Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Force token cache to support audit annotations #90140

Merged
merged 1 commit into from Jun 19, 2020
Merged

Force token cache to support audit annotations #90140

merged 1 commit into from Jun 19, 2020

Conversation

enj
Copy link
Member

@enj enj commented Apr 14, 2020

Signed-off-by: Monis Khan mok@vmware.com

/kind feature
@kubernetes/sig-auth-pr-reviews
/assign @liggitt @mikedanese
xref: #89305

NONE

@k8s-ci-robot k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label Apr 14, 2020
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. kind/feature Categorizes issue or PR as related to a new feature. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Apr 14, 2020
@mikedanese
Copy link
Member

Can you add an annotation to the benchmark?

@mikedanese
Copy link
Member

Can you add a test as well?

@fedebongio
Copy link
Contributor

/cc @lavalamp

@lavalamp
Copy link
Member

uh, is it OK for annotations for 1 request to get announced for all of them? what will be in these annotations? Is there a design I can read?

@enj
Copy link
Member Author

enj commented Apr 20, 2020

uh, is it OK for annotations for 1 request to get announced for all of them?

Overall, yes, because the assumption is that for some period of time (cache TTL), all requests with the same API audiences and the same bearer token result in the same audit annotations. This may not be true if the authenticator sets an annotation based on the current time, but that may be okay since cache TTLs are generally small (seconds).

what will be in these annotations?

That depends on the authenticator but one of the initial use cases is to make it safer to use bound SA tokens (see below).

Is there a design I can read?

See #89305 and #89549

@lavalamp
Copy link
Member

Overall, yes, because the assumption is that for some period of time (cache TTL), all requests with the same API audiences and the same bearer token result in the same audit annotations. This may not be true if the authenticator sets an annotation based on the current time, but that may be okay since cache TTLs are generally small (seconds).

Can you state this in a comment? It'll be very helpful for future readers.

@enj
Copy link
Member Author

enj commented Apr 28, 2020

If 20% of successful authentications set audit annotations, there does not seem to be any real difference in the benchmark:

Old:

goos: darwin
goarch: amd64
pkg: k8s.io/apiserver/pkg/authentication/token/cache
BenchmarkCacheContentions/Simple/keys=256-12         	 6511776	      1069 ns/op	      54 B/op	       1 allocs/op
BenchmarkCacheContentions/Striped/keys=256-12        	10329835	       420 ns/op	     157 B/op	       5 allocs/op
BenchmarkCacheContentions/Simple/keys=4096-12        	 6208036	      1115 ns/op	      53 B/op	       1 allocs/op
BenchmarkCacheContentions/Striped/keys=4096-12       	 9752660	       436 ns/op	     157 B/op	       5 allocs/op
BenchmarkCacheContentions/Simple/keys=65536-12       	 4540059	      1729 ns/op	      57 B/op	       1 allocs/op
BenchmarkCacheContentions/Striped/keys=65536-12      	 9601804	       508 ns/op	     158 B/op	       5 allocs/op
BenchmarkKeyFunc/has_audiences-12                    	 1000000	      3202 ns/op	      36 B/op	       2 allocs/op
BenchmarkKeyFunc/nil_audiences-12                    	 1270927	      3106 ns/op	      36 B/op	       2 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=100_threads=1-12         	 2137609	      1867 ns/op	         0.000080 lookups/op	     391 B/op	      16 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=100_threads=16-12        	 1590171	      1926 ns/op	         0.000101 lookups/op	     424 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=100_threads=256-12       	 1843376	      1768 ns/op	         0.000103 lookups/op	     406 B/op	      16 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=500_threads=1-12         	 1801042	      1835 ns/op	         0.000424 lookups/op	     393 B/op	      16 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=500_threads=16-12        	 2006400	      2092 ns/op	         0.000690 lookups/op	     424 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=500_threads=256-12       	 1681060	      2201 ns/op	         0.000462 lookups/op	     406 B/op	      16 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=2500_threads=1-12        	 1762971	      2030 ns/op	         0.00231 lookups/op	     427 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=2500_threads=16-12       	 1882524	      1990 ns/op	         0.00218 lookups/op	     427 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=2500_threads=256-12      	 1881532	      1972 ns/op	         0.00216 lookups/op	     440 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=12500_threads=1-12       	 1063195	      3122 ns/op	         0.0170 lookups/op	     444 B/op	      18 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=12500_threads=16-12      	 1800205	      2096 ns/op	         0.0113 lookups/op	     438 B/op	      18 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=12500_threads=256-12     	 1715931	      2233 ns/op	         0.0120 lookups/op	     452 B/op	      18 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=62500_threads=1-12       	   38581	     79135 ns/op	         0.766 lookups/op	    1356 B/op	      36 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=62500_threads=16-12      	  889266	      3613 ns/op	         0.0897 lookups/op	     539 B/op	      20 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=62500_threads=256-12     	  891417	      3542 ns/op	         0.0860 lookups/op	     562 B/op	      20 allocs/op
PASS
ok  	k8s.io/apiserver/pkg/authentication/token/cache	162.014s

