From d6ce69e5517d4b04c84c5fa23ef2bc0f0c4f94b3 Mon Sep 17 00:00:00 2001
From: Mike Danese <mikedanese@google.com>
Date: Fri, 1 Dec 2017 15:21:23 -0800
Subject: [PATCH] short circuit deny

---
 docs/admin/authorization/index.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/admin/authorization/index.md b/docs/admin/authorization/index.md
index a0d72e91bff62..3d407021c8404 100644
--- a/docs/admin/authorization/index.md
+++ b/docs/admin/authorization/index.md
@@ -33,8 +33,10 @@ depend on specific fields of specific kinds of objects are handled by Admission
 Controllers.)
 
 When multiple authorization modules are configured, each is checked in sequence,
-and if any module authorizes the request, then the request can proceed. If all
-modules deny the request, then the request is denied (HTTP status code 403).
+and if any module authorizes the request, then the request can proceed. If any
+module denies the request, the request is denied. If all modules have no opinion
+on the request, then the request is denied. A deny returns an HTTP status code
+403.
 
 ## Review Your Request Attributes
 Kubernetes reviews only the following API request attributes:
@@ -136,6 +138,7 @@ spec:
     verb: create
 status:
   allowed: true
+  denied: false
 ```
 
 ## Using Flags for Your Authorization Module