about apiGroups (#40315)

* about apiGroups

Look at the source code: an empty apiGroups set does not mean that all are allowed; you need to use * to be able to. If it is an empty set and the resource does not have apiGroups, then it will not be accessible.

Refer to:
https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/rbac/v1/evaluation_helpers.go#L85
https://github.com/kubernetes/api/blob/master/rbac/v1/types.go#L29

* Update content/en/docs/reference/access-authn-authz/rbac.md

Co-authored-by: Jordan Liggitt <jordan@liggitt.net>

* Update rbac.md

* Update rbac.md

* Update content/en/docs/reference/access-authn-authz/rbac.md

the comma

Co-authored-by: Jordan Liggitt <jordan@liggitt.net>

* Update rbac.md

All changed

* Update content/en/docs/reference/access-authn-authz/rbac.md

Co-authored-by: Qiming Teng <tengqm@outlook.com>

* Update content/en/docs/reference/access-authn-authz/rbac.md

Co-authored-by: Qiming Teng <tengqm@outlook.com>

* Update content/en/docs/reference/access-authn-authz/rbac.md

Co-authored-by: Qiming Teng <tengqm@outlook.com>

---------

Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
Co-authored-by: Qiming Teng <tengqm@outlook.com>
pull/40522/head
zmquan 2023-04-05 13:01:38 +08:00 committed by GitHub
parent 4a91a5eb87
commit b1bd85a421
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 3 deletions


@ -285,9 +285,13 @@ If you restrict `list` or `watch` by resourceName, clients must include a `metad
For example, `kubectl get configmaps --field-selector=metadata.name=my-configmap`
{{< /note >}}
Rather than referring to individual `resources` and `verbs` you can use the wildcard `*` symbol to refer to all such objects.
For `nonResourceURLs` you can use the wildcard `*` symbol as a suffix glob match and for `apiGroups` and `resourceNames` an empty set means that everything is allowed.
Here is an example that allows access to perform any current and future action on all current and future resources (note, this is similar to the built-in `cluster-admin` role).
Rather than referring to individual `resources`、`apiGroups`, and `verbs`,
you can use the wildcard `*` symbol to refer to all such objects.
For `nonResourceURLs`, you can use the wildcard `*` as a suffix glob match.
For `resourceNames`, an empty set means that everything is allowed.
Here is an example that allows access to perform any current and future action on
all current and future resources in the `example.com` API group.
This is similar to the built-in `cluster-admin` role.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
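Review bot: the added line "Rather than referring to individual `resources`、`apiGroups`, and `verbs`," uses the full-width ideographic comma `、` between `resources` and `apiGroups`; replace it with an ASCII comma and space so the English page reads "individual `resources`, `apiGroups`, and `verbs`," consistently. Separately, now that the example is scoped to "all current and future resources in the `example.com` API group", the sentence "This is similar to the built-in `cluster-admin` role." overstates the comparison, since `cluster-admin` grants access across every API group; consider "This is similar in spirit to the built-in `cluster-admin` role, which additionally covers all API groups."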