• Kubernetes Submit Queue's avatar
    Merge pull request #50258 from liggitt/token-cache · 42adb9ef
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
    
    Enable caching successful token authentication
    
    Resolves #50472
    
    To support revocation of service account tokens, an etcd lookup of the token and service account is done by the token authenticator. Controllers that make dozens or hundreds of API calls per second (like the endpoints controller) cause this lookup to be done very frequently on the same objects.
    
    This PR:
    * Implements a cached token authenticator that conforms to the authenticator.Token interface
    * Implements a union token authenticator (same approach as the union request authenticator, conforming to the authenticator.Token interface)
    * Cleans up the auth chain construction to group all token authenticators (means we only do bearer and websocket header parsing once)
    * Adds a 10-second TTL cache to successful token authentication
    
    ```release-note
    API server authentication now caches successful bearer token authentication results for a few seconds.
    ```
    42adb9ef
BUILD 2.31 KB