From b1bd85a421c200ecfe3688e2b376f82ab91e7013 Mon Sep 17 00:00:00 2001
From: zmquan <952473625@qq.com>
Date: Wed, 5 Apr 2023 13:01:38 +0800
Subject: [PATCH] about apiGroups (#40315)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* about apiGroups

Look at the source code, apiGroups is an empty set and not all are allowed, you need to use * to be able to, if it is an empty set if the resource does not have apiGroups then it will not be accessible

Refer to:
https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/rbac/v1/evaluation_helpers.go#L85
https://github.com/kubernetes/api/blob/master/rbac/v1/types.go#L29

* Update content/en/docs/reference/access-authn-authz/rbac.md

Co-authored-by: Jordan Liggitt

* Update rbac.md

* Update rbac.md

* Update content/en/docs/reference/access-authn-authz/rbac.md

the comma

Co-authored-by: Jordan Liggitt

* Update rbac.md

All changed

* Update content/en/docs/reference/access-authn-authz/rbac.md

Co-authored-by: Qiming Teng

* Update content/en/docs/reference/access-authn-authz/rbac.md

Co-authored-by: Qiming Teng

* Update content/en/docs/reference/access-authn-authz/rbac.md

Co-authored-by: Qiming Teng

---------

Co-authored-by: Jordan Liggitt
Co-authored-by: Qiming Teng
---
 content/en/docs/reference/access-authn-authz/rbac.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md
index aa5ec669b12..26440edfdb6 100644
--- a/content/en/docs/reference/access-authn-authz/rbac.md
+++ b/content/en/docs/reference/access-authn-authz/rbac.md
@@ -285,9 +285,13 @@ If you restrict `list` or `watch` by resourceName, clients must include a `metad For example, `kubectl get configmaps --field-selector=metadata.name=my-configmap` {{< /note >}} -Rather than referring to individual `resources` and `verbs` you can use the wildcard `*` symbol to refer to all such objects. -For `nonResourceURLs` you can use the wildcard `*` symbol as a suffix glob match and for `apiGroups` and `resourceNames` an empty set means that everything is allowed. -Here is an example that allows access to perform any current and future action on all current and future resources (note, this is similar to the built-in `cluster-admin` role). +Rather than referring to individual `resources`、`apiGroups`, and `verbs`, +you can use the wildcard `*` symbol to refer to all such objects. +For `nonResourceURLs`, you can use the wildcard `*` as a suffix glob match. +For `resourceNames`, an empty set means that everything is allowed. +Here is an example that allows access to perform any current and future action on +all current and future resources in the `example.com` API group. +This is similar to the built-in `cluster-admin` role. ```yaml apiVersion: rbac.authorization.k8s.io/v1
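Review bot: the first added line still uses the fullwidth ideographic comma `、` between `resources` and `apiGroups` ("individual `resources`、`apiGroups`, and `verbs`"); replace it with an ASCII comma and space so the list reads "`resources`, `apiGroups`, and `verbs`". Two further points on the same hunk. First, the old sentence wrongly claimed that an empty `apiGroups` set allows everything, and the new text drops that claim but never says what an empty list does do; since that is the whole reason for this change, add one sentence stating that `apiGroups` must list `""` for the core group (or `*` for all groups) and that an empty list matches no API group, which is what the linked `evaluation_helpers.go` check implies. Second, the example is now described as covering "all current and future resources in the `example.com` API group" yet the next sentence still says "This is similar to the built-in `cluster-admin` role"; `cluster-admin` grants `*` across all API groups, so either keep the example on all groups or drop the `cluster-admin` comparison, and make sure the YAML that follows uses the same `apiGroups` value the prose describes.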