New:

goos: darwin
goarch: amd64
pkg: k8s.io/apiserver/pkg/authentication/token/cache
BenchmarkCacheContentions/Simple/keys=256-12         	 6631792	      1194 ns/op	      62 B/op	       1 allocs/op
BenchmarkCacheContentions/Striped/keys=256-12        	10466500	       431 ns/op	     165 B/op	       5 allocs/op
BenchmarkCacheContentions/Simple/keys=4096-12        	 6305998	      1169 ns/op	      61 B/op	       1 allocs/op
BenchmarkCacheContentions/Striped/keys=4096-12       	 9734997	       448 ns/op	     165 B/op	       5 allocs/op
BenchmarkCacheContentions/Simple/keys=65536-12       	 4416181	      1859 ns/op	      65 B/op	       1 allocs/op
BenchmarkCacheContentions/Striped/keys=65536-12      	 8990439	       491 ns/op	     167 B/op	       5 allocs/op
BenchmarkKeyFunc/has_audiences-12                    	 1127702	      3170 ns/op	      36 B/op	       2 allocs/op
BenchmarkKeyFunc/nil_audiences-12                    	 1302345	      2798 ns/op	      36 B/op	       2 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=100_threads=1-12         	 2048858	      1789 ns/op	         0.000086 lookups/op	     422 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=100_threads=16-12        	 2013312	      1853 ns/op	         0.000077 lookups/op	     425 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=100_threads=256-12       	 2004166	      1800 ns/op	         0.000074 lookups/op	     433 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=500_threads=1-12         	 1826516	      1881 ns/op	         0.000458 lookups/op	     425 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=500_threads=16-12        	 1844925	      1860 ns/op	         0.000492 lookups/op	     426 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=500_threads=256-12       	 1986118	      1923 ns/op	         0.000400 lookups/op	     438 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=2500_threads=1-12        	 1436548	      2274 ns/op	         0.00280 lookups/op	     428 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=2500_threads=16-12       	 1634299	      2194 ns/op	         0.00256 lookups/op	     429 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=2500_threads=256-12      	 1613397	      2180 ns/op	         0.00246 lookups/op	     444 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=12500_threads=1-12       	  876624	      3531 ns/op	         0.0199 lookups/op	     423 B/op	      17 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=12500_threads=16-12      	 1694340	      2076 ns/op	         0.0116 lookups/op	     443 B/op	      18 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=12500_threads=256-12     	 1410993	      2464 ns/op	         0.0132 lookups/op	     462 B/op	      18 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=62500_threads=1-12       	   44834	     79455 ns/op	         0.736 lookups/op	    1703 B/op	      37 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=62500_threads=16-12      	  876471	      3557 ns/op	         0.0902 lookups/op	     577 B/op	      20 allocs/op
BenchmarkCachedTokenAuthenticator/tokens=62500_threads=256-12     	  895708	      3461 ns/op	         0.0858 lookups/op	     597 B/op	      20 allocs/op
PASS
ok  	k8s.io/apiserver/pkg/authentication/token/cache	159.949s

