From 04e793e65ad70df5c4ab280c42740864e54163cd Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski" <stefan.schimanski@gmail.com>
Date: Wed, 5 Sep 2018 09:12:19 +0200
Subject: [PATCH] apiserver: make InClusterConfig errs for delegated authn/z
 non-fatal

---
 .../k8s.io/apiserver/pkg/server/options/authentication.go  | 7 +++++--
 .../k8s.io/apiserver/pkg/server/options/authorization.go   | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
index 2df58f985a9..5c8209c35d0 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
@@ -364,9 +364,12 @@ func (s *DelegatingAuthenticationOptions) getClient() (kubernetes.Interface, err
 		clientConfig, err = loader.ClientConfig()
 	} else {
 		// without the remote kubeconfig file, try to use the in-cluster config.  Most addon API servers will
-		// use this path
+		// use this path. If it is optional, ignore errors.
 		clientConfig, err = rest.InClusterConfig()
-		if err == rest.ErrNotInCluster && s.RemoteKubeConfigFileOptional {
+		if err != nil && s.RemoteKubeConfigFileOptional {
+			if err != rest.ErrNotInCluster {
+				glog.Warningf("failed to read in-cluster kubeconfig for delegated authentication: %v", err)
+			}
 			return nil, nil
 		}
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
index a014d94a2c7..7c65dd39184 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
@@ -151,9 +151,12 @@ func (s *DelegatingAuthorizationOptions) getClient() (kubernetes.Interface, erro
 		clientConfig, err = loader.ClientConfig()
 	} else {
 		// without the remote kubeconfig file, try to use the in-cluster config.  Most addon API servers will
-		// use this path
+		// use this path. If it is optional, ignore errors.
 		clientConfig, err = rest.InClusterConfig()
-		if err == rest.ErrNotInCluster && s.RemoteKubeConfigFileOptional {
+		if err != nil && s.RemoteKubeConfigFileOptional {
+			if err != rest.ErrNotInCluster {
+				glog.Warningf("failed to read in-cluster kubeconfig for delegated authorization: %v", err)
+			}
 			return nil, nil
 		}
 	}