Merge pull request #95725 from p0lyn0mial/delegated-authz-sar-timeout

sets explicit timeout for SubjectAccessReview client
2025-07-27 05:27:21 +00:00 · 2020-10-27 03:37:59 -07:00 · 2020-10-27 03:37:59 -07:00 · 4df8d97af0
commit 4df8d97af0
parent 1f0371bb3f 2160cbc53f
3 changed files with 14 additions and 0 deletions
--- a/cmd/cloud-controller-manager/app/options/options_test.go
+++ b/cmd/cloud-controller-manager/app/options/options_test.go
@ -116,6 +116,7 @@ func TestDefaultFlags(t *testing.T) {
 		Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
 			AllowCacheTTL:                10 * time.Second,
 			DenyCacheTTL:                 10 * time.Second,
 			ClientTimeout:                10 * time.Second,
 			RemoteKubeConfigFileOptional: true,
 			AlwaysAllowPaths:             []string{"/healthz"}, // note: this does not match /healthz/ or
 		},
@ -248,6 +249,7 @@ func TestAddFlags(t *testing.T) {
 		Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
 			AllowCacheTTL:                10 * time.Second,
 			DenyCacheTTL:                 10 * time.Second,
 			ClientTimeout:                10 * time.Second,
 			RemoteKubeConfigFileOptional: true,
 			AlwaysAllowPaths:             []string{"/healthz"}, // note: this does not match /healthz/ or
 		},
--- a/cmd/kube-controller-manager/app/options/options_test.go
+++ b/cmd/kube-controller-manager/app/options/options_test.go
@ -417,6 +417,7 @@ func TestAddFlags(t *testing.T) {
 		Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
 			AllowCacheTTL:                10 * time.Second,
 			DenyCacheTTL:                 10 * time.Second,
 			ClientTimeout:                10 * time.Second,
 			RemoteKubeConfigFileOptional: true,
 			AlwaysAllowPaths:             []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
 		},
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
@ -59,6 +59,10 @@ type DelegatingAuthorizationOptions struct {
 	// AlwaysAllowGroups are groups which are allowed to take any actions.  In kube, this is system:masters.
 	AlwaysAllowGroups []string
 	// ClientTimeout specifies a time limit for requests made by SubjectAccessReviews client.
 	// The default value is set to 10 seconds.
 	ClientTimeout time.Duration
 }
 func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions {
@ -66,6 +70,7 @@ func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions {
 		// very low for responsiveness, but high enough to handle storms
 		AllowCacheTTL: 10 * time.Second,
 		DenyCacheTTL:  10 * time.Second,
 		ClientTimeout: 10 * time.Second,
 	}
 }
@ -81,6 +86,11 @@ func (s *DelegatingAuthorizationOptions) WithAlwaysAllowPaths(paths ...string) *
 	return s
 }
 // WithClientTimeout sets the given timeout for SAR client used by this authorizer
 func (s *DelegatingAuthorizationOptions) WithClientTimeout(timeout time.Duration) {
 	s.ClientTimeout = timeout
 }
 func (s *DelegatingAuthorizationOptions) Validate() []error {
 	allErrors := []error{}
 	return allErrors
@ -186,6 +196,7 @@ func (s *DelegatingAuthorizationOptions) getClient() (kubernetes.Interface, erro
 	// set high qps/burst limits since this will effectively limit API server responsiveness
 	clientConfig.QPS = 200
 	clientConfig.Burst = 400
 	clientConfig.Timeout = s.ClientTimeout
 	return kubernetes.NewForConfig(clientConfig)
 }