1967090 – kube-apiserver should use 30s cache TTL fot openshift authentication

Bug 1967090 - kube-apiserver should use 30s cache TTL fot openshift authentication

Summary: kube-apiserver should use 30s cache TTL fot openshift authentication

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Documentation
Sub Component:
Version:	4.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	---
Target Release:	4.8.0
Assignee:	Andrea Hoffer
QA Contact:	Xiaoli Tian
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-06-02 12:33 UTC by Standa Laznicka
Modified:	2023-03-09 01:03 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-03-09 01:03:29 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift cluster-kube-apiserver-operator pull 1129	0	None	open	Bug 1967090: webhookauth observer: set cache TTL to 30s	2021-06-02 12:33:48 UTC
Github	openshift cluster-kube-apiserver-operator pull 1140	0	None	open	Bug 1967090: Revert webhookauth observer: set cache TTL to 30s	2021-06-04 08:36:17 UTC

Description Standa Laznicka 2021-06-02 12:33:10 UTC

Description of problem:
The default cache TTL is too long (2 minutes) and could significantly lower token lifespan if OpenShift access token timeout was set to its minimal value (5 minutes).

Version-Release number of selected component (if applicable):
4.8

How reproducible:
100%

Steps to Reproduce:
see the picture at https://github.com/openshift/enhancements/pull/403/commits/cffe15c9784311e4a758774c0b21cd4de82f3903#r458090987

Comment 1 Sergiusz Urbaniak 2021-06-03 09:02:33 UTC

As discussed OOB in https://coreos.slack.com/archives/CC3CZCQHM/p1622635368364200, we will leave the current TTL window at 2 minutes. This prevents additional tokenreview API calls due to earlier cache invalidations. Instead, we will document the edge cases and time windows, where we describe the interleaving between token timeouts and cache timeouts as outlined in https://github.com/openshift/enhancements/pull/403#discussion_r458090987.

Comment 2 Sergiusz Urbaniak 2021-06-07 11:03:31 UTC

resetting to ASSIGNED as we don't have the documentation yet

Comment 6 Shiftzilla 2023-03-09 01:03:29 UTC

OpenShift has moved to Jira for its defect tracking! This bug can now be found in the OCPBUGS project in Jira.

https://issues.redhat.com/browse/OCPBUGS-8893

Note You need to log in before you can comment on or make changes to this bug.