Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs/admin: document RBAC authorizer #631

Closed

Conversation

ericchiang
Copy link
Contributor

@ericchiang ericchiang commented Jun 8, 2016

This PR adds documentation for the RBAC authorizer.

The API examples include fixes from kubernetes/kubernetes#26924 and kubernetes/kubernetes#26984

cc @erictune @joshix @robszumski

@ericchiang
Copy link
Contributor Author

P.S. Should I be opening this against the 1.3 release branch?


### Roles, RolesBindings, ClusterRoles, and ClusterRoleBindings

The RBAC API Group declairs four top level types which will be covered in this
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

declares

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Let me through this through a spell checker real quick.

@robszumski
Copy link
Contributor

Spotted a few spelling mistakes, the rest looks good to me. The examples are nice and concrete.

Not sure if h4 level headers are used, but those might be nice above each of the examples, for better scan-ability.

@ericchiang ericchiang force-pushed the authorization-rbac-alpha-docs branch from f0a84de to ace0f47 Compare June 8, 2016 17:18
name: secret-reader
rules:
- apiGroups: [""]
resources: ["secerts"]
Copy link
Member

@erictune erictune Jun 9, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

spelling of secrets.

Also, mention that the "resources" strings are not checked for existence, so be careful not to mis-spell them.

@erictune
Copy link
Member

erictune commented Jun 9, 2016

One minor comment, otherwise LGTM.

@erictune
Copy link
Member

erictune commented Jun 9, 2016

Yes, this needs to go against the 1.3 release branch.

Release 1.3 branch is here:
https://github.com/kubernetes/kubernetes.github.io/tree/release-1.3

Everything that is checked into the Release 1.3 branch is staged here:
http://kubernetes-v1-3.github.io/

@erictune erictune self-assigned this Jun 9, 2016
@ericchiang ericchiang force-pushed the authorization-rbac-alpha-docs branch from ace0f47 to ca30f79 Compare June 9, 2016 00:35
@ericchiang
Copy link
Contributor Author

closing in favor of #643

@ericchiang ericchiang closed this Jun 9, 2016
walterdolce added a commit to walterdolce/kubernetes.github.io that referenced this pull request Sep 27, 2016
ghodss pushed a commit to ghodss/kubernetes.github.io that referenced this pull request Oct 27, 2016
* Document writing portable config with storage

* Remove copyright notice from bootcamp pages.

* Update kubeadm guide to use official stable deb and rpm repos. Thanks @mikedanese!

* Use the official 1.4.0 image.

* azure: update links, owners, metadata

* Install docker.

* Noted HTTP syntax restriction on bearer tokens

Noted that every bearer token, in any of the four authentication
strategies that use bearer tokens, appears in an HTTP header
value without additional quotation/encoding (beyond that supported
by HTTP).  Included a fully concrete example.  Wrote this down once,
where the issue first arises, and referenced it from the other relevant
strategies.

This constraint was elicited in #sig-auth discussion
on Sep 21, and not previously stated explicitly and in a way that
clearly applied to all four kinds of bearer token --- leaving the
reader to wonder if some other encoding is expected.

* Update documentation to match minikube's current behaviour

Updating docs as per [minikube's kubernetes#631](kubernetes/minikube#631)

* Explain how to define group memberships with client cert authentication.

* Document subresources in RBAC.

* Add instructions for overriding autodetected network interface.

* Used master branch to link files from the repo

Implements kubernetes#1269

* fixed path to worker startup script

* update docs to point to new incubator

* Fix kubectl 404

1. Update script to:
   a) Rename kubectl.md to index.md
   b) Remove "See Also" section from kubectl subcommands md files
2. Update the _date/reference.yml link to kubectl

* Run the script to fix kubectl 404 issue

* admin: dns: merge from the build dir

Try and clean this mess up where the build dir has user facing docs and move them here.

Ref: kubernetes/kubernetes#32931

* Revise tutorial to use NodePort instead of externa IP address.

* Update docker-multinode.md

Modified cd command on line 89 (Adding a worker node) to reflect proper path.

* minor edit - removed ` in one of the cmds

* Created new ThirdPartyResource Glossary page.

1. Created a new page for the ThirdPartyResource object.
2. Added a link for the new page to the Glossary menu.

* Fix note for paused deployments

* Fix urls

* Remove body template from Create Issue button.

