
Split “Using RBAC Authorization” into concept / reference / task pages #24414

Open
@sftim

Description


This is a Feature Request

What would you like to be added
Update the content on https://kubernetes.io/docs/reference/access-authn-authz/rbac/ to new pages:

  • a new concept page inside https://kubernetes.io/docs/concepts/security/
  • new task pages
    • assigning default roles
      For this task, say that it is assumed the user is a cluster administrator.
      For this task, say it is assumed that the cluster is already configured to use RBAC. Point to the "Setting up RBAC" task for users missing this prerequisite.
      Explain what it means to bind a user or group to a cluster role.
      No need to show the ClusterRole or Role object definition at this point.
      steps to bind a user, a group, or an SA to a ClusterRole.
      Explain the difference between cluster-wide and per-namespace
      steps to bind a user to a role within a namespace
    • creating a custom role
      For this task, say that it is assumed the user is a cluster administrator.
      Explain rules and relation to REST paths.
      Task to create a new ClusterRole.
      Explain that all ClusterRoles can be used at cluster or namespace scope
    • editing a role
      How to add a new permission to an existing Role
      Move explanation of Auto-Reconciliation to this section as a warning about editing default roles.
    • delegating permission management to namespaces
      Explain Privilege Escalation Prevention
      Example: cluster admin creates namespace and grants admin to another user in that namespace. Then second user can grant to third in that namespace, but not escalate.
    • migrating from ABAC to RBAC
  • a smaller reference section, which would include the default roles and bindings.

ℹ️ Clearly signpost anyone visiting https://kubernetes.io/docs/reference/access-authn-authz/rbac/ to the related task and concept pages that are added.

Optional: add a tutorial page too

Why is this needed
https://kubernetes.io/docs/reference/access-authn-authz/rbac/ is a long document that (currently) mixes conceptual, reference and task-focused documentation.
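The delegation scenario sketched under "delegating permission management to namespaces", written out as an added example (not part of the issue and not the Kubernetes project's own documentation). It assumes a namespace named team-a already exists and uses hypothetical users alice, bob and carol; admin, edit and cluster-admin are the built-in default ClusterRoles.

```yaml
# Constructed example; team-a, alice, bob and carol are hypothetical names.
# Step 1: the cluster administrator binds the built-in "admin" ClusterRole to alice
# with a RoleBinding, so the grant applies inside namespace team-a only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-admin
  namespace: team-a
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
# Step 2: alice (not the cluster administrator) creates a RoleBinding in team-a.
# Granting bob "edit" succeeds: every permission in edit is one alice already
# holds in this namespace through admin, so escalation prevention allows it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bob-edit
  namespace: team-a
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
# Step 3: rejected when alice submits it. cluster-admin contains permissions alice
# does not hold in team-a, so the API server's escalation prevention denies the
# binding (Forbidden). The same object submitted by the cluster administrator works.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: carol-cluster-admin
  namespace: team-a
subjects:
- kind: User
  name: carol
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```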

Comments
/sig auth
/sig security
/language en
/kind cleanup
/lifecycle frozen
/priority important-longterm

Replacement for issue #2792

Metadata


Assignees

Labels

  • kind/cleanup: Categorizes issue or PR as related to cleaning up code, process, or technical debt.
  • kind/documentation: Categorizes issue or PR as related to documentation.
  • language/en: Issues or PRs related to English language.
  • lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
  • priority/important-longterm: Important over the long term, but may not be staffed and/or may need multiple releases to complete.
  • sig/auth: Categorizes an issue or PR as relevant to SIG Auth.
  • sig/security: Categorizes an issue or PR as relevant to SIG Security.
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.

Type

No type

Projects

Status

Backlog

Status

Triage Accepted

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
