mirror of
				https://github.com/k3s-io/kubernetes.git
				synced 2025-10-26 02:55:32 +00:00 
			
		
		
		
	Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. [PodSecurityPolicy] Optimize authorization check **What this PR does / why we need it**: Authorizing PodSecurityPolicy use may involve a remote call, and can be slow. Rather than authorizing the user / SA for every policy in the cluster, only test authz for the policies under which the pod is valid. This is a big improvement in the case where there are a lot of policies for which the pod is not valid (benchmark below), but should also help when the pod is valid under other policies, as it allows the authorization to short-circuit on the first accepted policy. **Benchmark:** Highlight from scale testing (see https://docs.google.com/document/d/1IIcHHE_No1KMAybW5krIphdN325eGa2sxF2eqg2YAPI/edit for the full results). These were run with 1000 policies under which the pods were not valid, and had no role bindings. | | method | resource | 50th percentile | 90th percentile | 99th percentile | -- | -- | -- | -- | -- | -- | 1.8 HEAD | POST | pods | 8.696784s | 20.497659s | 22.472421s | 1.8 With fix | POST | pods | 25.454ms | 29.068ms | 85.817ms (I didn't benchmark master, but expect the difference to be more drastic, since the authorization is run twice - for both Admit and Validate) **Which issue(s) this PR fixes**: Fixes #55521 **Special notes for your reviewer**: The validation errors are no longer totally accurate, as they may include errors from PSPs that the user/pod isn't authorized to use. However, I think this is a worthwhile tradeoff. If this is a big concern, we could authorize all policies in the case where none admitted /validated the pod. **Release note**: ```release-note Improved PodSecurityPolicy admission latency, but validation errors are no longer limited to only errors from authorized policies. ```