From 4ac5baaf5127526bcd9ba31be22081d9aa8e13fd Mon Sep 17 00:00:00 2001 From: "Charlie R.C" Date: Tue, 20 Jun 2017 21:38:43 -0500 Subject: [PATCH] Document the use of verb if set resourceNames ref to https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/rbac/helpers.go#L225 --- docs/admin/authorization/rbac.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/admin/authorization/rbac.md b/docs/admin/authorization/rbac.md index ac1f826002..921704a988 100644 --- a/docs/admin/authorization/rbac.md +++ b/docs/admin/authorization/rbac.md @@ -186,9 +186,10 @@ rules: verbs: ["update", "get"] ``` -Notably, `resourceNames` can NOT be used to limit requests using the "create" verb because -authorizers only have access to information that can be obtained from the request URL, method, -and headers (resource names in a "create" request are part of the request body). +Notably, if `resourceNames` are set, then the verb must not be list, watch, create, or deletecollection. +Because resource names are not present in the URL for create, list, watch, and deletecollection API requests, +those verbs would not be allowed by a rule with resourceNames set, since the resourceNames portion of the +rule would not match the request. #### Role Examples
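Review bot: In the added paragraph of the rbac.md hunk, "the verb must not be list, watch, create, or deletecollection" reads as a validation constraint, while the next sentence says a rule with resourceNames set simply would not match those requests. Consider stating it as what the rule cannot authorize, for example "a rule with `resourceNames` set never matches list, watch, create, or deletecollection requests", so readers do not expect the Role itself to be rejected. The verb names and the later two mentions of resourceNames should be in backticks to match the first `resourceNames`, and the two verb lists should use the same order. The removed text also gave the reason for the create case (the name is part of the request body); keeping that clause would preserve the explanation. The commit message links helpers.go on master with a line anchor (#L225), which will drift as the file changes; a commit-pinned permalink would keep the reference stable.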