diff --git a/pkg/kubeapiserver/authorizer/reload.go b/pkg/kubeapiserver/authorizer/reload.go
index 2e3525686bd..e6995631f6d 100644
--- a/pkg/kubeapiserver/authorizer/reload.go
+++ b/pkg/kubeapiserver/authorizer/reload.go
@@ -141,10 +141,18 @@ func (r *reloadableAuthorizerResolver) newForConfig(authzConfig *authzconfig.Aut
 default:
 return nil, nil, fmt.Errorf("unknown failurePolicy %q", configuredAuthorizer.Webhook.FailurePolicy)
 }
+
+ authorizedTTL, unauthorizedTTL := configuredAuthorizer.Webhook.AuthorizedTTL.Duration, configuredAuthorizer.Webhook.UnauthorizedTTL.Duration
+ if !configuredAuthorizer.Webhook.CacheAuthorizedRequests {
+ authorizedTTL = 0
+ }
+ if !configuredAuthorizer.Webhook.CacheUnauthorizedRequests {
+ unauthorizedTTL = 0
+ }
 webhookAuthorizer, err := webhook.New(clientConfig,
 configuredAuthorizer.Webhook.SubjectAccessReviewVersion,
- configuredAuthorizer.Webhook.AuthorizedTTL.Duration,
- configuredAuthorizer.Webhook.UnauthorizedTTL.Duration,
+ authorizedTTL,
+ unauthorizedTTL,
 *r.initialConfig.WebhookRetryBackoff,
 decisionOnError,
 configuredAuthorizer.Webhook.MatchConditions,
diff --git a/pkg/kubeapiserver/options/authorization.go b/pkg/kubeapiserver/options/authorization.go
index 1c5240f3cdd..8b36309c709 100644
--- a/pkg/kubeapiserver/options/authorization.go
+++ b/pkg/kubeapiserver/options/authorization.go
@@ -33,7 +33,6 @@ import (
 authzconfig "k8s.io/apiserver/pkg/apis/apiserver"
 genericoptions "k8s.io/apiserver/pkg/server/options"
 versionedinformers "k8s.io/client-go/informers"
- "k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
 authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
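Review bot: The new block in newForConfig encodes "caching disabled" by handing webhook.New a zero TTL, but nothing in the hunk establishes that webhook.New treats zero as "do not cache" rather than, say, substituting its own default; that contract should be stated where the TTL is zeroed so a later change to webhook.New does not silently re-enable caching. A short comment above the assignment would do, e.g. `// Cache*Requests is the authoritative switch; the TTL is dropped to 0 because that is what webhook.New uses for "do not cache" (confirm against webhook.New).` This matters operationally because a cached "allowed" decision outlives a policy change for the full AuthorizedTTL, so an operator who turned caching off must be able to trust that it is actually off. Whether a true flag combined with a zero TTL is rejected by validation is not visible here; if it is not, the same comment should say what that combination means. newForConfig starts before and continues past this hunk.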
@@ -273,8 +272,10 @@ func (o *BuiltInAuthorizationOptions) buildAuthorizationConfiguration() (*authzc
 Type: authzconfig.TypeWebhook,
 Name: defaultWebhookName,
 Webhook: &authzconfig.WebhookConfiguration{
- AuthorizedTTL: metav1.Duration{Duration: o.WebhookCacheAuthorizedTTL},
- UnauthorizedTTL: metav1.Duration{Duration: o.WebhookCacheUnauthorizedTTL},
+ AuthorizedTTL: metav1.Duration{Duration: o.WebhookCacheAuthorizedTTL},
+ CacheAuthorizedRequests: o.WebhookCacheAuthorizedTTL != 0,
+ UnauthorizedTTL: metav1.Duration{Duration: o.WebhookCacheUnauthorizedTTL},
+ CacheUnauthorizedRequests: o.WebhookCacheUnauthorizedTTL != 0,
 // Timeout and FailurePolicy are required for the new configuration.
 // Setting these two implicitly to preserve backward compatibility.
 Timeout: metav1.Duration{Duration: 30 * time.Second},
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load_test.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load_test.go
index 1c5eb1d0dde..687cc7d454e 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load_test.go
@@ -213,8 +213,10 @@ func TestLoadFromData(t *testing.T) {
 Type: "Webhook",
 Name: "default",
 Webhook: &api.WebhookConfiguration{
- AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
- UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+ AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
+ CacheAuthorizedRequests: true,
+ UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+ CacheUnauthorizedRequests: true,
 },
 }},
 },
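Review bot: The two new `!= 0` expressions in buildAuthorizationConfiguration quietly define the legacy-flag contract — a zero `--authorization-webhook-cache-*-ttl` now means "do not cache" — without saying so next to the existing comment that already explains the implicit Timeout and FailurePolicy. I would extend that comment block with `// A zero legacy TTL flag is mapped to Cache*Requests=false; the new configuration expresses "do not cache" via the booleans, not the TTL.` so the mapping survives the next refactor. Note that a negative flag value would also yield `true` here; if the flag is validated elsewhere that is fine, but it is not visible in this hunk. buildAuthorizationConfiguration starts before and continues past the hunk.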
@@ -252,8 +254,10 @@ authorizers:
 Type: "Webhook",
 Name: "default",
 Webhook: &api.WebhookConfiguration{
- AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
- UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+ AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
+ CacheAuthorizedRequests: true,
+ UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+ CacheUnauthorizedRequests: true,
 },
 }},
 },
@@ -291,8 +295,10 @@ authorizers:
 Type: "Webhook",
 Name: "default",
 Webhook: &api.WebhookConfiguration{
- AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
- UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+ AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
+ CacheAuthorizedRequests: true,
+ UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+ CacheUnauthorizedRequests: true,
 },
 }},
 },
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go
index a610ebc1a6c..6ea05085c5c 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go
@@ -334,11 +334,21 @@ type WebhookConfiguration struct {
 // Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 // Default: 5m0s
 AuthorizedTTL metav1.Duration
+ // CacheAuthorizedRequests specifies whether authorized requests should be cached.
+ // If set to true, the TTL for cached decisions can be configured via the
+ // AuthorizedTTL field.
+ // Default: true
+ CacheAuthorizedRequests bool
 // The duration to cache 'unauthorized' responses from the webhook
 // authorizer.
 // Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 // Default: 30s
 UnauthorizedTTL metav1.Duration
+ // CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+ // If set to true, the TTL for cached decisions can be configured via the
+ // UnauthorizedTTL field.
+ // Default: true
+ CacheUnauthorizedRequests bool
 // Timeout for the webhook request
 // Maximum allowed value is 30s.
 // Required, no default value.
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go
index 46fb841a5f9..6ba5a7ca1ce 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go
@@ -21,6 +21,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/utils/ptr"
 )
 var (
@@ -53,7 +54,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) {
 if obj.AuthorizedTTL.Duration == 0 {
 obj.AuthorizedTTL.Duration = 5 * time.Minute
 }
+ if obj.CacheAuthorizedRequests == nil {
+ obj.CacheAuthorizedRequests = ptr.To(true)
+ }
 if obj.UnauthorizedTTL.Duration == 0 {
 obj.UnauthorizedTTL.Duration = 30 * time.Second
 }
+ if obj.CacheUnauthorizedRequests == nil {
+ obj.CacheUnauthorizedRequests = ptr.To(true)
+ }
 }
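Review bot: The new field comments on CacheAuthorizedRequests and CacheUnauthorizedRequests say what true means but not what false means, which is the case an operator reading this type is most likely to be deciding on; the same text is repeated in the v1, v1alpha1 and v1beta1 types (the hunks at L5, L10 and L15). I would add one line to each, `// When false, AuthorizedTTL is ignored and every request is sent to the webhook.` (and the UnauthorizedTTL counterpart), and a sentence noting the trade-off a reader needs: while a decision is cached, a permission revoked upstream keeps being allowed for up to AuthorizedTTL, and a newly granted permission keeps being denied for up to UnauthorizedTTL. On this internal type the field is a plain bool whose zero value is false, so "Default: true" only holds for objects that came through the versioned defaulting; saying so here avoids a wrong assumption by code that constructs the internal type directly. The struct continues past this hunk.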
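Review bot: In SetDefaults_WebhookConfiguration the TTL is still forced to 5m (and 30s) when it is zero even if cacheAuthorizedRequests (or cacheUnauthorizedRequests) is explicitly false, so the defaulted object advertises a TTL that, per the reload.go change in this diff, is never used; the v1alpha1 and v1beta1 defaults hunks at L9 and L14 behave the same. That is probably intentional so the defaulted form is stable regardless of the booleans, but it deserves a comment at the top of the function, e.g. `// TTLs are defaulted even when caching is disabled; the Cache*Requests booleans, not the TTLs, decide whether the cache is used.` Without it the next reader will wonder whether the two checks should be nested. The `k8s.io/utils/ptr` import added in the same file is the right way to spell the pointer default.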
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go
index 18328c5582c..ae51f8b12f2 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go
@@ -97,11 +97,23 @@ type WebhookConfiguration struct {
 // Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 // Default: 5m0s
 AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
+ // CacheAuthorizedRequests specifies whether authorized requests should be cached.
+ // If set to true, the TTL for cached decisions can be configured via the
+ // AuthorizedTTL field.
+ // Default: true
+ // +optional
+ CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"`
 // The duration to cache 'unauthorized' responses from the webhook
 // authorizer.
 // Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 // Default: 30s
 UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"`
+ // CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+ // If set to true, the TTL for cached decisions can be configured via the
+ // UnauthorizedTTL field.
+ // Default: true
+ // +optional
+ CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"`
 // Timeout for the webhook request
 // Maximum allowed value is 30s.
 // Required, no default value.
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.conversion.go
index 63083025a53..4d238923c47 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.conversion.go
@@ -255,7 +255,17 @@ func Convert_apiserver_AdmissionPluginConfiguration_To_v1_AdmissionPluginConfigu } func autoConvert_v1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(in *AuthorizationConfiguration, out *apiserver.AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]apiserver.AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]apiserver.AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_v1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } @@ -265,7 +275,17 @@ func Convert_v1_AuthorizationConfiguration_To_apiserver_AuthorizationConfigurati } func autoConvert_apiserver_AuthorizationConfiguration_To_v1_AuthorizationConfiguration(in *apiserver.AuthorizationConfiguration, out *AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_apiserver_AuthorizerConfiguration_To_v1_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } 
@@ -277,7 +297,15 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1_AuthorizationConfigurati func autoConvert_v1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error { out.Type = apiserver.AuthorizerType(in.Type) out.Name = in.Name - out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(apiserver.WebhookConfiguration) + if err := Convert_v1_WebhookConfiguration_To_apiserver_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } @@ -289,7 +317,15 @@ func Convert_v1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in func autoConvert_apiserver_AuthorizerConfiguration_To_v1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error { out.Type = string(in.Type) out.Name = in.Name - out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(WebhookConfiguration) + if err := Convert_apiserver_WebhookConfiguration_To_v1_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } 
@@ -458,7 +494,13 @@ func Convert_apiserver_SecretboxConfiguration_To_v1_SecretboxConfiguration(in *a func autoConvert_v1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := metav1.Convert_Pointer_bool_To_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := metav1.Convert_Pointer_bool_To_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion @@ -477,7 +519,13 @@ func Convert_v1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *Webho func autoConvert_apiserver_WebhookConfiguration_To_v1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := metav1.Convert_bool_To_Pointer_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := metav1.Convert_bool_To_Pointer_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.deepcopy.go index 6afdbd3a2cc..a1d3954c55a 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.deepcopy.go 
@@ -337,7 +337,17 @@ func (in *SecretboxConfiguration) DeepCopy() *SecretboxConfiguration { func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { *out = *in out.AuthorizedTTL = in.AuthorizedTTL + if in.CacheAuthorizedRequests != nil { + in, out := &in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests + *out = new(bool) + **out = **in + } out.UnauthorizedTTL = in.UnauthorizedTTL + if in.CacheUnauthorizedRequests != nil { + in, out := &in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests + *out = new(bool) + **out = **in + } out.Timeout = in.Timeout in.ConnectionInfo.DeepCopyInto(&out.ConnectionInfo) if in.MatchConditions != nil { diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/defaults.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/defaults.go index a9af01fe76c..825173b16a4 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/defaults.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/defaults.go @@ -20,6 +20,7 @@ import ( "time" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/utils/ptr" ) func addDefaultingFuncs(scheme *runtime.Scheme) error { @@ -30,7 +31,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) { if obj.AuthorizedTTL.Duration == 0 { obj.AuthorizedTTL.Duration = 5 * time.Minute } + if obj.CacheAuthorizedRequests == nil { + obj.CacheAuthorizedRequests = ptr.To(true) + } if obj.UnauthorizedTTL.Duration == 0 { obj.UnauthorizedTTL.Duration = 30 * time.Second } + if obj.CacheUnauthorizedRequests == nil { + obj.CacheUnauthorizedRequests = ptr.To(true) + } } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go index 0a50799c26e..3b322d395ad 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go 
@@ -550,11 +550,23 @@ type WebhookConfiguration struct {
 // Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 // Default: 5m0s
 AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
+ // CacheAuthorizedRequests specifies whether authorized requests should be cached.
+ // If set to true, the TTL for cached decisions can be configured via the
+ // AuthorizedTTL field.
+ // Default: true
+ // +optional
+ CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"`
 // The duration to cache 'unauthorized' responses from the webhook
 // authorizer.
 // Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 // Default: 30s
 UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"`
+ // CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+ // If set to true, the TTL for cached decisions can be configured via the
+ // UnauthorizedTTL field.
+ // Default: true
+ // +optional
+ CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"`
 // Timeout for the webhook request
 // Maximum allowed value is 30s.
 // Required, no default value.
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go
index 3a6c66c3aac..235b0ef1ad3 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go
@@ -429,7 +429,17 @@ func Convert_apiserver_AuthenticationConfiguration_To_v1alpha1_AuthenticationCon } func autoConvert_v1alpha1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(in *AuthorizationConfiguration, out *apiserver.AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]apiserver.AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]apiserver.AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } @@ -439,7 +449,17 @@ func Convert_v1alpha1_AuthorizationConfiguration_To_apiserver_AuthorizationConfi } func autoConvert_apiserver_AuthorizationConfiguration_To_v1alpha1_AuthorizationConfiguration(in *apiserver.AuthorizationConfiguration, out *AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_apiserver_AuthorizerConfiguration_To_v1alpha1_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } 
@@ -451,7 +471,15 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1alpha1_AuthorizationConfi func autoConvert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error { out.Type = apiserver.AuthorizerType(in.Type) out.Name = in.Name - out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(apiserver.WebhookConfiguration) + if err := Convert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } @@ -463,7 +491,15 @@ func Convert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfigurati func autoConvert_apiserver_AuthorizerConfiguration_To_v1alpha1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error { out.Type = string(in.Type) out.Name = in.Name - out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(WebhookConfiguration) + if err := Convert_apiserver_WebhookConfiguration_To_v1alpha1_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } 
@@ -885,7 +921,13 @@ func Convert_apiserver_UserValidationRule_To_v1alpha1_UserValidationRule(in *api func autoConvert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := v1.Convert_Pointer_bool_To_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := v1.Convert_Pointer_bool_To_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion @@ -904,7 +946,13 @@ func Convert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in func autoConvert_apiserver_WebhookConfiguration_To_v1alpha1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := v1.Convert_bool_To_Pointer_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := v1.Convert_bool_To_Pointer_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go index 81b652254cb..cacbca48f48 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go 
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go @@ -547,7 +547,17 @@ func (in *UserValidationRule) DeepCopy() *UserValidationRule { func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { *out = *in out.AuthorizedTTL = in.AuthorizedTTL + if in.CacheAuthorizedRequests != nil { + in, out := &in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests + *out = new(bool) + **out = **in + } out.UnauthorizedTTL = in.UnauthorizedTTL + if in.CacheUnauthorizedRequests != nil { + in, out := &in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests + *out = new(bool) + **out = **in + } out.Timeout = in.Timeout in.ConnectionInfo.DeepCopyInto(&out.ConnectionInfo) if in.MatchConditions != nil { diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/defaults.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/defaults.go index eebcb6c0025..7102cc7e37f 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/defaults.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/defaults.go @@ -20,6 +20,7 @@ import ( "time" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/utils/ptr" ) func addDefaultingFuncs(scheme *runtime.Scheme) error { @@ -30,7 +31,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) { if obj.AuthorizedTTL.Duration == 0 { obj.AuthorizedTTL.Duration = 5 * time.Minute } + if obj.CacheAuthorizedRequests == nil { + obj.CacheAuthorizedRequests = ptr.To(true) + } if obj.UnauthorizedTTL.Duration == 0 { obj.UnauthorizedTTL.Duration = 30 * time.Second } + if obj.CacheUnauthorizedRequests == nil { + obj.CacheUnauthorizedRequests = ptr.To(true) + } } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go index 72fe602b95d..5009a579a7b 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go 
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go
@@ -521,11 +521,23 @@ type WebhookConfiguration struct {
 // Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 // Default: 5m0s
 AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
+ // CacheAuthorizedRequests specifies whether authorized requests should be cached.
+ // If set to true, the TTL for cached decisions can be configured via the
+ // AuthorizedTTL field.
+ // Default: true
+ // +optional
+ CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"`
 // The duration to cache 'unauthorized' responses from the webhook
 // authorizer.
 // Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 // Default: 30s
 UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"`
+ // CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+ // If set to true, the TTL for cached decisions can be configured via the
+ // UnauthorizedTTL field.
+ // Default: true
+ // +optional
+ CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"`
 // Timeout for the webhook request
 // Maximum allowed value is 30s.
 // Required, no default value.
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.conversion.go
index 30ef049d403..d654b4b78d3 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.conversion.go
@@ -365,7 +365,17 @@ func Convert_apiserver_AuthenticationConfiguration_To_v1beta1_AuthenticationConf } func autoConvert_v1beta1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(in *AuthorizationConfiguration, out *apiserver.AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]apiserver.AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]apiserver.AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } @@ -375,7 +385,17 @@ func Convert_v1beta1_AuthorizationConfiguration_To_apiserver_AuthorizationConfig } func autoConvert_apiserver_AuthorizationConfiguration_To_v1beta1_AuthorizationConfiguration(in *apiserver.AuthorizationConfiguration, out *AuthorizationConfiguration, s conversion.Scope) error { - out.Authorizers = *(*[]AuthorizerConfiguration)(unsafe.Pointer(&in.Authorizers)) + if in.Authorizers != nil { + in, out := &in.Authorizers, &out.Authorizers + *out = make([]AuthorizerConfiguration, len(*in)) + for i := range *in { + if err := Convert_apiserver_AuthorizerConfiguration_To_v1beta1_AuthorizerConfiguration(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Authorizers = nil + } return nil } 
@@ -387,7 +407,15 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1beta1_AuthorizationConfig func autoConvert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error { out.Type = apiserver.AuthorizerType(in.Type) out.Name = in.Name - out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(apiserver.WebhookConfiguration) + if err := Convert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } @@ -399,7 +427,15 @@ func Convert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguratio func autoConvert_apiserver_AuthorizerConfiguration_To_v1beta1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error { out.Type = string(in.Type) out.Name = in.Name - out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook)) + if in.Webhook != nil { + in, out := &in.Webhook, &out.Webhook + *out = new(WebhookConfiguration) + if err := Convert_apiserver_WebhookConfiguration_To_v1beta1_WebhookConfiguration(*in, *out, s); err != nil { + return err + } + } else { + out.Webhook = nil + } return nil } 
@@ -821,7 +857,13 @@ func Convert_apiserver_UserValidationRule_To_v1beta1_UserValidationRule(in *apis func autoConvert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := v1.Convert_Pointer_bool_To_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := v1.Convert_Pointer_bool_To_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion @@ -840,7 +882,13 @@ func Convert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in * func autoConvert_apiserver_WebhookConfiguration_To_v1beta1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error { out.AuthorizedTTL = in.AuthorizedTTL + if err := v1.Convert_bool_To_Pointer_bool(&in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests, s); err != nil { + return err + } out.UnauthorizedTTL = in.UnauthorizedTTL + if err := v1.Convert_bool_To_Pointer_bool(&in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests, s); err != nil { + return err + } out.Timeout = in.Timeout out.SubjectAccessReviewVersion = in.SubjectAccessReviewVersion out.MatchConditionSubjectAccessReviewVersion = in.MatchConditionSubjectAccessReviewVersion diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.deepcopy.go index 0d78e51a96b..45b6510cad1 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.deepcopy.go 
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.deepcopy.go @@ -494,7 +494,17 @@ func (in *UserValidationRule) DeepCopy() *UserValidationRule { func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { *out = *in out.AuthorizedTTL = in.AuthorizedTTL + if in.CacheAuthorizedRequests != nil { + in, out := &in.CacheAuthorizedRequests, &out.CacheAuthorizedRequests + *out = new(bool) + **out = **in + } out.UnauthorizedTTL = in.UnauthorizedTTL + if in.CacheUnauthorizedRequests != nil { + in, out := &in.CacheUnauthorizedRequests, &out.CacheUnauthorizedRequests + *out = new(bool) + **out = **in + } out.Timeout = in.Timeout in.ConnectionInfo.DeepCopyInto(&out.ConnectionInfo) if in.MatchConditions != nil {