Skip to content

Commit

Permalink
List & watch can be authorized on named resources (#14339)
Browse files Browse the repository at this point in the history
  • Loading branch information
tallclair authored and k8s-ci-robot committed May 16, 2019
1 parent 22db0bb commit 5f5883a
Showing 1 changed file with 4 additions and 7 deletions.
11 changes: 4 additions & 7 deletions content/en/docs/reference/access-authn-authz/rbac.md
Original file line number Diff line number Diff line change
Expand Up @@ -193,9 +193,8 @@ rules:
```

Resources can also be referred to by name for certain requests through the `resourceNames` list.
When specified, requests using the "get", "delete", "update", and "patch" verbs can be restricted
to individual instances of a resource. To restrict a subject to only "get" and "update" a single
configmap, you would write:
When specified, requests can be restricted to individual instances of a resource. To restrict a
subject to only "get" and "update" a single configmap, you would write:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
Expand All @@ -210,10 +209,8 @@ rules:
verbs: ["update", "get"]
```

Notably, if `resourceNames` are set, then the verb must not be list, watch, create, or deletecollection.
Because resource names are not present in the URL for create, list, watch, and deletecollection API requests,
those verbs would not be allowed by a rule with `resourceNames` set, since the `resourceNames` portion of the
rule would not match the request.
Note that `create` requests cannot be restricted by resourceName, as the object name is not known at
authorization time. The other exception is `deletecollection`.

### Aggregated ClusterRoles

Expand Down

0 comments on commit 5f5883a

Please sign in to comment.