From cebce291ddcb8490a705c79623c0b4f13faef6e7 Mon Sep 17 00:00:00 2001
From: David Eads
Date: Fri, 22 Jan 2021 16:16:14 -0500
Subject: [PATCH 1/2] Update delegated authorization options default to eliminate unnecessary SARs
healthz, readyz, and livez are canonical names for checks that the kubelet does. By default, allow access to them in the options. Callers can adjust the defaults if they have a reason to require checks. system:masters has full power, so the authorization check is unnecessary and just uses an extra call for in-cluster access. Callers can adjust the defaults if they have a reason to require checks.
---
.../k8s.io/apiserver/pkg/server/options/authorization.go | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
index bfa02bc3f47..796514e9106 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
@@ -78,6 +78,14 @@ func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions {
DenyCacheTTL: 10 * time.Second,
ClientTimeout: 10 * time.Second,
WebhookRetryBackoff: DefaultAuthWebhookRetryBackoff(),
+ // This allows the kubelet to always get health and readiness without causing an authorization check.
+ // This field can be cleared by callers if they don't want this behavior.
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"},
+ // In an authorization call delegated to a kube-apiserver (the expected common-case), system:masters has full
+ // authority in a hard-coded authorizer. This means that our default can reasonably be to skip an authorization
+ // check for system:masters.
+ // This field can be cleared by callers if they don't want this behavior.
+ AlwaysAllowGroups: []string{"system:masters"},
}
}
From 62230d3c46d4e3082c5911a6e2022e524e6da621 Mon Sep 17 00:00:00 2001
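Review bot: The new `AlwaysAllowGroups: []string{"system:masters"}` default makes every consumer of NewDelegatingAuthorizationOptions skip the SubjectAccessReview for any caller carrying that group, and the justification given in the hunk's comment — that the delegate is a kube-apiserver whose hard-coded authorizer already grants system:masters full authority — only holds for that deployment shape; a server that delegates to a different authorizer, or whose authenticator assigns that group more loosely, silently widens access, and the skipped SARs also no longer leave a trace on the delegate. The assumption lives only in a comment inside the constructor; it belongs on the `AlwaysAllowGroups` field doc comment of DelegatingAuthorizationOptions (outside this hunk) and in a release note, since the struct is what downstream callers read. If the field has no corresponding command-line flag — the AddFlags method is not visible here — operators cannot opt out without a code change, which is worth stating in that comment. Suggested addition next to the new field: `// NOTE: safe only when the delegate is a kube-apiserver; callers delegating to any other authorizer should clear this.` The enclosing function begins before this hunk.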
From: David Eads
Date: Tue, 26 Jan 2021 12:53:24 -0500
Subject: [PATCH 2/2] update delegated authz defaults in kube binaries
---
cmd/kube-controller-manager/app/options/options.go | 1 -
cmd/kube-controller-manager/app/options/options_test.go | 3 ++-
cmd/kube-scheduler/app/options/options.go | 1 -
cmd/kube-scheduler/app/options/options_test.go | 9 ++++++---
staging/src/k8s.io/cloud-provider/options/options.go | 2 +-
.../src/k8s.io/cloud-provider/options/options_test.go | 6 ++++--
6 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/cmd/kube-controller-manager/app/options/options.go b/cmd/kube-controller-manager/app/options/options.go
index d0475bd0c20..9dd39d8d889 100644
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@@ -193,7 +193,6 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
s.Authentication.RemoteKubeConfigFileOptional = true
s.Authorization.RemoteKubeConfigFileOptional = true
- s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
// Set the PairName but leave certificate directory blank to generate in-memory by default
s.SecureServing.ServerCert.CertDirectory = ""
diff --git a/cmd/kube-controller-manager/app/options/options_test.go b/cmd/kube-controller-manager/app/options/options_test.go
index a04f30853a5..83b85e3d25a 100644
--- a/cmd/kube-controller-manager/app/options/options_test.go
+++ b/cmd/kube-controller-manager/app/options/options_test.go
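Review bot: Deleting `s.Authorization.AlwaysAllowPaths = []string{"/healthz"}` makes kube-controller-manager inherit the library defaults from NewDelegatingAuthorizationOptions, which after the first patch of this series include `AlwaysAllowGroups: []string{"system:masters"}` — so this binary's authorization behavior changes with no line in this file saying so, and the same applies to the kube-scheduler and cloud-provider options.go hunks further down. The updated options_test.go files pin the new values, but a reader of this constructor no longer sees that the health-probe paths and the system:masters bypass are in effect, and any future change to the library default will alter this component without a diff here. I would keep a one-line comment where the assignment was, e.g. `// Authorization.AlwaysAllowPaths and AlwaysAllowGroups are inherited from the apiserver delegating-authz defaults (health probes, system:masters).` NewKubeControllerManagerOptions begins before this hunk.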
@@ -428,7 +428,8 @@ func TestAddFlags(t *testing.T) {
ClientTimeout: 10 * time.Second,
WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
},
Kubeconfig: "/kubeconfig",
Master: "192.168.4.20",
diff --git a/cmd/kube-scheduler/app/options/options.go b/cmd/kube-scheduler/app/options/options.go
index 338e5de7501..be0b0bb5650 100644
--- a/cmd/kube-scheduler/app/options/options.go
+++ b/cmd/kube-scheduler/app/options/options.go
@@ -113,7 +113,6 @@ func NewOptions() (*Options, error) {
o.Authentication.TolerateInClusterLookupFailure = true
o.Authentication.RemoteKubeConfigFileOptional = true
o.Authorization.RemoteKubeConfigFileOptional = true
- o.Authorization.AlwaysAllowPaths = []string{"/healthz"}
// Set the PairName but leave certificate directory blank to generate in-memory by default
o.SecureServing.ServerCert.CertDirectory = ""
diff --git a/cmd/kube-scheduler/app/options/options_test.go b/cmd/kube-scheduler/app/options/options_test.go
index abe32ff8483..1b49faef7d2 100644
--- a/cmd/kube-scheduler/app/options/options_test.go
+++ b/cmd/kube-scheduler/app/options/options_test.go
@@ -292,7 +292,8 @@ profiles:
AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
},
Logs: logs.NewOptions(),
},
@@ -390,7 +391,8 @@ profiles:
AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
},
Logs: logs.NewOptions(),
},
@@ -456,7 +458,8 @@ profiles:
AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
},
Logs: logs.NewOptions(),
},
diff --git a/staging/src/k8s.io/cloud-provider/options/options.go b/staging/src/k8s.io/cloud-provider/options/options.go
index 6f852d8ec87..cb5ee2d420f 100644
--- a/staging/src/k8s.io/cloud-provider/options/options.go
+++ b/staging/src/k8s.io/cloud-provider/options/options.go
@@ -42,6 +42,7 @@ import (
cliflag "k8s.io/component-base/cli/flag"
cmoptions "k8s.io/controller-manager/options"
"k8s.io/controller-manager/pkg/clientbuilder"
+ // add the related feature gates
_ "k8s.io/controller-manager/pkg/features/register"
)
@@ -98,7 +99,6 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
s.Authentication.RemoteKubeConfigFileOptional = true
s.Authorization.RemoteKubeConfigFileOptional = true
- s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
// Set the PairName but leave certificate directory blank to generate in-memory by default
s.SecureServing.ServerCert.CertDirectory = ""
diff --git a/staging/src/k8s.io/cloud-provider/options/options_test.go b/staging/src/k8s.io/cloud-provider/options/options_test.go
index 2ea25bdcb33..57f813b03f9 100644
--- a/staging/src/k8s.io/cloud-provider/options/options_test.go
+++ b/staging/src/k8s.io/cloud-provider/options/options_test.go
@@ -120,7 +120,8 @@ func TestDefaultFlags(t *testing.T) {
ClientTimeout: 10 * time.Second,
WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
},
Kubeconfig: "",
Master: "",
@@ -256,7 +257,8 @@ func TestAddFlags(t *testing.T) {
ClientTimeout: 10 * time.Second,
WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
RemoteKubeConfigFileOptional: true,
- AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or
+ AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
+ AlwaysAllowGroups: []string{"system:masters"},
},
Kubeconfig: "/kubeconfig",
Master: "192.168.4.20",