mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 11:21:47 +00:00
update delegated authz defaults in kube binaries
This commit is contained in:
parent
cebce291dd
commit
62230d3c46
@ -193,7 +193,6 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
|
||||
|
||||
s.Authentication.RemoteKubeConfigFileOptional = true
|
||||
s.Authorization.RemoteKubeConfigFileOptional = true
|
||||
s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
|
||||
|
||||
// Set the PairName but leave certificate directory blank to generate in-memory by default
|
||||
s.SecureServing.ServerCert.CertDirectory = ""
|
||||
|
@ -428,7 +428,8 @@ func TestAddFlags(t *testing.T) {
|
||||
ClientTimeout: 10 * time.Second,
|
||||
WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
|
||||
RemoteKubeConfigFileOptional: true,
|
||||
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
|
||||
AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
|
||||
AlwaysAllowGroups: []string{"system:masters"},
|
||||
},
|
||||
Kubeconfig: "/kubeconfig",
|
||||
Master: "192.168.4.20",
|
||||
|
@ -113,7 +113,6 @@ func NewOptions() (*Options, error) {
|
||||
o.Authentication.TolerateInClusterLookupFailure = true
|
||||
o.Authentication.RemoteKubeConfigFileOptional = true
|
||||
o.Authorization.RemoteKubeConfigFileOptional = true
|
||||
o.Authorization.AlwaysAllowPaths = []string{"/healthz"}
|
||||
|
||||
// Set the PairName but leave certificate directory blank to generate in-memory by default
|
||||
o.SecureServing.ServerCert.CertDirectory = ""
|
||||
|
@ -292,7 +292,8 @@ profiles:
|
||||
AllowCacheTTL: 10 * time.Second,
|
||||
DenyCacheTTL: 10 * time.Second,
|
||||
RemoteKubeConfigFileOptional: true,
|
||||
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
|
||||
AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
|
||||
AlwaysAllowGroups: []string{"system:masters"},
|
||||
},
|
||||
Logs: logs.NewOptions(),
|
||||
},
|
||||
@ -390,7 +391,8 @@ profiles:
|
||||
AllowCacheTTL: 10 * time.Second,
|
||||
DenyCacheTTL: 10 * time.Second,
|
||||
RemoteKubeConfigFileOptional: true,
|
||||
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
|
||||
AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
|
||||
AlwaysAllowGroups: []string{"system:masters"},
|
||||
},
|
||||
Logs: logs.NewOptions(),
|
||||
},
|
||||
@ -456,7 +458,8 @@ profiles:
|
||||
AllowCacheTTL: 10 * time.Second,
|
||||
DenyCacheTTL: 10 * time.Second,
|
||||
RemoteKubeConfigFileOptional: true,
|
||||
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
|
||||
AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
|
||||
AlwaysAllowGroups: []string{"system:masters"},
|
||||
},
|
||||
Logs: logs.NewOptions(),
|
||||
},
|
||||
|
@ -42,6 +42,7 @@ import (
|
||||
cliflag "k8s.io/component-base/cli/flag"
|
||||
cmoptions "k8s.io/controller-manager/options"
|
||||
"k8s.io/controller-manager/pkg/clientbuilder"
|
||||
|
||||
// add the related feature gates
|
||||
_ "k8s.io/controller-manager/pkg/features/register"
|
||||
)
|
||||
@ -98,7 +99,6 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
|
||||
|
||||
s.Authentication.RemoteKubeConfigFileOptional = true
|
||||
s.Authorization.RemoteKubeConfigFileOptional = true
|
||||
s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
|
||||
|
||||
// Set the PairName but leave certificate directory blank to generate in-memory by default
|
||||
s.SecureServing.ServerCert.CertDirectory = ""
|
||||
|
@ -120,7 +120,8 @@ func TestDefaultFlags(t *testing.T) {
|
||||
ClientTimeout: 10 * time.Second,
|
||||
WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
|
||||
RemoteKubeConfigFileOptional: true,
|
||||
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or
|
||||
AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
|
||||
AlwaysAllowGroups: []string{"system:masters"},
|
||||
},
|
||||
Kubeconfig: "",
|
||||
Master: "",
|
||||
@ -256,7 +257,8 @@ func TestAddFlags(t *testing.T) {
|
||||
ClientTimeout: 10 * time.Second,
|
||||
WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
|
||||
RemoteKubeConfigFileOptional: true,
|
||||
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or
|
||||
AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
|
||||
AlwaysAllowGroups: []string{"system:masters"},
|
||||
},
|
||||
Kubeconfig: "/kubeconfig",
|
||||
Master: "192.168.4.20",
|
||||
|
Loading…
Reference in New Issue
Block a user