From 4618fd2f64a904b1949f1d0a9a76ebe6ab8cb719 Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Sat, 3 Jun 2017 11:24:35 +0200
Subject: [PATCH] rbac-nginx: resourceNames cannot filter create verb

---
 examples/rbac/nginx/README.md | 8 +++++++-
 examples/rbac/nginx/nginx-ingress-controller-rbac.yml | 7 ++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/examples/rbac/nginx/README.md b/examples/rbac/nginx/README.md
index 2ba899907..cea82cbe7 100644
--- a/examples/rbac/nginx/README.md
+++ b/examples/rbac/nginx/README.md
@@ -53,7 +53,13 @@ permissions are granted to the Role named `nginx-ingress-role`
 Furthermore to support leader-election, the nginx-ingress-controller needs to have access to a `configmap` using the resourceName `ingress-controller-leader-nginx`
-* `configmaps`: create, get, update (for resourceName `ingress-controller-leader-nginx`)
+> Note that resourceNames can NOT be used to limit requests using the “create”
+> verb because authorizers only have access to information that can be obtained
+> from the request URL, method, and headers (resource names in a “create” request
+> are part of the request body).
+
+* `configmaps`: get, update (for resourceName `ingress-controller-leader-nginx`)
+* `configmaps`: create
 This resourceName is the concatenation of the `election-id` and the `ingress-class` as defined by the ingress-controller, which default to:
diff --git a/examples/rbac/nginx/nginx-ingress-controller-rbac.yml b/examples/rbac/nginx/nginx-ingress-controller-rbac.yml
index a3e534ac5..64561f375 100644
--- a/examples/rbac/nginx/nginx-ingress-controller-rbac.yml
+++ b/examples/rbac/nginx/nginx-ingress-controller-rbac.yml
@@ -86,9 +86,14 @@ rules:
 # when launching the nginx-ingress-controller. - "ingress-controller-leader-nginx" verbs: - create - get - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
 - apiGroups: - "" resources:
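Review bot: The new `- apiGroups:` rule in nginx-ingress-controller-rbac.yml grants `create` on every configmap in the Role's namespace, but unlike the README it carries no comment explaining why the verb had to leave the resourceNames-restricted rule above it, so a later cleanup is likely to merge it back and silently break leader election again. Add a comment directly above the new entry, e.g. `# "create" cannot be limited by resourceNames (the name is in the request body, not the URL), so it is granted on all configmaps in this namespace; keep it in its own rule.` It is worth noting there too that this is a real widening of the controller's rights (creating arbitrary configmaps in the namespace, not just the leader-election one), which presumably argues for running the controller in a namespace of its own; confirm the intended namespace scoping with the rest of the manifest. The enclosing `rules:` list begins before this hunk and continues past its last line.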