Open dkhachyan opened 1 month ago
This issue is currently awaiting triage.
If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
/sig auth
Tokens are evaluated on every HTTP request, which makes the process slow
This is not strictly true, as all tokens pass through the global 10 second cache.
That being said, I don't see us implementing any caching for the distributed claims themselves. Instead, I would expect us to do more robust caching based on the token's exp claim while maintaining some upper bound TTL (1 hour?) and size limits on said cache, and invalidating the cache when signing keys are rotated.
I do not recommend trying to work on this at this time. These changes are nuanced and complex, and not high priority for us at this moment (and thus are unlikely to get reviewed or merged). I will likely take care of it at some point as part of addressing https://github.com/kubernetes/kubernetes/issues/122809#issuecomment-1894818219.
Aside: which IDP are you using that supports distributed claims in a way compatible with the API server? I am unaware of any, so this is mostly out of curiosity.
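The caching policy sketched in the comment above, as an added Go illustration that is not kube-apiserver code: an entry lives until the earlier of the token's exp claim and a fixed upper-bound TTL, the cache holds at most a fixed number of entries, and everything is flushed when the signing keys rotate. The cache key (assumed to be a hash of the raw token), the injectable clock and the claims type are assumptions, and locking is omitted.

```go
package main

import "time"

type entry struct {
	claims  map[string]string
	expires time.Time
}
// claimsCache is an illustration, not kube-apiserver code: entries live for
// min(token exp, maxTTL), at most maxEntries are kept, and key rotation flushes all.
type claimsCache struct {
	maxTTL     time.Duration
	maxEntries int
	entries    map[string]entry
	now        func() time.Time // injectable clock so expiry can be tested
}

func newClaimsCache(maxTTL time.Duration, maxEntries int, now func() time.Time) *claimsCache {
	return &claimsCache{maxTTL: maxTTL, maxEntries: maxEntries, entries: map[string]entry{}, now: now}
}
// Put stores claims under key (assumed: a hash of the raw token) until the earlier
// of exp and now+maxTTL; when full, the soonest-expiring entry is evicted first.
func (c *claimsCache) Put(key string, exp time.Time, claims map[string]string) {
	expires := c.now().Add(c.maxTTL)
	if exp.Before(expires) {
		expires = exp
	}
	if _, ok := c.entries[key]; !ok && len(c.entries) >= c.maxEntries {
		victim := ""
		for k, e := range c.entries {
			if victim == "" || e.expires.Before(c.entries[victim].expires) {
				victim = k
			}
		}
		delete(c.entries, victim)
	}
	c.entries[key] = entry{claims: claims, expires: expires}
}
// Get returns cached claims, dropping the entry once its deadline has passed.
func (c *claimsCache) Get(key string) (map[string]string, bool) {
	if e, ok := c.entries[key]; ok && c.now().Before(e.expires) {
		return e.claims, true
	}
	delete(c.entries, key)
	return nil, false
}
// OnKeysRotated invalidates every entry when the provider's signing keys change.
func (c *claimsCache) OnKeysRotated() { c.entries = map[string]entry{} }
```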
Thank you for your response. We are using a fork of Dex that uses distributed claims to retrieve group information from an external service.
What would you like to be added?
The oidc distributed claims feature was implemented (see PR #63213), but caching for resolved claims was left as a TODO (see code reference).
I am interested in implementing this caching feature but would like to discuss the approach before proceeding.
Why is this needed?
Tokens are evaluated on every HTTP request, which makes the process slow