Delta:

name                                                  old time/op     new time/op     delta
CacheContentions/Simple/keys=256-12                      1.07µs ± 0%     1.19µs ± 0%   ~     (p=1.000 n=1+1)
CacheContentions/Striped/keys=256-12                      420ns ± 0%      431ns ± 0%   ~     (p=1.000 n=1+1)
CacheContentions/Simple/keys=4096-12                     1.11µs ± 0%     1.17µs ± 0%   ~     (p=1.000 n=1+1)
CacheContentions/Striped/keys=4096-12                     436ns ± 0%      448ns ± 0%   ~     (p=1.000 n=1+1)
CacheContentions/Simple/keys=65536-12                    1.73µs ± 0%     1.86µs ± 0%   ~     (p=1.000 n=1+1)
CacheContentions/Striped/keys=65536-12                    508ns ± 0%      491ns ± 0%   ~     (p=1.000 n=1+1)
KeyFunc/has_audiences-12                                 3.20µs ± 0%     3.17µs ± 0%   ~     (p=1.000 n=1+1)
KeyFunc/nil_audiences-12                                 3.11µs ± 0%     2.80µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=100_threads=1-12         1.87µs ± 0%     1.79µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=100_threads=16-12        1.93µs ± 0%     1.85µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=100_threads=256-12       1.77µs ± 0%     1.80µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=1-12         1.83µs ± 0%     1.88µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=16-12        2.09µs ± 0%     1.86µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=256-12       2.20µs ± 0%     1.92µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=2500_threads=1-12        2.03µs ± 0%     2.27µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=2500_threads=16-12       1.99µs ± 0%     2.19µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=2500_threads=256-12      1.97µs ± 0%     2.18µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=12500_threads=1-12       3.12µs ± 0%     3.53µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=12500_threads=16-12      2.10µs ± 0%     2.08µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=12500_threads=256-12     2.23µs ± 0%     2.46µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=62500_threads=1-12       79.1µs ± 0%     79.5µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=62500_threads=16-12      3.61µs ± 0%     3.56µs ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=62500_threads=256-12     3.54µs ± 0%     3.46µs ± 0%   ~     (p=1.000 n=1+1)

name                                                  old alloc/op    new alloc/op    delta
CacheContentions/Simple/keys=256-12                       54.0B ± 0%      62.0B ± 0%   ~     (p=1.000 n=1+1)
CacheContentions/Striped/keys=256-12                       157B ± 0%       165B ± 0%   ~     (p=1.000 n=1+1)
CacheContentions/Simple/keys=4096-12                      53.0B ± 0%      61.0B ± 0%   ~     (p=1.000 n=1+1)
CacheContentions/Striped/keys=4096-12                      157B ± 0%       165B ± 0%   ~     (p=1.000 n=1+1)
CacheContentions/Simple/keys=65536-12                     57.0B ± 0%      65.0B ± 0%   ~     (p=1.000 n=1+1)
CacheContentions/Striped/keys=65536-12                     158B ± 0%       167B ± 0%   ~     (p=1.000 n=1+1)
KeyFunc/has_audiences-12                                  36.0B ± 0%      36.0B ± 0%   ~     (all equal)
KeyFunc/nil_audiences-12                                  36.0B ± 0%      36.0B ± 0%   ~     (all equal)
CachedTokenAuthenticator/tokens=100_threads=1-12           391B ± 0%       422B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=100_threads=16-12          424B ± 0%       425B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=100_threads=256-12         406B ± 0%       433B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=1-12           393B ± 0%       425B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=16-12          424B ± 0%       426B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=256-12         406B ± 0%       438B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=2500_threads=1-12          427B ± 0%       428B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=2500_threads=16-12         427B ± 0%       429B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=2500_threads=256-12        440B ± 0%       444B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=12500_threads=1-12         444B ± 0%       423B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=12500_threads=16-12        438B ± 0%       443B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=12500_threads=256-12       452B ± 0%       462B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=62500_threads=1-12       1.36kB ± 0%     1.70kB ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=62500_threads=16-12        539B ± 0%       577B ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=62500_threads=256-12       562B ± 0%       597B ± 0%   ~     (p=1.000 n=1+1)

