authorization currently doesn't have the filter attributes on list/watch calls, so those are authorized unscoped to a particular resource name. that applies to all authorizers, not just RBAC
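The behaviour described in the comment above, as an added example that is not part of the original thread and is not Kubernetes' own code: a simplified model of RBAC rule matching in which list/watch requests reach the authorizer with an empty resource name, so a rule restricted by `resourceNames` cannot allow them. The `Rule` and `Request` types, the omission of API groups, and the secret name `my-secret` are assumptions made for illustration.

```go
package main

import "fmt"

// Rule is a simplified stand-in for one RBAC policy rule (API groups omitted).
type Rule struct {
	Verbs, Resources []string
	ResourceNames    []string // empty means "any name"
}

// Request models the attributes the authorizer sees.
// Name is empty for list/watch, as the comment above describes.
type Request struct{ Verb, Resource, Name string }

// Constructed sample policies; "my-secret" is a made-up name.
var scopedRole = []Rule{{Verbs: []string{"get", "list", "watch"},
	Resources: []string{"secrets"}, ResourceNames: []string{"my-secret"}}}
var unscopedRole = []Rule{{Verbs: []string{"list", "watch"},
	Resources: []string{"secrets"}}}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s || v == "*" {
			return true
		}
	}
	return false
}

// Authorize returns true if any rule matches verb, resource and name.
func Authorize(rules []Rule, req Request) bool {
	for _, r := range rules {
		if !contains(r.Verbs, req.Verb) || !contains(r.Resources, req.Resource) {
			continue
		}
		// A name-restricted rule only matches an exact requested name,
		// so the empty name of a list/watch request never matches it.
		if len(r.ResourceNames) == 0 || contains(r.ResourceNames[:0:0], "") ||
			nameIn(r.ResourceNames, req.Name) {
			return true
		}
	}
	return false
}

func nameIn(names []string, n string) bool {
	for _, v := range names {
		if v == n {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("get my-secret, scoped role:", Authorize(scopedRole, Request{"get", "secrets", "my-secret"}))
	fmt.Println("watch secrets, scoped role:", Authorize(scopedRole, Request{"watch", "secrets", ""}))
	fmt.Println("watch secrets, unscoped role:", Authorize(unscopedRole, Request{"watch", "secrets", ""}))
}
```

In this model the only rule that permits the watch is the one without `resourceNames`, which grants list/watch on every secret in scope of the role.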
@liggitt now that custom resources are in use extensively, it will be nice to have a built-in solution for filtering custom objects based on k8s native RBAC. any workarounds that you can suggest?
Admission controllers [no get operations supported AFAIK]
Pass all the objects in get operations and get only objects to which the impersonated user has access?
Related to #43299, what is the RBAC policy to lock down watching to a particular object (in my case, a secret)?
I've tried:
But that gives me "...cannot list secrets..."
It seems to need:
This is using: