New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Force token cache to support audit annotations #90140
Force token cache to support audit annotations #90140
Conversation
Can you add an annotation to the benchmark? |
staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go
Outdated
Show resolved
Hide resolved
Can you add a test as well? |
/cc @lavalamp |
uh, is it OK for annotations for 1 request to get announced for all of them? what will be in these annotations? Is there a design I can read? |
Overall, yes, because the assumption is that for some period of time (cache TTL), all requests with the same API audiences and the same bearer token result in the same audit annotations. This may not be true if the authenticator sets an annotation based on the current time, but that may be okay since cache TTLs are generally small (seconds).
That depends on the authenticator but one of the initial use cases is to make it safer to use bound SA tokens (see below).
|
Can you state this in a comment? It'll be very helpful for future readers. |
If 20% of successful authentications set audit annotations, there does not seem to be any real difference in the benchmark: Old:
New:
Delta:
|
f024f68
to
989dad7
Compare
@lavalamp @mikedanese comments addressed. I am a little surprised by the benchmark results so please confirm I updated the benchmark correctly. |
c4fcaa0
to
08dfe39
Compare
Timeout on scale test could be related though benchmark results seem to disagree. /retest |
/test all |
/retest |
@lavalamp @mikedanese bump. |
// add some realistic annotations on ~20% of successful authentications | ||
if rr.Float64() < 0.2 { | ||
r.annotations = map[string]string{ | ||
"audience.authentication.kubernetes.io": "e8357258-88b1-11ea-bc55-0242ac130003", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
embed the float64 in an annotation with Sprint.
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Monis Khan <mok@vmware.com>
08dfe39
to
6039451
Compare
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD
index 21d4b220677..10c715372ef 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD
@@ -47,7 +47,7 @@ go_library(
"//staging/src/k8s.io/component-base/metrics:go_default_library",
"//staging/src/k8s.io/component-base/metrics/legacyregistry:go_default_library",
"//vendor/golang.org/x/sync/singleflight:go_default_library",
- "//vendor/k8s.io/klog:go_default_library",
+ "//vendor/k8s.io/klog/v2:go_default_library",
],
)
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go
index 146af6fe500..a10564f04d9 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go
@@ -38,7 +38,7 @@ import (
"k8s.io/apiserver/pkg/audit"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/endpoints/request"
- "k8s.io/klog"
+ "k8s.io/klog/v2"
)
var errAuthnCrash = apierrors.NewInternalError(errors.New("authentication failed unexpectedly"))
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go
index 75f4017963e..ed3abfc1d1f 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go
@@ -480,10 +480,11 @@ func (s *singleBenchmark) makeTokens() {
r.err = nil
// add some realistic annotations on ~20% of successful authentications
- if rr.Float64() < 0.2 {
+ if f := rr.Float64(); f < 0.2 {
r.annotations = map[string]string{
"audience.authentication.kubernetes.io": "e8357258-88b1-11ea-bc55-0242ac130003",
"namespace.authentication.kubernetes.io": "kube-system",
+ "float.authentication.kubernetes.io": fmt.Sprint(f),
}
}
case choice < 0.99: |
/retest |
1 similar comment
/retest |
/lgtm |
/retest Review the full test history for this PR. Silence the bot with an |
Signed-off-by: Monis Khan mok@vmware.com
/kind feature
@kubernetes/sig-auth-pr-reviews
/assign @liggitt @mikedanese
xref: #89305