From 1ed1ac82b2a7decbc72a867a95f025c7b87f4958 Mon Sep 17 00:00:00 2001
From: David Eads
Date: Thu, 21 Jan 2021 12:51:04 -0500
Subject: [PATCH] punch through authz for health, ready, and system:masters

---
 pkg/cmd/server/start.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkg/cmd/server/start.go b/pkg/cmd/server/start.go
index 216df7cb3..624d92431 100644
--- a/pkg/cmd/server/start.go
+++ b/pkg/cmd/server/start.go
@@ -41,6 +41,13 @@ func NewAdmissionServerOptions(out, errOut io.Writer, admissionHooks ...apiserve
 o.RecommendedOptions.Etcd = nil
 o.RecommendedOptions.Admission = nil
+ // we can also optimize the authz options. We know that system:masters should always be authorized for actions and the
+ // delegating authorizer now allows this.
+ o.RecommendedOptions.Authorization = o.RecommendedOptions.Authorization.
+ WithAlwaysAllowPaths("/healthz", "/readyz", "/livez"). // this allows the kubelet to always get health and readiness without causing an access check
+ WithAlwaysAllowGroups("system:masters") // in a kube cluster, system:masters can take any action, so there is no need to ask for an authz check
+
+
 return o
 }
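Review bot: The trailing comments on the two `With...` lines describe the motivation but not the security consequence, and the leading comment calls it an optimization: after this change every request to exactly `/healthz`, `/readyz` and `/livez` skips authorization entirely (authentication still runs, so anonymous callers reach them), and any client whose groups include `system:masters` is authorized locally without a SubjectAccessReview round-trip to the kube-apiserver, so those calls no longer show up there. I would replace the three inline comments with one block above the assignment, e.g. `// Authorization bypass, not just an optimization: the three health paths are served to any authenticated or anonymous caller, and system:masters is granted every action locally, so neither ever reaches the kube-apiserver as a SubjectAccessReview.` Whether the path allow-list matches only the exact path or also subpaths (a /healthz/… check endpoint) depends on the path authorizer in the apiserver library version in use, and whether the `With...` helpers append to or replace an existing default list also varies by version, so both are worth confirming and noting in that comment. NewAdmissionServerOptions starts outside the hunk; if `o.RecommendedOptions.Authorization` can ever be nil at this point the chained call would panic, though the recommended-options constructor appears to always populate it.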