mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-30 06:54:01 +00:00
Merge pull request #58598 from WanLinghao/rbac_improve
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

add a comment on special case on authorization

In file /staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go, function WithAuthorization() returns DecisionAllow before error check. It is intentional to avoid leaking authorization errors to attackers. This patch adds a comment here to give a hint.

**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes #

**Special notes for your reviewer**:

**Release note**:
```release-note
NONE
```
This commit is contained in:
commit
8f71d6d840
@ -47,6 +47,7 @@ func WithAuthorization(handler http.Handler, requestContextMapper request.Reques
|
||||
return
|
||||
}
|
||||
authorized, reason, err := a.Authorize(attributes)
|
||||
// an authorizer like RBAC could encounter evaluation errors and still allow the request, so authorizer decision is checked before error here.
|
||||
if authorized == authorizer.DecisionAllow {
|
||||
handler.ServeHTTP(w, req)
|
||||
return
|
||||
|
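Review bot: The new comment above `if authorized == authorizer.DecisionAllow` says why the decision is checked before the error, but not what happens to `err` on that path: in the visible lines the request is served and the function returns without `err` being logged or recorded anywhere. If dropping it is intended, state that in the comment; otherwise consider logging it server-side before `handler.ServeHTTP(w, req)` so authorizer evaluation errors stay visible to operators without being returned to the client. The commit message also gives a different rationale (not leaking authorization errors to attackers) than the comment does (an authorizer like RBAC can hit evaluation errors and still allow), so the comment should carry whichever reason actually drives the ordering. As a style point, start the comment with a capital letter and wrap it rather than leaving it as one long line.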