- Some examples are actually not good "examples", i.e. they are not
ready for the users to try out.
- Some examples are failing the validation in their current format.
- Some examples skipped the test case.
These issues are fixed.
Rather than mention trust bundles as a subtopic of certificate signing
requests, reshape the page so that:
- it's clear that CSRs are stable but ClusterTrustBundles are alpha
- the task for issuing a certificate to a user stands separately from
the concepts explained elsewhere in the page
- it's clear that signers are relevant to both CSRs and
ClusterTrustBundles
Document the API types as they exist today, plus a hint of the future
integrations that will be available.
Co-Authored-By: Taahir Ahmed <taahm@google.com>
* about apiGroups
Look at the source code, apiGroups is an empty set and not all are allowed, you need to use * to be able to, if it is an empty set if the resource does not have apiGroups then it will not be accessible
Refer to:
https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/rbac/v1/evaluation_helpers.go#L85
https://github.com/kubernetes/api/blob/master/rbac/v1/types.go#L29
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
* Update rbac.md
* Update rbac.md
* Update content/en/docs/reference/access-authn-authz/rbac.md
the comma
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
* Update rbac.md
All changed
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Qiming Teng <tengqm@outlook.com>
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Qiming Teng <tengqm@outlook.com>
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Qiming Teng <tengqm@outlook.com>
---------
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
Co-authored-by: Qiming Teng <tengqm@outlook.com>
Note the shortcomings of the implementation of this admission plugin
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: Qiming Teng <tengqm@outlook.com>
The `admission.k8s.io/v1` API group is not generated into the v2/v3 OpenAPI
specification as part of Kubernetes API because it is not officially "served".
However, the structs in the API group are used in other APIs that are user-facing.
This PR adds the reference API and fixes references to it.
Document EndpointSlice as the preferred and most appropriate mechanism
to record the backing endpoints of a Service.
Co-authored-by: Rob Scott <rob.scott87@gmail.com>
Co-authored-by: Shannon Kularathna <ax3shannonkularathna@gmail.com>
* Make example service account output match 1.24+ output with auto-generated tokens omitted
* Prefer `kubectl create token` as token creation mechanism
Signed-off-by: Tom Kivlin <tom.kivlin@vodafone.com>
added link to best practice doc
update from sftim comments
update from liggitt comments
Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
update from liggitt comment
This PR updates the admission controllers page by:
- removing two plugins which have been removed since 1.18
- removing text about ancient history
- removing shortcode about plugins that graduated into GA a long time ago;
--service-account-key-file flag to the kube-api-server is used to verify ServiceAccount tokens (and not to sign them).
--service-account-signing-key-file is the kube-api-server flag that's used to sign ServiceAccount tokens (short-lived ones).
--service-account-private-key-file is the kube-controller-manager flag that's used to sign ServiceAccount tokens (long-lived ones).
The `get`, `list` and `watch` verbs can all be used to retrieve the full details of a resource. It is not an uncommon assumption amongst users that they return different data (e.g. that `list` only returns the names of resources, when it can return the full object).
This adds a caution block to highlight this potential gotcha.
This PR removes outdated information about `admissionregistration.v1beta1` API groups
which are no longer supported in 1.24. Additional notes are added to
avoid confusion when parsing the examples.
* Callout that impersonation needs (ClusterRole)Binding
I learned through trial and error that impersonation does not work with Role and RoleBinding - this was not obvious. It would be good if the docs call this out.
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: Qiming Teng <tengqm@outlook.com>
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: Tim Bannister <tim@scalefactory.com>
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>
Co-authored-by: Qiming Teng <tengqm@outlook.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>