Commit 1376909

Merge pull request #28264 from tengqm/fix-28249
[zh] Fix and resync RBAC
2 parents 286c1b1 + bd7a705 commit 1376909

content/zh/docs/reference/access-authn-authz/rbac.md

Lines changed: 6 additions & 6 deletions
@@ -273,13 +273,13 @@ RoleBinding 所在名字空间的资源。这种引用使得你可以跨整个
273273

274274
```yaml
275275
apiVersion: rbac.authorization.k8s.io/v1
276-
# 此角色绑定使得用户 "dave" 能够读取 "default" 名字空间中的 Secrets
276+
# 此角色绑定使得用户 "dave" 能够读取 "development" 名字空间中的 Secrets
277277
# 你需要一个名为 "secret-reader" 的 ClusterRole
278278
kind: RoleBinding
279279
metadata:
280280
name: read-secrets
281281
# RoleBinding 的名字空间决定了访问权限的授予范围。
282-
# 这里仅授权在 "development" 名字空间内的访问权限。
282+
# 这里隐含授权仅在 "development" 名字空间内的访问权限。
283283
namespace: development
284284
subjects:
285285
- kind: User
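Review bot: the substantive correction in this hunk is line 276, where the comment named the "default" namespace while the manifest's `namespace: development` (line 283) is what actually scopes the grant; a RoleBinding only grants within its own namespace, so a comment naming a different namespace would mislead readers about where "dave" can read Secrets. The wording change on line 282 (这里隐含授权仅在 "development" 名字空间内的访问权限) sits right after line 281, which already states that the RoleBinding's namespace decides the scope; keep line 282 as close as possible to the English source comment so the two lines do not drift apart on the next resync.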
@@ -338,15 +338,15 @@ There are two reasons for this restriction:
338338
1. A binding to a different role is a fundamentally different binding.
339339
Requiring a binding to be deleted/recreated in order to change the `roleRef`
340340
ensures the full list of subjects in the binding is intended to be granted
341-
the new role (as opposed to enabling accidentally modifying just the roleRef
341+
the new role (as opposed to enabling or accidentally modifying only the roleRef
342342
without verifying all of the existing subjects should be given the new role's permissions).
343343
2. Making `roleRef` immutable allows giving `update` permission on an existing binding object
344344
to a user, which lets them manage the list of subjects, without being able to change the
345345
role that is granted to those subjects.
346346
-->
347347
1. 针对不同角色的绑定是完全不一样的绑定。要求通过删除/重建绑定来更改 `roleRef`,
348-
这样可以确保要赋予绑定的所有主体会被授予新的角色(而不是在允许修改
349-
`roleRef` 的情况下导致所有现有主体未经验证即被授予新角色对应的权限)。
348+
这样可以确保要赋予绑定的所有主体会被授予新的角色(而不是在允许或者不小心修改
349+
`roleRef` 的情况下导致所有现有主体未经验证即被授予新角色对应的权限)。
350350
1. 将 `roleRef` 设置为不可以改变,这使得可以为用户授予对现有绑定对象的 `update` 权限,
351351
这样可以让他们管理主体列表,同时不能更改被授予这些主体的角色。
352352

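Review bot: the translation on lines 348-349 now tracks the resynced English ("允许或者不小心修改" for "enabling or accidentally modifying only the roleRef"), which is the correct fix for this hunk. One style point: the English comment numbers its second reason "2." (line 343) while the Chinese list uses "1." for both items (lines 347 and 350); consider "2." on line 350 to mirror the source, even though Markdown renders either form as an ordered list.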
@@ -503,7 +503,7 @@ as a cluster administrator, include rules for custom resources, such as those se
503503
or aggregated API servers, to extend the default roles.
504504

505505
For example: the following ClusterRoles let the "admin" and "edit" default roles manage the custom resource
506-
named CronTab, whereas the "view" role can perform just read actions on CronTab resources.
506+
named CronTab, whereas the "view" role can perform only read actions on CronTab resources.
507507
You can assume that CronTab objects are named `"crontabs"` in URLs as seen by the API server.
508508
-->
509509
默认的[面向用户的角色](#default-roles-and-role-bindings) 使用 ClusterRole 聚合。
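Review bot: only the English source comment changes in this hunk (line 506, "just" to "only"), and the Chinese paragraph that renders it falls outside the shown context; confirm that the zh sentence still states that the "view" role can perform read actions only on CronTab resources, since that read-only boundary for "view" is the security-relevant claim of the paragraph and an out-of-sync translation is the one way this resync could drift.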