name                                                  old allocs/op   new allocs/op   delta
CacheContentions/Simple/keys=256-12                        1.00 ± 0%       1.00 ± 0%   ~     (all equal)
CacheContentions/Striped/keys=256-12                       5.00 ± 0%       5.00 ± 0%   ~     (all equal)
CacheContentions/Simple/keys=4096-12                       1.00 ± 0%       1.00 ± 0%   ~     (all equal)
CacheContentions/Striped/keys=4096-12                      5.00 ± 0%       5.00 ± 0%   ~     (all equal)
CacheContentions/Simple/keys=65536-12                      1.00 ± 0%       1.00 ± 0%   ~     (all equal)
CacheContentions/Striped/keys=65536-12                     5.00 ± 0%       5.00 ± 0%   ~     (all equal)
KeyFunc/has_audiences-12                                   2.00 ± 0%       2.00 ± 0%   ~     (all equal)
KeyFunc/nil_audiences-12                                   2.00 ± 0%       2.00 ± 0%   ~     (all equal)
CachedTokenAuthenticator/tokens=100_threads=1-12           16.0 ± 0%       17.0 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=100_threads=16-12          17.0 ± 0%       17.0 ± 0%   ~     (all equal)
CachedTokenAuthenticator/tokens=100_threads=256-12         16.0 ± 0%       17.0 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=1-12           16.0 ± 0%       17.0 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=16-12          17.0 ± 0%       17.0 ± 0%   ~     (all equal)
CachedTokenAuthenticator/tokens=500_threads=256-12         16.0 ± 0%       17.0 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=2500_threads=1-12          17.0 ± 0%       17.0 ± 0%   ~     (all equal)
CachedTokenAuthenticator/tokens=2500_threads=16-12         17.0 ± 0%       17.0 ± 0%   ~     (all equal)
CachedTokenAuthenticator/tokens=2500_threads=256-12        17.0 ± 0%       17.0 ± 0%   ~     (all equal)
CachedTokenAuthenticator/tokens=12500_threads=1-12         18.0 ± 0%       17.0 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=12500_threads=16-12        18.0 ± 0%       18.0 ± 0%   ~     (all equal)
CachedTokenAuthenticator/tokens=12500_threads=256-12       18.0 ± 0%       18.0 ± 0%   ~     (all equal)
CachedTokenAuthenticator/tokens=62500_threads=1-12         36.0 ± 0%       37.0 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=62500_threads=16-12        20.0 ± 0%       20.0 ± 0%   ~     (all equal)
CachedTokenAuthenticator/tokens=62500_threads=256-12       20.0 ± 0%       20.0 ± 0%   ~     (all equal)

name                                                  old lookups/op  new lookups/op  delta
CachedTokenAuthenticator/tokens=100_threads=1-12           0.00 ± 0%       0.00 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=100_threads=16-12          0.00 ± 0%       0.00 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=100_threads=256-12         0.00 ± 0%       0.00 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=1-12           0.00 ± 0%       0.00 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=16-12          0.00 ± 0%       0.00 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=500_threads=256-12         0.00 ± 0%       0.00 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=2500_threads=1-12          0.00 ± 0%       0.00 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=2500_threads=16-12         0.00 ± 0%       0.00 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=2500_threads=256-12        0.00 ± 0%       0.00 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=12500_threads=1-12         0.02 ± 0%       0.02 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=12500_threads=16-12        0.01 ± 0%       0.01 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=12500_threads=256-12       0.01 ± 0%       0.01 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=62500_threads=1-12         0.77 ± 0%       0.74 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=62500_threads=16-12        0.09 ± 0%       0.09 ± 0%   ~     (p=1.000 n=1+1)
CachedTokenAuthenticator/tokens=62500_threads=256-12       0.09 ± 0%       0.09 ± 0%   ~     (p=1.000 n=1+1)

@enj enj force-pushed the enj/i/token_cache_annotations branch from f024f68 to 989dad7 Compare April 28, 2020 05:12
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 28, 2020
@enj
Copy link
Member Author

enj commented Apr 28, 2020

@lavalamp @mikedanese comments addressed. I am a little surprised by the benchmark results so please confirm I updated the benchmark correctly.

