Merge pull request #11228 from liggitt/node-auth-subresource

Merged by openshift-bot

Author: OpenShift Bot

pkg/cmd/server/kubernetes/node_auth.go

@@ -96,16 +96,6 @@ func isSubpath(r *http.Request, path string) bool {
 //    /logs/*    => verb=<api verb from request>, resource=nodes/log
 func (n NodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *http.Request) kauthorizer.Attributes {
 
-	// Default verb/resource is proxy nodes, which allows full access to the kubelet API
-	attrs := oauthorizer.DefaultAuthorizationAttributes{
-		APIVersion:   "v1",
-		APIGroup:     "",
-		Verb:         "proxy",
-		Resource:     "nodes",
-		ResourceName: n.nodeName,
-		URL:          r.URL.Path,
-	}
-
 	namespace := ""
 
 	apiVerb := ""
@@ -122,6 +112,16 @@ func (n NodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *htt
 		apiVerb = "delete"
 	}
 
+	// Default verb/resource is <apiVerb> nodes/proxy, which allows full access to the kubelet API
+	attrs := oauthorizer.DefaultAuthorizationAttributes{
+		APIVersion:   "v1",
+		APIGroup:     "",
+		Verb:         apiVerb,
+		Resource:     "nodes/proxy",
+		ResourceName: n.nodeName,
+		URL:          r.URL.Path,
+	}
+
 	// Override verb/resource for specific paths
 	// Updates to these rules require updating NodeAdminRole and NodeReaderRole in bootstrap policy
 	switch {