* about apiGroups
Look at the source code, apiGroups is an empty set and not all are allowed, you need to use * to be able to, if it is an empty set if the resource does not have apiGroups then it will not be accessible
Refer to:
https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/rbac/v1/evaluation_helpers.go#L85
https://github.com/kubernetes/api/blob/master/rbac/v1/types.go#L29
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Jordan Liggitt <[email protected]>
* Update rbac.md
* Update rbac.md
* Update content/en/docs/reference/access-authn-authz/rbac.md
the comma
Co-authored-by: Jordan Liggitt <[email protected]>
* Update rbac.md
All changed
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Qiming Teng <[email protected]>
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Qiming Teng <[email protected]>
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Qiming Teng <[email protected]>
---------
Co-authored-by: Jordan Liggitt <[email protected]>
Co-authored-by: Qiming Teng <[email protected]>
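The matching behaviour this commit message describes, written out as an added example (not part of the commit and not the Kubernetes source): a simplified model in which an empty `apiGroups` list matches nothing, an empty `resourceNames` list matches everything, and a trailing `*` in `nonResourceURLs` is a suffix glob. The `Rule` type and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified stand-in for an RBAC policy rule (hypothetical type for this example).
type Rule struct {
	APIGroups, ResourceNames, NonResourceURLs []string
}

// apiGroupMatches: "*" matches any group, otherwise the group must match exactly.
// An empty list gives the loop nothing to iterate over, so it matches no group.
func apiGroupMatches(r Rule, group string) bool {
	for _, g := range r.APIGroups {
		if g == "*" || g == group {
			return true
		}
	}
	return false
}

// resourceNameMatches: an empty list means every object name is allowed.
func resourceNameMatches(r Rule, name string) bool {
	if len(r.ResourceNames) == 0 {
		return true
	}
	for _, n := range r.ResourceNames {
		if n == name {
			return true
		}
	}
	return false
}

// nonResourceURLMatches: "*" matches all, an exact URL matches itself, a trailing "*" is a glob.
func nonResourceURLMatches(r Rule, url string) bool {
	for _, u := range r.NonResourceURLs {
		if u == "*" || u == url || (strings.HasSuffix(u, "*") && strings.HasPrefix(url, strings.TrimRight(u, "*"))) {
			return true
		}
	}
	return false
}

func main() {
	r := Rule{NonResourceURLs: []string{"/healthz/*"}} // constructed sample rule; APIGroups left empty
	fmt.Println(apiGroupMatches(r, "apps"), resourceNameMatches(r, "my-configmap"), nonResourceURLMatches(r, "/healthz/etcd"))
}
```

A rule meant to cover every API group therefore needs `apiGroups: ["*"]` spelled out; omitting the field denies rather than allows.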
content/en/docs/reference/access-authn-authz/rbac.md
7 additions & 3 deletions
@@ -285,9 +285,13 @@ If you restrict `list` or `watch` by resourceName, clients must include a `metad
285
285
For example, `kubectl get configmaps --field-selector=metadata.name=my-configmap`
286
286
{{< /note >}}
287
287
288
-
Rather than referring to individual `resources` and `verbs` you can use the wildcard `*` symbol to refer to all such objects.
289
-
For `nonResourceURLs` you can use the wildcard `*` symbol as a suffix glob match and for `apiGroups` and `resourceNames` an empty set means that everything is allowed.
290
-
Here is an example that allows access to perform any current and future action on all current and future resources (note, this is similar to the built-in `cluster-admin` role).
288
+
Rather than referring to individual `resources`、`apiGroups`, and `verbs`,
289
+
you can use the wildcard `*` symbol to refer to all such objects.
290
+
For `nonResourceURLs`, you can use the wildcard `*` as a suffix glob match.
291
+
For `resourceNames`, an empty set means that everything is allowed.
292
+
Here is an example that allows access to perform any current and future action on
293
+
all current and future resources in the `example.com` API group.
294
+
This is similar to the built-in `cluster-admin` role.
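Review bot: The last added sentence (new line 294, "This is similar to the built-in `cluster-admin` role") now follows an example scoped to the `example.com` API group, so it reads as if a wildcard within one group were comparable to cluster-admin; the removed text made that comparison for an example covering all resources. Suggest qualifying it, for example "Within that API group, this is similar to ...", or dropping it. Two smaller points: new line 288 has a full-width "、" after `resources` where an ASCII comma and a space are intended, and the hunk removes the old claim about an empty `apiGroups` set without stating what an empty set means now. The commit message says an empty set makes resources inaccessible, which is worth saying explicitly next to the `resourceNames` sentence at new line 291.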