resolve some semantics around ABAC and RBAC (#10256)

* resolve some semantics around ABAC and RBAC

some minor tweaks for readability.

* Update abac.md

* Update abac.md

* Update abac.md

* Update abac.md

* Update abac.md
jay vyas 2018-10-03 23:37:03 -04:00 committed by k8s-ci-robot
parent f39bc10631
commit 35cc6ed576
1 changed file with 9 additions and 11 deletions


@ -16,12 +16,12 @@ Attribute-based access control (ABAC) defines an access control paradigm whereby
{{% capture body %}}
## Policy File Format
For mode `ABAC`, also specify `--authorization-policy-file=SOME_FILENAME`.
To enable `ABAC` mode, specify `--authorization-policy-file=SOME_FILENAME` and `--authorization-mode=ABAC` on startup.
The file format is [one JSON object per line](http://jsonlines.org/). There
should be no enclosing list or map, just one map per line.
Each line is a "policy object". A policy object is a map with the following
Each line is a "policy object", where each such object is a map with the following
properties:
- Versioning properties:
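Review bot: the rewritten policy-object sentence in this hunk repeats its subject: "Each line is a "policy object", where each such object is a map with the following properties:" says the same thing twice. Suggest the tighter "Each line is a "policy object": a map with the following properties:". The new startup sentence is the right fix for the old "also specify", since it now names both `--authorization-mode=ABAC` and `--authorization-policy-file=SOME_FILENAME` in one place instead of assuming the reader already knows the mode flag.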
@ -104,12 +104,12 @@ up the verbosity:
```json
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "alice", "namespace": "*", "resource": "*", "apiGroup": "*"}}
```
2. Kubelet can read any pods:
2. The Kubelet can read any pods:
```json
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "kubelet", "namespace": "*", "resource": "pods", "readonly": true}}
```
3. Kubelet can read and write events:
3. The Kubelet can read and write events:
```json
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "kubelet", "namespace": "*", "resource": "events"}}
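Review bot: "The Kubelet" in items 2 and 3 capitalizes the component name, while the policy lines directly beneath each item use the lower-case identity `"user": "kubelet"`, and the rest of the docs write the component as lower-case "kubelet". Suggest "The kubelet can read any pod" and "The kubelet can read and write events"; adding the article is a good readability change, the case change is what to drop.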
@ -130,22 +130,20 @@ up the verbosity:
## A quick note on service accounts
A service account automatically generates a user. The user's name is generated
according to the naming convention:
Every service account has a corresponding ABAC username, and that service account's user name is generated according to the naming convention:
```shell
system:serviceaccount:<namespace>:<serviceaccountname>
```
Creating a new namespace also causes a new service account to be created, of
this form:
Creating a new namespace leads to the creation of a new service account in the following format:
```shell
system:serviceaccount:<namespace>:default
```
For example, if you wanted to grant the default service account in the
kube-system full privilege to the API, you would add this line to your policy
file:
For example, if you wanted to grant the default service account (in the `kube-system` namespace) full
privilege to the API using ABAC, you would add this line to your policy file:
```json
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"system:serviceaccount:kube-system:default","namespace":"*","resource":"*","apiGroup":"*"}}
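Review bot: the new service-account sentence mixes "username" and "user name" in one breath ("a corresponding ABAC username, and that service account's user name is generated ..."); pick one spelling, and drop the "ABAC" qualifier, because `system:serviceaccount:<namespace>:<serviceaccountname>` is the identity the authenticator assigns to the service account and the same subject name an RBAC binding would reference, so it is not specific to the ABAC authorizer. Suggest: "Every service account is authenticated as a user whose name follows the convention:". Likewise "leads to the creation of a new service account in the following format" describes the format of the user name, not of the service account; suggest "Creating a namespace also creates a `default` service account in it, whose user name has the form:".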