diff --git a/cmd/kube-controller-manager/app/options/options.go b/cmd/kube-controller-manager/app/options/options.go
index d0475bd0c20..9dd39d8d889 100644
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@@ -193,7 +193,6 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
 s.Authentication.RemoteKubeConfigFileOptional = true
 s.Authorization.RemoteKubeConfigFileOptional = true
- s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
 // Set the PairName but leave certificate directory blank to generate in-memory by default
 s.SecureServing.ServerCert.CertDirectory = ""
diff --git a/cmd/kube-controller-manager/app/options/options_test.go b/cmd/kube-controller-manager/app/options/options_test.go
index a04f30853a5..83b85e3d25a 100644
--- a/cmd/kube-controller-manager/app/options/options_test.go
+++ b/cmd/kube-controller-manager/app/options/options_test.go
@@ -428,7 +428,8 @@ func TestAddFlags(t *testing.T) {
 ClientTimeout: 10 * time.Second,
 WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
 RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
 },
 Kubeconfig: "/kubeconfig",
 Master: "192.168.4.20",
diff --git a/cmd/kube-scheduler/app/options/options.go b/cmd/kube-scheduler/app/options/options.go
index 338e5de7501..be0b0bb5650 100644
--- a/cmd/kube-scheduler/app/options/options.go
+++ b/cmd/kube-scheduler/app/options/options.go
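Review bot: With the explicit `s.Authorization.AlwaysAllowPaths` assignment removed, nothing in NewKubeControllerManagerOptions says which paths skip delegated authorization. The list is now inherited from a default defined outside this diff, which the updated test expectation shows as `/healthz`, `/readyz` and `/livez`. Because this list is the component's unauthorized surface, I would leave a comment where the line was, e.g. `// AlwaysAllowPaths is inherited from the delegating authorization defaults (/healthz, /readyz, /livez); these paths are served without an authorization check.` The same applies to the removed assignments in NewOptions (kube-scheduler) and NewCloudControllerManagerOptions (cloud-provider). The function body starts and ends outside the hunk.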
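Review bot: The trailing comment kept on the new `AlwaysAllowPaths` expectation in TestAddFlags still names only `/healthz`, although the list now carries three paths, so a reader cannot tell whether `/readyz/` or `/livez/*` are also excluded from the bypass. Presumably the same exact-match rule covers all three, in which case the comment could read `// note: exact paths only; /healthz/, /healthz/* and the /readyz, /livez equivalents are not matched`. The same wording is repeated in the three kube-scheduler expectations and in both cloud-provider expectations (TestDefaultFlags and TestAddFlags). The test function starts and ends outside the hunk.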
@@ -113,7 +113,6 @@ func NewOptions() (*Options, error) {
 o.Authentication.TolerateInClusterLookupFailure = true
 o.Authentication.RemoteKubeConfigFileOptional = true
 o.Authorization.RemoteKubeConfigFileOptional = true
- o.Authorization.AlwaysAllowPaths = []string{"/healthz"}
 // Set the PairName but leave certificate directory blank to generate in-memory by default
 o.SecureServing.ServerCert.CertDirectory = ""
diff --git a/cmd/kube-scheduler/app/options/options_test.go b/cmd/kube-scheduler/app/options/options_test.go
index abe32ff8483..1b49faef7d2 100644
--- a/cmd/kube-scheduler/app/options/options_test.go
+++ b/cmd/kube-scheduler/app/options/options_test.go
@@ -292,7 +292,8 @@ profiles:
 AllowCacheTTL: 10 * time.Second,
 DenyCacheTTL: 10 * time.Second,
 RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
 },
 Logs: logs.NewOptions(),
 },
@@ -390,7 +391,8 @@ profiles:
 AllowCacheTTL: 10 * time.Second,
 DenyCacheTTL: 10 * time.Second,
 RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
 },
 Logs: logs.NewOptions(),
 },
@@ -456,7 +458,8 @@ profiles:
 AllowCacheTTL: 10 * time.Second,
 DenyCacheTTL: 10 * time.Second,
 RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
 },
 Logs: logs.NewOptions(),
 },
diff --git a/staging/src/k8s.io/cloud-provider/options/options.go b/staging/src/k8s.io/cloud-provider/options/options.go
index 6f852d8ec87..cb5ee2d420f 100644
--- a/staging/src/k8s.io/cloud-provider/options/options.go
+++ b/staging/src/k8s.io/cloud-provider/options/options.go
@@ -42,6 +42,7 @@ import (
 cliflag "k8s.io/component-base/cli/flag"
 cmoptions "k8s.io/controller-manager/options"
 "k8s.io/controller-manager/pkg/clientbuilder"
+
 // add the related feature gates
 _ "k8s.io/controller-manager/pkg/features/register"
 )
@@ -98,7 +99,6 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
 s.Authentication.RemoteKubeConfigFileOptional = true
 s.Authorization.RemoteKubeConfigFileOptional = true
- s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
 // Set the PairName but leave certificate directory blank to generate in-memory by default
 s.SecureServing.ServerCert.CertDirectory = ""
diff --git a/staging/src/k8s.io/cloud-provider/options/options_test.go b/staging/src/k8s.io/cloud-provider/options/options_test.go
index 2ea25bdcb33..57f813b03f9 100644
--- a/staging/src/k8s.io/cloud-provider/options/options_test.go
+++ b/staging/src/k8s.io/cloud-provider/options/options_test.go
@@ -120,7 +120,8 @@ func TestDefaultFlags(t *testing.T) {
 ClientTimeout: 10 * time.Second,
 WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
 RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
 },
 Kubeconfig: "",
 Master: "",
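Review bot: NewCloudControllerManagerOptions sits under `staging/src/k8s.io/cloud-provider`, so dropping the `/healthz`-only override presumably widens the authorization bypass list for every cloud controller manager built on this package, not just one binary in this tree. The exported constructor should say so in its doc comment, for example `// Authorization.AlwaysAllowPaths keeps the delegating authorization default; callers that need a narrower unauthorized surface must set it after construction.` Whether an existing doc comment already covers this cannot be seen here, because the function starts and ends outside the hunk.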
@@ -256,7 +257,8 @@ func TestAddFlags(t *testing.T) {
 ClientTimeout: 10 * time.Second,
 WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
 RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
 },
 Kubeconfig: "/kubeconfig",
 Master: "192.168.4.20",