@enj enj force-pushed the enj/i/token_cache_annotations branch 2 times, most recently from c4fcaa0 to 08dfe39 Compare April 28, 2020 05:48
@enj
Copy link
Member Author

enj commented Apr 29, 2020

Timeout on scale test could be related though benchmark results seem to disagree.

/retest

@enj
Copy link
Member Author

enj commented May 8, 2020

/test all

@enj
Copy link
Member Author

enj commented May 9, 2020

/retest

@enj
Copy link
Member Author

enj commented May 14, 2020

@lavalamp @mikedanese bump.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 17, 2020
@mikedanese mikedanese added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label May 21, 2020
@k8s-ci-robot k8s-ci-robot removed the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label May 21, 2020
@mikedanese mikedanese added this to the v1.19 milestone May 21, 2020
mikedanese
mikedanese reviewed Jun 15, 2020
View reviewed changes
staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go
// add some realistic annotations on ~20% of successful authentications
if rr.Float64() < 0.2 {
r.annotations = map[string]string{
"audience.authentication.kubernetes.io": "e8357258-88b1-11ea-bc55-0242ac130003",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

embed the float64 in an annotation with Sprint.

@mikedanese
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 15, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, mikedanese

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 15, 2020
@enj
Force token cache to support audit annotations
6039451 
Signed-off-by: Monis Khan <mok@vmware.com>
@enj enj force-pushed the enj/i/token_cache_annotations branch from 08dfe39 to 6039451 Compare June 17, 2020 19:55
@k8s-ci-robot k8s-ci-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jun 17, 2020
@enj
Copy link
Member Author

enj commented Jun 17, 2020 

git diff 08dfe39821b8b57a9584bd15e3f61839511dcf6e..6039451d358c20b8161e08eb1d3626134195026f staging/src/k8s.io/apiserver/pkg/authentication/token/cache

diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD
index 21d4b220677..10c715372ef 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD
@@ -47,7 +47,7 @@ go_library(
         "//staging/src/k8s.io/component-base/metrics:go_default_library",
         "//staging/src/k8s.io/component-base/metrics/legacyregistry:go_default_library",
         "//vendor/golang.org/x/sync/singleflight:go_default_library",
-        "//vendor/k8s.io/klog:go_default_library",
+        "//vendor/k8s.io/klog/v2:go_default_library",
     ],
 )
 
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go
index 146af6fe500..a10564f04d9 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go
@@ -38,7 +38,7 @@ import (
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/endpoints/request"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 var errAuthnCrash = apierrors.NewInternalError(errors.New("authentication failed unexpectedly"))
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go
index 75f4017963e..ed3abfc1d1f 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go
@@ -480,10 +480,11 @@ func (s *singleBenchmark) makeTokens() {
 			r.err = nil
 
 			// add some realistic annotations on ~20% of successful authentications
-			if rr.Float64() < 0.2 {
+			if f := rr.Float64(); f < 0.2 {
 				r.annotations = map[string]string{
 					"audience.authentication.kubernetes.io":  "e8357258-88b1-11ea-bc55-0242ac130003",
 					"namespace.authentication.kubernetes.io": "kube-system",
+					"float.authentication.kubernetes.io":     fmt.Sprint(f),
 				}
 			}
 		case choice < 0.99:

@enj
Copy link
Member Author

enj commented Jun 17, 2020

/retest

1 similar comment
@enj
Copy link
Member Author

enj commented Jun 17, 2020

/retest

@mikedanese
Copy link
Member

/lgtm
/retest

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 18, 2020
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit 4aa98f4 into kubernetes:master Jun 19, 2020
@enj enj mentioned this pull request Jun 22, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikedanese mikedanese mikedanese left review comments

@lavalamp lavalamp Awaiting requested review from lavalamp

@wojtek-t wojtek-t Awaiting requested review from wojtek-t

Assignees

@liggitt liggitt

@mikedanese mikedanese

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.19
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@enj @mikedanese @fedebongio @lavalamp @k8s-ci-robot @fejta-bot @liggitt