* Use authorization to limit users' ability to use specific PodSecurityPolicy objects

**What is the impact?**

A user that is authorized to create pods can make use of any existing PodSecurityPolicy, even ones they are not authorized to use.

**How can I mitigate this prior to installing 1.5.5?**

1. Export existing PodSecurityPolicy objects:
  * `kubectl get podsecuritypolicies -o yaml > psp.yaml`

        }
      }
    ```

### Handling authentication ([.kt][AuthenticateKotlin], [.java][AuthenticateJava])

OkHttp can automatically retry unauthenticated requests. When a response is `401 Not Authorized`, an `Authenticator` is asked to supply credentials. Implementations should build a new request that includes the missing credentials. If no credentials are available, return null to skip the retry.

		Description:    "The service is unavailable. Please retry.",
		HTTPStatusCode: http.StatusServiceUnavailable,
	},
	ErrUnauthorizedAccess: {
		Code:           "UnauthorizedAccess",
		Description:    "You are not authorized to perform this operation",
		HTTPStatusCode: http.StatusUnauthorized,
	},
	ErrExpressionTooLong: {
		Code:           "ExpressionTooLong",

### RBAC
* The `attributeRestrictions` field has been removed from the PolicyRule type in the rbac.authorization.k8s.io/v1alpha1 API. The field was not used by the RBAC authorizer. ([#39625](https://github.com/kubernetes/kubernetes/pull/39625), [@deads2k](https://github.com/deads2k))

					}
				}
				if reader != nil && proxy.Proxy && perr == nil {
					gr = reader
				}
			}
		}
		if reader == nil || !proxy.Proxy {
			// validate if the request indeed was authorized, if it wasn't we need to return "ErrAccessDenied"
			// instead of any namespace related error.
			if s3Error := authorizeRequest(ctx, r, policy.GetObjectAction); s3Error != ErrNone {

    server.enqueue(MockResponse(body = "this response comes via HTTPS"))
    server.enqueue(MockResponse(body = "another response via HTTPS"))

    // install a custom SSL socket factory so the server can be authorized
    client =
      client
        .newBuilder()
        .sslSocketFactory(
          handshakeCertificates.sslSocketFactory(),
          handshakeCertificates.trustManager,

You will see something like this:

<img src="/img/tutorial/security/image01.png">

/// check | Authorize button!

You already have a shiny new "Authorize" button.

And your *path operation* has a little lock in the top-right corner that you can click.

///

object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection. By default, node users are authorized for create and patch requests but not delete requests against their node object. Since the NodeRestriction admission controller does not prevent patching OwnerReferences, a compromised node could leverage this vulnerability to delete and then recreate...

界面如下图所示：

<img src="/img/tutorial/security/image01.png">

/// check | Authorize 按钮！

页面右上角出现了一个「**Authorize**」按钮。

*路径操作*的右上角也出现了一个可以点击的小锁图标。

///

点击 **Authorize** 按钮，弹出授权表单，输入 `username` 与 `password` 及其它可选字段：

<img src="/img/tutorial/security/image02.png">

/// note | 笔记

目前，在表单中输入内容不会有任何反应，后文会介绍相关内容。

///

Sie werden etwa Folgendes sehen:

<img src="/img/tutorial/security/image01.png">

/// check | Authorize-Button!

Sie haben bereits einen glänzenden, neuen „Authorize“-Button.

Und Ihre *Pfadoperation* hat in der oberen rechten Ecke ein kleines Schloss, auf das Sie klicken können.

///