From 9b0299525277dcc8eca18605ee54fe43cc0f34b2 Mon Sep 17 00:00:00 2001
From: Quan Tian
Date: Thu, 11 Jun 2020 22:14:24 +0800
Subject: [PATCH] Add healthz path to AlwaysAllowPaths (#816)

The "/healthz" API is supposed to be accessed anonymously. However, there were unintentional subjectaccessreviews queries sent to the Kubernetes API when kubelets were executing liveness probe for antrea components. This patch adds "/healthz" path to AlwaysAllowPaths to avoid unnecessary overheads to the Kubernetes API.
---
 cmd/antrea-controller/controller.go | 2 +-
 pkg/agent/apiserver/apiserver.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/antrea-controller/controller.go b/cmd/antrea-controller/controller.go
index 5abac0e1182..f88734a20fa 100644
--- a/cmd/antrea-controller/controller.go
+++ b/cmd/antrea-controller/controller.go
@@ -134,7 +134,7 @@ func createAPIServerConfig(kubeconfig string,
 enableMetrics bool) (*apiserver.Config, error) {
 secureServing := genericoptions.NewSecureServingOptions().WithLoopback()
 authentication := genericoptions.NewDelegatingAuthenticationOptions()
- authorization := genericoptions.NewDelegatingAuthorizationOptions()
+ authorization := genericoptions.NewDelegatingAuthorizationOptions().WithAlwaysAllowPaths("/healthz")
 caCertController, err := certificate.ApplyServerCert(selfSignedCert, client, aggregatorClient, secureServing)
 if err != nil {
diff --git a/pkg/agent/apiserver/apiserver.go b/pkg/agent/apiserver/apiserver.go
index 0c3655231e0..a68f0657a38 100644
--- a/pkg/agent/apiserver/apiserver.go
+++ b/pkg/agent/apiserver/apiserver.go
@@ -108,7 +108,7 @@ func New(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier
 func newConfig(bindPort int, enableMetrics bool) (*genericapiserver.CompletedConfig, error) {
 secureServing := genericoptions.NewSecureServingOptions().WithLoopback()
 authentication := genericoptions.NewDelegatingAuthenticationOptions()
- authorization := genericoptions.NewDelegatingAuthorizationOptions()
+ authorization := genericoptions.NewDelegatingAuthorizationOptions().WithAlwaysAllowPaths("/healthz")
 // Set the PairName but leave certificate directory blank to generate in-memory by default.
 secureServing.ServerCert.CertDirectory = ""
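Review bot: The new `WithAlwaysAllowPaths("/healthz")` call in `newConfig` (and the identical one in `createAPIServerConfig` in cmd/antrea-controller/controller.go) removes a path from delegated authorization without a comment saying why, and the literal is repeated in both binaries. An AlwaysAllowPaths entry is an exact match unless it ends in `*`, so only `/healthz` itself skips the SubjectAccessReview and sub-paths under it are still authorized; that narrow scope looks intended and is worth recording so nobody later widens it to `/healthz*` or adds further paths casually. I would put `// /healthz is probed anonymously by the kubelet; exempt only this exact path from delegated authorization.` above each line, and hoist the path into one shared constant if the two packages already share a suitable import, so agent and controller cannot drift. Both function bodies continue outside their hunks, so how anonymous authentication is configured and what the health handler returns to unauthenticated callers cannot be checked from here.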