Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run rbac authorizer from cache #34047

Merged
merged 3 commits into from
Oct 14, 2016
Merged

Run rbac authorizer from cache #34047

merged 3 commits into from
Oct 14, 2016

Conversation

deads2k
Copy link
Contributor

@deads2k deads2k commented Oct 4, 2016
edited by k8s-oncall
Loading

RBAC authorization can be run very effectively out of a cache. The cache is a normal reflector backed cache (shared informer).

I've split this into three parts:

  1. slim down the authorizer interfaces
  2. boilerplate for adding rbac shared informers and associated listers which conform to the new interfaces
  3. wiring

@liggitt @ericchiang @kubernetes/sig-auth

This change is Reviewable

@k8s-github-robot k8s-github-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. release-note-label-needed labels Oct 4, 2016
@erictune
Copy link
Member

erictune commented Oct 5, 2016

@cjcullen fyi. You have dealt with some authorizer caching issues and might have suggestions.

@deads2k
Copy link
Contributor Author

deads2k commented Oct 5, 2016

@cjcullen fyi. You have dealt with some authorizer caching issues and might have suggestions

This mirrors the implementation in OpenShift. The cache isn't like the web hook where you're stuck for minutes. This usually updates sub-second off the watch.

I will open a separate pull to add kubectl policy can-i verb noun -q for scripts, like we have downstream. That has worked quite well for us.

@deads2k deads2k added release-note-none Denotes a PR that doesn't merit a release note. and removed release-note-label-needed labels Oct 5, 2016
@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 6, 2016
@k8s-github-robot k8s-github-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Oct 7, 2016
@deads2k
Copy link
Contributor Author

deads2k commented Oct 13, 2016

@ncdc give it a scan?

@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 13, 2016
@k8s-github-robot k8s-github-robot mentioned this pull request Oct 13, 2016
Closed
@deads2k deads2k mentioned this pull request Oct 13, 2016
Closed
ncdc
ncdc reviewed Oct 13, 2016
View reviewed changes
cmd/kube-apiserver/app/server.go
}
client, err := s.NewSelfClient(privilegedLoopbackToken)
if err != nil {
glog.Errorf("Failed to create clientset: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this is just a code move, but shouldn't this be fatal instead of error?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this is just a code move, but shouldn't this be fatal instead of error?

I'm not ready to do it yet because the wiring in test-integration doesn't allow this code to succeed (didn't before, doesn't now). Once we fix test-integration to use a "normal" startup flow, yes.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, thanks. Do we have an issue about this so we don't forget to fix it?

federation/cmd/federation-apiserver/app/server.go
}
client, err := s.NewSelfClient(privilegedLoopbackToken)
if err != nil {
glog.Errorf("Failed to create clientset: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fatal?

ncdc
ncdc reviewed Oct 13, 2016
View reviewed changes
cmd/kube-apiserver/app/server.go
}
if modeEnabled(genericoptions.ModeRBAC) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check is no longer needed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check is no longer needed?

Right, the informers are only activated if they are needed and so the net result is the same.

@ncdc
Copy link
Member

ncdc commented Oct 13, 2016

@deads2k reviewed. A couple of questions.

@deads2k deads2k added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 13, 2016
@ncdc ncdc self-assigned this Oct 13, 2016
@deads2k
Copy link
Contributor Author

deads2k commented Oct 13, 2016

Ok, thanks. Do we have an issue about this so we don't forget to fix it?

Sure: #34728 . There's some call swizzling that I need @smarterclayton's help with to be able to start doing it.

@k8s-github-robot
Copy link

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit c3742a8 into kubernetes:master Oct 14, 2016
@wojtek-t
Copy link
Member

This PR broke scalability test, by significantly increasing controller-manager usage, e.g.:
https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/kubernetes-kubemark-500-gce/6776
https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/kubernetes-kubemark-5-gce/15565
https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/kubernetes-kubemark-5-gce/15566
https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/kubernetes-kubemark-5-gce/15567

I'm reverting this change to unblock merge queue.

@wojtek-t wojtek-t mentioned this pull request Oct 14, 2016
Closed
@ncdc
Copy link
Member

ncdc commented Oct 14, 2016

So we still don't have kubemark as submit queue blocking? cc @eparis

@wojtek-t
Copy link
Member

@ncdc - we do have small kubemark blocking. I don't know why it didn't block the merge:
https://github.com/kubernetes/contrib/blob/master/mungegithub/submit-queue/deployment/kubernetes/configmap.yaml#L15

There is kubemark suite in the required suites here.

@wojtek-t
Copy link
Member

@ncdc - OK, I think I understand this one. We have miscofiguration of the per-PR job and we are not checking the resource usage in it. That's why we didn't catch this in presubmit, but only in post-submit.

I will send out a PR to fix in in few minutes.

@wojtek-t wojtek-t mentioned this pull request Oct 14, 2016
Merged
@wojtek-t
Copy link
Member

kubernetes/test-infra#836

@deads2k deads2k deleted the rbac-11-informer-cache branch February 1, 2017 17:26
@liggitt liggitt mentioned this pull request Feb 12, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ncdc ncdc ncdc left review comments

Assignees

@ncdc ncdc

@liggitt liggitt

@ericchiang ericchiang

Labels
lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@deads2k @erictune @ncdc @k8s-github-robot @wojtek-t @liggitt @ericchiang @googlebot