punch through authz for health, ready, and system:masters

openshift · Jan 25, 2021 · 1ed1ac8 · 1ed1ac8
1 parent 8cbb259
commit 1ed1ac8
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/pkg/cmd/server/start.go b/pkg/cmd/server/start.go
@@ -41,6 +41,13 @@ func NewAdmissionServerOptions(out, errOut io.Writer, admissionHooks ...apiserve
 	o.RecommendedOptions.Etcd = nil
 	o.RecommendedOptions.Admission = nil
 
+	// we can also optimize the authz options.  We know that system:masters should always be authorized for actions and the
+	// delegating authorizer now allows this.
+	o.RecommendedOptions.Authorization = o.RecommendedOptions.Authorization.
+		WithAlwaysAllowPaths("/healthz", "/readyz", "/livez"). // this allows the kubelet to always get health and readiness without causing an access check
+		WithAlwaysAllowGroups("system:masters") // in a kube cluster, system:masters can take any action, so there is no need to ask for an authz check
+
+
 	return o
 }