UPSTREAM: <carry>: use hardcoded metrics scraping authorizer for delegated apiservers

deads2k · bertinatto · commit 6cc36ce7d532 · 2024-11-29T15:03:49.000-03:00
OpenShift-Rebase-Source: d8adc09
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/spf13/pflag"
 
+	"github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
@@ -181,6 +182,9 @@ func (s *DelegatingAuthorizationOptions) toAuthorizer(client kubernetes.Interfac
 		authorizers = append(authorizers, authorizerfactory.NewPrivilegedGroups(s.AlwaysAllowGroups...))
 	}
 
+	// add an authorizer to always approver the openshift metrics scraper.
+	authorizers = append(authorizers, hardcodedauthorizer.NewHardCodedMetricsAuthorizer())
+
 	if len(s.AlwaysAllowPaths) > 0 {
 		a, err := path.NewAuthorizer(s.AlwaysAllowPaths)
 		if err != nil {
