Currently, oc adm inspect sends the user's bearer token along with its requests when scraping data from container endpoints. This might expose the token to potentially untrustworthy parties, i.e. whatever workload is serving those endpoints.
Confirmed with the latest oc client; the issue has been fixed:

[root@dhcp-140-138 ~]# rpm -q openshift-clients
openshift-clients-4.4.0-202001090623.git.1.b589d0e.el7.x86_64

When using cluster-admin, the healthz endpoints can be seen in the result. When using a normal user with the cluster-admin role, the healthz endpoints cannot be seen in the result, and logs like the following can be found:

[zhouying@dhcp-140-138 ~]$ cat testuser-21-runtime | grep "Skipping container endpoint"
I0109 17:48:26.292427   24260 pod.go:71] Skipping container endpoint collection for pod "kube-apiserver-operator-58fbdb9548-87mc9" container "kube-apiserver-operator": Using token authentication
I0109 17:48:55.351001   24260 pod.go:71] Skipping container endpoint collection for pod "kube-apiserver-ip-10-0-138-150.us-east-2.compute.internal" container "kube-apiserver-5": Using token authentication
...
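The following Go program is an added illustration of the behaviour behind the verification above; it is not code from the oc project. It models the pre-fix scrape (the cluster client, with its bearer token attached, fetches a pod's endpoint, so the endpoint receives the token) beside the fixed collection, which skips the scrape whenever the credentials are a bearer token and returns the same "Using token authentication" message seen in the log. ClientConfig is a constructed stand-in for the relevant rest.Config fields, the token value and the httptest endpoint are constructed, and the pod and container names are taken from the log lines above.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
)

// ClientConfig is a constructed stand-in for the few fields of client-go's
// rest.Config that matter here; the field names are an assumption.
type ClientConfig struct {
	BearerToken string // set when the user logged in with a token
	CertData    []byte // set when a client certificate is in use
}

// usesTokenAuth reports whether requests built from cfg carry a bearer token.
func usesTokenAuth(cfg ClientConfig) bool { return cfg.BearerToken != "" }

// bearerTransport mirrors what a token-configured client does: it stamps
// every outgoing request with the token, whatever the destination host is.
type bearerTransport struct {
	token string
	next  http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context())
	req.Header.Set("Authorization", "Bearer "+t.token)
	return t.next.RoundTrip(req)
}

// newClient builds the cluster client the way a login does: with token
// credentials the bearer token rides on every request the client makes.
func newClient(cfg ClientConfig) *http.Client {
	if !usesTokenAuth(cfg) {
		return &http.Client{} // cert auth lives in TLS, not in a header
	}
	return &http.Client{Transport: &bearerTransport{token: cfg.BearerToken, next: http.DefaultTransport}}
}

// endpointRecorder plays a pod's /healthz endpoint and records the
// Authorization header of every request it receives.
type endpointRecorder struct {
	mu   sync.Mutex
	seen []string
}

func (r *endpointRecorder) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	r.mu.Lock()
	r.seen = append(r.seen, req.Header.Get("Authorization"))
	r.mu.Unlock()
	fmt.Fprint(w, "ok")
}

func (r *endpointRecorder) snapshot() []string {
	r.mu.Lock()
	defer r.mu.Unlock()
	return append([]string(nil), r.seen...)
}

// scrapeEndpoint is the pre-fix behaviour: the cluster client fetches the
// endpoint, so whatever credentials it holds go to the workload serving it.
func scrapeEndpoint(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// collectContainerEndpoint is the fixed behaviour: with token credentials the
// scrape is skipped and the reason is returned, mirroring the pod.go log line.
func collectContainerEndpoint(cfg ClientConfig, client *http.Client, url, pod, container string) (body, skipped string, err error) {
	if usesTokenAuth(cfg) {
		return "", fmt.Sprintf("Skipping container endpoint collection for pod %q container %q: Using token authentication", pod, container), nil
	}
	body, err = scrapeEndpoint(client, url)
	return body, "", err
}

// DemoResult records what the fake endpoint saw across one pre-fix scrape
// followed by one fixed collection using the same credentials.
type DemoResult struct {
	AuthHeaders []string // Authorization values the endpoint received
	Skipped     string   // skip message from the fixed path, empty if it scraped
	Body        string   // body from the fixed path, empty if it skipped
}

func runDemo(cfg ClientConfig) (DemoResult, error) {
	rec := &endpointRecorder{}
	srv := httptest.NewServer(rec) // constructed stand-in for a pod endpoint
	defer srv.Close()
	client := newClient(cfg)
	if _, err := scrapeEndpoint(client, srv.URL+"/healthz"); err != nil {
		return DemoResult{}, err
	}
	body, skipped, err := collectContainerEndpoint(cfg, client, srv.URL+"/healthz",
		"kube-apiserver-operator-58fbdb9548-87mc9", "kube-apiserver-operator")
	if err != nil {
		return DemoResult{}, err
	}
	return DemoResult{AuthHeaders: rec.snapshot(), Skipped: skipped, Body: body}, nil
}

func main() {
	res, err := runDemo(ClientConfig{BearerToken: "constructed-token"}) // constructed token login
	if err != nil {
		panic(err)
	}
	fmt.Println("pre-fix scrape delivered to the endpoint:", res.AuthHeaders)
	fmt.Println(res.Skipped)
}
```

Run with a token-based ClientConfig, the endpoint records exactly one Authorization header (from the pre-fix scrape) and the fixed path produces the skip message instead of a second request; with a certificate-based config the fixed path still scrapes, which matches the cluster-admin and normal-user results reported above.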
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581