add doc for new delete option ignoreStoreReadErrorWithClusterBreakingPotential

[tkashem]

KEP: https://kep.k8s.io/3926
PR: kubernetes/kubernetes#127513

/sig api-machinery
/sig auth

[netlify]

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

Name	Link
🔨 Latest commit	f7cce0d
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/6745e8b24a6dbc00097c23c5

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	f7cce0d
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/6745e8b2f736e200083be4b4
😎 Deploy Preview	https://deploy-preview-48463--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[spurin]

Hello @tkashem 👋 please take a look at Documenting for a release - PR Ready for Review to get your PR ready for review before Tuesday November 19th 2024 18:00 PST. Thank you!

[sftim]

Also see kubernetes/kubernetes#127513 (comment)

[spurin]

Hello @tkashem 👋, 1.32 Docs Shadow here,

A quick reminder to get your PR ready for review before the deadline, Tuesday November 19th at 18:00 PDT. For additional information, refer to: Documenting for a release - PR Ready for Review.

Thank you!

[tkashem]

I have a couple of questions:

a) do i need to generate the updated api-reference?

b) from https://kubernetes.io/docs/contribute/new-content/new-features/#ready-for-review-feature-gates

With net new feature gates, a separate description of the feature gate is also required; create a new Markdown file inside content/en/docs/reference/command-line-tools-reference/feature-gates/ (use other files as a template).

I guess it is referring to the same markdown file at the beginning of the section, for a net new feature, i just need to create one markdown file, correct?

[tkashem]

/cc @stlaz @enj @dgrisonnet @deads2k

[stlaz]

/assign
per sig-auth triage

[sftim]

(nit)

Suggested change

	### Force deletion
	### Forcible resource deletion {#forced-deletion}

[tengqm]

should be {#force-deletion}, no d, to preserve existing links.

[sftim]

@tengqm this is new content (no existing links). Here I'm just recommending a way to make the eventual URL shorter.

[sftim]

(style nit)

Suggested change

	The user performing the force **delete** operation must have the
	`unsafe-delete-ignore-read-errors` permission on the resource.
	The user performing the force **delete** operation must be permitted to perform
	both the **delete** and **unsafe-delete-ignore-read-errors** verbs on that resource.

We write API verbs in non-monospaced bold. I assume that unsafe-delete-ignore-read-errors is a verb and that a SubjectAccessReview happens. Have I got that right?

[tkashem]

Yes, unsafe-delete-ignore-read-errors is a right/verb. I was going through the existing doc (for example https://kubernetes.io/docs/concepts/security/rbac-good-practices/) and how they format RBAC rights. I used the same format ( verb ) in this doc. It seems the format delete is used to represent an API operation, thoughts?

[sftim]

If you're defining access through RBAC, you use monospace. But: outside of the RBAC docs, we avoid assuming that clusters use RBAC for authz. It's a common choice but not the only option.

[sftim]

I'm rewording here to avoid an RBAC-centric framing.

[sftim]

/lgtm

This is already alpha quality.

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 048f93145320f6d10ab034abf0ef3d2af6882320

[tkashem]

@sftim i dropped the and - #48463 (comment), ptal

[sftim]

(style nit)

Suggested change

	In addition to `delete` rights, the user performing the force **delete**
	operation must have `unsafe-delete-ignore-read-errors` rights on the given resource.
	The user performing the force **delete** operation must be permitted to perform
	both the **delete** and **unsafe-delete-ignore-read-errors** verbs on that resource.

We write API verbs in non-monospaced bold. I assume that unsafe-delete-ignore-read-errors is a verb and that a SubjectAccessReview happens. Have I got that right?

Also, avoid implying that clusters always use Kubernetes RBAC. Many do but it's not mandatory to.

[sftim]

I'm happy with the changes since #48463 (review)

/lgtm
/approve

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: bdd3173a87feaa1b76dcaa75278a71fd685898d5

[dgrisonnet]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dgrisonnet, sftim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/docs/OWNERS [sftim]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sftim]

Also, please fix the changelog for the k/k PR; see kubernetes/kubernetes#127513 (comment)