kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update delegated authorization options default to eliminate unnecessary 

SARs

healthz, readyz, and livez are canonical names for checks that the kubelet does.  By default, allow access to them in the options. Callers can adjust the defaults if they have a reason to require checks.

system:masters has full power, so the authorization check is unnecessary and just uses an extra call for in-cluster access.  Callers can adjust the defaults if they have a reason to require checks.

Kubernetes-commit: cebce291ddcb8490a705c79623c0b4f13faef6e7
This commit is contained in:
David Eads 2021-01-22 16:16:14 -05:00 committed by Kubernetes Publisher
parent 978cb46e6d
commit 4925be5c06
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pkg/server/options/authorization.go
View File

@ -78,6 +78,14 @@ func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions {
DenyCacheTTL: 10 * time.Second,
ClientTimeout: 10 * time.Second,
WebhookRetryBackoff: DefaultAuthWebhookRetryBackoff(),
// This allows the kubelet to always get health and readiness without causing an authorization check.
// This field can be cleared by callers if they don't want this behavior.
AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"},
// In an authorization call delegated to a kube-apiserver (the expected common-case), system:masters has full
// authority in a hard-coded authorizer. This means that our default can reasonably be to skip an authorization
// check for system:masters.
// This field can be cleared by callers if they don't want this behavior.
AlwaysAllowGroups: []string{"system:masters"},
}
}