From 96fb07d6b3fbe2f78b10930e4a54ae00b5992b29 Mon Sep 17 00:00:00 2001
From: Shihang Zhang
Date: Thu, 29 Oct 2020 23:30:21 -0700
Subject: [PATCH] add a jitter to bound token renewal

---
 pkg/kubelet/token/token_manager.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/pkg/kubelet/token/token_manager.go b/pkg/kubelet/token/token_manager.go
index 3eff42b9c9b..1497be509bc 100644
--- a/pkg/kubelet/token/token_manager.go
+++ b/pkg/kubelet/token/token_manager.go
@@ -22,6 +22,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "math/rand"
 "sync"
 "time"

@@ -36,8 +37,9 @@ import (
 )

 const (
- maxTTL = 24 * time.Hour
- gcPeriod = time.Minute
+ maxTTL = 24 * time.Hour
+ gcPeriod = time.Minute
+ maxJitter = 10 * time.Second
 )

 // NewManager returns a new token manager.
@@ -177,11 +179,12 @@ func (m *Manager) requiresRefresh(tr *authenticationv1.TokenRequest) bool {
 exp := tr.Status.ExpirationTimestamp.Time
 iat := exp.Add(-1 * time.Duration(*tr.Spec.ExpirationSeconds) * time.Second)

- if now.After(iat.Add(maxTTL)) {
+ jitter := time.Duration(rand.Float64()*maxJitter.Seconds()) * time.Second
+ if now.After(iat.Add(maxTTL - jitter)) {
 return true
 }
- // Require a refresh if within 20% of the TTL from the expiration time.
- if now.After(exp.Add(-1 * time.Duration((*tr.Spec.ExpirationSeconds*20)/100) * time.Second)) {
+ // Require a refresh if within 20% of the TTL plus a jitter from the expiration time.
+ if now.After(exp.Add(-1*time.Duration((*tr.Spec.ExpirationSeconds*20)/100)*time.Second - jitter)) {
 return true
 }
 return false
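Review bot: `maxJitter` joins the const block with no comment, so nothing next to the value says what it bounds or in which direction it moves the refresh deadline. A one-line comment above it would cover that, for example `// maxJitter is the upper bound of the random offset subtracted from a token's refresh deadlines.` The reason for choosing 10 seconds is not stated anywhere in the patch and would be worth recording in the same comment.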
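Review bot: The `jitter` value in `requiresRefresh` can only be a whole number of seconds from 0s to 9s, because `time.Duration(rand.Float64()*maxJitter.Seconds())` truncates the float before it is multiplied by `time.Second`. Ten possible offsets is coarse for spreading token renewals; `jitter := time.Duration(rand.Int63n(int64(maxJitter)))` keeps the same bound and draws at nanosecond granularity. The value comes from the global `math/rand` source, which on Go releases of this commit's date yields the same sequence in every process unless `rand.Seed` is called; whether the binary seeds it is not visible here. The offset is also redrawn on every call, so the effective threshold depends on how often callers ask, and a per-token offset fixed when the token is cached would be more predictable. The function begins before this hunk (`now` is assigned outside it) and its closing brace lies past the last line shown.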