Merge pull request #33297 from liggitt/loopback-union-ordering

Automatic merge from submit-queue Put loopback authn/authz first in chain We want the loopback token auth to go first in the chain, for performance reasons, and so the loopback token isn't seen by any remote token authenticators configured. The loopback authorizer should also go first in the chain for performance.
2025-07-29 06:27:05 +00:00 · 2016-09-25 19:34:22 -07:00 · 2016-09-25 19:34:22 -07:00 · 4476561659
commit 4476561659
parent 4785f6f517 2ac293a0bd
2 changed files with 4 additions and 4 deletions
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@ -279,10 +279,10 @@ func Run(s *options.APIServer) error {
 		}

 		tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
-		apiAuthenticator = authenticatorunion.New(apiAuthenticator, tokenAuthenticator)
+		apiAuthenticator = authenticatorunion.New(tokenAuthenticator, apiAuthenticator)

 		tokenAuthorizer := authorizer.NewPrivilegedGroups("system:masters")
-		apiAuthorizer = authorizerunion.New(apiAuthorizer, tokenAuthorizer)
+		apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
 	}

 	sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
--- a/federation/cmd/federation-apiserver/app/server.go
+++ b/federation/cmd/federation-apiserver/app/server.go
@ -187,10 +187,10 @@ func Run(s *options.ServerRunOptions) error {
 		}

 		tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
-		apiAuthenticator = authenticatorunion.New(apiAuthenticator, tokenAuthenticator)
+		apiAuthenticator = authenticatorunion.New(tokenAuthenticator, apiAuthenticator)

 		tokenAuthorizer := authorizer.NewPrivilegedGroups("system:masters")
-		apiAuthorizer = authorizerunion.New(apiAuthorizer, tokenAuthorizer)
+		apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
 	}

 	sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)