pkg/apiserver/authenticator: move oidc after service accounts
Both plugins verify JWTs, but the OpenID Connect plugin performs much worse when faced with cache misses. Reorder the plugins so the service account plugin tries to authenticate a bearer token first.
This commit is contained in:
parent
ea69570f61
commit
9b5ce5218f
@ -80,14 +80,6 @@ func New(config AuthenticatorConfig) (authenticator.Request, error) {
|
|||||||
authenticators = append(authenticators, tokenAuth)
|
authenticators = append(authenticators, tokenAuth)
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 {
|
|
||||||
oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCGroupsClaim)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
authenticators = append(authenticators, oidcAuth)
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(config.ServiceAccountKeyFile) > 0 {
|
if len(config.ServiceAccountKeyFile) > 0 {
|
||||||
serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountKeyFile, config.ServiceAccountLookup, config.ServiceAccountTokenGetter)
|
serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountKeyFile, config.ServiceAccountLookup, config.ServiceAccountTokenGetter)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -96,6 +88,20 @@ func New(config AuthenticatorConfig) (authenticator.Request, error) {
|
|||||||
authenticators = append(authenticators, serviceAccountAuth)
|
authenticators = append(authenticators, serviceAccountAuth)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NOTE(ericchiang): Keep the OpenID Connect after Service Accounts.
|
||||||
|
//
|
||||||
|
// Because both plugins verify JWTs whichever comes first in the union experiences
|
||||||
|
// cache misses for all requests using the other. While the service account plugin
|
||||||
|
// simply returns an error, the OpenID Connect plugin may query the provider to
|
||||||
|
// update the keys, causing performance hits.
|
||||||
|
if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 {
|
||||||
|
oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCGroupsClaim)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
authenticators = append(authenticators, oidcAuth)
|
||||||
|
}
|
||||||
|
|
||||||
if len(config.KeystoneURL) > 0 {
|
if len(config.KeystoneURL) > 0 {
|
||||||
keystoneAuth, err := newAuthenticatorFromKeystoneURL(config.KeystoneURL)
|
keystoneAuth, err := newAuthenticatorFromKeystoneURL(config.KeystoneURL)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
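Review bot: The NOTE added before the OIDC block justifies the new order purely on performance, but the union of authenticators accepts the first plugin that succeeds, so the property that makes this a behavior-preserving reorder — each plugin rejecting any JWT it cannot verify with its own key material — deserves to be stated in the comment itself; e.g. append `// Reordering is safe only because each plugin rejects JWTs it cannot verify with its own keys, so the union's first success is unchanged.` to the NOTE. It may also be worth recording there that, as far as the visible code shows, a bearer JWT that is not a service account token still falls through to the OIDC plugin and can trigger the key refresh the comment describes, so the reorder reduces but does not bound provider lookups. The enclosing `New` starts before the first hunk and continues past this one.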
|