UPSTREAM: <carry>: use hardcoded metrics scraping authorizer for delegated apiservers

Author: deads2k

openshift-kube-apiserver/openshiftkubeapiserver/patch.go

@@ -31,6 +31,9 @@ import (
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers/usercache"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/nodeenv"
+
+	// magnet to get authorizer package in hack/update-vendor.sh
+	_ "github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer"
 )
 
 func OpenShiftKubeAPIServerConfigPatch(genericConfig *genericapiserver.Config, kubeInformers clientgoinformers.SharedInformerFactory, pluginInitializers *[]admission.PluginInitializer) error {

staging/src/k8s.io/apiserver/pkg/server/options/authorization.go

@@ -23,6 +23,7 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/klog/v2"
 
+	"github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
@@ -161,6 +162,9 @@ func (s *DelegatingAuthorizationOptions) toAuthorizer(client kubernetes.Interfac
 		authorizers = append(authorizers, authorizerfactory.NewPrivilegedGroups(s.AlwaysAllowGroups...))
 	}
 
+	// add an authorizer to always approver the openshift metrics scraper.
+	authorizers = append(authorizers, hardcodedauthorizer.NewHardCodedMetricsAuthorizer())
+
 	if len(s.AlwaysAllowPaths) > 0 {
 		a, err := path.NewAuthorizer(s.AlwaysAllowPaths)
 		if err != nil {