diff --git a/content/en/docs/reference/access-authn-authz/node.md b/content/en/docs/reference/access-authn-authz/node.md index dd144d7fa1403..3397c5a90722f 100644 --- a/content/en/docs/reference/access-authn-authz/node.md +++ b/content/en/docs/reference/access-authn-authz/node.md @@ -29,10 +29,7 @@ Read operations: {{< feature-state feature_gate_name="AuthorizeNodeWithSelectors" >}} -When the `AuthorizeNodeWithSelectors` feature is enabled -(along with the pre-requisite `AuthorizeWithSelectors` feature), -kubelets are only allowed to read their own Node objects, -and are only allowed to read pods bound to their node. +Kubelets are limited to reading their own Node objects, and only reading pods bound to their node. Write operations: diff --git a/content/en/docs/reference/access-authn-authz/webhook.md b/content/en/docs/reference/access-authn-authz/webhook.md index cb91ac34c60a3..e24d525b9f2bf 100644 --- a/content/en/docs/reference/access-authn-authz/webhook.md +++ b/content/en/docs/reference/access-authn-authz/webhook.md @@ -166,8 +166,9 @@ Access to non-resource paths are sent as: {{< feature-state feature_gate_name="AuthorizeWithSelectors" >}} -With the `AuthorizeWithSelectors` feature enabled, field and label selectors in the request -are passed to the authorization webhook. The webhook can make authorization decisions +When calling out to an authorization webhook, Kubernetes passes +label and field selectors in the request to the authorization webhook. +The authorization webhook can make authorization decisions informed by the scoped field and label selectors, if it wishes. The [SubjectAccessReview API documentation](/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1/) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/AuthorizeNodeWithSelectors.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/AuthorizeNodeWithSelectors.md index db45f7ec27dbd..d4911cdd59b24 100644 
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates/AuthorizeNodeWithSelectors.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates/AuthorizeNodeWithSelectors.md @@ -13,6 +13,9 @@ stages: - stage: beta defaultValue: true fromVersion: "1.32" + toVersion: "1.33" + - stage: stable + defaultValue: true + fromVersion: "1.34" --- Make the [Node authorizer](/docs/reference/access-authn-authz/node/) use fine-grained selector authorization. -Requires `AuthorizeWithSelectors` to be enabled. diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/AuthorizeWithSelectors.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/AuthorizeWithSelectors.md index d53ff8d6305ea..12ef546e869fd 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates/AuthorizeWithSelectors.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates/AuthorizeWithSelectors.md @@ -13,6 +13,10 @@ stages: - stage: beta defaultValue: true fromVersion: "1.32" + toVersion: "1.33" + - stage: stable + defaultValue: true + fromVersion: "1.34" --- Allows authorization to use field and label selectors. Enables `fieldSelector` and `labelSelector` fields in the [SubjectAccessReview API](/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1/), diff --git a/content/en/docs/reference/using-api/cel.md b/content/en/docs/reference/using-api/cel.md index 504c5459057a4..3bbd7a8d7d9dd 100644 --- a/content/en/docs/reference/using-api/cel.md +++ b/content/en/docs/reference/using-api/cel.md 
@@ -413,9 +413,10 @@ To perform an authorization check for a service account: -{{< feature-state state="alpha" for_k8s_version="v1.31" >}} +{{< feature-state feature_gate_name="AuthorizeWithSelectors" >}} -With the alpha `AuthorizeWithSelectors` feature enabled, field and label selectors can be added to authorization checks. +For CEL expressions in the API where a variable of type `Authorizer` is available, +field and label selectors can be included in authorization checks.
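Review bot: In the node.md hunk, the replacement sentence mixes two constructions ("limited to reading ..., and only reading ..."), so the second clause reads like a separate rule rather than part of the same restriction. Suggest "Kubelets are limited to reading their own Node object and the pods bound to their node." The sentence is now unconditional, so the `feature-state` shortcode kept above it is the only place a reader learns which gate governs this behaviour; worth confirming it renders the gate name and stage clearly on this page.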
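Review bot: In the webhook.md hunk, the added lines name "authorization webhook" three times in two sentences and say "label and field selectors", while the unchanged line that follows says "field and label selectors". Suggest tightening this and using one order throughout, for example "Kubernetes passes the field and label selectors in the request to the authorization webhook, which can make authorization decisions informed by the scoped field and label selectors, if it wishes."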
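Review bot: In the AuthorizeNodeWithSelectors.md hunk, deleting "Requires `AuthorizeWithSelectors` to be enabled." removes the prerequisite from a page whose stages list still documents the beta stage for 1.32 to 1.33, and the text removed from node.md in this same patch describes that prerequisite. Consider keeping the dependency as a version-scoped sentence (stating that it applied while the gate was beta) instead of dropping it, so operators reading the gate reference for an older cluster still see it.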