github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-10 04:27:54 +00:00
Code Issues Projects Releases Wiki Activity

split compile and eval

Browse Source 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
This commit is contained in:
Rita Zhang 2023-11-08 16:37:10 -08:00
parent fe53db0dbd
commit 11cdb8fd01
No known key found for this signature in database
GPG Key ID: 0B1D9C98A2BFE852
1 changed files with 66 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_v1_test.go
View File

@ -783,11 +783,23 @@ func TestStructuredAuthzConfigFeatureEnablement(t *testing.T) {
} }
func BenchmarkNoCELExpressionFeatureOff(b *testing.B) { func BenchmarkNoCELExpressionFeatureOff(b *testing.B) {
benchmarkWebhookAuthorizer(b, []apiserver.WebhookMatchCondition{}, false) expressions := []apiserver.WebhookMatchCondition{}
b.Run("compile", func(b *testing.B) {
benchmarkNewWebhookAuthorizer(b, expressions, false)
})
b.Run("authorize", func(b *testing.B) {
benchmarkWebhookAuthorize(b, expressions, false)
})
} }
func BenchmarkNoCELExpressionFeatureOn(b *testing.B) { func BenchmarkNoCELExpressionFeatureOn(b *testing.B) {
benchmarkWebhookAuthorizer(b, []apiserver.WebhookMatchCondition{}, true) expressions := []apiserver.WebhookMatchCondition{}
b.Run("compile", func(b *testing.B) {
benchmarkNewWebhookAuthorizer(b, expressions, true)
})
b.Run("authorize", func(b *testing.B) {
benchmarkWebhookAuthorize(b, expressions, true)
})
} }
func BenchmarkWithOneCELExpressions(b *testing.B) { func BenchmarkWithOneCELExpressions(b *testing.B) {
expressions := []apiserver.WebhookMatchCondition{ expressions := []apiserver.WebhookMatchCondition{
@ -795,7 +807,12 @@ func BenchmarkWithOneCELExpressions(b *testing.B) {
Expression: "request.user == 'alice'", Expression: "request.user == 'alice'",
}, },
} }
benchmarkWebhookAuthorizer(b, expressions, true) b.Run("compile", func(b *testing.B) {
benchmarkNewWebhookAuthorizer(b, expressions, true)
})
b.Run("authorize", func(b *testing.B) {
benchmarkWebhookAuthorize(b, expressions, true)
})
} }
func BenchmarkWithTwoCELExpressions(b *testing.B) { func BenchmarkWithTwoCELExpressions(b *testing.B) {
expressions := []apiserver.WebhookMatchCondition{ expressions := []apiserver.WebhookMatchCondition{
@ -806,7 +823,12 @@ func BenchmarkWithTwoCELExpressions(b *testing.B) {
Expression: "request.uid == '1'", Expression: "request.uid == '1'",
}, },
} }
benchmarkWebhookAuthorizer(b, expressions, true) b.Run("compile", func(b *testing.B) {
benchmarkNewWebhookAuthorizer(b, expressions, true)
})
b.Run("authorize", func(b *testing.B) {
benchmarkWebhookAuthorize(b, expressions, true)
})
} }
func BenchmarkWithTwoComplexCELExpressions(b *testing.B) { func BenchmarkWithTwoComplexCELExpressions(b *testing.B) {
expressions := []apiserver.WebhookMatchCondition{ expressions := []apiserver.WebhookMatchCondition{
@ -817,7 +839,12 @@ func BenchmarkWithTwoComplexCELExpressions(b *testing.B) {
Expression: "has(request.resourceAttributes) && request.resourceAttributes.namespace == 'kittensandponies'", Expression: "has(request.resourceAttributes) && request.resourceAttributes.namespace == 'kittensandponies'",
}, },
} }
benchmarkWebhookAuthorizer(b, expressions, true) b.Run("compile", func(b *testing.B) {
benchmarkNewWebhookAuthorizer(b, expressions, true)
})
b.Run("authorize", func(b *testing.B) {
benchmarkWebhookAuthorize(b, expressions, true)
})
} }
func BenchmarkWithManyCELExpressions(b *testing.B) { func BenchmarkWithManyCELExpressions(b *testing.B) {
expressions := []apiserver.WebhookMatchCondition{ expressions := []apiserver.WebhookMatchCondition{
@ -846,10 +873,37 @@ func BenchmarkWithManyCELExpressions(b *testing.B) {
Expression: "has(request.resourceAttributes) && request.resourceAttributes.namespace == 'kittensandponies'", Expression: "has(request.resourceAttributes) && request.resourceAttributes.namespace == 'kittensandponies'",
}, },
} }
benchmarkWebhookAuthorizer(b, expressions, true) b.Run("compile", func(b *testing.B) {
benchmarkNewWebhookAuthorizer(b, expressions, true)
})
b.Run("authorize", func(b *testing.B) {
benchmarkWebhookAuthorize(b, expressions, true)
})
} }
func benchmarkWebhookAuthorizer(b *testing.B, expressions []apiserver.WebhookMatchCondition, featureEnabled bool) { func benchmarkNewWebhookAuthorizer(b *testing.B, expressions []apiserver.WebhookMatchCondition, featureEnabled bool) {
service := new(mockV1Service)
service.statusCode = 200
service.Allow()
s, err := NewV1TestServer(service, serverCert, serverKey, caCert)
if err != nil {
b.Fatal(err)
}
defer s.Close()
defer featuregatetesting.SetFeatureGateDuringTest(b, utilfeature.DefaultFeatureGate, features.StructuredAuthorizationConfiguration, featureEnabled)()
b.ResetTimer()
for i := 0; i < b.N; i++ {
// Create an authorizer with or without expressions to compile
_, err := newV1Authorizer(s.URL, clientCert, clientKey, caCert, 0, noopAuthorizerMetrics(), expressions)
if err != nil {
b.Fatal(err)
}
}
b.StopTimer()
}
func benchmarkWebhookAuthorize(b *testing.B, expressions []apiserver.WebhookMatchCondition, featureEnabled bool) {
attr := authorizer.AttributesRecord{ attr := authorizer.AttributesRecord{
User: &user.DefaultInfo{ User: &user.DefaultInfo{
Name: "alice", Name: "alice",
@ -870,14 +924,14 @@ func benchmarkWebhookAuthorizer(b *testing.B, expressions []apiserver.WebhookMat
} }
defer s.Close() defer s.Close()
defer featuregatetesting.SetFeatureGateDuringTest(b, utilfeature.DefaultFeatureGate, features.StructuredAuthorizationConfiguration, featureEnabled)() defer featuregatetesting.SetFeatureGateDuringTest(b, utilfeature.DefaultFeatureGate, features.StructuredAuthorizationConfiguration, featureEnabled)()
// Create an authorizer with or without expressions to compile
wh, err := newV1Authorizer(s.URL, clientCert, clientKey, caCert, 0, noopAuthorizerMetrics(), expressions)
if err != nil {
b.Fatal(err)
}
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
// Create an authorizer with or without expressions to compile
wh, err := newV1Authorizer(s.URL, clientCert, clientKey, caCert, 0, noopAuthorizerMetrics(), expressions)
if err != nil {
b.Fatal(err)
}
// Call authorize may or may not require cel evaluations // Call authorize may or may not require cel evaluations
_, _, err = wh.Authorize(context.Background(), attr) _, _, err = wh.Authorize(context.Background(), attr)
if err != nil { if err != nil {