Merge pull request #14916 from liggitt/token-cache

Automatic merge from submit-queue Add short TTL cache to token authentication Addresses frequent etcd lookups due to high-volume controllers Fixes authenticator aspect of https://bugzilla.redhat.com/show_bug.cgi?id=1464579
openshift · Sep 8, 2017 · 8a47952 · 8a47952
2 parents 72f5bc5 + 49589f4
commit 8a47952
Show file tree

Hide file tree

Showing 15 changed files with 854 additions and 31 deletions.
diff --git a/pkg/cmd/server/kubernetes/master/master_config_test.go b/pkg/cmd/server/kubernetes/master/master_config_test.go
@@ -140,6 +140,9 @@ func TestAPIServerDefaults(t *testing.T) {
 			},
 			TokenFile: &kubeoptions.TokenFileAuthenticationOptions{},
 			WebHook:   &kubeoptions.WebHookAuthenticationOptions{CacheTTL: 2 * time.Minute},
+
+			TokenSuccessCacheTTL: 10 * time.Second,
+			TokenFailureCacheTTL: 0,
 		},
 		Authorization: &kubeoptions.BuiltInAuthorizationOptions{
 			Mode: "AlwaysAllow",

diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
@@ -7,6 +7,7 @@ import (
 	"net"
 	"reflect"
 	"strings"
+	"time"
 
 	"github.com/golang/glog"
 
@@ -27,6 +28,8 @@ import (
 	"k8s.io/apiserver/pkg/authentication/request/union"
 	"k8s.io/apiserver/pkg/authentication/request/websocket"
 	x509request "k8s.io/apiserver/pkg/authentication/request/x509"
+	tokencache "k8s.io/apiserver/pkg/authentication/token/cache"
+	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
 	"k8s.io/apiserver/pkg/authentication/user"
 	kauthorizer "k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
@@ -672,7 +675,7 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu
 
 func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclient.OAuthAccessTokenInterface, tokenGetter serviceaccount.ServiceAccountTokenGetter, userGetter userclient.UserResourceInterface, apiClientCAs *x509.CertPool, groupMapper identitymapper.UserToGroupMapper) (authenticator.Request, error) {
 	authenticators := []authenticator.Request{}
-	tokenAuthenticators := []authenticator.Request{}
+	tokenAuthenticators := []authenticator.Token{}
 
 	// ServiceAccount token
 	if len(config.ServiceAccountConfig.PublicKeyFiles) > 0 {
@@ -685,31 +688,32 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie
 			publicKeys = append(publicKeys, readPublicKeys...)
 		}
 		serviceAccountTokenAuthenticator := serviceaccount.JWTTokenAuthenticator(publicKeys, true, tokenGetter)
-		tokenAuthenticators = append(
-			tokenAuthenticators,
-			bearertoken.New(serviceAccountTokenAuthenticator),
-			websocket.NewProtocolAuthenticator(serviceAccountTokenAuthenticator),
-			paramtoken.New("access_token", serviceAccountTokenAuthenticator, true),
-		)
+		tokenAuthenticators = append(tokenAuthenticators, serviceAccountTokenAuthenticator)
 	}
 
 	// OAuth token
 	if config.OAuthConfig != nil {
 		oauthTokenAuthenticator := authnregistry.NewTokenAuthenticator(accessTokenGetter, userGetter, groupMapper)
-		oauthTokenRequestAuthenticators := []authenticator.Request{
-			bearertoken.New(oauthTokenAuthenticator),
-			websocket.NewProtocolAuthenticator(oauthTokenAuthenticator),
-			paramtoken.New("access_token", oauthTokenAuthenticator, true),
-		}
-
 		tokenAuthenticators = append(tokenAuthenticators,
 			// if you have a bearer token, you're a human (usually)
 			// if you change this, have a look at the impersonationFilter where we attach groups to the impersonated user
-			group.NewGroupAdder(union.New(oauthTokenRequestAuthenticators...), []string{bootstrappolicy.AuthenticatedOAuthGroup}))
+			group.NewTokenGroupAdder(oauthTokenAuthenticator, []string{bootstrappolicy.AuthenticatedOAuthGroup}))
 	}
 
 	if len(tokenAuthenticators) > 0 {
-		authenticators = append(authenticators, union.New(tokenAuthenticators...))
+		// Combine all token authenticators
+		tokenAuth := tokenunion.New(tokenAuthenticators...)
+
+		// wrap with short cache on success.
+		// this means a revoked service account token or access token will be valid for up to 10 seconds.
+		// it also means group membership changes on users may take up to 10 seconds to become effective.
+		tokenAuth = tokencache.New(tokenAuth, 10*time.Second, 0)
+
+		authenticators = append(authenticators,
+			bearertoken.New(tokenAuth),
+			websocket.NewProtocolAuthenticator(tokenAuth),
+			paramtoken.New("access_token", tokenAuth, true),
+		)
 	}
 
 	// build cert authenticator

diff --git a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/authenticator/config.go b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/authenticator/config.go
diff --git a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go
diff --git a/....io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go b/....io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
diff --git a/...ubernetes/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder_test.go b/...ubernetes/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder_test.go
diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD