Remove deprecated `extensions` API group in document #32909
@@ -407,7 +407,7 @@ rules: | |||
# objects is "pods" | |||
resources: ["pods"] | |||
verbs: ["get", "list", "watch"] | |||
- apiGroups: ["batch", "extensions"] | |||
- apiGroups: ["batch", "networking.k8s.io"] |
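Review bot: nothing in the visible context shows that the resource this rule covers is served from `networking.k8s.io`, the group added on the `+` line beside `batch`. The rule's `resources` list sits below the hunk, so check it against that group: a group that does not serve the listed resource makes that half of the rule a no-op and the example misleading. Either keep only `apiGroups: ["batch"]` or use a resource that exists in both listed groups.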
jobs don't exist in the networking.k8s.io group... if you want to use a multi-group example, "events" resources in the core `""` and `"events.k8s.io"` API groups would be a current example
Oh! Thanks very much for pointing it out and providing a great example!
I have pushed a new commit, could you please check the correctness again? 🙇♂️
1d30612 to d508d28
/lgtm
LGTM label has been added. Git tree hash: 640be8ca25b8876bfcbe27fc249b7c7fde78356a
Thanks for proposing the update.
One question, one recommended tweak.
Allow reading/writing Events (at the HTTP level: objects with `"events"` in the | ||
resource part of their URL) in both the core `""` and `"events.k8s.io"` API groups: |
I'd use Deployment, in its GA API group (`apps`). People rarely patch Events.
Thanks for letting me know that `events` is not a common resource. 😅
I think this section (Role examples) is about how to write rules instead of most used resources:
- Reading `pods` in the core API group
  - The most simple one
- R/W `deployments` in `extensions` and `apps` API group
  - Multiple API groups
- Reading `pods` in core API group and R/W `jobs` in `batch` and `extensions`
  - Multiple rules
- Allow reading a ConfigMap named `my-config`
  - Must be bound with a RoleBinding to limit to a single ConfigMap in a single namespace.
- Allow reading the resource "nodes" in the core group
  - Because a Node is cluster-scoped, this must be in a ClusterRole bound with a ClusterRoleBinding to be effective.
- Allow GET and POST requests to the non-resource endpoint
  - Example for `nonResourceURLs`

Since `extensions` is deprecated, I think it's good to replace it with another (although not that common) example for multiple API groups.
There are only three resources that appeared in multiple API groups:

```
NAME     APIVERSION               NAMESPACED   KIND
events   v1                       true         Event
events   events.k8s.io/v1         true         Event
nodes    v1                       false        Node
nodes    metrics.k8s.io/v1beta1   false        NodeMetrics
pods     v1                       true         Pod
pods     metrics.k8s.io/v1beta1   true         PodMetrics
```

I am still a beginner at Kubernetes, could you give me some advice about which could be a better example for this page?
The `nodes` and `pods` in v1 and metrics API groups are not the same resource, so I wouldn't expect to grant access to both in the same rule.
`events` are the only remaining built-in resource that appears in multiple API groups (we had a lot in the `extensions` API group but those got migrated to dedicated groups and the `extensions` API group was deprecated and disabled)
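
The point made in the review comments above, that an `apiGroups` entry only matters if that group actually serves the listed resource, can be checked mechanically. The following is an added example, not part of the PR or the Kubernetes docs: `SERVED`, `dead_pairs`, `audit` and `SAMPLE_ROLE` are hypothetical names, and the served set is a constructed stand-in for `kubectl api-resources` output.

```python
# Added example, not from the PR. SERVED is a constructed stand-in for the
# output of `kubectl api-resources`, limited to resources named in this thread.
SERVED = {
    ("", "pods"), ("", "events"), ("", "nodes"), ("", "configmaps"),
    ("events.k8s.io", "events"),
    ("apps", "deployments"),
    ("batch", "jobs"),
}

def dead_pairs(rule, served=SERVED):
    """Return (apiGroup, resource) pairs a rule names that no API group serves.

    A rule covers the cross product of its apiGroups and resources lists,
    so every combination is checked, not only the intended ones.
    """
    found = []
    for group in rule.get("apiGroups", []):
        for resource in rule.get("resources", []):
            if "*" in (group, resource):
                continue  # wildcards match whatever the cluster serves
            base = resource.split("/", 1)[0]  # "pods/log" -> "pods"
            if (group, base) not in served:
                found.append((group, resource))
    return found

def audit(role, served=SERVED):
    """Return (role name, rule index, apiGroup, resource) for each dead pair."""
    name = role["metadata"]["name"]
    return [(name, i, g, r)
            for i, rule in enumerate(role.get("rules", []))
            for g, r in dead_pairs(rule, served)]

# Constructed Role: rule 0 is the first revision proposed in this PR,
# rule 1 is the multi-group Events rule suggested in review.
SAMPLE_ROLE = {
    "metadata": {"name": "example-role"},
    "rules": [
        {"apiGroups": ["batch", "networking.k8s.io"], "resources": ["jobs"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["", "events.k8s.io"], "resources": ["events"],
         "verbs": ["get", "list", "watch"]},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLE):
        print("no such resource: role=%s rule=%d apiGroup=%r resource=%r" % finding)
```

Against a real cluster, build the served set from the API discovery data and feed in the `rules` of each Role and ClusterRole.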
Thanks for clarifying! Now I think it's better to change `events` example back to `deployments`. 😊
- Wildcard: `*` matches all API groups. | ||
- `namespace`, type string; a namespace. | ||
- Ex: `kube-system` | ||
- Wildcard: `*` matches all resource requests. | ||
- `resource`, type string; a resource type | ||
- Ex: `pods` | ||
- Ex: `pods`, `events` |
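Review bot: the changed `Ex:` line under `resource` now lists two values, while the field is documented just above as "type string; a resource type" and the neighbouring `namespace` example gives a single value. A reader can take the pair as one valid property value; keep a single example, or word the line so the two are clearly alternatives.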
Why this change?
I think it would be better to provide multiple examples. Just like you said that it's not common to see `events`, could you give me some advice on this?
I've changed it to `deployments`, hope it will be more useful for users.
@kubernetes/sig-auth-pr-reviews does this look right?
Markdown LGTM
# | ||
# at the HTTP level, the name of the resource for accessing Deployment | ||
# at the HTTP level, the name of the resource for accessing Deployments |
nit:
# at the HTTP level, the name of the resource for accessing Deployments | |
# at the HTTP level, the name of the resource for accessing Deployment |
In the URL it's `/deployments/`; in text, it's “Deployments” or “Deployment objects”.
Oh no, it's a typo when I manually revert the change. 😢
How could I miss that, thanks for pointing it out! 🙇♂️
Hi @liggitt, I've force-pushed the changes according to your suggestions, could you take a look? 🙇♂️
/lgtm
LGTM label has been added. Git tree hash: e259f32eb38a33a1d6ac1ddecae0747fab41efb6
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: sftim
The `extensions` API group is deprecated.

Changes in ABAC page
- `networking.k8s.io` instead of `extensions` in `apiGroups` field.

Changes in RBAC page
- `extensions` API group for Jobs
- `extensions` API group for Deployments