We now have a deafult issue template in github, so the one inserted
by the Create Issue button is no longer needed.

* Create task page: Assigning Pods to Nodes.

* Fix page title.

* Change --showlabels to --show-labels.

* Fix typo.

* Put back ticks around placeholder.

* Updated hpa config file to the latest API version.

Updated hpa config file to the latest API version.

* update resources available for kubeclt get

* partners

* Fix links to AppArmor policy references

* fix newlines

* Update rolling-updates.md

* docs/pods: update reference to pets

Now that PetSets are implemented we can link there.

* Demo app is now in different namespace

Change instructions to show use of 'sock-shop' namespace rather than default.

* Fix incorrect wording with secrets

1) The example given in the section "Using Secrets as Environment
Variables" incorrectly stated the secret was using a volume.

2) The commands used to produce secrets in the section "Use-Case: Pods
with prod / test credentials" has been modified such that the literal
used matches the text for what expected files should be on the
filesystem (changed user to username).

* Correct case used in CoreOS hyperlink in getting-started-guides

Minor typo fix to ensure 'CoreOS' case is correct and consistent throughout getting-started-guides.

* remove scheduledjobs (alpha)

* Describe anonymous access, system:authenticated group

* Fix kubectl 404

* Add docs for 3rd-party tools

* Add Tools top nav and move 3rd party doc under it

* Remove third-party page and make one page for all tools

* Change name to Kubernetes Basics. Compress introduction to each step.

* Fix 404 in tools

* Add example for pod using emptyDir

* Add generators section in kubectl conventions

* Update kubectl address

It fixes kubernetes/kubernetes#33864

* Fix kubectl get documentation

- fix list of valid resource types
- fix showing template
  It was fainling with following error message:
  Liquid Warning: Liquid syntax error (line 68): [:dot, "."] is not a valid expression in "{{.status.phase}}" in docs/user-guide/kubectl/kubectl_get.md

* Updated README.md with information on Netlify staging and removed outdated information on versioned doc branches.

* Modifies the overview for the Kubernetes Basics tutorial to make it more useful.
Adds a link to the Overview from the left-hand TOC.
Links to the Kubernetes Basics Tutorial from the Tutorials landing page.

* Fixes broken links to each module.

* Replaces links to HelloNode with links to Kubernetes Basics.

* Experiment with redirect_from.

* Clarified the apiGroup identified by empty string

Noted this where the relevance of api group is introduced, and
corrected the reference to what the empty string means ("core" api
group, which is the terminology used in the page that introduces api
group, rather than the old text "default").

* Minor corrections

* Add link to KCluster.io

* Redirection experiment 2. (kubernetes#1411)

* Point init containers to documentation

The proposal doesn't reflect reality.

* Init containers are in beta in 1.4

* Update kubectl-overview.md

Broken link

* Update centos_manual_config.md

Added flannel configuration. Now more than one worker is available.
Tested on Centos7 minimal install

* Update centos_manual_config.md

Warning about flannel network

* More broken links

* Removed confusing remark about authorizers determining groups

The old text said that the authorizer is expected to determine group
memberships when the authenticator does not.  This not true.  It is
allowed, but not expected --- and none of the standard authorizers do
it.  I tried composing a brief correct statement about this, but the
reviews were mainly aghast that internal details of some non-standard
authorizers were being injected into the discussion of authentictors.
I decided that the better part of valor is simply to delete the whole
topic from here.  Besides, it is a conclusion that any reader would
normally draw --- since there is no statement forbidding it (nor
indeed any indication that there might be a reason to forbid it), any
reader would naturally conclude that an authorizer is free to derive
additional intermediate information of any sort and in any way it
likes.

* Ensure namespace is created first in microservices-demo

Avoid 'namespaces "sock-shop" not found' messages when users try the demo

* Add kubeadm reference docs

* Fix code fencing for DNS validation example

* Move kubeadm reference, add a navigation link to it and assignees

* Note about workaround for kubernetes/kubernetes#34566

* Add replica count to tutorial. (kubernetes#1434)

* Points to documentation about running privileged containers

* 🐛 Fix broken JSON format

* Cosmetic tweaks to main kubeadm doc

- clean-up the reset script
- remove details tag

* Tutorial: Fix broken links on Basics Overview page

* fix 404 redirect

Signed-off-by: Jess Frazelle <acidburn@google.com>

* exclude sitemap, css and 404 from sitemap

Signed-off-by: Jess Frazelle <acidburn@google.com>

* dont set canonical tag for 404 page

Signed-off-by: Jess Frazelle <acidburn@google.com>

* Update index.md

* Added optional prereq to authorize API calls

* Update federated-ingress.md

minor correction, feature is in alpha not beta.

