DelegatingAuthorizationOptions: exposes and sets a default timeout for SubjectAccessReview client

previously no timeout was set. Requests without explicit timeout might potentially hang forever and lead to starvation of the application. Kubernetes-commit: 2160cbc53fdd27a3cbc1b361e523abda4c39ac42
2020-10-20 14:39:45 +02:00 · 2020-10-20 14:39:45 +02:00 · 972d12cb5f
parent 9b5d4be311
commit 972d12cb5f
1 changed files with 11 additions and 0 deletions
--- a/pkg/server/options/authorization.go
+++ b/pkg/server/options/authorization.go
@ -59,6 +59,10 @@ type DelegatingAuthorizationOptions struct {

 	// AlwaysAllowGroups are groups which are allowed to take any actions.  In kube, this is system:masters.
 	AlwaysAllowGroups []string
+
+	// ClientTimeout specifies a time limit for requests made by SubjectAccessReviews client.
+	// The default value is set to 10 seconds.
+	ClientTimeout time.Duration
 }

 func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions {
@ -66,6 +70,7 @@ func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions {
 		// very low for responsiveness, but high enough to handle storms
 		AllowCacheTTL: 10 * time.Second,
 		DenyCacheTTL:  10 * time.Second,
+		ClientTimeout: 10 * time.Second,
 	}
 }

@ -81,6 +86,11 @@ func (s *DelegatingAuthorizationOptions) WithAlwaysAllowPaths(paths ...string) *
 	return s
 }

+// WithClientTimeout sets the given timeout for SAR client used by this authorizer
+func (s *DelegatingAuthorizationOptions) WithClientTimeout(timeout time.Duration) {
+	s.ClientTimeout = timeout
+}
+
 func (s *DelegatingAuthorizationOptions) Validate() []error {
 	allErrors := []error{}
 	return allErrors
@ -186,6 +196,7 @@ func (s *DelegatingAuthorizationOptions) getClient() (kubernetes.Interface, erro
 	// set high qps/burst limits since this will effectively limit API server responsiveness
 	clientConfig.QPS = 200
 	clientConfig.Burst = 400
+	clientConfig.Timeout = s.ClientTimeout

 	return kubernetes.NewForConfig(clientConfig)
 }