Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1887392: allow configuring authn/z caches TTLs #970

Merged
merged 1 commit into from Jan 5, 2021
Merged

Bug 1887392: allow configuring authn/z caches TTLs #970

merged 1 commit into from Jan 5, 2021

Conversation

stlaz
Copy link
Member

@stlaz stlaz commented Dec 14, 2020

This should contribute to reducing traffic inside a cluster since not every metrics request to our operators (once every 30s per operator) will need to pass an authn/z check (tokenreview/SAR).

/assign @sttts

/hold
contains fake bump

@openshift-ci-robot openshift-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. labels Dec 14, 2020
@openshift-ci-robot
Copy link

@stlaz: This pull request references Bugzilla bug 1887392, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1887392: allow configuring authn/z caches TTLs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Dec 14, 2020
@stlaz
Copy link
Member Author

stlaz commented Dec 14, 2020

/retest
google was out

@openshift-merge-robot
Copy link
Contributor

openshift-merge-robot commented Dec 14, 2020
edited

@stlaz: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/verify 5007a12 link /test verify

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

sttts
sttts reviewed Dec 14, 2020
View reviewed changes
pkg/config/serving/server.go Outdated
@@ -58,6 +59,7 @@ func ToServerConfig(ctx context.Context, servingInfo configv1.HTTPServingInfo, a
if !authorizationConfig.Disabled {
authorizationOptions := genericapiserveroptions.NewDelegatingAuthorizationOptions()
authorizationOptions.RemoteKubeConfigFile = kubeConfigFile
authorizationOptions.AllowCacheTTL = authorizationConfig.AllowCacheTTL.Duration
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is the default? None?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's 10s as set by the NewDelegatingAuthenticationOptions/NewDelegatingAuthorizationOptions functions

@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 17, 2020
@stlaz
Copy link
Member Author

stlaz commented Jan 5, 2021

depends on openshift/api#832

@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 5, 2021
@stlaz
Hardcode authn/z cache TTL periods to 35 seconds
b2d11cb 
Most, if not all core components on the platform are using
30s as a timer for the /metrics endpoint. This increases authn/z
cache TTL from the kube-original 10s to 35s to avoid delegating
approx. every other metrics request to the API server.
@stlaz
Copy link
Member Author

stlaz commented Jan 5, 2021

/hold cancel
no longer needs API change, the timeout is hardcoded

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 5, 2021
@sttts
Copy link
Contributor

sttts commented Jan 5, 2021

/lgtm
/approve

@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stlaz, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 5, 2021
@openshift-merge-robot openshift-merge-robot merged commit 42fe32e into openshift:master Jan 5, 2021
@openshift-ci-robot
Copy link

@stlaz: Some pull requests linked via external trackers have merged:

The following pull requests linked via external trackers have not merged:

These pull request must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Once unlinked, request a bug refresh with /bugzilla refresh.

Bugzilla bug 1887392 has not been moved to the MODIFIED state.

In response to this:

Bug 1887392: allow configuring authn/z caches TTLs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot mentioned this pull request Jan 13, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts sttts left review comments

@deads2k deads2k Awaiting requested review from deads2k

@smarterclayton smarterclayton Awaiting requested review from smarterclayton

Assignees

@sttts sttts

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@stlaz @openshift-ci-robot @openshift-merge-robot @sttts