Clarify that list, get and watch can return data #34873
Conversation
The `get`, `list` and `watch` verbs can all be used to retrieve the full details of a resource. It is not an uncommon assumption amongst users that they return different data (e.g. that `list` only returns the names of resources, when it can return the full object). This adds a caution block to highlight this potential gotcha.
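The gotcha the PR describes is easy to reproduce in an RBAC audit: a Role that grants only `list` on `secrets` reads as "harmless metadata access" but in fact hands over every Secret's contents. The script below is an added example, not code from the PR or from the Kubernetes project. It walks Role/ClusterRole rules (as the dicts you would get from parsing the manifest JSON), flags any rule that grants `get`, `list` or `watch` on `secrets` (honouring the `*` wildcard for groups, resources and verbs), and notes whether `resourceNames` bounds the rule. The manifests and their names (`secret-lister`, `tls-reader`, `cluster-reader`, `ingress-tls`) are constructed for the example.

```python
"""Audit RBAC rules for read access to Secret contents.

`get`, `list` and `watch` all return full objects, so a rule granting any of
them on `secrets` (or on the `*` wildcard) lets the subject read Secret data.
The Role manifests at the bottom are constructed for this example; nothing
here is taken from the PR or from the Kubernetes code base.
"""

# The three read verbs that return full object contents.
READ_VERBS = ("get", "list", "watch")


def _covers(wanted, granted):
    """True if a rule entry `granted` includes `wanted`, honouring the '*' wildcard."""
    return "*" in granted or wanted in granted


def rules_reading_secrets(role):
    """Return one finding per rule that can read Secret contents.

    A finding is (rule index, sorted read verbs granted, bounded_by_names),
    where bounded_by_names is True when the rule carries `resourceNames`.
    A bounded `get` still returns the full Secret, but only the named ones.
    """
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        # Secrets are in the core API group, which RBAC rules spell as "".
        if not _covers("", rule.get("apiGroups", [])):
            continue
        if not _covers("secrets", rule.get("resources", [])):
            continue
        verbs = rule.get("verbs", [])
        read = sorted(v for v in READ_VERBS if _covers(v, verbs))
        if not read:
            continue
        findings.append((index, read, bool(rule.get("resourceNames"))))
    return findings


def report(role):
    """Render findings as plain lines suitable for a review comment."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    lines = []
    for index, read, bounded in rules_reading_secrets(role):
        scope = "named Secrets only" if bounded else "every Secret in scope"
        lines.append(
            f"{role.get('kind')}/{name} rule {index}: {', '.join(read)} on secrets "
            f"returns full contents ({scope})"
        )
    return lines


# Constructed manifests (hypothetical names, not from the PR).
# Looks harmless ("only list"), but list returns the full Secret objects.
LIST_ONLY_ROLE = {
    "kind": "Role",
    "metadata": {"name": "secret-lister", "namespace": "dev"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
    ],
}

# Tighter shape: get, bounded to the one Secret the workload actually needs.
NAMED_GET_ROLE = {
    "kind": "Role",
    "metadata": {"name": "tls-reader", "namespace": "dev"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
         "resourceNames": ["ingress-tls"]},
    ],
}

# Wildcards hide the same exposure behind "read-only" naming.
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-reader"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    ],
}

# Unrelated resource: no finding.
CONFIGMAP_ROLE = {
    "kind": "Role",
    "metadata": {"name": "cm-reader", "namespace": "dev"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["list", "watch"]},
    ],
}

if __name__ == "__main__":
    for role in (LIST_ONLY_ROLE, NAMED_GET_ROLE, WILDCARD_ROLE, CONFIGMAP_ROLE):
        label = f"{role['kind']}/{role['metadata']['name']}"
        for line in report(role) or [f"{label}: no Secret read access"]:
            print(line)
```

The point of the `bounded_by_names` flag is that it is the only thing separating the two Role shapes: `get` restricted by `resourceNames` still returns the whole Secret, just fewer of them, so a reviewer should treat "list on secrets" and "get on secrets without resourceNames" as the same finding and only downgrade a rule when the names are actually pinned.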
Welcome @SamLR!
✅ Pull request preview available for checking. Built without sensitive environment variables.
This is an important reminder for new users.
LGTM label has been added. Git tree hash: bd719eec81be1512cb8b27dfd1a7a2833b1ec0e2
💯 /approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: sftim. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Just wanted to highlight that this warning is present on the RBAC good practices page https://kubernetes.io/docs/concepts/security/rbac-good-practices/#listing-secrets! :)
Ah thank you! I don't think I was aware of this page.
No problem, thanks Tim for making the connection: kubernetes/sig-security#28 (comment). By the way, if you want to take a look at the work he was mentioning since it is linked to what you merged here -> security checklist here #33992 😃.
Relevant to #32564 |
The `get`, `list` and `watch` verbs can all be used to retrieve the full details of a resource. It is not an uncommon assumption amongst users that they return different data (e.g. that `list` only returns the names of resources, when it can return the full object). This adds a caution block to highlight this potential gotcha.
I'm not certain whether this is the best/only location that this should be called out (another option would be on the various specific authorization pages) but it feels like a reasonable start.
This was prompted by a private discussion and this issue: kubernetes/kubernetes#110866