search

int128 / kubelogin

kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Apache License 2.0
1.76k stars 195 forks source link

slow kubectl api calls with Macos kubelogin #711

Open henro001 opened 2 years ago

henro001 commented 2 years ago

I am looking for some help troubleshooting slowness with kubectl api calls. With client certificate or webhook token the “kubectl get all” takes 1-2 seconds. With oidc/kubelogin with Azure AD this same command takes 15-20 seconds.

Configuration:

kube-apiserver
    - --oidc-client-id=xx
    - --oidc-issuer-url=xx
    - --oidc-groups-claim=groups
    - --oidc-username-claim=email

kubeconfig

- name: xx
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=xx
      - --oidc-client-id=xx
      - --oidc-client-secret=xx
      command: kubectl
      env: null
      provideClusterInfo: false

Reproduce

This is slow only on my current Mac and mac kubelogin client. Deployed a Linux VM on this mac and installed same version of kubectl and kubelogin and the response is 1-2 seconds

Environment

Additional logs

Linux

I0322 22:44:37.195426   19311 round_trippers.go:445] GET https://kube.xxx:6443/api/v1/namespaces/monitoring/pods?limit=500 200 OK in 196 milliseconds
I0322 22:44:37.352002   19311 round_trippers.go:445] GET https://kube.xxx:6443/api/v1/namespaces/monitoring/replicationcontrollers?limit=500 200 OK in 100 milliseconds
I0322 22:44:37.451317   19311 round_trippers.go:445] GET https://kube.xxx:6443/api/v1/namespaces/monitoring/services?limit=500 200 OK in 98 milliseconds
I0322 22:44:37.568004   19311 round_trippers.go:445] GET https://kube.xxx:6443/apis/apps/v1/namespaces/monitoring/daemonsets?limit=500 200 OK in 99 milliseconds
I0322 22:44:37.670779   19311 round_trippers.go:445] GET https://kube.xxx:6443/apis/apps/v1/namespaces/monitoring/deployments?limit=500 200 OK in 101 milliseconds
I0322 22:44:37.774087   19311 round_trippers.go:445] GET https://kube.xxx:6443/apis/apps/v1/namespaces/monitoring/replicasets?limit=500 200 OK in 101 milliseconds
I0322 22:44:37.921389   19311 round_trippers.go:445] GET https://kube.xxx:6443/apis/apps/v1/namespaces/monitoring/statefulsets?limit=500 200 OK in 95 milliseconds
I0322 22:44:38.041745   19311 round_trippers.go:445] GET https://kube.xxx:6443/apis/autoscaling/v1/namespaces/monitoring/horizontalpodautoscalers?limit=500 200 OK in 109 milliseconds
I0322 22:44:38.171884   19311 round_trippers.go:445] GET https://kube.xxx:6443/apis/batch/v1/namespaces/monitoring/jobs?limit=500 200 OK in 129 milliseconds
I0322 22:44:38.313637   19311 round_trippers.go:445] GET https://kube.xxx:6443/apis/batch/v1beta1/namespaces/monitoring/cronjobs?limit=500 200 OK in 140 milliseconds

Mac

I0322 18:45:10.053652   44775 round_trippers.go:445] GET https://kube.xxx:6443/api/v1/namespaces/keycloak/pods?limit=500 200 OK in 1285 milliseconds
I0322 18:45:11.203856   44775 round_trippers.go:445] GET https://kube.xxx:6443/api/v1/namespaces/keycloak/replicationcontrollers?limit=500 200 OK in 1125 milliseconds
I0322 18:45:12.375851   44775 round_trippers.go:445] GET https://kube.xxx:6443/api/v1/namespaces/keycloak/services?limit=500 200 OK in 1171 milliseconds
I0322 18:45:13.539273   44775 round_trippers.go:445] GET https://kube.xxx:6443/apis/apps/v1/namespaces/keycloak/daemonsets?limit=500 200 OK in 1136 milliseconds
I0322 18:45:14.675947   44775 round_trippers.go:445] GET https://kube.xxx:6443/apis/apps/v1/namespaces/keycloak/deployments?limit=500 200 OK in 1136 milliseconds
I0322 18:45:15.847715   44775 round_trippers.go:445] GET https://kube.xxx:6443/apis/apps/v1/namespaces/keycloak/replicasets?limit=500 200 OK in 1171 milliseconds
I0322 18:45:16.989410   44775 round_trippers.go:445] GET https://kube.xxx:6443/apis/apps/v1/namespaces/keycloak/statefulsets?limit=500 200 OK in 1141 milliseconds
I0322 18:45:18.113441   44775 round_trippers.go:445] GET https://kube.xxx:6443/apis/autoscaling/v1/namespaces/keycloak/horizontalpodautoscalers?limit=500 200 OK in 1123 milliseconds
I0322 18:45:19.277459   44775 round_trippers.go:445] GET https://kube.xxx:6443/apis/batch/v1/namespaces/keycloak/jobs?limit=500 200 OK in 1163 milliseconds
I0322 18:45:20.421006   44775 round_trippers.go:445] GET https://kube.xxx:6443/apis/batch/v1beta1/namespaces/keycloak/cronjobs?limit=500 200 OK in 1142 milliseconds
henro001 commented 2 years ago

Looks like with older version of kubectl this works - 1.19.3 and this problem was introduced in 1.19.4