docs/admin: document RBAC authorizer #631
P.S. Should I be opening this against the 1.3 release branch?
|
||
### Roles, RolesBindings, ClusterRoles, and ClusterRoleBindings | ||
|
||
The RBAC API Group declairs four top level types which will be covered in this |
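Review bot: Two spelling problems in this hunk. The heading reads "RolesBindings" where the type is written "RoleBindings" (compare "ClusterRoleBindings" later in the same heading), and the first sentence has "declairs" for "declares". Also consider hyphenating "top-level types".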
declares
Thanks. Let me throw this through a spell checker real quick.
Spotted a few spelling mistakes, the rest looks good to me. The examples are nice and concrete. Not sure if h4 level headers are used, but those might be nice above each of the examples, for better scan-ability.
f0a84de to ace0f47
name: secret-reader | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["secerts"] |
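Review bot: The `resources` value in the secret-reader rule is misspelled: "secerts" should be "secrets". As written the rule names a resource that does not match `secrets`, so the example role would not do what its name says. Please fix the string and re-check the other examples for the same kind of typo.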
spelling of secrets.
Also, mention that the "resources" strings are not checked for existence, so be careful not to mis-spell them.
One minor comment, otherwise LGTM.
Yes, this needs to go against the 1.3 release branch. Release 1.3 branch is here: Everything that is checked into the Release 1.3 branch is staged here:
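The review point above, that `resources` strings are not checked for existence, illustrated with an added example (not part of this PR or of Kubernetes itself): a small linter that compares each rule's resource names against a list of known resources and suggests the likely intended name. The `KNOWN_CORE_RESOURCES` subset, the `lint_role` helper and the sample Role (namespace and verbs included) are constructed for illustration; a real check would take the list from the cluster's API discovery.

```python
import difflib
import json

# Constructed subset of core ("") API group resource names, for illustration.
# Assumption: a real check would build this list from API discovery.
KNOWN_CORE_RESOURCES = {
    "pods", "secrets", "services", "configmaps", "endpoints",
    "namespaces", "nodes", "serviceaccounts", "persistentvolumeclaims",
}

# Constructed Role (JSON form) carrying the misspelling from the review.
SAMPLE_ROLE = json.loads("""
{
  "kind": "Role",
  "metadata": {"namespace": "default", "name": "secret-reader"},
  "rules": [
    {"apiGroups": [""], "resources": ["secerts"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get"]}
  ]
}
""")


def lint_role(role, known=KNOWN_CORE_RESOURCES):
    """Return (rule_index, resource, suggestion) for each unknown resource.

    Only rules that include the core API group ("") are checked, because
    `known` covers only that group. The "*" wildcard and subresources such
    as "pods/log" are accepted when the base resource is known.
    """
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        if "" not in rule.get("apiGroups", []):
            continue
        for res in rule.get("resources", []):
            base = res.split("/", 1)[0]  # "pods/log" -> "pods"
            if base == "*" or base in known:
                continue
            close = difflib.get_close_matches(base, sorted(known), n=1, cutoff=0.7)
            findings.append((i, res, close[0] if close else None))
    return findings


if __name__ == "__main__":
    for idx, res, hint in lint_role(SAMPLE_ROLE):
        msg = f"rule {idx}: unknown resource {res!r}"
        print(msg + (f" (did you mean {hint!r}?)" if hint else ""))
```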
ace0f47 to ca30f79
closing in favor of #643
This PR adds documentation for the RBAC authorizer.
The API examples include fixes from kubernetes/kubernetes#26924 and kubernetes/kubernetes#26984
cc @erictune @joshix @robszumski