kube-rbac-proxy
Mix of static authorizer and subjectaccessreviews config deactivates the static authorizer
When both a static authorizer and normal configs using subjectaccessreviews are put together in the config file, the static authorizer part is not taken into account.
Here is an example. I would like to configure kube-rbac-proxy to allow both using a bearer token and using a static authorizer to get access to the service behind its proxy.
- For the path "/metrics", I want to use the static authorizer to check the access, using only TLS certificates.
- For the other API calls, I would like to leave them to other authorizer schemes. I assume a request will be granted access when either authorizer gives authorization.
I have tried 2 configs but neither of them allows both use cases:
- This allows querying /metrics using certificates, but blocks calls to other APIs:

```yaml
"authorization":
  "static":
  - "path": "/metrics"
    "resourceRequest": false
    "user":
      "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
    "verb": "get"
```
- This allows querying other APIs using bearer tokens, but blocks querying /metrics using certificates:

```yaml
"authorization":
  "resourceAttributes":
    "apiGroup": "monitoring.coreos.com"
    "namespace": "{{ .Value }}"
    "resource": "prometheusrules"
  "rewrites":
    "byQueryParameter":
      "name": "namespace"
  "static":
  - "path": "/metrics"
    "resourceRequest": false
    "user":
      "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
    "verb": "get"
```
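The behaviour the report expects (access is granted when either the static rule or the SubjectAccessReview check allows it) can be written down as a small Go model that doubles as a regression spec. This is an added example, not kube-rbac-proxy's own code; `Attrs`, `FakeSAR`, `IssueAuthorizer`, `example-user`, `example-ns` and the request path used in the checks are assumptions made for illustration.

```go
package main

import "fmt"

// Attrs is a simplified stand-in for what an authorizer sees about a request.
type Attrs struct {
	User, Verb, Path, APIGroup, Resource, Namespace string
	ResourceRequest                                 bool
}

// Authorizer returns true for "allow" and false for "no opinion".
type Authorizer func(Attrs) bool

const prom = "system:serviceaccount:openshift-monitoring:prometheus-k8s"

// Static allows a request matching a rule on user, verb, path and resourceRequest.
func Static(rules map[Attrs]bool) Authorizer {
	return func(a Attrs) bool {
		return rules[Attrs{User: a.User, Verb: a.Verb, Path: a.Path, ResourceRequest: a.ResourceRequest}]
	}
}

// FakeSAR stands in for a SubjectAccessReview; grants are constructed sample data.
func FakeSAR(grants map[Attrs]bool) Authorizer {
	return func(a Attrs) bool { a.Path = ""; return a.ResourceRequest && grants[a] }
}

// Union allows as soon as any authorizer in the chain allows, otherwise denies.
func Union(chain ...Authorizer) Authorizer {
	return func(a Attrs) bool {
		for _, authz := range chain {
			if authz(a) {
				return true
			}
		}
		return false
	}
}

// IssueAuthorizer combines the issue's static rule with a fake SAR backend.
func IssueAuthorizer() Authorizer {
	rule := Attrs{User: prom, Verb: "get", Path: "/metrics"}
	grant := Attrs{User: "example-user", Verb: "get", APIGroup: "monitoring.coreos.com",
		Resource: "prometheusrules", Namespace: "example-ns", ResourceRequest: true}
	return Union(Static(map[Attrs]bool{rule: true}), FakeSAR(map[Attrs]bool{grant: true}))
}

func main() {
	fmt.Println(IssueAuthorizer()(Attrs{User: prom, Verb: "get", Path: "/metrics"}))
}
```

Under this model both use cases from the report pass, while a request that matches neither the static rule nor a SubjectAccessReview grant is denied.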
cc @ibihim can you take a look?
I will try to do so next week. Thanks for the pointer