Clarify that bind verb does not require resourceNames
This may be intuitive for most, but the existing phrasing read to me as
if `bind` were a special-case verb that _required_ me to explicitly state
which Roles or ClusterRoles it should apply to.
> You can only create/update a role binding if you […] or if you have
> been authorized to perform the bind verb on the referenced role.
> Grant them permissions needed to bind a particular role […]
> explicitly, by giving them permission to perform the bind verb on the
> particular Role (or ClusterRole).
content/en/docs/reference/access-authn-authz/rbac.md (2 additions & 0 deletions)
@@ -908,6 +908,8 @@ subjects:
908
908
name: user-1
909
909
```
910
910
911
+
Note that - as with any RBAC verb - you may omit `resourceNames` to allow `user-1` to grant other users _any_ ClusterRole in the namespace `user-1-namespace`.
912
+
911
913
When bootstrapping the first roles and role bindings, it is necessary for the initial user to grant permissions they do not yet have.
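Review bot: In the added sentence, "any ClusterRole in the namespace `user-1-namespace`" reads as if ClusterRoles were namespaced. ClusterRoles are cluster-scoped; what is confined to `user-1-namespace` is the RoleBinding that `user-1` creates. Suggest wording along the lines of "you may omit `resourceNames` to allow `user-1` to bind _any_ ClusterRole to other users through RoleBindings in the namespace `user-1-namespace`". Because omitting `resourceNames` widens the grant from the listed roles to every ClusterRole, the note should also say that keeping `resourceNames` is the narrower, least-privilege form, so readers do not take the omission as the default recommendation. Minor style point: the spaced hyphens around "as with any RBAC verb" would read better as commas.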