kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/kubernetes/kubernetes.github.io into release-1.7 

* 'master' of https://github.com/kubernetes/kubernetes.github.io:
  Document the use of verb if set resourceNames
reviewable/pr4170/r1
Andrew Chen 2017-06-22 13:40:42 -07:00
parent 83474c06d6 4ac5baaf51
commit 64531da47d
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/admin/authorization/rbac.md
View File

@ -186,9 +186,10 @@ rules:
verbs: ["update", "get"]
```
Notably, `resourceNames` can NOT be used to limit requests using the "create" verb because
authorizers only have access to information that can be obtained from the request URL, method,
and headers (resource names in a "create" request are part of the request body).
Notably, if `resourceNames` are set, then the verb must not be list, watch, create, or deletecollection.
Because resource names are not present in the URL for create, list, watch, and deletecollection API requests,
those verbs would not be allowed by a rule with resourceNames set, since the resourceNames portion of the
rule would not match the request.
#### Role Examples