github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
56,898 Commits
32 Branches
881 Tags
633 MiB
Commit Graph

20 Commits (f34a24e98e7c837b567b78be3af958ac1156cd80)

Author SHA1 Message Date
Jeff Grafton aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
Kubernetes Submit Queue 42adb9ef25 Merge pull request #50258 from liggitt/token-cache 
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)

Enable caching successful token authentication

Resolves #50472

To support revocation of service account tokens, an etcd lookup of the token and service account is done by the token authenticator. Controllers that make dozens or hundreds of API calls per second (like the endpoints controller) cause this lookup to be done very frequently on the same objects.

This PR:
* Implements a cached token authenticator that conforms to the authenticator.Token interface
* Implements a union token authenticator (same approach as the union request authenticator, conforming to the authenticator.Token interface)
* Cleans up the auth chain construction to group all token authenticators (means we only do bearer and websocket header parsing once)
* Adds a 10-second TTL cache to successful token authentication

```release-note
API server authentication now caches successful bearer token authentication results for a few seconds.
```
 2017-08-11 14:14:06 -07:00
Jeff Grafton a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton 33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
Jordan Liggitt 0458fac8c0
Simplify bearer token auth chain, cache successful authentications 2017-08-09 23:37:24 -04:00
Eric Chiang e2f2ab67f2 *: remove --insecure-allow-any-token option 
e2e and integration tests have been switched over to the tokenfile
authenticator instead.

```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```
 2017-07-18 16:03:15 -07:00
Jordan Liggitt 6a872c09eb
Use websocket protocol authenticator in apiserver 2017-06-21 09:47:34 -04:00
Mike Danese a05c3c0efd autogenerated 2017-04-14 10:40:57 -07:00
deads2k 379a73a8db make the system:authenticated group adder smarter 2017-03-03 12:32:52 -05:00
deads2k 0d8e6b8500 move genericapiserver authenticator and authorizer factories 2017-01-26 08:50:47 -05:00
Dr. Stefan Schimanski 2b8e938128 Update generated files 2017-01-24 20:56:03 +01:00
deads2k 5a8f075197 move authoritative client-go utils out of pkg 2017-01-24 08:59:18 -05:00
deads2k ee6752ef20 find and replace 2017-01-20 08:04:53 -05:00
deads2k 31b6ba4e94 mechanicals 2017-01-13 16:33:09 -05:00
deads2k c4fae4e690 mechanical repercussions 2017-01-11 15:20:36 -05:00
deads2k 1df5b658f2 switch webhook to clientgo 2017-01-09 16:53:24 -05:00
Jeff Grafton 20d221f75c Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
deads2k 4d7fcae85a mechanicals 2017-01-05 11:14:27 -05:00
deads2k ca58ec0237 mechanical changes for move 2017-01-04 10:27:05 -05:00
deads2k ab1b77673f decouple genericapiserver from non-generic authenticator 2016-12-22 07:48:08 -05:00