From 0cae929ae1e11a34ad66635524daafae1052e361 Mon Sep 17 00:00:00 2001 From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com> Date: Thu, 31 Oct 2024 14:11:28 -0400 Subject: [PATCH] docs(rbac): clarify glob pattern behavior for fine-grain RBAC (#20624) (#20627) Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> --- docs/operator-manual/rbac.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/docs/operator-manual/rbac.md b/docs/operator-manual/rbac.md index 8b318e77b7060..cce883e5dddcc 100644 --- a/docs/operator-manual/rbac.md +++ b/docs/operator-manual/rbac.md @@ -122,9 +122,19 @@ To do so, when the action if performed on an application's resource, the `/kind//` but also `delete///kind/`. + + The fact that both of these match will generally not be a problem, because resource kinds generally contain capital + letters, and namespaces cannot contain capital letters. However, it is possible for a resource kind to be lowercase. + So it is better to just always include all the parts of the resource in the pattern (in other words, always use four + slashes). + If we want to grant access to the user to update all resources of an application, but not the application itself: ```csv @@ -135,7 +145,7 @@ If we want to explicitly deny delete of the application, but allow the user to d ```csv p, example-user, applications, delete, default/prod-app, deny -p, example-user, applications, delete/*/Pod/*, default/prod-app, allow +p, example-user, applications, delete/*/Pod/*/*, default/prod-app, allow ``` !!! note 
@@ -145,7 +155,7 @@ p, example-user, applications, delete/*/Pod/*, default/prod-app, allow ```csv p, example-user, applications, delete, default/prod-app, allow - p, example-user, applications, delete/*/Pod/*, default/prod-app, deny + p, example-user, applications, delete/*/Pod/*/*, default/prod-app, deny ``` #### The `action` action
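Review bot: in the first hunk (rbac.md around line 122) the new paragraph asserts that a shorter pattern matches "not only" one resource string "but also" another without saying why, and the two example patterns it relies on (`/kind//` and `delete///kind/`) survive here with their placeholder segments empty, so the claim cannot be checked from the rendered text. Suggest writing the full form once, e.g. `<action>/<group>/<kind>/<namespace>/<name>`, and stating plainly that a `*` segment can match across a `/` into a neighbouring segment; that makes the "always use four slashes" recommendation self-evident instead of depending on the observation that namespace names cannot contain capital letters while a CRD kind can be lowercase.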
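Review bot: the second hunk (allow rule in the "explicitly deny delete of the application" example, rbac.md around line 145) switches `delete/*/Pod/*` to `delete/*/Pod/*/*`, which matches the new guidance, but the preceding `update` example whose ```csv fence opens at the end of the first hunk is not shown in this diff; if that rule still uses a three-slash pattern it should be changed in the same commit so the file does not contradict the paragraph it just added. A short comment next to the rule, or a sentence above the block, saying that the five-segment form is deliberate would also help readers who land on this example directly.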
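Review bot: the third hunk (deny rule, rbac.md around line 155) mirrors the second and keeps the two examples consistent, but the surrounding `!!! note` text is not included in the diff; since that note presumably explains how the application-level `delete` allow and the `delete/*/Pod/*/*` deny interact, please confirm it does not still quote the old three-slash pattern, as a stale pattern in prose would undo the point of this change.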