diff --git a/content/en/docs/reference/config-api/apiserver-audit.v1.md b/content/en/docs/reference/config-api/apiserver-audit.v1.md index e89270a91a3..2837e7c3233 100644 --- a/content/en/docs/reference/config-api/apiserver-audit.v1.md +++ b/content/en/docs/reference/config-api/apiserver-audit.v1.md @@ -322,12 +322,14 @@ The empty string represents the core API group.

Resources is a list of resources this rule applies to.

-

For example: -'pods' matches pods. -'pods/log' matches the log subresource of pods. -'' matches all resources and their subresources. -'pods/' matches all subresources of pods. -'*/scale' matches all scale subresources.

+

For example:

+

If wildcard is present, the validation rule will ensure resources do not overlap with each other.

An empty list implies all resources and subresources in this API groups apply.

@@ -501,10 +503,12 @@ An empty list implies every namespace.

NonResourceURLs is a set of URL paths that should be audited. -s are allowed, but only as the full, final step in the path. -Examples: -"/metrics" - Log requests for apiserver metrics -"/healthz" - Log all health checks

+*s are allowed, but only as the full, final step in the path. +Examples:

+
    +
  • "/metrics" - Log requests for apiserver metrics
    • +
  • "/healthz*" - Log all health checks
    • +
omitStages
@@ -552,4 +556,4 @@ Policy.OmitManagedFields will stand. - \ No newline at end of file + diff --git a/content/en/docs/reference/config-api/kubelet-config.v1.md b/content/en/docs/reference/config-api/kubelet-config.v1.md index 0b55fb12c52..c4b8a999ea6 100644 --- a/content/en/docs/reference/config-api/kubelet-config.v1.md +++ b/content/en/docs/reference/config-api/kubelet-config.v1.md @@ -81,9 +81,9 @@ to provide credentials. Images are expected to contain the registry domain and URL path.

Each entry in matchImages is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. -Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.

+as subdomains like *.k8s.io or k8s.*.io, and top-level-domains such as k8s.*. +Matching partial subdomains like app*.k8s.io is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.

A match exists between an image and a matchImage when all of the below are true:

  • Both contain the same number of domain parts and each part matches.
    • @@ -93,9 +93,9 @@ a single subdomain segment, so *.io does not match *.k8s.io.

    Example values of matchImages:

    • 123456789.dkr.ecr.us-east-1.amazonaws.com
      • -
    • *.azurecr.io
      • +
    • *.azurecr.io
    • gcr.io
      • -
    • *.registry.io
      • +
    • *.*.registry.io
    • registry.io:8080/path
    diff --git a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md index ceb38a718f2..3ecb49baca8 100644 --- a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md +++ b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md @@ -1303,9 +1303,9 @@ to provide credentials. Images are expected to contain the registry domain and URL path.

    Each entry in matchImages is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. -Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.

    +as subdomains like *.k8s.io or k8s.*.io, and top-level-domains such as k8s.*. +Matching partial subdomains like app*.k8s.io is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.

    A match exists between an image and a matchImage when all of the below are true:

    • Both contain the same number of domain parts and each part matches.
      • @@ -1315,9 +1315,9 @@ a single subdomain segment, so *.io does not match *.k8s.io.

      Example values of matchImages:

      • 123456789.dkr.ecr.us-east-1.amazonaws.com
        • -
      • *.azurecr.io
        • +
      • *.azurecr.io
      • gcr.io
        • -
      • *.registry.io
        • +
      • *.*.registry.io
      • registry.io:8080/path
      diff --git a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1.md b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1.md index 16084427108..5379c0651c2 100644 --- a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1.md +++ b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1.md @@ -89,9 +89,9 @@ should be valid for all images that match against this key. A plugin should set this field to null if no valid credentials can be returned for the requested image.

      Each key in the map is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. -Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.

      +as subdomains like *.k8s.io or k8s.*.io, and top-level-domains such as k8s.*. +Matching partial subdomains like app*.k8s.io is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.

      The kubelet will match images against the key when all of the below are true:

      • Both contain the same number of domain parts and each part matches.
        • @@ -108,9 +108,9 @@ stopping after the first successfully authenticated pull.

        Example keys:

        • 123456789.dkr.ecr.us-east-1.amazonaws.com
          • -
        • *.azurecr.io
          • +
        • *.azurecr.io
        • gcr.io
          • -
        • ..registry.io
          • +
        • *.*.registry.io
        • registry.io:8080/path
        @@ -166,4 +166,4 @@ An empty password is valid.

        - \ No newline at end of file + diff --git a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md index 4d2e9196edd..f4f610ffe23 100644 --- a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md +++ b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md @@ -89,9 +89,9 @@ should be valid for all images that match against this key. A plugin should set this field to null if no valid credentials can be returned for the requested image.

        Each key in the map is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. -Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.

        +as subdomains like *.k8s.io or k8s.*.io, and top-level-domains such as k8s.*. +Matching partial subdomains like app*.k8s.io is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.

        The kubelet will match images against the key when all of the below are true:

        • Both contain the same number of domain parts and each part matches.
          • @@ -108,9 +108,9 @@ stopping after the first successfully authenticated pull.

          Example keys:

          • 123456789.dkr.ecr.us-east-1.amazonaws.com
            • -
          • *.azurecr.io
            • +
          • *.azurecr.io
          • gcr.io
            • -
          • ..registry.io
            • +
          • *.*.registry.io
          • registry.io:8080/path
          @@ -166,4 +166,4 @@ An empty password is valid.

          - \ No newline at end of file + diff --git a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md index cac38ef9bd8..b53b6bde50d 100644 --- a/content/en/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md +++ b/content/en/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md @@ -89,9 +89,9 @@ should be valid for all images that match against this key. A plugin should set this field to null if no valid credentials can be returned for the requested image.

          Each key in the map is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. -Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.

          +as subdomains like *.k8s.io or k8s.*.io, and top-level-domains such as k8s.*. +Matching partial subdomains like app*.k8s.io is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.

          The kubelet will match images against the key when all of the below are true:

          • Both contain the same number of domain parts and each part matches.
            • @@ -108,9 +108,9 @@ stopping after the first successfully authenticated pull.

            Example keys:

            • 123456789.dkr.ecr.us-east-1.amazonaws.com
              • -
            • *.azurecr.io
              • +
            • *.azurecr.io
            • gcr.io
              • -
            • ..registry.io
              • +
            • *.*.registry.io
            • registry.io:8080/path
            @@ -166,4 +166,4 @@ An empty password is valid.

            - \ No newline at end of file +