Commit Graph

74 Commits

Author SHA1 Message Date
Mike Danese 0326ed9810 migrate token cache to cache.Expiring
Kubernetes-commit: 3f194d5b413daeba93063f4610b9951069eaf13c
2019-11-06 16:23:21 -08:00
Mike Danese d8f26fe9f3 report cache mises in cached token authenticator benchmark
Kubernetes-commit: c5bfea65b9b45c01a09dfefeedffd13b8927140a
2019-11-12 12:40:19 -08:00
Jordan Liggitt 086ad4b0b9 Switch kubelet/aggregated API servers to use v1 tokenreviews
Kubernetes-commit: 5ef4fe959a45e423d2b992e9c21e6e9db4b950c5
2019-11-04 22:41:32 -05:00
Mike Danese 61dd52533e adjust token cache benchmarks to get more accurate behavior
b.N is adjusted by pkg/testing using an internal heuristic:

> The benchmark function must run the target code b.N times. During
> benchmark execution, b.N is adjusted until the benchmark function
> lasts long enough to be timed reliably.

Using b.N to seed other parameters makes the benchmark behavior
difficult to reason about. Before this change, thread count in the
CachedTokenAuthenticator benchmark is always 5000, and batch size is
almost always 1 when I run this locally. SimpleCache and StripedCache
benchmarks had similarly strange scaling.

After modifying CachedTokenAuthenticator to only adjust iterations based
on b.N, the batch chan was an point of contention and I wasn't able to
see any significant CPU consumption. This was fixed by using
ParallelBench to do the batching, rather than using a chan.

Kubernetes-commit: 43d34882c9b3612d933b97b6e470fd8d36fe492b
2019-10-26 14:12:41 -07:00
David Eads 80b16c1ce7 allow a verifyoptionsfunc to indicate that no certpool is available
Kubernetes-commit: c672affad176c22da66c7ac17cc8805f08533ce9
2019-11-06 10:38:45 -05:00
Mike Danese 44b9fc84ab migrate callers to g/g/uuid
Kubernetes-commit: a4ca9e6c93e45b4a97e7d04df37362299088f64a
2019-11-04 23:15:20 -08:00
Daniel Smith 168addcfe5 Add an authn cache benchmark
Kubernetes-commit: 420a44da0138cb64fa5d4e9fab79d8be3527ffd8
2019-10-08 13:34:51 -07:00
David Eads 84d21cfff4 wire up a means to dynamically reload ca bundles for kube-apiserver
Kubernetes-commit: 6beb96261e29754f2b7d0e44829eb6d15422cebf
2019-10-07 14:06:42 -04:00
Monis Khan c2289feb1e Hash keys used in cached token authenticator
It is possible to configure the token cache to cache failures.  We
allow 1 MB of headers per request, meaning a malicious actor could
cause the cache to use a large amount of memory by filling it with
large invalid tokens.  This change hashes the token before using it
as a key.  Measures have been taken to prevent precomputation
attacks.  SHA 256 is used as the hash to prevent collisions.

Signed-off-by: Monis Khan <mkhan@redhat.com>

Kubernetes-commit: 9a547bca8e6e15273bfafd3496aa6524fd7d35bd
2019-10-11 15:21:34 -04:00
David Eads 703545a3db add the ability for dynamic header names in delegated authentication
Kubernetes-commit: 58256346693717fd12f121f0cf74fe1e003edb0f
2019-10-03 12:56:42 -04:00
Daniel Smith 344ca1b3a8 increase auth cache size
Kubernetes-commit: 236112c6af9b22b02e35914fe8fbbdbfe856f975
2019-10-08 14:27:28 -07:00
David Eads eee025a27a add ability to authenticators for dynamic update of certs
Kubernetes-commit: 51195dd86012c4c4b17a1707ef50a46fa046f74f
2019-09-05 09:59:59 -04:00
Ted Yu 7e547519cf Add note on the role of BenchmarkSimpleCache
Kubernetes-commit: dd48a022c063e9f507ff62e1796a273d38036cb4
2019-09-11 14:39:57 -07:00
Han Kang 3e6e1db500 add some documentation around the metrics stability migration changes for clarity
Kubernetes-commit: 4e5d906c4d008f914b0ede26ea91533d6343dec5
2019-08-26 19:15:30 -07:00
Han Kang b9084e350a migrate kube-apiserver metrics to stability framework
Kubernetes-commit: 466980dd747e06e55451301c624eecccfa505123
2019-08-22 15:38:42 -07:00
Clayton Coleman 49ac3bd853 Avoid allocating when performing VisitRulesFor on service accounts
Service account authorization checks are done frequently and were
observed to perform 7% of allocations on a system running e2e tests.
The allocation comes from when we walk the authorization rules to
find matching service accounts.

