Add statusz to kubelet auth.

Author: zhifei92

pkg/kubelet/server/auth.go

@@ -27,6 +27,7 @@ import (
 	"k8s.io/apiserver/pkg/server/healthz"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/component-base/configz"
+	"k8s.io/component-base/zpages/statusz"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/features"
 )
@@ -72,6 +73,7 @@ func isSubpath(subpath, path string) bool {
 //	/runningPods/*	=> verb=<api verb from request>, resource=nodes, name=<node name>, subresource(s)=pods,proxy
 //	/healthz/* 		=> verb=<api verb from request>, resource=nodes, name=<node name>, subresource(s)=healthz,proxy
 //	/configz 		=> verb=<api verb from request>, resource=nodes, name=<node name>, subresource(s)=configz,proxy
+//	/statusz 		=> verb=<api verb from request>, resource=nodes, name=<node name>, subresource(s)=statusz,proxy
 func (n nodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *http.Request) []authorizer.Attributes {
 
 	apiVerb := ""
@@ -99,6 +101,8 @@ func (n nodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *htt
 			subresources = append(subresources, "healthz")
 		case isSubpath(requestPath, configz.DefaultConfigzPath):
 			subresources = append(subresources, "configz")
+		case isSubpath(requestPath, statusz.DefaultStatuszPath):
+			subresources = append(subresources, "statusz")
 		// We put runningpods last since it will allocate a new string on every
 		// check since the handler path has a trailing slash.
 		case isSubpath(requestPath, runningPodsPath):

pkg/kubelet/server/auth_test.go

@@ -125,6 +125,7 @@ func AuthzTestCases(fineGrained bool) []AuthzTestCase {
 		"/attach/{podNamespace}/{podID}/{uid}/{containerName}": {"proxy"},
 		"/checkpoint/{podNamespace}/{podID}/{containerName}":   {"checkpoint"},
 		"/configz": {"proxy"},
+		"/statusz": {"proxy"},
 		"/containerLogs/{podNamespace}/{podID}/{containerName}": {"proxy"},
 		"/debug/flags/v":                                     {"proxy"},
 		"/debug/pprof/{subpath:*}":                           {"proxy"},
@@ -159,6 +160,7 @@ func AuthzTestCases(fineGrained bool) []AuthzTestCase {
 		testPaths["/pods/"] = append([]string{"pods"}, testPaths["/pods/"]...)
 		testPaths["/runningpods/"] = append([]string{"pods"}, testPaths["/runningpods/"]...)
 		testPaths["/configz"] = append([]string{"configz"}, testPaths["/configz"]...)
+		testPaths["/statusz"] = append([]string{"statusz"}, testPaths["/statusz"]...)
 	}
 
 	testCases := []AuthzTestCase{}

pkg/kubelet/server/server_test.go

@@ -573,6 +573,7 @@ func TestAuthzCoverage(t *testing.T) {
 func TestAuthFilters(t *testing.T) {
 	// Enable features.ContainerCheckpoint during test
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ContainerCheckpoint, true)
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, zpagesfeatures.ComponentStatusz, true)
 
 	fw := newServerTest()
 	defer fw.testHTTPServer.Close()

staging/src/k8s.io/component-base/zpages/statusz/statusz.go

@@ -35,6 +35,8 @@ var (
 	errUnsupportedMediaType = fmt.Errorf("media type not acceptable, must be: text/plain")
 )
 
+const DefaultStatuszPath = "/statusz"
+
 const (
 	headerFmt = `
 %s statusz
@@ -73,7 +75,7 @@ func Install(m mux, componentName string, reg statuszRegistry) {
 		klog.Errorf("error while parsing gotemplates: %v", err)
 		return
 	}
-	m.Handle("/statusz", handleStatusz(componentName, dataTmpl, reg))
+	m.Handle(DefaultStatuszPath, handleStatusz(componentName, dataTmpl, reg))
 }
 
 func initializeTemplates() (*template.Template, error) {