Merge pull request #33297 from liggitt/loopback-union-ordering

Automatic merge from submit-queue

Put loopback authn/authz first in chain

We want the loopback token auth to go first in the chain, for performance reasons, and so the loopback token isn't seen by any remote token authenticators configured.

The loopback authorizer should also go first in the chain for performance.
This commit is contained in:
Kubernetes Submit Queue 2016-09-25 19:34:22 -07:00 committed by GitHub
commit 4476561659
2 changed files with 4 additions and 4 deletions

View File

@ -279,10 +279,10 @@ func Run(s *options.APIServer) error {
}
tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
apiAuthenticator = authenticatorunion.New(apiAuthenticator, tokenAuthenticator)
apiAuthenticator = authenticatorunion.New(tokenAuthenticator, apiAuthenticator)
tokenAuthorizer := authorizer.NewPrivilegedGroups("system:masters")
apiAuthorizer = authorizerunion.New(apiAuthorizer, tokenAuthorizer)
apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
}
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)

View File

@ -187,10 +187,10 @@ func Run(s *options.ServerRunOptions) error {
}
tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
apiAuthenticator = authenticatorunion.New(apiAuthenticator, tokenAuthenticator)
apiAuthenticator = authenticatorunion.New(tokenAuthenticator, apiAuthenticator)
tokenAuthorizer := authorizer.NewPrivilegedGroups("system:masters")
apiAuthorizer = authorizerunion.New(apiAuthorizer, tokenAuthorizer)
apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
}
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)