github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 14:07:14 +00:00
Code Issues Projects Releases Wiki Activity
Production-Grade Container Scheduling and Management
58,514 Commits 42 Branches 7,905 Tags 1.3 GiB
Go 97%
Shell 2.6%
PowerShell 0.2%
215844219b
Go to file
Kubernetes Submit Queue 215844219b
Merge pull request #55643 from tallclair/psp-scale 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

[PodSecurityPolicy] Optimize authorization check

**What this PR does / why we need it**:

Authorizing PodSecurityPolicy use may involve a remote call, and can be slow. Rather than authorizing the user / SA for every policy in the cluster, only test authz for the policies under which the pod is valid.

This is a big improvement in the case where there are a lot of policies for which the pod is not valid (benchmark below), but should also help when the pod is valid under other policies, as it allows the authorization to short-circuit on the first accepted policy.

**Benchmark:**
Highlight from scale testing (see https://docs.google.com/document/d/1IIcHHE_No1KMAybW5krIphdN325eGa2sxF2eqg2YAPI/edit for the full results). These were run with 1000 policies under which the pods were not valid, and had no role bindings.

| | method | resource | 50th percentile | 90th percentile | 99th percentile
| -- | -- | -- | -- | -- | --
| 1.8 HEAD | POST | pods | 8.696784s | 20.497659s | 22.472421s
| 1.8 With fix | POST | pods | 25.454ms | 29.068ms | 85.817ms

(I didn't benchmark master, but expect the difference to be more drastic, since the authorization is run twice - for both Admit and Validate)

**Which issue(s) this PR fixes**:
Fixes #55521

**Special notes for your reviewer**:
The validation errors are no longer totally accurate, as they may include errors from PSPs that the user/pod isn't authorized to use. However, I think this is a worthwhile tradeoff. If this is a big concern, we could authorize all policies in the case where none admitted /validated the pod.

