diff --git a/daprdocs/content/en/reference/resource-specs/component-schema.md b/daprdocs/content/en/reference/resource-specs/component-schema.md index 349ff4923a3..875744c2868 100644 --- a/daprdocs/content/en/reference/resource-specs/component-schema.md +++ b/daprdocs/content/en/reference/resource-specs/component-schema.md @@ -8,27 +8,33 @@ description: "The basic spec for a Dapr component" Dapr defines and registers components using a [resource specifications](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/). All components are defined as a resource and can be applied to any hosting environment where Dapr is running, not just Kubernetes. +Typically, components are restricted to a particular [namepsace]({{< ref isolation-concept.md >}}) and restricted access through scopes to any particular set of applications. The namespace is either explicit on the component manifest itself, or set by the API server, which derives the namespace through context with applying to Kubernetes. + +{{% alert title="Note" color="primary" %}} +The exception to this rule is in self-hosted mode, where daprd ingests component resources when the namespace field is omitted. However, the security profile is mute, as daprd has access to the manifest anyway, unlike in Kubernetes. +{{% /alert %}} + ## Format ```yaml apiVersion: dapr.io/v1alpha1 kind: Component auth: - secretstore: [SECRET-STORE-NAME] + secretstore: metadata: - name: [COMPONENT-NAME] - namespace: [COMPONENT-NAMESPACE] + name: + namespace: spec: - type: [COMPONENT-TYPE] + type: version: v1 - initTimeout: [TIMEOUT-DURATION] - ignoreErrors: [BOOLEAN] + initTimeout: + ignoreErrors: metadata: - - name: [METADATA-NAME] - value: [METADATA-VALUE] + - name: + value: scopes: - - [APPID] - - [APPID] + - + - ``` ## Spec fields 
diff --git a/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md b/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md index a85a253151c..5e2b8f45d24 100644 --- a/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md +++ b/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md @@ -10,6 +10,10 @@ aliases: The `HTTPEndpoint` is a Dapr resource that is used to enable the invocation of non-Dapr endpoints from a Dapr application. +{{% alert title="Note" color="primary" %}} +Any HTTPEndpoint resource can be restricted to a particular [namepsace]({{< ref isolation-concept.md >}}) and restricted access through scopes to any particular set of applications. +{{% /alert %}} + ## Format ```yaml diff --git a/daprdocs/content/en/reference/resource-specs/resiliency-schema.md b/daprdocs/content/en/reference/resource-specs/resiliency-schema.md index 32888adc753..06733d1d827 100644 --- a/daprdocs/content/en/reference/resource-specs/resiliency-schema.md +++ b/daprdocs/content/en/reference/resource-specs/resiliency-schema.md @@ -8,6 +8,10 @@ description: "The basic spec for a Dapr resiliency resource" The `Resiliency` Dapr resource allows you to define and apply fault tolerance resiliency policies. Resiliency specs are applied when the Dapr sidecar starts. +{{% alert title="Note" color="primary" %}} +Any resiliency resource can be restricted to a particular [namepsace]({{< ref isolation-concept.md >}}) and restricted access through scopes to any particular set of applications. +{{% /alert %}} + ## Format ```yml diff --git a/daprdocs/content/en/reference/resource-specs/subscription-schema.md b/daprdocs/content/en/reference/resource-specs/subscription-schema.md index e1eb8ecc59f..c047fd40f87 100644 --- a/daprdocs/content/en/reference/resource-specs/subscription-schema.md +++ b/daprdocs/content/en/reference/resource-specs/subscription-schema.md 
@@ -6,7 +6,13 @@ weight: 2000 description: "The basic spec for a Dapr subscription" --- -The `Subscription` Dapr resource allows you to subscribe declaratively to a topic using an external component YAML file. This guide demonstrates two subscription API versions: +The `Subscription` Dapr resource allows you to subscribe declaratively to a topic using an external component YAML file. + +{{% alert title="Note" color="primary" %}} +Any subscription can be restricted to a particular [namepsace]({{< ref isolation-concept.md >}}) and restricted access through scopes to any particular set of applications. +{{% /alert %}} + +This guide demonstrates two subscription API versions: - `v2alpha` (default spec) - `v1alpha1` (deprecated)
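Review bot: in component-schema.md, the new alert says "the security profile is mute"; the word wanted is "moot". The sentence before it ("daprd ingests component resources when the namespace field is omitted") also does not say which namespace such a component is then treated as belonging to, which is what a reader relying on namespace isolation needs to know. In the added paragraph above the alert, the link text is misspelled "namepsace", and "derives the namespace through context with applying to Kubernetes" is hard to parse; "derives it from the context when the manifest is applied to Kubernetes" would read more clearly. In the Format block as shown here, the replacement lines leave every field empty (`secretstore:`, `name:`, `- `), so the template no longer indicates what each value should be; keep a visible placeholder on each line.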
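Review bot: in httpendpoints-schema.md, the alert's second clause, "and restricted access through scopes to any particular set of applications", has no verb of its own, so it is unclear whether scopes are applied by default or are optional. Suggest "Any `HTTPEndpoint` resource can be restricted to a particular namespace, and access to it can be limited through scopes to a particular set of applications." The link text "namepsace" should be "namespace", and the resource name should be in backticks to match the sentence above the alert.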
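Review bot: in resiliency-schema.md, the alert refers to "Any resiliency resource" while the paragraph directly above names the resource as `Resiliency`; use the same capitalised, backticked name so the note clearly refers to the resource kind. The link text "namepsace" is misspelled here as well, and the "restricted access through scopes" clause needs the same rewording as in the HTTPEndpoint page.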
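Review bot: in subscription-schema.md, the alert is inserted between the introductory sentence and "This guide demonstrates two subscription API versions:", but it does not say whether namespace and scope restrictions apply to both `v2alpha` and `v1alpha1` subscriptions; state that in the note or move it below the version list. "namepsace" is misspelled in the link text, and "Any subscription" should match the `Subscription` resource name used in the first sentence.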