Optimize the check for service account names to avoid allocating.

Kubernetes-commit: 4c87a14e6b1809359fcb6566d883a169ff0db259
2019-03-11 11:50:44 -04:00
Max Leonard Inden 041b1f1718 src/k8s.io/apiserver: Increase cert expiration histogram resolution
The `certificate_expiration_seconds` histogram measures the remaining
time of client certificates used to authenticate to the API server. It
records the lifetime of received client request certificates in buckets
of 6h, 12h, ..., 1y.

In environments with automated certificate rotation it is not uncommen
to have issued certificates expire in less than the above mentioned
minimum bucket of 6h. In such environments the above histogram is
useless given that every request will be recorded in the first bucket.

This patch increases the histogram resolution by adding a 30m, 1h and 2h
bucket. Prometheus histogram buckets are cummulative, e.g. the 12h
bucket is counting _all_ records with an expiration date lower or equal
to 12h including _all_ requests of the 6h bucket. Thereby this patch
does not break existing monitoring setups.  This histogram is exposed
once per API server, thereby the 3 additional time series do not cause a
cardinality issue.

Kubernetes-commit: f90bbc3d6bfba992831eb216161990eae1098ae5
2019-03-01 11:34:38 +01:00
Xiang Dai ca6fc75dff delete all duplicate empty blanks
Signed-off-by: Xiang Dai <764524258@qq.com>

Kubernetes-commit: 36065c6dd717c14e0a90131041e20345a7e5e324
2019-02-22 09:43:51 +08:00
Roy Lenferink 4c9524b9fb Updated OWNERS files to include link to docs
Kubernetes-commit: b43c04452f3b563473b5c2a765d4ac18cc0ff58f
2019-01-30 20:05:00 +01:00
Zhang-hoon Dennis Oh dfaa27e10c Update two doc.go files under staging/src/k8s.io/apiserver
Signed-off-by: Zhang-hoon Dennis Oh <zhanghoondennisoh@gmail.com>

Kubernetes-commit: f48480953e00f39e108833fd88a1d614459053a7
2018-10-11 19:10:16 +09:00
Mike Danese ae00afc213 patch webhook authenticator to support token review with arbitrary audiences
Kubernetes-commit: effad15ecc373beb46afd2915827247da51f399d
2018-10-29 20:45:10 -07:00
Davanum Srinivas 2710b17b80 Move from glog to klog
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
  * github.com/kubernetes/repo-infra
  * k8s.io/gengo/
  * k8s.io/kube-openapi/
  * github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods

Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135

Kubernetes-commit: 954996e231074dc7429f7be1256a579bedd8344c
2018-11-09 13:49:10 -05:00
Jordan Liggitt b5314974ae certificates subproject approvers/reviewers
Kubernetes-commit: 4ebe084376610b88b0ac446b59ef537adcee51e3
2018-11-02 14:11:01 -04:00
Jordan Liggitt 6320ce44cc authenticators subproject approvers/reviewers
Kubernetes-commit: 4fa2a0cc8a86a5d322e52c43eb7d5ffe36b7887f
2018-11-02 13:36:47 -04:00
Mike Danese 0bf5dcd764 remove webhook cache implementation and replace with the token cache
The striped cache used by the token cache is slightly more sophisticated
however the simple cache provides about the same exact behavior. I used
the striped cache rather than the simple cache because:

* It has been used without issue as the primary token cache.
* It preforms better under load.
* It is already exposed in the public API of the token cache package.

Kubernetes-commit: 0ec4d6d396f237ccb3ae0e96922a90600befb83d
2018-10-30 12:41:46 -07:00
Mike Danese 89bdd8bce5 create audience unaware authenticator wrappers
Kubernetes-commit: c704d70d49bb9799674d84aecb2a49afb6512e11
2018-10-16 20:57:37 -07:00
Mike Danese 1692373df9 move audience context functions to authenticator package
Kubernetes-commit: 817cf70191b73d1ee9f4e7af83089e5854e5131d
2018-10-31 14:50:11 -07:00
Mike Danese 7c1e7ec029 echo audiences in anonymous and insecure authenticators
part of https://github.com/kubernetes/kubernetes/issues/69893

