github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 12:43:23 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #98325 from deads2k/update-default-authorizer

Browse Source 
Update delegated authorization options default to eliminate unnecessary SARs
This commit is contained in:
Kubernetes Prow Robot 2021-02-02 11:38:28 -08:00 committed by GitHub
commit d2659101bf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 21 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/kube-controller-manager/app/options/options.go
View File

@ -193,7 +193,6 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
s.Authentication.RemoteKubeConfigFileOptional = true s.Authentication.RemoteKubeConfigFileOptional = true
s.Authorization.RemoteKubeConfigFileOptional = true s.Authorization.RemoteKubeConfigFileOptional = true
s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
// Set the PairName but leave certificate directory blank to generate in-memory by default // Set the PairName but leave certificate directory blank to generate in-memory by default
s.SecureServing.ServerCert.CertDirectory = "" s.SecureServing.ServerCert.CertDirectory = ""

3
cmd/kube-controller-manager/app/options/options_test.go
View File

@ -428,7 +428,8 @@ func TestAddFlags(t *testing.T) {
ClientTimeout: 10 * time.Second, ClientTimeout: 10 * time.Second,
WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(), WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
RemoteKubeConfigFileOptional: true, RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/* AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
AlwaysAllowGroups: []string{"system:masters"},
}, },
Kubeconfig: "/kubeconfig", Kubeconfig: "/kubeconfig",
Master: "192.168.4.20", Master: "192.168.4.20",

1
cmd/kube-scheduler/app/options/options.go
View File

@ -113,7 +113,6 @@ func NewOptions() (*Options, error) {
o.Authentication.TolerateInClusterLookupFailure = true o.Authentication.TolerateInClusterLookupFailure = true
o.Authentication.RemoteKubeConfigFileOptional = true o.Authentication.RemoteKubeConfigFileOptional = true
o.Authorization.RemoteKubeConfigFileOptional = true o.Authorization.RemoteKubeConfigFileOptional = true
o.Authorization.AlwaysAllowPaths = []string{"/healthz"}
// Set the PairName but leave certificate directory blank to generate in-memory by default // Set the PairName but leave certificate directory blank to generate in-memory by default
o.SecureServing.ServerCert.CertDirectory = "" o.SecureServing.ServerCert.CertDirectory = ""

9
cmd/kube-scheduler/app/options/options_test.go
View File

@ -292,7 +292,8 @@ profiles:
AllowCacheTTL: 10 * time.Second, AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second, DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true, RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/* AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
AlwaysAllowGroups: []string{"system:masters"},
}, },
Logs: logs.NewOptions(), Logs: logs.NewOptions(),
}, },
@ -390,7 +391,8 @@ profiles:
AllowCacheTTL: 10 * time.Second, AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second, DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true, RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/* AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
AlwaysAllowGroups: []string{"system:masters"},
}, },
Logs: logs.NewOptions(), Logs: logs.NewOptions(),
}, },
@ -456,7 +458,8 @@ profiles:
AllowCacheTTL: 10 * time.Second, AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second, DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true, RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/* AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
AlwaysAllowGroups: []string{"system:masters"},
}, },
Logs: logs.NewOptions(), Logs: logs.NewOptions(),
}, },

8
staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
View File

@ -78,6 +78,14 @@ func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions {
DenyCacheTTL: 10 * time.Second, DenyCacheTTL: 10 * time.Second,
ClientTimeout: 10 * time.Second, ClientTimeout: 10 * time.Second,
WebhookRetryBackoff: DefaultAuthWebhookRetryBackoff(), WebhookRetryBackoff: DefaultAuthWebhookRetryBackoff(),
// This allows the kubelet to always get health and readiness without causing an authorization check.
// This field can be cleared by callers if they don't want this behavior.
AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"},
// In an authorization call delegated to a kube-apiserver (the expected common-case), system:masters has full
// authority in a hard-coded authorizer. This means that our default can reasonably be to skip an authorization
// check for system:masters.
// This field can be cleared by callers if they don't want this behavior.
AlwaysAllowGroups: []string{"system:masters"},
} }
} }

2
staging/src/k8s.io/cloud-provider/options/options.go
View File

@ -42,6 +42,7 @@ import (
cliflag "k8s.io/component-base/cli/flag" cliflag "k8s.io/component-base/cli/flag"
cmoptions "k8s.io/controller-manager/options" cmoptions "k8s.io/controller-manager/options"
"k8s.io/controller-manager/pkg/clientbuilder" "k8s.io/controller-manager/pkg/clientbuilder"
// add the related feature gates // add the related feature gates
_ "k8s.io/controller-manager/pkg/features/register" _ "k8s.io/controller-manager/pkg/features/register"
) )
@ -98,7 +99,6 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
s.Authentication.RemoteKubeConfigFileOptional = true s.Authentication.RemoteKubeConfigFileOptional = true
s.Authorization.RemoteKubeConfigFileOptional = true s.Authorization.RemoteKubeConfigFileOptional = true
s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
// Set the PairName but leave certificate directory blank to generate in-memory by default // Set the PairName but leave certificate directory blank to generate in-memory by default
s.SecureServing.ServerCert.CertDirectory = "" s.SecureServing.ServerCert.CertDirectory = ""

6
staging/src/k8s.io/cloud-provider/options/options_test.go
View File

@ -120,7 +120,8 @@ func TestDefaultFlags(t *testing.T) {
ClientTimeout: 10 * time.Second, ClientTimeout: 10 * time.Second,
WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(), WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
RemoteKubeConfigFileOptional: true, RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
AlwaysAllowGroups: []string{"system:masters"},
}, },
Kubeconfig: "", Kubeconfig: "",
Master: "", Master: "",
@ -256,7 +257,8 @@ func TestAddFlags(t *testing.T) {
ClientTimeout: 10 * time.Second, ClientTimeout: 10 * time.Second,
WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(), WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
RemoteKubeConfigFileOptional: true, RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or AlwaysAllowPaths: []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
AlwaysAllowGroups: []string{"system:masters"},
}, },
Kubeconfig: "/kubeconfig", Kubeconfig: "/kubeconfig",
Master: "192.168.4.20", Master: "192.168.4.20",