Add healthz path to AlwaysAllowPaths (antrea-io#816)

The "/healthz" API is supposed to be accessed anonymously. However, there were unintentional subjectaccessreviews queries sent to the Kubernetes API when kubelets were executing liveness probe for antrea components. This patch adds "/healthz" path to AlwaysAllowPaths to avoid unnecessary overheads to the Kubernetes API.
antoninbas · Jun 16, 2020 · 56fee77 · 56fee77
1 parent 6391ccc
commit 56fee77
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/cmd/antrea-controller/controller.go b/cmd/antrea-controller/controller.go
@@ -134,7 +134,7 @@ func createAPIServerConfig(kubeconfig string,
 	enableMetrics bool) (*apiserver.Config, error) {
 	secureServing := genericoptions.NewSecureServingOptions().WithLoopback()
 	authentication := genericoptions.NewDelegatingAuthenticationOptions()
-	authorization := genericoptions.NewDelegatingAuthorizationOptions()
+	authorization := genericoptions.NewDelegatingAuthorizationOptions().WithAlwaysAllowPaths("/healthz")
 
 	caCertController, err := certificate.ApplyServerCert(selfSignedCert, client, aggregatorClient, secureServing)
 	if err != nil {

diff --git a/pkg/agent/apiserver/apiserver.go b/pkg/agent/apiserver/apiserver.go
@@ -108,7 +108,7 @@ func New(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier
 func newConfig(bindPort int, enableMetrics bool) (*genericapiserver.CompletedConfig, error) {
 	secureServing := genericoptions.NewSecureServingOptions().WithLoopback()
 	authentication := genericoptions.NewDelegatingAuthenticationOptions()
-	authorization := genericoptions.NewDelegatingAuthorizationOptions()
+	authorization := genericoptions.NewDelegatingAuthorizationOptions().WithAlwaysAllowPaths("/healthz")
 
 	// Set the PairName but leave certificate directory blank to generate in-memory by default.
 	secureServing.ServerCert.CertDirectory = ""