List & watch can be authorized on named resources (#14339)

pull/14354/head
Tim Allclair (St. Clair) 2019-05-16 05:03:49 -07:00 committed by Kubernetes Prow Robot
parent 22db0bbf30
commit 5f5883a5ea
1 changed files with 4 additions and 7 deletions

@ -193,9 +193,8 @@ rules:
```
Resources can also be referred to by name for certain requests through the `resourceNames` list.
When specified, requests using the "get", "delete", "update", and "patch" verbs can be restricted
to individual instances of a resource. To restrict a subject to only "get" and "update" a single
configmap, you would write:
When specified, requests can be restricted to individual instances of a resource. To restrict a
subject to only "get" and "update" a single configmap, you would write:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
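Review bot: the rewritten sentence ("requests can be restricted to individual instances of a resource") drops the verb enumeration without saying what replaces it, so the reader can no longer tell which requests a `resourceNames` rule actually matches. Since the commit title states that list and watch can now be authorized on named resources, this paragraph should say under what condition a list or watch request is treated as naming a single object (what the request has to carry), and that the `get`/`update`/`patch`/`delete` cases still match by the name in the URL path. Otherwise the reader is left guessing whether a plain namespace-wide `list` is allowed by a rule like the configmap example.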
@ -210,10 +209,8 @@ rules:
verbs: ["update", "get"]
```
Notably, if `resourceNames` are set, then the verb must not be list, watch, create, or deletecollection.
Because resource names are not present in the URL for create, list, watch, and deletecollection API requests,
those verbs would not be allowed by a rule with `resourceNames` set, since the `resourceNames` portion of the
rule would not match the request.
Note that `create` requests cannot be restricted by resourceName, as the object name is not known at
authorization time. The other exception is `deletecollection`.
### Aggregated ClusterRoles
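Review bot: the two new lines refer to the field as `resourceName` (singular, no backticks around the attribute on the first mention) while the rest of the section and the YAML use `resourceNames`; use the exact field name `resourceNames` consistently, since readers copy it into rules. Separately, "The other exception is `deletecollection`." states the exception without the rationale the removed text carried; keep one clause explaining why, for example "`deletecollection` requests also carry no resource name, so a rule with `resourceNames` set never matches them", so the reader knows the exclusion is structural rather than arbitrary and can reason about the same limitation for any other verb.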