* Update page-templates.md (kubernetes#1465)

* Documented FLANNEL_BACKEND and ADMISSION_CONTROL in cluster/ubuntu doc

* Write new material about how to contribute to the Kubernetes docs.

* Write new material about how to contribute to the Kubernetes docs.

* External address (kubernetes#1432)

* Write new tutorial: Exposing an External IP Address.

* Update prerequisites.

* updating kubectl overview with explain

* fixing format

* Fix link to qos

* 34613 404 Not Found on links referring to /docs/user-guide/kubectl/kubectl/
Changed all links referring to kubectl from /docs/user-guide/kubectl/kubectl/ to /docs/user-guide/kubectl/

* Fix small typo

This removes an extra "is a" from the documentation text

* Update to Pet Set link

'Pet Set' now links correctly to  http://kubernetes.io/docs/user-guide/petset/

* Change RDB typo to RBD

I assume this is referring to `RBD (Ceph Block Device)` and not something else

* Added more prequisites.

* Correct typo in authorization header

* Update centos_manual_config.md

Request change done. 
Fixed errata in flannel network.

* Revise the section on Branch Structure and Staging.

* Additional updates to the Staging sections of the README.

* Update README.md

* Write new task: Defining Environment Variables for a Container.

* Fix broken links in work queue user guide

* Write new task: Defining a Command and Arguments for a Container.

* mungers: fix preformat balance

Signed-off-by: Jess Frazelle <acidburn@google.com>

* new partners layout

* Write new task: Defining a Command and Arguments for a Container 2

* square logos

* new opening message for partners page

* alpha sort partners

* remove parters and customers from community page

* add partners to footer nav

* hiccup

* footer test

* footer test

* rebuild footer

* investigating build problems

* Write new task: Defining a Command and Arguments for a Container 3

* Update jobs.md with link to scheduled jobs

Removed future work because we're living in the future 🚀

* Update documentation about CNI flags and requirements (kubernetes#1516)

* Update CNI kubelet option names

* Expand the minimum CNI requirements

* Get rid of git dependency in kubeadm guide

* Fix typo

Fix 'ectdclt' to 'etcdctl'.

* Document kubeadm --skip-preflight-checks.

* Document kubeadm automation.

* Document kubeadm evn variables

* Improving kubectl cheat sheet (kubernetes#1486)

* Improving kubectl cheatsheet

* removing sentence and some cleanup

* Update and refactor the kubeadm documentation + add HypriotOS instructions as well

* Add docs for kops, explain when kops and when kubeadm

Quick getting started guide for kops.

Also try to provide some guidance as to when to use kops and when
kubeadm; based on discussions with sig-cluster-lifecycle that kubeadm is
a building block and not a provisioning tool.

I used "kubeadm" as a simplifying concept for "kubeadm and the other
work done by sig-cluster-lifecycle that kubeadm is a part of", in that
tools that don't (yet) use kubeadm are still leveraging the kubeadm
stream of work.
Okabe-Junya pushed a commit to Okabe-Junya/website that referenced this pull request Dec 4, 2023
* Add content/en/idempotence.md

* Update idempotence.md

* Update content/en/idempotence.md

Co-authored-by: Catherine Paganini <74001907+CathPag@users.noreply.github.com>

* Updated content/en/idempotence.md

Updated with reviews considered. Open for reviews again!

* Changed to property

* Update idempotence.md

* removed "Agnostic" line

* Update content/en/idempotence.md

Co-authored-by: Jihoon Seo <46767780+jihoon-seo@users.noreply.github.com>

* Updated wordlist.txt as per specifications

* Update idempotence.md

Co-authored-by: Catherine Paganini <74001907+CathPag@users.noreply.github.com>
Co-authored-by: Jihoon Seo <46767780+jihoon-seo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants