Allow disabling caching for webhook authorizers when using apiserver.config.k8s.io/v1{alpha1,beta1}.AuthorizationConfiguration (#129237)

* Introduce new boolean `cache{Una,A}uthorizedRequests` field

* Run `hack/update-codegen.sh`

* Respect legacy flags values for caching

With the legacy `--authorization-webhook-cache-{un}authorized-ttl`
flags, caching was disabled when the TTL was set to `0`, so let's
continue doing so when building the authz configuration struct.

* Pass TTL=0 to webhook authz plugin when cache disabled

pkg/kubeapiserver/authorizer/reload.go

@@ -141,10 +141,18 @@ func (r *reloadableAuthorizerResolver) newForConfig(authzConfig *authzconfig.Aut
 			default:
 				return nil, nil, fmt.Errorf("unknown failurePolicy %q", configuredAuthorizer.Webhook.FailurePolicy)
 			}
+
+			authorizedTTL, unauthorizedTTL := configuredAuthorizer.Webhook.AuthorizedTTL.Duration, configuredAuthorizer.Webhook.UnauthorizedTTL.Duration
+			if !configuredAuthorizer.Webhook.CacheAuthorizedRequests {
+				authorizedTTL = 0
+			}
+			if !configuredAuthorizer.Webhook.CacheUnauthorizedRequests {
+				unauthorizedTTL = 0
+			}
 			webhookAuthorizer, err := webhook.New(clientConfig,
 				configuredAuthorizer.Webhook.SubjectAccessReviewVersion,
-				configuredAuthorizer.Webhook.AuthorizedTTL.Duration,
-				configuredAuthorizer.Webhook.UnauthorizedTTL.Duration,
+				authorizedTTL,
+				unauthorizedTTL,
 				*r.initialConfig.WebhookRetryBackoff,
 				decisionOnError,
 				configuredAuthorizer.Webhook.MatchConditions,

pkg/kubeapiserver/options/authorization.go

@@ -33,7 +33,6 @@ import (
 	authzconfig "k8s.io/apiserver/pkg/apis/apiserver"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	versionedinformers "k8s.io/client-go/informers"
-
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
@@ -273,8 +272,10 @@ func (o *BuiltInAuthorizationOptions) buildAuthorizationConfiguration() (*authzc
 				Type: authzconfig.TypeWebhook,
 				Name: defaultWebhookName,
 				Webhook: &authzconfig.WebhookConfiguration{
-					AuthorizedTTL:   metav1.Duration{Duration: o.WebhookCacheAuthorizedTTL},
-					UnauthorizedTTL: metav1.Duration{Duration: o.WebhookCacheUnauthorizedTTL},
+					AuthorizedTTL:             metav1.Duration{Duration: o.WebhookCacheAuthorizedTTL},
+					CacheAuthorizedRequests:   o.WebhookCacheAuthorizedTTL != 0,
+					UnauthorizedTTL:           metav1.Duration{Duration: o.WebhookCacheUnauthorizedTTL},
+					CacheUnauthorizedRequests: o.WebhookCacheUnauthorizedTTL != 0,
 					// Timeout and FailurePolicy are required for the new configuration.
 					// Setting these two implicitly to preserve backward compatibility.
 					Timeout:                    metav1.Duration{Duration: 30 * time.Second},

staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load_test.go

@@ -213,8 +213,10 @@ func TestLoadFromData(t *testing.T) {
 					Type: "Webhook",
 					Name: "default",
 					Webhook: &api.WebhookConfiguration{
-						AuthorizedTTL:   metav1.Duration{Duration: 5 * time.Minute},
-						UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+						AuthorizedTTL:             metav1.Duration{Duration: 5 * time.Minute},
+						CacheAuthorizedRequests:   true,
+						UnauthorizedTTL:           metav1.Duration{Duration: 30 * time.Second},
+						CacheUnauthorizedRequests: true,
 					},
 				}},
 			},
@@ -252,8 +254,10 @@ authorizers:
 					Type: "Webhook",
 					Name: "default",
 					Webhook: &api.WebhookConfiguration{
-						AuthorizedTTL:   metav1.Duration{Duration: 5 * time.Minute},
-						UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+						AuthorizedTTL:             metav1.Duration{Duration: 5 * time.Minute},
+						CacheAuthorizedRequests:   true,
+						UnauthorizedTTL:           metav1.Duration{Duration: 30 * time.Second},
+						CacheUnauthorizedRequests: true,
 					},
 				}},
 			},
@@ -291,8 +295,10 @@ authorizers:
 					Type: "Webhook",
 					Name: "default",
 					Webhook: &api.WebhookConfiguration{
-						AuthorizedTTL:   metav1.Duration{Duration: 5 * time.Minute},
-						UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+						AuthorizedTTL:             metav1.Duration{Duration: 5 * time.Minute},
+						CacheAuthorizedRequests:   true,
+						UnauthorizedTTL:           metav1.Duration{Duration: 30 * time.Second},
+						CacheUnauthorizedRequests: true,
 					},
 				}},
 			},

staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go

@@ -334,11 +334,21 @@ type WebhookConfiguration struct {
 	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 	// Default: 5m0s
 	AuthorizedTTL metav1.Duration
+	// CacheAuthorizedRequests specifies whether authorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// AuthorizedTTL field.
+	// Default: true
+	CacheAuthorizedRequests bool
 	// The duration to cache 'unauthorized' responses from the webhook
 	// authorizer.
 	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 	// Default: 30s
 	UnauthorizedTTL metav1.Duration
+	// CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// UnauthorizedTTL field.
+	// Default: true
+	CacheUnauthorizedRequests bool
 	// Timeout for the webhook request
 	// Maximum allowed value is 30s.
 	// Required, no default value.

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go

@@ -21,6 +21,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 )
 
 var (
@@ -53,7 +54,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) {
 	if obj.AuthorizedTTL.Duration == 0 {
 		obj.AuthorizedTTL.Duration = 5 * time.Minute
 	}
+	if obj.CacheAuthorizedRequests == nil {
+		obj.CacheAuthorizedRequests = ptr.To(true)
+	}
 	if obj.UnauthorizedTTL.Duration == 0 {
 		obj.UnauthorizedTTL.Duration = 30 * time.Second
 	}
+	if obj.CacheUnauthorizedRequests == nil {
+		obj.CacheUnauthorizedRequests = ptr.To(true)
+	}
 }

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go

@@ -97,11 +97,23 @@ type WebhookConfiguration struct {
 	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 	// Default: 5m0s
 	AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
+	// CacheAuthorizedRequests specifies whether authorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// AuthorizedTTL field.
+	// Default: true
+	// +optional
+	CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"`
 	// The duration to cache 'unauthorized' responses from the webhook
 	// authorizer.
 	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 	// Default: 30s
 	UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"`
+	// CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// UnauthorizedTTL field.
+	// Default: true
+	// +optional
+	CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"`
 	// Timeout for the webhook request
 	// Maximum allowed value is 30s.
 	// Required, no default value.

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.conversion.go

@@ -255,7 +255,17 @@ func Convert_apiserver_AdmissionPluginConfiguration_To_v1_AdmissionPluginConfigu
 }
 
 func autoConvert_v1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(in *AuthorizationConfiguration, out *apiserver.AuthorizationConfiguration, s conversion.Scope) error {
-	out.Authorizers = *(*[]apiserver.AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers))
+	if in.Authorizers != nil {
+		in, out := &in.Authorizers, &out.Authorizers
+		*out = make([]apiserver.AuthorizerConfiguration, len(*in))
+		for i := range *in {
+			if err := Convert_v1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Authorizers = nil
+	}
 	return nil
 }
 
@@ -265,7 +275,17 @@ func Convert_v1_AuthorizationConfiguration_To_apiserver_AuthorizationConfigurati
 }
 
 func autoConvert_apiserver_AuthorizationConfiguration_To_v1_AuthorizationConfiguration(in *apiserver.AuthorizationConfiguration, out *AuthorizationConfiguration, s conversion.Scope) error {
-	out.Authorizers = *(*[]AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers))
+	if in.Authorizers != nil {
+		in, out := &in.Authorizers, &out.Authorizers
+		*out = make([]AuthorizerConfiguration, len(*in))
+		for i := range *in {
+			if err := Convert_apiserver_AuthorizerConfiguration_To_v1_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Authorizers = nil
+	}
 	return nil
 }
 
@@ -277,7 +297,15 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1_AuthorizationConfigurati
 func autoConvert_v1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error {
 	out.Type = apiserver.AuthorizerType(in.Type)
 	out.Name = in.Name
-	out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook))
+	if in.Webhook != nil {
+		in, out := &in.Webhook, &out.Webhook
+		*out = new(apiserver.WebhookConfiguration)
+		if err := Convert_v1_WebhookConfiguration_To_apiserver_WebhookConfiguration(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Webhook = nil
+	}
 	return nil
 }
 
@@ -289,7 +317,15 @@ func Convert_v1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in
 func autoConvert_apiserver_AuthorizerConfiguration_To_v1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error {
 	out.Type = string(in.Type)
 	out.Name = in.Name
-	out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook))
+	if in.Webhook != nil {
+		in, out := &in.Webhook, &out.Webhook
+		*out = new(WebhookConfiguration)
+		if err := Convert_apiserver_WebhookConfiguration_To_v1_WebhookConfiguration(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Webhook = nil
+	}
 	return nil
 }
 
@@ -458,7 +494,13 @@ func Convert_apiserver_SecretboxConfiguration_To_v1_SecretboxConfiguration(in *a
 
 func autoConvert_v1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error {
 	out.AuthorizedTTL = in.AuthorizedTTL
+	if err := metav1.Convert_Pointer_bool_To_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil {
+		return err
+	}
 	out.UnauthorizedTTL = in.UnauthorizedTTL
+	if err := metav1.Convert_Pointer_bool_To_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil {
+		return err
+	}
 	out.Timeout = in.Timeout
 	out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion
 	out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion
@@ -477,7 +519,13 @@ func Convert_v1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *Webho
 
 func autoConvert_apiserver_WebhookConfiguration_To_v1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error {
 	out.AuthorizedTTL = in.AuthorizedTTL
+	if err := metav1.Convert_bool_To_Pointer_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil {
+		return err
+	}
 	out.UnauthorizedTTL = in.UnauthorizedTTL
+	if err := metav1.Convert_bool_To_Pointer_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil {
+		return err
+	}
 	out.Timeout = in.Timeout
 	out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion
 	out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.deepcopy.go

@@ -337,7 +337,17 @@ func (in *SecretboxConfiguration) DeepCopy() *SecretboxConfiguration {
 func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) {
 	*out = *in
 	out.AuthorizedTTL = in.AuthorizedTTL
+	if in.CacheAuthorizedRequests != nil {
+		in, out := &in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests
+		*out = new(bool)
+		**out = **in
+	}
 	out.UnauthorizedTTL = in.UnauthorizedTTL
+	if in.CacheUnauthorizedRequests != nil {
+		in, out := &in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests
+		*out = new(bool)
+		**out = **in
+	}
 	out.Timeout = in.Timeout
 	in.ConnectionInfo.DeepCopyInto(&out.ConnectionInfo)
 	if in.MatchConditions != nil {

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/defaults.go

@@ -20,6 +20,7 @@ import (
 	"time"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 )
 
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
@@ -30,7 +31,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) {
 	if obj.AuthorizedTTL.Duration == 0 {
 		obj.AuthorizedTTL.Duration = 5 * time.Minute
 	}
+	if obj.CacheAuthorizedRequests == nil {
+		obj.CacheAuthorizedRequests = ptr.To(true)
+	}
 	if obj.UnauthorizedTTL.Duration == 0 {
 		obj.UnauthorizedTTL.Duration = 30 * time.Second
 	}
+	if obj.CacheUnauthorizedRequests == nil {
+		obj.CacheUnauthorizedRequests = ptr.To(true)
+	}
 }

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go

@@ -550,11 +550,23 @@ type WebhookConfiguration struct {
 	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 	// Default: 5m0s
 	AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
+	// CacheAuthorizedRequests specifies whether authorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// AuthorizedTTL field.
+	// Default: true
+	// +optional
+	CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"`
 	// The duration to cache 'unauthorized' responses from the webhook
 	// authorizer.
 	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 	// Default: 30s
 	UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"`
+	// CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// UnauthorizedTTL field.
+	// Default: true
+	// +optional
+	CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"`
 	// Timeout for the webhook request
 	// Maximum allowed value is 30s.
 	// Required, no default value.

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go

@@ -429,7 +429,17 @@ func Convert_apiserver_AuthenticationConfiguration_To_v1alpha1_AuthenticationCon
 }
 
 func autoConvert_v1alpha1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(in *AuthorizationConfiguration, out *apiserver.AuthorizationConfiguration, s conversion.Scope) error {
-	out.Authorizers = *(*[]apiserver.AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers))
+	if in.Authorizers != nil {
+		in, out := &in.Authorizers, &out.Authorizers
+		*out = make([]apiserver.AuthorizerConfiguration, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Authorizers = nil
+	}
 	return nil
 }
 
@@ -439,7 +449,17 @@ func Convert_v1alpha1_AuthorizationConfiguration_To_apiserver_AuthorizationConfi
 }
 
 func autoConvert_apiserver_AuthorizationConfiguration_To_v1alpha1_AuthorizationConfiguration(in *apiserver.AuthorizationConfiguration, out *AuthorizationConfiguration, s conversion.Scope) error {
-	out.Authorizers = *(*[]AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers))
+	if in.Authorizers != nil {
+		in, out := &in.Authorizers, &out.Authorizers
+		*out = make([]AuthorizerConfiguration, len(*in))
+		for i := range *in {
+			if err := Convert_apiserver_AuthorizerConfiguration_To_v1alpha1_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Authorizers = nil
+	}
 	return nil
 }
 
@@ -451,7 +471,15 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1alpha1_AuthorizationConfi
 func autoConvert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error {
 	out.Type = apiserver.AuthorizerType(in.Type)
 	out.Name = in.Name
-	out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook))
+	if in.Webhook != nil {
+		in, out := &in.Webhook, &out.Webhook
+		*out = new(apiserver.WebhookConfiguration)
+		if err := Convert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Webhook = nil
+	}
 	return nil
 }
 
@@ -463,7 +491,15 @@ func Convert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfigurati
 func autoConvert_apiserver_AuthorizerConfiguration_To_v1alpha1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error {
 	out.Type = string(in.Type)
 	out.Name = in.Name
-	out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook))
+	if in.Webhook != nil {
+		in, out := &in.Webhook, &out.Webhook
+		*out = new(WebhookConfiguration)
+		if err := Convert_apiserver_WebhookConfiguration_To_v1alpha1_WebhookConfiguration(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Webhook = nil
+	}
 	return nil
 }
 
@@ -885,7 +921,13 @@ func Convert_apiserver_UserValidationRule_To_v1alpha1_UserValidationRule(in *api
 
 func autoConvert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error {
 	out.AuthorizedTTL = in.AuthorizedTTL
+	if err := v1.Convert_Pointer_bool_To_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil {
+		return err
+	}
 	out.UnauthorizedTTL = in.UnauthorizedTTL
+	if err := v1.Convert_Pointer_bool_To_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil {
+		return err
+	}
 	out.Timeout = in.Timeout
 	out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion
 	out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion
@@ -904,7 +946,13 @@ func Convert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in
 
 func autoConvert_apiserver_WebhookConfiguration_To_v1alpha1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error {
 	out.AuthorizedTTL = in.AuthorizedTTL
+	if err := v1.Convert_bool_To_Pointer_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil {
+		return err
+	}
 	out.UnauthorizedTTL = in.UnauthorizedTTL
+	if err := v1.Convert_bool_To_Pointer_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil {
+		return err
+	}
 	out.Timeout = in.Timeout
 	out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion
 	out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go

@@ -547,7 +547,17 @@ func (in *UserValidationRule) DeepCopy() *UserValidationRule {
 func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) {
 	*out = *in
 	out.AuthorizedTTL = in.AuthorizedTTL
+	if in.CacheAuthorizedRequests != nil {
+		in, out := &in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests
+		*out = new(bool)
+		**out = **in
+	}
 	out.UnauthorizedTTL = in.UnauthorizedTTL
+	if in.CacheUnauthorizedRequests != nil {
+		in, out := &in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests
+		*out = new(bool)
+		**out = **in
+	}
 	out.Timeout = in.Timeout
 	in.ConnectionInfo.DeepCopyInto(&out.ConnectionInfo)
 	if in.MatchConditions != nil {

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/defaults.go

@@ -20,6 +20,7 @@ import (
 	"time"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 )
 
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
@@ -30,7 +31,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) {
 	if obj.AuthorizedTTL.Duration == 0 {
 		obj.AuthorizedTTL.Duration = 5 * time.Minute
 	}
+	if obj.CacheAuthorizedRequests == nil {
+		obj.CacheAuthorizedRequests = ptr.To(true)
+	}
 	if obj.UnauthorizedTTL.Duration == 0 {
 		obj.UnauthorizedTTL.Duration = 30 * time.Second
 	}
+	if obj.CacheUnauthorizedRequests == nil {
+		obj.CacheUnauthorizedRequests = ptr.To(true)
+	}
 }

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go

@@ -521,11 +521,23 @@ type WebhookConfiguration struct {
 	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 	// Default: 5m0s
 	AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
+	// CacheAuthorizedRequests specifies whether authorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// AuthorizedTTL field.
+	// Default: true
+	// +optional
+	CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"`
 	// The duration to cache 'unauthorized' responses from the webhook
 	// authorizer.
 	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 	// Default: 30s
 	UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"`
+	// CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// UnauthorizedTTL field.
+	// Default: true
+	// +optional
+	CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"`
 	// Timeout for the webhook request
 	// Maximum allowed value is 30s.
 	// Required, no default value.

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.conversion.go

@@ -365,7 +365,17 @@ func Convert_apiserver_AuthenticationConfiguration_To_v1beta1_AuthenticationConf
 }
 
 func autoConvert_v1beta1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(in *AuthorizationConfiguration, out *apiserver.AuthorizationConfiguration, s conversion.Scope) error {
-	out.Authorizers = *(*[]apiserver.AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers))
+	if in.Authorizers != nil {
+		in, out := &in.Authorizers, &out.Authorizers
+		*out = make([]apiserver.AuthorizerConfiguration, len(*in))
+		for i := range *in {
+			if err := Convert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Authorizers = nil
+	}
 	return nil
 }
 
@@ -375,7 +385,17 @@ func Convert_v1beta1_AuthorizationConfiguration_To_apiserver_AuthorizationConfig
 }
 
 func autoConvert_apiserver_AuthorizationConfiguration_To_v1beta1_AuthorizationConfiguration(in *apiserver.AuthorizationConfiguration, out *AuthorizationConfiguration, s conversion.Scope) error {
-	out.Authorizers = *(*[]AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers))
+	if in.Authorizers != nil {
+		in, out := &in.Authorizers, &out.Authorizers
+		*out = make([]AuthorizerConfiguration, len(*in))
+		for i := range *in {
+			if err := Convert_apiserver_AuthorizerConfiguration_To_v1beta1_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Authorizers = nil
+	}
 	return nil
 }
 
@@ -387,7 +407,15 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1beta1_AuthorizationConfig
 func autoConvert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error {
 	out.Type = apiserver.AuthorizerType(in.Type)
 	out.Name = in.Name
-	out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook))
+	if in.Webhook != nil {
+		in, out := &in.Webhook, &out.Webhook
+		*out = new(apiserver.WebhookConfiguration)
+		if err := Convert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Webhook = nil
+	}
 	return nil
 }
 
@@ -399,7 +427,15 @@ func Convert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguratio
 func autoConvert_apiserver_AuthorizerConfiguration_To_v1beta1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error {
 	out.Type = string(in.Type)
 	out.Name = in.Name
-	out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook))
+	if in.Webhook != nil {
+		in, out := &in.Webhook, &out.Webhook
+		*out = new(WebhookConfiguration)
+		if err := Convert_apiserver_WebhookConfiguration_To_v1beta1_WebhookConfiguration(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Webhook = nil
+	}
 	return nil
 }
 
@@ -821,7 +857,13 @@ func Convert_apiserver_UserValidationRule_To_v1beta1_UserValidationRule(in *apis
 
 func autoConvert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error {
 	out.AuthorizedTTL = in.AuthorizedTTL
+	if err := v1.Convert_Pointer_bool_To_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil {
+		return err
+	}
 	out.UnauthorizedTTL = in.UnauthorizedTTL
+	if err := v1.Convert_Pointer_bool_To_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil {
+		return err
+	}
 	out.Timeout = in.Timeout
 	out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion
 	out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion
@@ -840,7 +882,13 @@ func Convert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *
 
 func autoConvert_apiserver_WebhookConfiguration_To_v1beta1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error {
 	out.AuthorizedTTL = in.AuthorizedTTL
+	if err := v1.Convert_bool_To_Pointer_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil {
+		return err
+	}
 	out.UnauthorizedTTL = in.UnauthorizedTTL
+	if err := v1.Convert_bool_To_Pointer_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil {
+		return err
+	}
 	out.Timeout = in.Timeout
 	out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion
 	out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.deepcopy.go

@@ -494,7 +494,17 @@ func (in *UserValidationRule) DeepCopy() *UserValidationRule {
 func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) {
 	*out = *in
 	out.AuthorizedTTL = in.AuthorizedTTL
+	if in.CacheAuthorizedRequests != nil {
+		in, out := &in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests
+		*out = new(bool)
+		**out = **in
+	}
 	out.UnauthorizedTTL = in.UnauthorizedTTL
+	if in.CacheUnauthorizedRequests != nil {
+		in, out := &in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests
+		*out = new(bool)
+		**out = **in
+	}
 	out.Timeout = in.Timeout
 	in.ConnectionInfo.DeepCopyInto(&out.ConnectionInfo)
 	if in.MatchConditions != nil {