github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

Update delegated authorization options default to eliminate unnecessary

Browse Source 
SARs

healthz, readyz, and livez are canonical names for checks that the kubelet does.  By default, allow access to them in the options. Callers can adjust the defaults if they have a reason to require checks.

system:masters has full power, so the authorization check is unnecessary and just uses an extra call for in-cluster access.  Callers can adjust the defaults if they have a reason to require checks.
This commit is contained in:
David Eads 2021-01-22 16:16:14 -05:00
parent 7b3f0cd5ca
commit cebce291dd
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
View File

@ -78,6 +78,14 @@ func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions {
DenyCacheTTL: 10 * time.Second,
ClientTimeout: 10 * time.Second,
WebhookRetryBackoff: DefaultAuthWebhookRetryBackoff(),
// This allows the kubelet to always get health and readiness without causing an authorization check.
// This field can be cleared by callers if they don't want this behavior.
AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"},
// In an authorization call delegated to a kube-apiserver (the expected common-case), system:masters has full
// authority in a hard-coded authorizer. This means that our default can reasonably be to skip an authorization
// check for system:masters.
// This field can be cleared by callers if they don't want this behavior.
AlwaysAllowGroups: []string{"system:masters"},
}
}