content/en/docs/reference/access-authn-authz/rbac.md
4 additions & 2 deletions
@@ -279,8 +279,10 @@ rules:
279
279
```
280
280
281
281
{{< note >}}
282
-
You cannot restrict `create` or `deletecollection` requests by resourceName. For `create`, this
283
-
limitation is because the object name is not known at authorization time.
282
+
You cannot restrict `create` or `deletecollection` requests by their resource name.
283
+
For `create`, this limitation is because the name of the new object may not be known at authorization time.
284
+
If you restrict `list` or `watch` by resourceName, clients must include a `metadata.name` field selector in their `list` or `watch` request that matches the specified resourceName in order to be authorized.
285
+
For example, `kubectl get configmaps --field-selector=metadata.name=my-configmap`
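Review bot: The added `list`/`watch` sentence uses bare `resourceName` twice, while the first added line switches to "resource name". Pick one form, and where the rule field is meant, use code formatting and the key as it appears in a rule (`resourceNames`) so readers can map the sentence to the rule shown above the note. The example on the last added line would be easier to follow if it said that `my-configmap` is the name listed in the rule, and that the same `kubectl get configmaps` request without the `metadata.name` field selector is not authorized, since that is the behavior that surprises people. That line also ends without a period, unlike the other sentences in the note, and the `list`/`watch` line is much longer than the wrapped lines around it.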