mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-01-15 14:26:57 +00:00
c1d8f71ab5
Automatic merge from submit-queue (batch tested with PRs 53895, 58013, 58466, 58531, 58535). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. return reason for allowed rbac authorizations includes the binding, role, and subject that allowed a request so audit can make use of it xref #56209 #58083 ### example reasons > allowed by ClusterRoleBinding "system:controller:cronjob-controller" of ClusterRole "system:controller:cronjob-controller" to ServiceAccount "cronjob-controller/kube-system" > allowed by RoleBinding "bob-viewer/default" of ClusterRole "view" to User "bob" ### perf impact ```shell go test ./plugin/pkg/auth/authorizer/rbac/ -run foo -bench . -benchmem ``` on master: ``` BenchmarkAuthorize/allow_list_pods-8 500000 2674 ns/op 1632 B/op 27 allocs/op BenchmarkAuthorize/allow_update_pods/status-8 500000 2858 ns/op 1632 B/op 27 allocs/op BenchmarkAuthorize/forbid_educate_dolphins-8 500000 2654 ns/op 1632 B/op 27 allocs/op ``` with this PR: ``` BenchmarkAuthorize/allow_list_pods-8 500000 2697 ns/op 1664 B/op 28 allocs/op BenchmarkAuthorize/allow_update_pods/status-8 500000 2873 ns/op 1680 B/op 29 allocs/op BenchmarkAuthorize/forbid_educate_dolphins-8 500000 2687 ns/op 1664 B/op 28 allocs/op ``` ```release-note NONE ```