Factor-out metrics related logic from authentication logic. #87631
Conversation
k8s-ci-robot
added
release-note-none
|
Reducing the diff of #85113 |
|
/assign @timstclair |
|
/assign @logicalhan |
| // Anything else (custom service accounts, custom external identities, etc.) | ||
| default: | ||
| return "other" | ||
| func audiencesIntersect(apiAuds, responseAudiences authenticator.Audiences) bool { |
There was a problem hiding this comment.
/cc @mikedanese
To double check security critical change
There was a problem hiding this comment.
I agree this preserves the existing logic, but the method name is fairly misleading, since it short-circuits on empty parameters. Consider renaming to audiencesAreAcceptable() or something similar.
As a follow-up, given that (I think) we are now wrapping all audience-agnostic authenticators in ones that know how to return the API server audience in the response, I think we should probably drop the len(responseAudiences) == 0 short-circuit.
There was a problem hiding this comment.
Renamed to audiencesAreAcceptable.
Will follow-up with a PR to remove the len(responseAudiences) == 0 short-circuit.
staging/src/k8s.io/apiserver/pkg/endpoints/filters/metrics_test.go
Outdated
Show resolved
Hide resolved
immutableT
force-pushed
the
extract-auth-metrics
branch
from
38d1ef6
to
ad5c741
Compare
k8s-ci-robot
added
area/apiserver
sig/api-machinery
immutableT
force-pushed
the
extract-auth-metrics
branch
from
ad5c741
to
ca61066
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/test pull-kubernetes-kubemark-e2e-gce-big |
|
/assign @liggitt |
|
/test pull-kubernetes-e2e-gce-100-performance |
| successLabel = "success" | ||
| failureLabel = "failure" | ||
| errorLabel = "error" | ||
| audiencesDoNotIntersectLabel = "non-intersecting-audiences" |
There was a problem hiding this comment.
Shouldn't we report it as an error and not as a new result type? This is a pretty old metric, so I don't want to break the semantics even if it's alpha. On top of that, "success"/"failure"/"error" seems like a reasonable breakdown for results and I'm not sure that "non-intersecting-audiences" is distinct enough from "error" to warrant introduction of another state.
There was a problem hiding this comment.
Done - now classifying non-intersecting audiences as a failure.
mikedanese
added
the
priority/important-soon
k8s-ci-robot
removed
needs-priority
immutableT
force-pushed
the
extract-auth-metrics
branch
from
1ef51cf
to
c9aa603
Compare
k8s-ci-robot
removed
the
lgtm
immutableT
force-pushed
the
extract-auth-metrics
branch
from
c9aa603
to
9562ee8
Compare
|
Verify failure looks real. |
immutableT
force-pushed
the
extract-auth-metrics
branch
from
9562ee8
to
a689048
Compare
|
/test pull-kubernetes-node-e2e-containerd |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Hello @RainbowMango |
|
/milestone v1.18 |
|
@jtslear Seems @mikedanese want @LiGgit take a look. |
|
a couple comments on method name and logging, one follow-up requested, lgtm otherwise |
immutableT
force-pushed
the
extract-auth-metrics
branch
from
a689048
to
c0bad80
Compare
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: immutableT, liggitt, mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
|
Looks like this is good to go. |
k8s-ci-robot
removed
the
do-not-merge/hold
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Improve readability of the filters/authenticator package by extracting metrics' related logic into a separate file.
Cover metrics' related logic by unit tests.
Does this PR introduce a user-facing change?: