UPSTREAM: <carry>: allow kubelet to self-authorize metrics scraping

deads2k · deads2k · commit e5ba00768036 · 2021-03-08T09:51:14.000-05:00
diff --git a/cmd/kubelet/app/auth.go b/cmd/kubelet/app/auth.go
@@ -60,6 +60,7 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel
 	if err != nil {
 		return nil, nil, err
 	}
+	authorizer = wrapAuthorizerWithMetricsScraper(authorizer)
 
 	return server.NewKubeletAuth(authenticator, attributes, authorizer), runAuthenticatorCAReload, nil
 }
diff --git a/cmd/kubelet/app/patch_auth.go b/cmd/kubelet/app/patch_auth.go
@@ -0,0 +1,17 @@
+package app
+
+import (
+	"github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/authorization/union"
+)
+
+// wrapAuthorizerWithMetricsScraper add an authorizer to always approver the openshift metrics scraper.
+// This eliminates an unnecessary SAR for scraping metrics and enables metrics gathering when network access
+// to the kube-apiserver is interrupted
+func wrapAuthorizerWithMetricsScraper(authz authorizer.Authorizer) authorizer.Authorizer {
+	return union.New(
+		hardcodedauthorizer.NewHardCodedMetricsAuthorizer(),
+		authz,
+	)
+}

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,7 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel`
`60`	`60`	`if err != nil {`
`61`	`61`	`return nil, nil, err`
`62`	`62`	`}`
	`63`	`+ authorizer = wrapAuthorizerWithMetricsScraper(authorizer)`
`63`	`64`
`64`	`65`	`return server.NewKubeletAuth(authenticator, attributes, authorizer), runAuthenticatorCAReload, nil`
`65`	`66`	`}`