Skip to content

Commit c651442

Browse files
palnabarunpalnabarun
committed
fixup! KEP-3221: update kep
Signed-off-by: Nabarun Pal <[email protected]>
1 parent 546823b commit c651442

File tree

1 file changed

+8
-8
lines changed
  • keps/sig-auth/3221-structured-authorization-configuration

1 file changed

+8
-8
lines changed

keps/sig-auth/3221-structured-authorization-configuration/README.md

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -297,13 +297,13 @@ there will be an error and API Server would exit right away.
297297
The configuration would be validated at startup and the API server will fail to
298298
start if the configuration is invalid.
299299

300-
The API server will periodically reload the configuration. If it changes, the
301-
new configuration will be used for the Authorizer chain. If the new configuration
302-
is invalid, the last known valid configuration will be used. The reloader will also
303-
check if the webhook is healthy, thereby preventing any typo/misconfiguration with the
304-
Webhook resulting in bad Authorizer config. If healthcheck on the wehobook failed, the
305-
last known good config will be used. The time-based loop will try later and when webhook
306-
health comes back, the new config will be used. Logging and metrics would be used to
300+
The API server will periodically reload the configuration at a specific time
301+
interval. If it changes, the new configuration will be used for the Authorizer
302+
chain. The reloader will also check if the webhook is healthy, thereby
303+
preventing any typo/misconfiguration with the Webhook resulting in bad
304+
Authorizer config. If healthcheck on the webhook failed, the last known good
305+
config will be used. In the next iteration of reload, if webhook is found to be
306+
healthy, the new config will be used. Logging and metrics would be used to
307307
signal success/failure of a config reload so that cluster admins can have
308308
observability over this process.Reload must not add or remove Node or RBAC
309309
authorizers. They can be reordered, but cannot be added or removed.
@@ -465,7 +465,7 @@ Labels {along with possible values}:
465465

466466
4. `apiserver_authorization_webhook_evaluations_fail_open_total`
467467

468-
This metric will be incremented when a webhook returns `code != errAuthzWebhookOKCode` and
468+
This metric will be incremented when a webhook returns `code != errAuthzWebhookOKCode` and
469469
decision on error is not set to `deny`.
470470

471471
Labels {along with possible values}:

0 commit comments

Comments
 (0)