Bug 1967090 - kube-apiserver should use 30s cache TTL for openshift authentication
Summary: kube-apiserver should use 30s cache TTL for openshift authentication
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.8.0
Assignee: Andrea Hoffer
QA Contact: Xiaoli Tian
Depends On:
Reported: 2021-06-02 12:33 UTC by Standa Laznicka
Modified: 2023-03-09 01:03 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2023-03-09 01:03:29 UTC
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-kube-apiserver-operator pull 1129 | 0 | None | open | Bug 1967090: webhookauth observer: set cache TTL to 30s | 2021-06-02 12:33:48 UTC
Github | openshift cluster-kube-apiserver-operator pull 1140 | 0 | None | open | Bug 1967090: Revert webhookauth observer: set cache TTL to 30s | 2021-06-04 08:36:17 UTC

Description Standa Laznicka 2021-06-02 12:33:10 UTC
Description of problem:
The default cache TTL is too long (2 minutes) and could significantly lower token lifespan if OpenShift access token timeout was set to its minimal value (5 minutes).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
see the picture at https://github.com/openshift/enhancements/pull/403/commits/cffe15c9784311e4a758774c0b21cd4de82f3903#r458090987

Comment 1 Sergiusz Urbaniak 2021-06-03 09:02:33 UTC
As discussed OOB in https://coreos.slack.com/archives/CC3CZCQHM/p1622635368364200, we will leave the current TTL window at 2 minutes. This prevents additional tokenreview API calls due to earlier cache invalidations. Instead, we will document the edge cases and time windows, where we describe the interleaving between token timeouts and cache timeouts as outlined in https://github.com/openshift/enhancements/pull/403#discussion_r458090987.
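
The interleaving between token timeouts and cache timeouts referred to in Comment 1, as an added example that is not part of the bug report or of the OpenShift code base. It is a simplified model: the function name, the sample timeline, and the assumption that the token's inactivity timer is refreshed only when a tokenreview reaches the OAuth server are all assumptions of the example.

```go
package main

import "fmt"

// Result of replaying a request timeline through the model.
type Result struct {
	Accepted []bool // per-request outcome
	Reviews  int    // tokenreview calls that reached the OAuth server
}

// Simulate replays request times (seconds since token issue) against a webhook
// authenticator that caches successful responses for cacheTTL seconds.
// Model assumption: the inactivity timer is refreshed only by a tokenreview.
func Simulate(requests []int, cacheTTL, inactivityTimeout int) Result {
	var res Result
	lastSeen := 0     // last use known to the OAuth server; token issued at t=0
	cachedUntil := -1 // no cache entry yet
	expired := false
	for _, t := range requests {
		switch {
		case expired:
			// Simplification: a timed-out token stays rejected, reviews not counted.
			res.Accepted = append(res.Accepted, false)
		case t < cachedUntil:
			// Cache hit: accepted, but the OAuth server never sees this use.
			res.Accepted = append(res.Accepted, true)
		default:
			res.Reviews++
			if t-lastSeen > inactivityTimeout {
				expired = true
				res.Accepted = append(res.Accepted, false)
				continue
			}
			lastSeen = t
			cachedUntil = t + cacheTTL
			res.Accepted = append(res.Accepted, true)
		}
	}
	return res
}

func main() {
	timeline := []int{0, 119, 301} // constructed sample: user is idle for only 182s
	for _, ttl := range []int{120, 30} {
		r := Simulate(timeline, ttl, 300) // 300s = minimal 5-minute token timeout
		fmt.Printf("ttl=%ds accepted=%v tokenreviews=%d\n", ttl, r.Accepted, r.Reviews)
	}
}
```

With the 2-minute TTL the request at 119s is served from cache, so the token is seen as idle since 0s and is rejected at 301s; with a 30s TTL it survives at the cost of one extra tokenreview call.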

Comment 2 Sergiusz Urbaniak 2021-06-07 11:03:31 UTC
Resetting to ASSIGNED as we don't have the documentation yet.

Comment 6 Shiftzilla 2023-03-09 01:03:29 UTC
OpenShift has moved to Jira for its defect tracking! This bug can now be found in the OCPBUGS project in Jira.
