- CEL authorizer checks no longer raise runtime errors. Calls to "check" will always return a decision object and the authorization error (if any) can be accessed within expressions using the new decision methods "errored" and "error". ([#118804](https://github.com/kubernetes/kubernetes/pull/118804), [@benluddy](https://github.com/benluddy)) [SIG API Machinery]

- Kube-apiserver: timeouts configured for authorization webhooks in the --authorization-config file are now honored, and webhook timeouts are accurately reflected in webhook metrics with result=timeout ([#125552](https://github.com/kubernetes/kubernetes/pull/125552), [@liggitt](https://github.com/liggitt)) [SIG API...

<img src="/img/tutorial/security/image10.png">

/// note | Примітка

Зверніть увагу на заголовок `Authorization` зі значенням, що починається з `Bearer `.

///

## Просунуте використання зі `scopes` { #advanced-usage-with-scopes }

OAuth2 має поняття «scopes».

api.cors.allow.methods=GET, POST, OPTIONS, DELETE, PUT
# Max age for CORS preflight requests.
api.cors.max.age=3600
# Allowed headers for CORS.
api.cors.allow.headers=Origin, Content-Type, Accept, Authorization, X-Requested-With
# Whether to allow credentials for CORS.
api.cors.allow.credentials=true
# Whether to enable JSONP for API.
api.jsonp.enabled=false
# Fields for API ping to search engine.

Ancak scope'lu OAuth2, API'nize (OpenAPI ile) ve API dokümanlarınıza güzel biçimde entegre edilebilir.

Buna rağmen, bu scope'ları (veya başka herhangi bir security/authorization gereksinimini) kodunuzda ihtiyaç duyduğunuz şekilde yine siz zorunlu kılarsınız.

Birçok durumda scope'lu OAuth2 gereğinden fazla (overkill) olabilir.

  In addition, please be careful that:
  - kube-scheduler MUST start with `--authorization-kubeconfig` and `--authentication-kubeconfig` correctly set to get authentication/authorization working.
  - liveness/readiness probes to kube-scheduler MUST use HTTPS now, and the default port has been changed to 10259.

<img src="/img/tutorial/security/image10.png">

/// note | Техническая информация

Обратите внимание на HTTP-заголовок `Authorization`, значение которого начинается с `Bearer `.

///

## Продвинутое использование `scopes` { #advanced-usage-with-scopes }

В OAuth2 существует понятие "диапазоны" ("`scopes`").

* a classe
* a classe base
* a classe pai
* a subclasse
* a classe filha
* a classe irmã
* o método de classe

* o cabeçalho
* os cabeçalhos
* o cabeçalho de autorização
* o cabeçalho `Authorization`
* o cabeçalho encaminhado

* o sistema de injeção de dependências
* a dependência
* o dependable
* o dependant

* limitado por I/O
* limitado por CPU
* concorrência
* paralelismo

* la clase
* la clase base
* la clase padre
* la subclase
* la clase hija
* la clase hermana
* el método de clase

* el header
* los headers
* el header de autorización
* el header `Authorization`
* el header forwarded

* el sistema de inyección de dependencias
* la dependencia
* el dependable
* el dependiente

* limitado por I/O
* limitado por CPU
* concurrencia
* paralelismo

* la classe de base
* la classe parente
* la sous-classe
* la classe enfant
* la classe sœur
* la méthode de classe

* l’en-tête
* les en-têtes
* l’en-tête d’autorisation
* l’en-tête `Authorization`
* l’en-tête transféré

* le système d’injection de dépendances
* la dépendance
* l’élément dépendable
* le dépendant

* lié aux E/S
* lié au processeur
* concurrence
* parallélisme