Clarified RBAC doc about resourceNames field and create verb #50455
Open. Wants to merge 5 commits into base: main.
9 changes: 5 additions & 4 deletions content/en/docs/reference/access-authn-authz/rbac.md
Expand Up @@ -216,10 +216,11 @@ rules:
```

{{< note >}}
You cannot restrict `create` or `deletecollection` requests by their resource name.
For `create`, this limitation is because the name of the new object may not be known at authorization time.
If you restrict `list` or `watch` by resourceName, clients must include a `metadata.name` field selector in their `list` or `watch` request that matches the specified resourceName in order to be authorized.
For example, `kubectl get configmaps --field-selector=metadata.name=my-configmap`
You cannot restrict **deletecollection** or top-level **create** requests by resource name.
For **create**, this limitation is because the name of the new object may not be known at authorization time. However, the **create** limitation applies only to top-level resources, not subresources. For example, you can use the `resourceNames` field with `pods/exec`.
Member
We believe you can actually restrict this if you use Server side apply (SSA) for create. Could you try investigating that and updating the docs to cover that as well?

Contributor
(it's also OK to file a new issue about SSA / resourceNames, and park this PR whilst that issue and detail gets addressed)

Author
I tried to apply my test resources declared in the issue I opened. It doesn't work either.

If you restrict **list** or **watch** by `resourceName`, clients must include a `metadata.name` field selector in their **list** or **watch** request (that matches the specified `resourceName`)
in order to be authorized.
For example: `kubectl get configmaps --field-selector=metadata.name=my-configmap`
{{< /note >}}

Rather than referring to individual `resources`, `apiGroups`, and `verbs`,
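Review bot: the new sentence on the **create** limitation states why top-level creates cannot be restricted (the object name is not known at authorization time) but not why subresources are different, so the `pods/exec` example reads as an unexplained exception. Suggest adding the reason in the same sentence: for a subresource request the name in the request path is the parent object's name, which the authorizer can match against `resourceNames`, e.g. `resources: ["pods/exec"]` with `resourceNames: ["my-pod"]`. Two smaller points: the added text switches verbs from backticks (`create`) to bold (**create**) while field names stay in backticks, which should follow whatever convention the rest of rbac.md uses, and `resourceName` in the **list**/**watch** sentence should be `resourceNames`, the actual field name. The Member's question about whether server-side apply changes the **create** behaviour is not answered by the diff; either confirm it and cover it in the note, or track it in a separate issue as the Contributor suggested before merging.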