mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-12-12 19:15:36 +00:00
Automatic merge from submit-queue

pkg/apiserver/authenticator: reorder oidc plugin to auth after service accounts

Both plugins verify JWTs, but the OpenID Connect plugin performs much worse when faced with cache misses. Reorder the plugins so the service account plugin tries to authenticate a bearer token first.

I had a fun time with this by writing an OpenID Connect provider that stores its data in third party resources. When it's running in the cluster it uses a service account, and this caused some interesting behavior when the keys expired. Our OpenID Connect plugin needs a more sophisticated caching model to avoid continuously re-requesting keys when seeing a lot of tokens it doesn't recognize. However, I feel this reordering is generally useful since service accounts will be more common than OpenID Connect tokens.

cc @kubernetes/sig-auth
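The cost asymmetry the commit message describes, as an added Go example that is neither Kubernetes code nor the author's: a two-plugin bearer-token chain run over constructed, unsigned tokens. The service account plugin checks a local key set, while the OIDC plugin, modelled on the message's description (an assumption, not a reading of the real plugin), looks up the signing key before it examines the claims and refetches provider keys on every unknown kid. The names (Authenticator, ServiceAccountAuth, OIDCAuth, RunChain), key ids, issuer URL and sample tokens are all assumptions, and no signatures are verified; the block only counts how often the expensive key refresh happens under each plugin order.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Authenticator is the shape of a bearer-token plugin (name assumed).
type Authenticator interface {
	AuthenticateToken(token string) (user string, ok bool)
}

// jwt holds what this model reads: kid from the header, iss and sub from the claims.
type jwt struct{ Kid, Iss, Sub string } // encoding/json matches the lowercase keys case-insensitively

// parseJWT decodes header and claims of a compact JWT; the signature is ignored on purpose.
func parseJWT(token string) (t jwt, ok bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return t, false
	}
	for _, p := range parts[:2] {
		raw, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil || json.Unmarshal(raw, &t) != nil {
			return t, false
		}
	}
	return t, true
}

// mintToken builds an unsigned test token (constructed input, not a real one).
func mintToken(kid, iss, sub string) string {
	hb, _ := json.Marshal(map[string]string{"kid": kid, "alg": "RS256"})
	cb, _ := json.Marshal(map[string]string{"iss": iss, "sub": sub})
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hb) + "." + enc(cb) + ".unsigned"
}

// ServiceAccountAuth keeps its keys locally: a foreign issuer or unknown kid is a cheap "not mine".
type ServiceAccountAuth struct{ Keys map[string]bool }
func (s *ServiceAccountAuth) AuthenticateToken(token string) (string, bool) {
	t, ok := parseJWT(token)
	if !ok || t.Iss != "kubernetes/serviceaccount" || !s.Keys[t.Kid] {
		return "", false
	}
	return t.Sub, true
}

// OIDCAuth looks the signing key up before it reads the claims (assumption modelled on
// the message), so an uncached kid forces a key refresh before it can reject the token.
type OIDCAuth struct {
	Issuer     string
	Cached     map[string]bool // keys fetched so far
	Remote     map[string]bool // what the provider serves on a refresh
	KeyFetches int             // the expensive round trips
}
func (o *OIDCAuth) AuthenticateToken(token string) (string, bool) {
	t, ok := parseJWT(token)
	if ok && !o.Cached[t.Kid] { // cache miss: simulated key refetch from the provider
		o.KeyFetches++
		for k := range o.Remote {
			o.Cached[k] = true
		}
	}
	if !ok || !o.Cached[t.Kid] || t.Iss != o.Issuer {
		return "", false
	}
	return t.Sub, true
}

// RunChain feeds constructed traffic (one OIDC token, one non-JWT, five service account tokens)
// through the plugins in the requested order and reports successes and OIDC key fetches.
func RunChain(oidcFirst bool) (authenticated, keyFetches int) {
	tokens := []string{mintToken("oidc-key-1", "https://accounts.example.com", "alice@example.com"), "not-a-token"}
	for i := 0; i < 5; i++ {
		tokens = append(tokens, mintToken("sa-key-1", "kubernetes/serviceaccount", fmt.Sprintf("system:serviceaccount:demo:sa%d", i)))
	}
	sa := &ServiceAccountAuth{Keys: map[string]bool{"sa-key-1": true}}
	oidc := &OIDCAuth{Issuer: "https://accounts.example.com", Cached: map[string]bool{}, Remote: map[string]bool{"oidc-key-1": true}}
	chain := []Authenticator{sa, oidc}
	if oidcFirst {
		chain = []Authenticator{oidc, sa}
	}
	for _, tok := range tokens {
		for _, a := range chain { // first plugin to accept wins
			if _, ok := a.AuthenticateToken(tok); ok {
				authenticated++
				break
			}
		}
	}
	return authenticated, oidc.KeyFetches
}

func main() {
	fmt.Println(RunChain(true))  // OIDC first: 6 authenticated, 6 key fetches
	fmt.Println(RunChain(false)) // service accounts first: 6 authenticated, 1 key fetch
}
```

With the OIDC plugin first, every service account token costs a provider key refresh because the plugin cannot tell the token is not its own until it has tried to find a key for the unfamiliar kid; with the service account plugin first, the OIDC plugin is consulted only for the one token it can actually handle. The model's "one refresh per unknown kid" is a simplification of the behaviour the message complains about, which is exactly the caching weakness that reordering sidesteps rather than fixes.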