From cebce291ddcb8490a705c79623c0b4f13faef6e7 Mon Sep 17 00:00:00 2001 From: David Eads Date: Fri, 22 Jan 2021 16:16:14 -0500 Subject: [PATCH] Update delegated authorization options default to eliminate unnecessary SARs healthz, readyz, and livez are canonical names for checks that the kubelet does. By default, allow access to them in the options. Callers can adjust the defaults if they have a reason to require checks. system:masters has full power, so the authorization check is unnecessary and just uses an extra call for in-cluster access. Callers can adjust the defaults if they have a reason to require checks. --- .../k8s.io/apiserver/pkg/server/options/authorization.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go index bfa02bc3f47..796514e9106 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go @@ -78,6 +78,14 @@ func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions { DenyCacheTTL: 10 * time.Second, ClientTimeout: 10 * time.Second, WebhookRetryBackoff: DefaultAuthWebhookRetryBackoff(), + // This allows the kubelet to always get health and readiness without causing an authorization check. + // This field can be cleared by callers if they don't want this behavior. + AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, + // In an authorization call delegated to a kube-apiserver (the expected common-case), system:masters has full + // authority in a hard-coded authorizer. This means that our default can reasonably be to skip an authorization + // check for system:masters. + // This field can be cleared by callers if they don't want this behavior. + AlwaysAllowGroups: []string{"system:masters"}, } }