu
Maciej Filocha
Rob Scott
Monis Khan
Samuel Roth
Andrew Keesler
Christopher Negus
AStraw
Edward Huang
Shihang Zhang
chenxuc
Jai Govindani
Smuu
Michael Gugino
Victor Palade