add statusz implementation and enablement in apiserver

Richa Banker
2024-06-18 20:30:43 -07:00
parent 847be85000
commit 8bf6eecedf
17 changed files with 792 additions and 13 deletions


@@ -25,6 +25,7 @@ import (
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/user"
utilfeature "k8s.io/apiserver/pkg/util/feature"
zpagesfeatures "k8s.io/component-base/zpages/features"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
"k8s.io/kubernetes/pkg/features"
@@ -194,6 +195,18 @@ func NodeRules() []rbacv1.PolicyRule {
// ClusterRoles returns the cluster roles to bootstrap an API server with
func ClusterRoles() []rbacv1.ClusterRole {
monitoringRules := []rbacv1.PolicyRule{
rbacv1helpers.NewRule("get").URLs(
"/metrics", "/metrics/slis",
"/livez", "/readyz", "/healthz",
"/livez/*", "/readyz/*", "/healthz/*",
).RuleOrDie(),
}
if utilfeature.DefaultFeatureGate.Enabled(zpagesfeatures.ComponentStatusz) {
monitoringRules = append(monitoringRules, rbacv1helpers.NewRule("get").URLs("/statusz").RuleOrDie())
}
roles := []rbacv1.ClusterRole{
{
// a "root" role which can do absolutely anything
@@ -223,13 +236,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
// The splatted health check endpoints allow read access to individual health check
// endpoints which may contain more sensitive cluster information information
ObjectMeta: metav1.ObjectMeta{Name: "system:monitoring"},
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule("get").URLs(
"/metrics", "/metrics/slis",
"/livez", "/readyz", "/healthz",
"/livez/*", "/readyz/*", "/healthz/*",
).RuleOrDie(),
},
Rules: monitoringRules,
},
}
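Review bot: The new `/statusz` rule in `ClusterRoles()` is appended to `monitoringRules` without a comment, and the `system:monitoring` role comment in the last hunk still describes only the health check endpoints, so a reader cannot tell what the extra grant exposes or why it is feature-gated. I would add above the `if`: `// /statusz is only served when ComponentStatusz is enabled; grant it to system:monitoring alongside the other read-only status endpoints.` Since that role is documented as covering insensitive information, it is worth confirming that the statusz output stays within that bound before it is granted under the same role. The gate is read when the role list is built, so if bootstrap role reconciliation only adds missing rules (not visible here), disabling the gate later would leave the rule in the stored role; that is harmless while the endpoint is not served, but it deserves a mention in the comment. The body of `ClusterRoles()` continues outside the hunks shown.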