New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Config Observer for AccessTokenInactivityTimeout in OAuth Cluster Config #874
Add Config Observer for AccessTokenInactivityTimeout in OAuth Cluster Config #874
Conversation
9432cae
to
8900920
Compare
/hold We need an e2e test proving the kube-apiserver actually does the right thing after reacting to this setting. |
b5a7dc1
to
2a4927a
Compare
2a4927a
to
b97e15b
Compare
/retest |
1 similar comment
/retest |
5caaefe
to
21aef48
Compare
b757ce8
to
136ef79
Compare
136ef79
to
cdc9c5a
Compare
59c903d
to
d4320ec
Compare
1993da4
to
9592a34
Compare
9592a34
to
f4253b0
Compare
/lgtm |
Terraform error. /retest |
AWS lease error. /retest |
/test e2e-aws-serial |
1 similar comment
/test e2e-aws-serial |
/test e2e-aws-operator |
2 similar comments
/test e2e-aws-operator |
/test e2e-aws-operator |
/lgtm |
ede6faf
to
aaf456f
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts, vareti The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test e2e-aws |
@vareti: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/test e2e-aws-serial |
Currently, access tokens are invalidated only when their token age expires. This PR wires in the bits needed to expire the token based on user inactivity.
The config observer observes if
AccessTokenInactivityTimeoutSeconds
field is set OAuth cluster config. If timeout is set to non-zero value, it appends the below config toKubeAPIServerConfig
.When
AccessTokenInactivityTimeoutSeconds
is either zero or not present in OAuth cluster config, it removes the above the config fromKubeAPIServerConfig
.