From 787820cda43eecc1f402cc60163f052b138bbd21 Mon Sep 17 00:00:00 2001 From: Mike Danese Date: Fri, 1 Dec 2017 15:21:23 -0800 Subject: [PATCH] short circuit deny --- docs/admin/authorization/index.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/admin/authorization/index.md b/docs/admin/authorization/index.md index a0d72e91bff62..68b85570f0017 100644 --- a/docs/admin/authorization/index.md +++ b/docs/admin/authorization/index.md @@ -33,8 +33,10 @@ depend on specific fields of specific kinds of objects are handled by Admission Controllers.) When multiple authorization modules are configured, each is checked in sequence, -and if any module authorizes the request, then the request can proceed. If all -modules deny the request, then the request is denied (HTTP status code 403). +and if any module authorizes the request, then the request can proceed. If any +module denies the request, the request is denied. If all modules have no opinion +on the request, then the request is denied. A deny returns an HTTP status code +403. ## Review Your Request Attributes Kubernetes reviews only the following API request attributes: