update main docs
Thomas Cooper committed Feb 18, 2020
1 parent 8e9747c commit 147c746
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions README.md
@@ -3,11 +3,11 @@
[![Go](https://github.com/coopernetes/kube-role-gen/workflows/Go/badge.svg)](https://github.com/coopernetes/kube-role-gen/actions?query=workflow%3AGo)
[![Go Report Card](https://goreportcard.com/badge/github.com/coopernetes/kube-role-gen)](https://goreportcard.com/report/github.com/coopernetes/kube-role-gen)

This binary will generate a valid Kubernetes RBAC role that contains every resource available on a cluster, including subresources. It will walk the API of the connected cluster and gather all available resources. All discovered resources will be grouped by their unique API group & supported verbs combinations so a complete & granular RBAC role may be created.
`kube-role-gen` is a command-line utility that will generate a Kubernetes ClusterRole that contains every resource available on a connected cluster, including sub-resources & custom resources. All rules will be grouped by their unique API group & supported verbs combinations so a granular ClusterRole or Role may be created.

This is useful when you want to define a broad RBAC role that has access to _most_ objects but is disallowed from viewing a subset. Until Kubernetes supports [substraction via role aggregation](https://github.com/kubernetes/kubernetes/issues/70387), this script is useful as a starting point.
This is useful when you want to define a role with broad set of permissions while explicitly excluding a small subset of them. An example might be a cluster administrator who should have no access to namespace Secrets, ServiceAccounts or RBAC Roles/Bindings. Until Kubernetes supports [substraction via role aggregation](https://github.com/kubernetes/kubernetes/issues/70387), this tool is useful as a starting point to generate roles programmatically.

Another use case is defining a role that relies heavily on sub-resources. Sub-resources such as `pod/exec` do not show up in any static list such as `kubectl api-resources -o wide` and must be discovered by walking the Kubernetes API. See this [stackoverflow answer for additional details](https://stackoverflow.com/a/51289417).
Another neat feature of `kube-role-gen` is defining a role that relies heavily on sub-resources. Sub-resources such as `pod/exec` do not show up in any static list such as `kubectl api-resources -o wide` and must be discovered by interacting with the Kubernetes API directly. See this [stackoverflow answer for additional details](https://stackoverflow.com/a/51289417).

This utility was inspired by [this original bash implementation](https://stackoverflow.com/a/57892189).

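Review bot: the rewritten paragraph on the role-aggregation line motivates the tool with a cluster administrator who is denied Secrets, ServiceAccounts and RBAC Roles/Bindings, but does not say that a generated role which keeps broad verbs on the remaining resources (for example create on pods, or the `pod/exec` sub-resource the next paragraph highlights) still lets its holder read those Secrets indirectly, by mounting them into a pod or exec'ing into one that already has them; a sentence noting that removing a resource from the generated role does not remove indirect paths to it would make the example safer to copy. Two wording issues also carry over or are introduced here: the link text "substraction via role aggregation" keeps the old misspelling and should read "subtraction", and "a role with broad set of permissions" needs "a" before "broad".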
