diff --git a/pkg/kubelet/server/auth.go b/pkg/kubelet/server/auth.go index 568f78b0484..c5543e80a7c 100644 --- a/pkg/kubelet/server/auth.go +++ b/pkg/kubelet/server/auth.go @@ -27,6 +27,7 @@ import ( "k8s.io/apiserver/pkg/server/healthz" utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/component-base/configz" + "k8s.io/component-base/zpages/statusz" "k8s.io/klog/v2" "k8s.io/kubernetes/pkg/features" ) @@ -72,6 +73,7 @@ func isSubpath(subpath, path string) bool { // /runningPods/* => verb=, resource=nodes, name=, subresource(s)=pods,proxy // /healthz/* => verb=, resource=nodes, name=, subresource(s)=healthz,proxy // /configz => verb=, resource=nodes, name=, subresource(s)=configz,proxy +// /statusz => verb=, resource=nodes, name=, subresource(s)=statusz,proxy func (n nodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *http.Request) []authorizer.Attributes { apiVerb := "" @@ -99,6 +101,8 @@ func (n nodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *htt subresources = append(subresources, "healthz") case isSubpath(requestPath, configz.DefaultConfigzPath): subresources = append(subresources, "configz") + case isSubpath(requestPath, statusz.DefaultStatuszPath): + subresources = append(subresources, "statusz") // We put runningpods last since it will allocate a new string on every // check since the handler path has a trailing slash. case isSubpath(requestPath, runningPodsPath): diff --git a/pkg/kubelet/server/auth_test.go b/pkg/kubelet/server/auth_test.go index fd0256059d2..e4c826963da 100644 --- a/pkg/kubelet/server/auth_test.go +++ b/pkg/kubelet/server/auth_test.go @@ -125,6 +125,7 @@ func AuthzTestCases(fineGrained bool) []AuthzTestCase { "/attach/{podNamespace}/{podID}/{uid}/{containerName}": {"proxy"}, "/checkpoint/{podNamespace}/{podID}/{containerName}": {"checkpoint"}, "/configz": {"proxy"}, + "/statusz": {"proxy"}, "/containerLogs/{podNamespace}/{podID}/{containerName}": {"proxy"}, "/debug/flags/v": {"proxy"}, "/debug/pprof/{subpath:*}": {"proxy"}, @@ -159,6 +160,7 @@ func AuthzTestCases(fineGrained bool) []AuthzTestCase { testPaths["/pods/"] = append([]string{"pods"}, testPaths["/pods/"]...) testPaths["/runningpods/"] = append([]string{"pods"}, testPaths["/runningpods/"]...) testPaths["/configz"] = append([]string{"configz"}, testPaths["/configz"]...) + testPaths["/statusz"] = append([]string{"statusz"}, testPaths["/statusz"]...) } testCases := []AuthzTestCase{} diff --git a/pkg/kubelet/server/server_test.go b/pkg/kubelet/server/server_test.go index 02f3194498c..e3b517fb4d7 100644 --- a/pkg/kubelet/server/server_test.go +++ b/pkg/kubelet/server/server_test.go @@ -573,6 +573,7 @@ func TestAuthzCoverage(t *testing.T) { func TestAuthFilters(t *testing.T) { // Enable features.ContainerCheckpoint during test featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ContainerCheckpoint, true) + featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, zpagesfeatures.ComponentStatusz, true) fw := newServerTest() defer fw.testHTTPServer.Close() diff --git a/staging/src/k8s.io/component-base/zpages/statusz/statusz.go b/staging/src/k8s.io/component-base/zpages/statusz/statusz.go index 7d07d5ddbb6..2c1923cb33f 100644 --- a/staging/src/k8s.io/component-base/zpages/statusz/statusz.go +++ b/staging/src/k8s.io/component-base/zpages/statusz/statusz.go @@ -35,6 +35,8 @@ var ( errUnsupportedMediaType = fmt.Errorf("media type not acceptable, must be: text/plain") ) +const DefaultStatuszPath = "/statusz" + const ( headerFmt = ` %s statusz @@ -73,7 +75,7 @@ func Install(m mux, componentName string, reg statuszRegistry) { klog.Errorf("error while parsing gotemplates: %v", err) return } - m.Handle("/statusz", handleStatusz(componentName, dataTmpl, reg)) + m.Handle(DefaultStatuszPath, handleStatusz(componentName, dataTmpl, reg)) } func initializeTemplates() (*template.Template, error) {