diff --git a/cmd/kubelet/app/auth.go b/cmd/kubelet/app/auth.go
index b5117a72c8121..1000f319ae89e 100644
--- a/cmd/kubelet/app/auth.go
+++ b/cmd/kubelet/app/auth.go
@@ -62,6 +62,7 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel
 if err != nil {
 return nil, nil, err
 }
+ authorizer = wrapAuthorizerWithMetricsScraper(authorizer)
 return server.NewKubeletAuth(authenticator, attributes, authorizer), runAuthenticatorCAReload, nil
 }
diff --git a/cmd/kubelet/app/patch_auth.go b/cmd/kubelet/app/patch_auth.go
new file mode 100644
index 0000000000000..04d860cf5e6d5
--- /dev/null
+++ b/cmd/kubelet/app/patch_auth.go
@@ -0,0 +1,17 @@
+package app
+
+import (
+ "github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer"
+ "k8s.io/apiserver/pkg/authorization/authorizer"
+ "k8s.io/apiserver/pkg/authorization/union"
+)
+
+// wrapAuthorizerWithMetricsScraper add an authorizer to always approver the openshift metrics scraper.
+// This eliminates an unnecessary SAR for scraping metrics and enables metrics gathering when network access
+// to the kube-apiserver is interrupted
+func wrapAuthorizerWithMetricsScraper(authz authorizer.Authorizer) authorizer.Authorizer {
+ return union.New(
+ hardcodedauthorizer.NewHardCodedMetricsAuthorizer(),
+ authz,
+ )
+}
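Review bot: The reassignment added to BuildAuth is unconditional and has no comment, so a reader of auth.go cannot tell that a locally decided allow rule now runs ahead of the authorizer built from the kubelet configuration. A call-site comment would make that visible, for example `// Carry patch: the metrics scraper is authorized locally before the delegated authorizer; see patch_auth.go.` Nothing in this diff tests that requests from any other subject still fall through to the delegated authorizer unchanged, which is the property worth pinning. BuildAuth's body begins outside the hunk.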
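Review bot: The doc comment on wrapAuthorizerWithMetricsScraper does not say which subject and which requests the hard-coded authorizer approves, and that is the security-relevant fact for this wrapper. Because it is listed first in `union.New`, a request it allows never reaches `authz`, so revoking the scraper's permissions on the API server would presumably no longer change what the kubelet permits. The matching rules live in library-go and are not visible in this diff, so the comment should state the subject and the verb/path scope and note that the decision rests entirely on the kubelet authenticator having established that identity. The first comment line also has typos; suggested wording: `// wrapAuthorizerWithMetricsScraper adds an authorizer, consulted before authz, that always approves the openshift metrics scraper.`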