Kubernetes-commit: f94bc6193e1e299b1cb258b59504fab81cf8da1c
2018-10-26 15:29:55 -07:00
Mike Danese 908a04653f make token cache include audience in hash key
Kubernetes-commit: 809f278b032103cd24fcbb5ea2196c6c7caa6f63
2018-10-16 10:02:01 -07:00
Mike Danese 2ced48ac6e rebase authenticators onto new interface.
Kubernetes-commit: e5227216c0796d725c695e36cfc1d54e7631d3a6
2018-10-15 15:17:36 -07:00
Mike Danese b411a20b15 tokenreview: authenticator interface changes
Kubernetes-commit: 11be17175798773a1011afad8d0a9119254e728c
2018-10-09 10:22:06 -07:00
Mike Danese adddd63698 add some helpers to Audiences to find intersecting audiences
Kubernetes-commit: 01ce5bb8a470280d1a8ce68d5b2b4f1b2ac283cf
2018-10-16 20:01:58 -07:00
Mike Danese 37ab80320b tokenreview: add APIAudiences config to generic API server and augment context
Kubernetes-commit: 21fd8f204128a7847786927b460d95be34a6dbde
2018-10-09 22:04:52 -07:00
David McCormick a948ad1df7 Remove excessive warnings with x509 certificate auth
Suppress common name verify warning log and roll up into returned error

remove glog test dependency

Kubernetes-commit: bb3124c48a4d276ed280175e5825ea9db022d699
2018-09-24 17:15:27 +01:00
Dr. Stefan Schimanski 16d4968bf9 authn/z: optionally opt-out of mandatory authn/authz kubeconfig
Kubernetes-commit: a671d65673590f0dfcf5c2b673e1518d11510bdb
2018-08-22 11:56:07 +02:00
Jake Sanders 41bff9cd5e Escape illegal characters in remote extra keys
Signed-off-by: Jake Sanders <jsand@google.com>

Kubernetes-commit: f35e3d07c9898f8ec156209a868fa4451eb9afe2
2018-07-03 21:19:15 -07:00
Jordan Liggitt 524198321e Remove unused x509 code
Kubernetes-commit: 82f603c3274e3a1c2927a019670ec17f15281a28
2018-07-10 13:22:24 -04:00
Kubernetes Publisher 627fa76a8b sync: initially remove files BUILD */BUILD BUILD.bazel */BUILD.bazel 2018-03-15 09:38:17 +00:00
Wang Guoliang 32fe314a1e fix some syntax related errors
Kubernetes-commit: d065157dd74fa02eec87f5849528b079a3736c3d
2018-02-11 19:50:49 +08:00
Jeff Grafton 1ab12b2dc8 Autogenerated: hack/update-bazel.sh
Kubernetes-commit: ef56a8d6bb3800ab7803713eafc4191e8202ad6e
2018-02-16 13:43:01 -08:00
Jeff Grafton c8a97ee31a Autogenerate BUILD files
Kubernetes-commit: efee0704c60a2ee3049268a41535aaee7f661f6c
2017-12-23 13:06:26 -08:00
Mike Danese c463eb3137 certs: add month buckets
Kubernetes-commit: e08c98b171ff9dd3982377103f9e43c311c7a78d
2017-11-27 10:59:56 -08:00
hzxuzhonghu c79bc73664 verify token file
Kubernetes-commit: 62c170fc1da2a94cd4dacd56f8f798f491b29ae1
2017-11-10 11:30:51 +08:00
Jeff Grafton f4dbe23125 update BUILD files
Kubernetes-commit: aee5f457dbfd70c2d15c33e392dce6a3ca710116
2017-10-12 13:52:10 -07:00
Jeff Grafton eabf5a2c6e Use buildozer to delete licenses() rules
Kubernetes-commit: 02fb4200dcdf8636eac5953d04b2c4af912f443b
2017-09-21 14:54:29 -07:00
Jeff Grafton ecbbfb0461 Use buildozer to remove deprecated automanaged tags
Kubernetes-commit: 532bd482dfbe25c6fc970d2175f7e02fec2fc8c0
2017-09-21 14:53:56 -07:00
Cao Shufeng 81eb3429e7 remove useless argument "name"
Kubernetes-commit: 2e97611bc62b88c48777d6209a0ed28d17d0e52d
2017-08-29 13:16:16 +00:00
Jacob Simpson 68a92a4526 Add metric for remaining life of authenticating certificates
When incoming requests to the API server are authenticated by a
certificate, the expiration of the certificate can affect the validity
of the authentication. With auto rotation of certificates, which is
starting with kubelet certificates, the goal is to use shorter lifetimes
and let the kubelet renew the certificate as desired. Monitoring
certificates which are approaching expiration and not renewing would be
an early warning sign that nodes are about to stop participating in the
cluster.

Kubernetes-commit: 49a19c6011e05363a8baf8e99c917d11a9496568
2017-08-29 13:16:14 +00:00
Jordan Liggitt be8f046a0c Add union token authenticator
Kubernetes-commit: 4fd8196cf56aa7884f5a385017b2be651a259e59
2017-08-29 13:15:24 +00:00
Jordan Liggitt 80d2e2dae5 Add token cache component
Kubernetes-commit: 1670ba58d5425caecbde8871b07521e9e5888f78
2017-08-29 13:15:24 +00:00