|
75 | 75 |
|
76 | 76 | ### Specify for who the `EventPolicy` applies |
77 | 77 |
|
78 | | -The `.spec.to` section specifies **where** the events are allowed to be sent. This field is optional; if left empty, the policy applies to all resources within the namespace. |
| 78 | +The `.spec.to` section specifies **where** the events are allowed to be sent. This field is optional; if left empty, the policy applies to all resources within the namespace. By specifying multiple targets in `.spec.to`, the `EventPolicies` scope gets widened by applying the same rules to multiple targets. |
79 | 79 |
|
80 | 80 | There are two ways to define these targets: |
81 | 81 |
|
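Review bot: On new line 78, "gets widened" reads oddly right after the sentence saying an empty `.spec.to` already covers every resource in the namespace; compared with that default, listing targets narrows the policy. Consider wording it as each entry in `.spec.to` adding one more target that the same rules apply to. "the `EventPolicies` scope" should also be "the `EventPolicy`'s scope".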
@@ -123,7 +123,7 @@ The `.spec.from` section specifies **who** is allowed to send events to the targ |
123 | 123 |
|
124 | 124 | 2. `from.sub`: |
125 | 125 |
|
126 | | - * **Definition**: Specifies a subject, such as a service account, that is allowed to send events. It can include wildcard patterns as a postfix (`*`) for broader matching. |
| 126 | + * **Definition**: Specifies a subject (a service account name), that is allowed to send events. It can include wildcard patterns as a postfix (`*`) for broader matching. |
127 | 127 | * **Example**: The `EventPolicy` allows events from the `trusted-app` service account in the default namespace and any service account in `default` namespace that starts with `other-`. |
128 | 128 | * **Use Case**: Use `from.sub` to allow specific users or service accounts, or to apply wildcard patterns for more flexibility. |
129 | 129 | ```yaml |
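Review bot: New line 126 narrows the subject to "a service account name", but the unchanged Use Case on line 128 still says "specific users or service accounts", so the two bullets now disagree about what `from.sub` can match; update line 128 or keep the broader wording. The Example on line 127 ties the account to the `default` namespace, so the Definition should state whether the namespace is part of the value that the postfix `*` is matched against. The comma after the closing parenthesis should go.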
@@ -261,7 +261,7 @@ spec: |
261 | 261 | namespace: namespace-1 |
262 | 262 | ``` |
263 | 263 |
|
264 | | -For debugging we also create an event-display service and Trigger: |
| 264 | +For debugging we also create an event-display Kservice and Trigger: |
265 | 265 |
|
266 | 266 | ```yaml |
267 | 267 | apiVersion: serving.knative.dev/v1 |
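Review bot: "Kservice" on new line 264 is informal shorthand that is not introduced in the visible text. Since the manifest that follows uses `apiVersion: serving.knative.dev/v1`, spelling it out as "Knative Service" would be clearer and still distinguishes it from a plain Kubernetes Service.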
@@ -376,7 +376,7 @@ status: |
376 | 376 | name: event-policy |
377 | 377 | ``` |
378 | 378 |
|
379 | | -And in the event-display, you should see only events from `pingsource-2` anymore: |
| 379 | +And in the event-display, you should see only events from `pingsource-2` anymore, as we referenced this in our EventPolicy `event-policy` to be allowed to send events to Broker `broker`: |
380 | 380 |
|
381 | 381 | ``` |
382 | 382 | $ kubectl -n namespace-1 logs event-display-00001-deployment-56cd8dd644-64xl2 |
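Review bot: New line 379 keeps "should see only events from `pingsource-2` anymore", which is not grammatical, and "referenced this" leaves the referent unclear. Suggest something like "you should now see only events from `pingsource-2`, because the `EventPolicy` `event-policy` allows it to send events to the Broker `broker`". `EventPolicy` is set in backticks elsewhere in the document (line 127) and should be here too.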
@@ -437,7 +437,7 @@ status: |
437 | 437 | type: Ready |
438 | 438 | ``` |
439 | 439 |
|
440 | | -And we should see only events from `pingsource-1` in the event-display (as `pingsource-1` is in the same namespace as `broker`): |
| 440 | +And we should see only events from `pingsource-1` in the event-display, as `pingsource-1` is in the same namespace as `broker`: |
441 | 441 |
|
442 | 442 | ``` |
443 | 443 | $ kubectl -n namespace-1 logs event-display-00001-deployment-56cd8dd644-64xl2 |
|
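Review bot: New line 440 gives the reason as `pingsource-1` being in the same namespace as `broker`, but does not say which policy makes the namespace the deciding criterion. Line 379 now names the `EventPolicy` that admits `pingsource-2`; doing the same here would let the reader connect the log output to the rule that produced it.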