Bug 1967090

Summary: kube-apiserver should use 30s cache TTL for openshift authentication
Product: OpenShift Container Platform
Reporter: Standa Laznicka <slaznick>
Component: Documentation
Assignee: Andrea Hoffer <ahoffer>
Status: CLOSED DEFERRED
QA Contact: Xiaoli Tian <xtian>
Severity: medium
Priority: high
Version: 4.8
CC: ahoffer, aos-bugs, mfojtik, surbania
Target Release: 4.8.0
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2023-03-09 01:03:29 UTC
Type: Bug

Description Standa Laznicka 2021-06-02 12:33:10 UTC
Description of problem:
The default cache TTL is too long (2 minutes) and could significantly lower token lifespan if OpenShift access token timeout was set to its minimal value (5 minutes).

Version-Release number of selected component (if applicable):
4.8

How reproducible:
100%

Steps to Reproduce:
see the picture at https://github.com/openshift/enhancements/pull/403/commits/cffe15c9784311e4a758774c0b21cd4de82f3903#r458090987

Comment 1 Sergiusz Urbaniak 2021-06-03 09:02:33 UTC
As discussed OOB in https://coreos.slack.com/archives/CC3CZCQHM/p1622635368364200, we will leave the current TTL window at 2 minutes. This prevents additional tokenreview API calls due to earlier cache invalidations. Instead, we will document the edge cases and time windows, where we describe the interleaving between token timeouts and cache timeouts as outlined in https://github.com/openshift/enhancements/pull/403#discussion_r458090987.

Comment 2 Sergiusz Urbaniak 2021-06-07 11:03:31 UTC
Resetting to ASSIGNED as we don't have the documentation yet.

Comment 6 Shiftzilla 2023-03-09 01:03:29 UTC
OpenShift has moved to Jira for its defect tracking! This bug can now be found in the OCPBUGS project in Jira.

https://issues.redhat.com/browse/OCPBUGS-8893