UPSTREAM: <carry>: use hardcoded metrics scraping authorizer for dele…

…gated apiservers OpenShift-Rebase-Source: d8adc09
openshift · Jul 25, 2023 · 1af70be · 1af70be
1 parent 21c3bce
commit 1af70be
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/openshift-kube-apiserver/openshiftkubeapiserver/patch.go b/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
@@ -35,6 +35,9 @@ import (
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/managednode"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/managementcpusoverride"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/nodeenv"
+
+	// magnet to get authorizer package in hack/update-vendor.sh
+	_ "github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer"
 )
 
 func OpenShiftKubeAPIServerConfigPatch(genericConfig *genericapiserver.Config, kubeInformers clientgoinformers.SharedInformerFactory, pluginInitializers *[]admission.PluginInitializer) error {

diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/spf13/pflag"
 
+	"github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
@@ -181,6 +182,9 @@ func (s *DelegatingAuthorizationOptions) toAuthorizer(client kubernetes.Interfac
 		authorizers = append(authorizers, authorizerfactory.NewPrivilegedGroups(s.AlwaysAllowGroups...))
 	}
 
+	// add an authorizer to always approver the openshift metrics scraper.
+	authorizers = append(authorizers, hardcodedauthorizer.NewHardCodedMetricsAuthorizer())
+
 	if len(s.AlwaysAllowPaths) > 0 {
 		a, err := path.NewAuthorizer(s.AlwaysAllowPaths)
 		if err != nil {