From 5f5883a5ea2fe6b8d90b095bb0863f17fd04cd34 Mon Sep 17 00:00:00 2001 From: "Tim Allclair (St. Clair)" Date: Thu, 16 May 2019 05:03:49 -0700 Subject: [PATCH] List & watch can be authorized on named resources (#14339) --- content/en/docs/reference/access-authn-authz/rbac.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md index 2dce36c9b195e..36b0dd0d1ccb1 100644 --- a/content/en/docs/reference/access-authn-authz/rbac.md +++ b/content/en/docs/reference/access-authn-authz/rbac.md @@ -193,9 +193,8 @@ rules: ``` Resources can also be referred to by name for certain requests through the `resourceNames` list. -When specified, requests using the "get", "delete", "update", and "patch" verbs can be restricted -to individual instances of a resource. To restrict a subject to only "get" and "update" a single -configmap, you would write: +When specified, requests can be restricted to individual instances of a resource. To restrict a +subject to only "get" and "update" a single configmap, you would write: ```yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -210,10 +209,8 @@ rules: verbs: ["update", "get"] ``` -Notably, if `resourceNames` are set, then the verb must not be list, watch, create, or deletecollection. -Because resource names are not present in the URL for create, list, watch, and deletecollection API requests, -those verbs would not be allowed by a rule with `resourceNames` set, since the `resourceNames` portion of the -rule would not match the request. +Note that `create` requests cannot be restricted by resourceName, as the object name is not known at +authorization time. The other exception is `deletecollection`. ### Aggregated ClusterRoles
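Review bot: In the first hunk (the `resourceNames` paragraph around line 193), the rewrite drops the explicit verb list but does not say what changed, even though the subject line is "List & watch can be authorized on named resources". The removed sentence told readers exactly which verbs could be restricted; the new one ("When specified, requests can be restricted to individual instances of a resource") leaves an admin unsure whether a `list` or `watch` rule carrying `resourceNames` now grants anything, and if so for which requests. Suggest stating it directly, e.g. "This includes list and watch requests when the request identifies a single object by name", so nobody reads a `resourceNames` rule on `list` as permission to list the whole collection.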
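Review bot: In the second hunk (the note after the `verbs: ["update", "get"]` example), the new text loses the important failure mode the removed text spelled out: the old wording said those verbs "would not be allowed by a rule with `resourceNames` set, since the `resourceNames` portion of the rule would not match the request", while the new "cannot be restricted by resourceName" could be misread as meaning `create` is granted without restriction. Suggest saying that a rule with `resourceNames` set simply never matches a `create` or `deletecollection` request, so such a rule grants nothing for those verbs. Two smaller points: "resourceName" is singular and unformatted here while the rest of the page uses the field name `resourceNames` in backticks, and "The other exception is `deletecollection`." gives no reason; the removed text had one (the name is not present in the request), so consider keeping it, e.g. "The other exception is `deletecollection`, which likewise does not name an individual object."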