Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Track opened connections with a single tracker per authenticator #97857

Merged
merged 1 commit into from Jan 11, 2021
Merged

Track opened connections with a single tracker per authenticator #97857

merged 1 commit into from Jan 11, 2021

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Jan 8, 2021
edited

What type of PR is this?

/kind bug

What this PR does / why we need it:

Consolidates connection tracking when creating exec auth clients to use a single tracker per authenticator.

This side-steps the following issues to unblock exec auth:

  • clientset.New creating egregiously many new restclients for a clientset (~40+)
  • kubectl describe creating a new clientset per object
  • kubectl get creating a new clientset per object (for some output types)

Which issue(s) this PR fixes:
Fixes #91913

Does this PR introduce a user-facing change?:

Using exec auth plugins with kubectl no longer results in warnings about constructing many client instances from the same exec auth config.

/cc @enj @ankeesler
@kubernetes/sig-auth-pr-reviews

@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jan 8, 2021
@k8s-ci-robot k8s-ci-robot requested a review from enj January 8, 2021 17:15
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Jan 8, 2021
@k8s-ci-robot
Copy link
Contributor

@liggitt: GitHub didn't allow me to request PR reviews from the following users: ankeesler.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

What type of PR is this?

/kind bug

What this PR does / why we need it:

Consolidates connection tracking when creating exec auth clients to use a single tracker per authenticator.

Which issue(s) this PR fixes:
Fixes #91913

Does this PR introduce a user-facing change?:

Using exec auth plugins with kubectl no longer results in warnings about constructing many client instances from the same exec auth config.

/cc @enj @ankeesler
@kubernetes/sig-auth-pr-reviews

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Jan 8, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 8, 2021
@liggitt
Copy link
Member Author

liggitt commented Jan 8, 2021
edited

/triage accepted
/priority important-soon
/milestone v1.21

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Jan 8, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.20 milestone Jan 8, 2021
@k8s-ci-robot k8s-ci-robot removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 8, 2021
@liggitt liggitt modified the milestones: v1.20, v1.21 Jan 8, 2021
@liggitt liggitt mentioned this pull request Jan 8, 2021
Closed
ankeesler
ankeesler reviewed Jan 8, 2021
View reviewed changes
Copy link
Contributor

@ankeesler ankeesler left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lol, i tried something remarkably similar yesterday, so that is a good sign.

one thing i still can't convince myself of: will sibling clients that use the same exec authenticator potentially interrupt each other's connections?

  • scenario: 2 rest.RESTClient's, using the same exec.Authenticator
  • rest.RESTClient A wants to make HTTP call, so it creates TCP connection to API, gets certs from tls.Config.GetCert, creates TLS session, starts long REST operation (i.e., watch?)
  • rest.RESTClient B wants to make HTTP call, so it creates TCP connection to API, gets certs from tls.Config.GetCert, exec.Authenticator sees that cert has expired, so it goes to refresh the cert and therefore calls CloseAll() on all the TCP connections, and thus rest.RESTClient A's long REST operation is interrupted because the TCP connection is closed

@liggitt
Copy link
Member Author

liggitt commented Jan 8, 2021

will sibling clients that use the same exec authenticator potentially interrupt each other's connections?

Yes, as they did before this PR

@ankeesler
Copy link
Contributor

Yes, as they did before this PR

ah, yes. dang should have caught that! alrighty, this seems like a net improvement then.

@ankeesler ankeesler mentioned this pull request Jan 8, 2021
Closed
@liggitt
Copy link
Member Author

liggitt commented Jan 8, 2021

kind flakes were both #96803

/retest

@liggitt
Copy link
Member Author

liggitt commented Jan 8, 2021

/cc @deads2k

@enj
Copy link
Member

enj commented Jan 11, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 11, 2021
@k8s-ci-robot k8s-ci-robot merged commit e9dba7a into kubernetes:master Jan 11, 2021
@liggitt liggitt deleted the exec-auth-reuse-dialer branch January 12, 2021 13:54
@github-actions github-actions bot mentioned this pull request Jan 12, 2021
Open
@GuessWhoSamFoo GuessWhoSamFoo mentioned this pull request Jan 24, 2021
Closed
@ipleten ipleten mentioned this pull request Jul 19, 2021
Closed
@ipleten
Copy link

ipleten commented Jul 21, 2021

Is there any chances it can be backported to v1.19?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ankeesler ankeesler ankeesler left review comments

@enj enj Awaiting requested review from enj

@deads2k deads2k Awaiting requested review from deads2k

Assignees

@enj enj

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.21
Development

Successfully merging this pull request may close these issues.

kubectl output flooded with warnings about aws-iam-authenticator
5 participants
@liggitt @k8s-ci-robot @ankeesler @enj @ipleten