**Release note**:
```release-note
Improved PodSecurityPolicy admission latency, but validation errors are no longer limited to only errors from authorized policies.
```
2017-11-22 15:47:54 -08:00
.github Merge pull request #54114 from xiangpengzhao/fix-pr-template 2017-10-30 18:37:06 -07:00
api Merge pull request #54140 from wackxu/updds 2017-11-22 14:12:57 -08:00
build install ipset in debian-iptables docker image and bump tag to v10 2017-11-22 15:37:15 +08:00
cluster move the MutatingAdmissionWebhook to the last in the mutating amdission 2017-11-22 08:55:16 -08:00
cmd Merge pull request #56201 from luxas/new_kubeadm_owners 2017-11-22 14:13:10 -08:00
docs Merge pull request #54140 from wackxu/updds 2017-11-22 14:12:57 -08:00
examples Update generated files 2017-11-09 12:14:08 +01:00
Godeps udpate cadvisor dependency to v0.28.2 2017-11-22 08:45:26 -08:00
hack move the MutatingAdmissionWebhook to the last in the mutating amdission 2017-11-22 08:55:16 -08:00
logo Don't use strokes in the logo SVG 2017-10-12 09:38:56 -07:00
pkg Merge pull request #56233 from liggitt/psp-owners 2017-11-22 12:45:08 -08:00
plugin Merge pull request #55643 from tallclair/psp-scale 2017-11-22 15:47:54 -08:00
staging Merge pull request #54140 from wackxu/updds 2017-11-22 14:12:57 -08:00
test Merge pull request #56183 from jeffvance/e2e-issue-56041 2017-11-22 11:59:58 -08:00
third_party Update generated files 2017-11-09 12:14:08 +01:00
translations Merge pull request #47584 from zjj2wry/translate 2017-11-15 23:57:28 -08:00
vendor udpate cadvisor dependency to v0.28.2 2017-11-22 08:45:26 -08:00
.bazelrc move build related files out of the root directory 2017-05-15 15:53:54 -07:00
.generated_files Move .generated_docs to docs/ so docs OWNERS can review / approve 2017-02-16 10:11:57 -08:00
.gitattributes Hide openapi-spec in diffs 2017-11-04 23:16:04 -07:00
.gitignore make clean will remove all gitignored files 2017-09-04 11:04:09 -07:00
.kazelcfg.json Switch from gazel to kazel, and move kazelcfg into build/root 2017-07-18 12:48:51 -07:00
BUILD.bazel move build related files out of the root directory 2017-05-15 15:53:54 -07:00
CHANGELOG-1.2.md Update TOC of CHANGELOG 2017-09-09 13:38:29 +08:00
CHANGELOG-1.3.md Move 1.3.* release notes out of CHANGELOG.md 2017-09-15 11:21:25 +08:00
CHANGELOG-1.4.md Update invalid TOC anchor of 1.4 CHANGELOG 2017-10-26 17:25:23 +08:00
CHANGELOG-1.5.md Regenerate CHANGELOG TOCs 2017-10-11 17:04:47 -04:00
CHANGELOG-1.6.md Update CHANGELOG-1.6.md for v1.6.13. 2017-11-22 14:06:09 -08:00
CHANGELOG-1.7.md Update CHANGELOG-1.7.md for v1.7.10. 2017-11-03 16:39:03 -04:00
CHANGELOG-1.8.md Update CHANGELOG-1.8.md for v1.8.4. 2017-11-20 10:08:31 -08:00
CHANGELOG-1.9.md Update CHANGELOG-1.9.md for v1.9.0-alpha.3. 2017-11-15 16:08:16 -08:00
CHANGELOG.md Move 1.8.x release notes 2017-10-11 22:41:36 -04:00
code-of-conduct.md
CONTRIBUTING.md Close kubernetes/community#420 2017-03-08 09:59:30 -08:00
labels.yaml Merge pull request #51848 from xiangpengzhao/milestone-label 2017-09-05 15:46:19 -07:00
LICENSE LICENSE: revert modifications to Apache license 2016-11-22 11:44:46 -08:00
Makefile move build related files out of the root directory 2017-05-15 15:53:54 -07:00
Makefile.generated_files move build related files out of the root directory 2017-05-15 15:53:54 -07:00
OWNERS Fix my incorrect username in #46649 2017-08-10 11:59:54 -07:00
OWNERS_ALIASES Add bsalamat to milestone maintainers 2017-10-26 10:25:42 -07:00
README.md Add CII Best Practices Badge 2017-08-22 10:56:16 -05:00
SUPPORT.md Add a SUPPORT.md file for github 2017-08-11 14:42:36 -04:00
Vagrantfile Customizable vagrant rsync args and excludes 2016-11-14 11:18:44 +01:00
WORKSPACE move build related files out of the root directory 2017-05-15 15:53:54 -07:00

README.md

Kubernetes

Submit Queue Widget GoDoc Widget CII Best Practices

Kubernetes is an open source system for managing containerized applications across multiple hosts, providing basic mechanisms for deployment, maintenance, and scaling of applications.

Kubernetes builds upon a decade and a half of experience at Google running production workloads at scale using a system called Borg, combined with best-of-breed ideas and practices from the community.

Kubernetes is hosted by the Cloud Native Computing Foundation (CNCF). If you are a company that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details about who's involved and how Kubernetes plays a role, read the CNCF announcement.

To start using Kubernetes

See our documentation on kubernetes.io.

Try our interactive tutorial.

Take a free course on Scalable Microservices with Kubernetes.

To start developing Kubernetes

The community repository hosts all information about building Kubernetes from source, how to contribute code and documentation, who to contact about what, etc.

If you want to build Kubernetes right away there are two options:

You have a working Go environment.
$ go get -d k8s.io/kubernetes
$ cd $GOPATH/src/k8s.io/kubernetes
$ make
You have a working Docker environment.
$ git clone https://github.com/kubernetes/kubernetes
$ cd kubernetes
$ make quick-release

If you are less impatient, head over to the developer's documentation.

Support

If you need support, start with the troubleshooting guide and work your way through the process that we've outlined.

That said, if you have questions, reach out to us one way or another.

Analytics