16454277aa
Automatic merge from submit-queue
rbac validation: rules can't combine non-resource URLs and regular resources
This PR updates the validation used for RBAC to prevent rules from mixing non-resource URLs and regular resources.
For example the following is no longer valid
```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: admins
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
nonResourceURLs: ["*"]
```
And must be rewritten as so.
```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: admins
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
- nonResourceURLs: ["*"]
verbs: ["*"]
```
It also:
* Mandates non-zero length arrays for required resources.
* Mandates non-resource URLs only be used for ClusterRoles (not namespaced Roles).
* Updates the swagger validation so `verbs` are the only required field in a rule. Further validation is done by the server.
Also, do we need to bump the API version?
Discussed by @erictune and @liggitt in #28304
Updates kubernetes/features#2
cc @kubernetes/sig-auth
Edit:
* Need to update the RBAC docs if this change goes in.
Kubernetes
Are you ...
- Interested in learning more about using Kubernetes? Please see our user-facing documentation on kubernetes.io
- Interested in hacking on the core Kubernetes code base? Keep reading!
Kubernetes is an open source system for managing containerized applications across multiple hosts, providing basic mechanisms for deployment, maintenance, and scaling of applications.
Kubernetes is:
- lean: lightweight, simple, accessible
- portable: public, private, hybrid, multi cloud
- extensible: modular, pluggable, hookable, composable
- self-healing: auto-placement, auto-restart, auto-replication
Kubernetes builds upon a decade and a half of experience at Google running production workloads at scale, combined with best-of-breed ideas and practices from the community.
Kubernetes is ready for Production!
With the 1.0.1 release Kubernetes is ready to serve your production workloads.
Kubernetes can run anywhere!
You can run Kubernetes on your local workstation under Vagrant, cloud providers (e.g. GCE, AWS, Azure), and physical hardware. Essentially, anywhere Linux runs you can run Kubernetes. Checkout the Getting Started Guides for details.
Concepts
Kubernetes works with the following concepts:
- Cluster
- A cluster is a set of physical or virtual machines and other infrastructure resources used by Kubernetes to run your applications. Kubernetes can run anywhere! See the Getting Started Guides for instructions for a variety of services.
- Node
- A node is a physical or virtual machine running Kubernetes, onto which pods can be scheduled.
- Pod
- Pods are a colocated group of application containers with shared volumes. They're the smallest deployable units that can be created, scheduled, and managed with Kubernetes. Pods can be created individually, but it's recommended that you use a replication controller even if creating a single pod.
- Replication controller
- Replication controllers manage the lifecycle of pods. They ensure that a specified number of pods are running at any given time, by creating or killing pods as required.
- Service
- Services provide a single, stable name and address for a set of pods. They act as basic load balancers.
- Label
- Labels are used to organize and select groups of objects based on key:value pairs.
Documentation
Kubernetes documentation is organized into several categories.
- Getting started guides
- for people who want to create a Kubernetes cluster
- for people who want to port Kubernetes to a new environment
- User documentation
- for people who want to run programs on an existing Kubernetes cluster
- in the Kubernetes User Guide: Managing Applications Tip: You can also view help documentation out on http://kubernetes.io/docs/.
- the Kubectl Command Line Interface is a detailed reference on
the
kubectlCLI - User FAQ
- Cluster administrator documentation
- for people who want to create a Kubernetes cluster and administer it
- in the Kubernetes Cluster Admin Guide
- Developer and API documentation
- for people who want to write programs that access the Kubernetes API, write plugins or extensions, or modify the core Kubernetes code
- in the Kubernetes Developer Guide
- see also notes on the API
- see also the API object documentation, a detailed description of all fields found in the core API objects
- Walkthroughs and examples
- hands-on introduction and example config files
- in the user guide
- in the docs/examples directory
- Contributions from the Kubernetes community
- in the docs/contrib directory
- Design documentation and design proposals
- for people who want to understand the design of Kubernetes, and feature proposals
- design docs in the Kubernetes Design Overview and the docs/design directory
- proposals in the docs/proposals directory
- Wiki/FAQ
- in the wiki
- troubleshooting information in the troubleshooting guide
Community, discussion, contribution, and support
See which companies are committed to driving quality in Kubernetes on our community page.
Do you want to help "shape the evolution of technologies that are container packaged, dynamically scheduled and microservices oriented?"
You should consider joining the Cloud Native Computing Foundation. For details about who's involved and how Kubernetes plays a role, read their announcement.
Code of conduct
Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.
Are you ready to add to the discussion?
We have presence on:
You can also view recordings of past events and presentations on our Media page.
For Q&A, our threads are at:
Want to contribute to Kubernetes?
If you're interested in being a contributor and want to get involved in developing Kubernetes, start in the Kubernetes Developer Guide and also review the contributor guidelines.
Support
While there are many different channels that you can use to get ahold of us, you can help make sure that we are efficient in getting you the help that you need.
If you need support, start with the troubleshooting guide and work your way through the process that we've outlined.
That said, if you have questions, reach out to us one way or another. We don't bite!
Community resources
- Awesome-kubernetes - http://ramitsurana.github.io/awesome-kubernetes
You can find more projects, tools and articles related to Kubernetes on the awesome-kubernetes list. Add your project there and help us make it better.
- CoreKube - https://corekube.com:
Instructive & educational resources for the Kubernetes community. By the community.
- Community Documentation
Here you can learn more about the current happenings in the kubernetes community.