diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go index 0694dbf0bfc..cfbbb2b3835 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go @@ -94,10 +94,10 @@ func ClusterRoles() []rbac.ClusterRole { }, }, { - // a role which provides just enough power to discovery API versions for negotiation + // a role which provides just enough power to determine if the server is ready and discover API versions for negotiation ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"}, Rules: []rbac.PolicyRule{ - rbac.NewRule("get").URLs("/version", "/swaggerapi", "/swaggerapi/*", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(), + rbac.NewRule("get").URLs("/healthz", "/version", "/swaggerapi", "/swaggerapi/*", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(), }, }, { diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml index ca2d48125ba..0faf55cc6d7 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml @@ -369,6 +369,7 @@ items: - /api/* - /apis - /apis/* + - /healthz - /swaggerapi - /swaggerapi/* - /version diff --git a/staging/src/k8s.io/apiserver/pkg/server/healthz/healthz.go b/staging/src/k8s.io/apiserver/pkg/server/healthz/healthz.go index a1e339fa4e4..441500dcb5b 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/healthz/healthz.go +++ b/staging/src/k8s.io/apiserver/pkg/server/healthz/healthz.go @@ -96,9 +96,10 @@ func handleRootHealthz(checks ...HealthzChecker) http.HandlerFunc { failed := false var verboseOut bytes.Buffer for _, check := range checks { - err := check.Check(r) - if err != nil { - fmt.Fprintf(&verboseOut, "[-]%v failed: %v\n", check.Name(), err) + if check.Check(r) != nil { + // don't include the error since this endpoint is public. If someone wants more detail + // they should have explicit permission to the detailed checks. + fmt.Fprintf(&verboseOut, "[-]%v failed: reason withheld\n", check.Name()) failed = true } else { fmt.Fprintf(&verboseOut, "[+]%v ok\n", check.Name()) diff --git a/staging/src/k8s.io/apiserver/pkg/server/healthz/healthz_test.go b/staging/src/k8s.io/apiserver/pkg/server/healthz/healthz_test.go index 3cd9767b4d4..b32c072d2d0 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/healthz/healthz_test.go +++ b/staging/src/k8s.io/apiserver/pkg/server/healthz/healthz_test.go @@ -51,10 +51,10 @@ func TestMulitipleChecks(t *testing.T) { {"/healthz?verbose", "[+]ping ok\nhealthz check passed\n", http.StatusOK, false}, {"/healthz/ping", "ok", http.StatusOK, false}, {"/healthz", "ok", http.StatusOK, false}, - {"/healthz?verbose", "[+]ping ok\n[-]bad failed: this will fail\nhealthz check failed\n", http.StatusInternalServerError, true}, + {"/healthz?verbose", "[+]ping ok\n[-]bad failed: reason withheld\nhealthz check failed\n", http.StatusInternalServerError, true}, {"/healthz/ping", "ok", http.StatusOK, true}, {"/healthz/bad", "internal server error: this will fail\n", http.StatusInternalServerError, true}, - {"/healthz", "[+]ping ok\n[-]bad failed: this will fail\nhealthz check failed\n", http.StatusInternalServerError, true}, + {"/healthz", "[+]ping ok\n[-]bad failed: reason withheld\nhealthz check failed\n", http.StatusInternalServerError, true}, } for i, test := range tests {