Allow disabling caching for webhook authorizers when using apiserver.config.k8s.io/v1{alpha1,beta1}.AuthorizationConfiguration (kubernetes#129237)

* Introduce new boolean `cache{Una,A}uthorizedRequests` field

* Run `hack/update-codegen.sh`

* Respect legacy flags values for caching

With the legacy `--authorization-webhook-cache-{un}authorized-ttl`
flags, caching was disabled when the TTL was set to `0`, so let's
continue doing so when building the authz configuration struct.

* Pass TTL=0 to webhook authz plugin when cache disabled

Author: rfranzke

pkg/kubeapiserver/authorizer/reload.go

@@ -141,10 +141,18 @@ func (r *reloadableAuthorizerResolver) newForConfig(authzConfig *authzconfig.Aut
 			default:
 				return nil, nil, fmt.Errorf("unknown failurePolicy %q", configuredAuthorizer.Webhook.FailurePolicy)
 			}
+
+			authorizedTTL, unauthorizedTTL := configuredAuthorizer.Webhook.AuthorizedTTL.Duration, configuredAuthorizer.Webhook.UnauthorizedTTL.Duration
+			if !configuredAuthorizer.Webhook.CacheAuthorizedRequests {
+				authorizedTTL = 0
+			}
+			if !configuredAuthorizer.Webhook.CacheUnauthorizedRequests {
+				unauthorizedTTL = 0
+			}
 			webhookAuthorizer, err := webhook.New(clientConfig,
 				configuredAuthorizer.Webhook.SubjectAccessReviewVersion,
-				configuredAuthorizer.Webhook.AuthorizedTTL.Duration,
-				configuredAuthorizer.Webhook.UnauthorizedTTL.Duration,
+				authorizedTTL,
+				unauthorizedTTL,
 				*r.initialConfig.WebhookRetryBackoff,
 				decisionOnError,
 				configuredAuthorizer.Webhook.MatchConditions,

pkg/kubeapiserver/options/authorization.go

@@ -33,7 +33,6 @@ import (
 	authzconfig "k8s.io/apiserver/pkg/apis/apiserver"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	versionedinformers "k8s.io/client-go/informers"
-
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
@@ -273,8 +272,10 @@ func (o *BuiltInAuthorizationOptions) buildAuthorizationConfiguration() (*authzc
 				Type: authzconfig.TypeWebhook,
 				Name: defaultWebhookName,
 				Webhook: &authzconfig.WebhookConfiguration{
-					AuthorizedTTL:   metav1.Duration{Duration: o.WebhookCacheAuthorizedTTL},
-					UnauthorizedTTL: metav1.Duration{Duration: o.WebhookCacheUnauthorizedTTL},
+					AuthorizedTTL:             metav1.Duration{Duration: o.WebhookCacheAuthorizedTTL},
+					CacheAuthorizedRequests:   o.WebhookCacheAuthorizedTTL != 0,
+					UnauthorizedTTL:           metav1.Duration{Duration: o.WebhookCacheUnauthorizedTTL},
+					CacheUnauthorizedRequests: o.WebhookCacheUnauthorizedTTL != 0,
 					// Timeout and FailurePolicy are required for the new configuration.
 					// Setting these two implicitly to preserve backward compatibility.
 					Timeout:                    metav1.Duration{Duration: 30 * time.Second},

staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load_test.go

@@ -213,8 +213,10 @@ func TestLoadFromData(t *testing.T) {
 					Type: "Webhook",
 					Name: "default",
 					Webhook: &api.WebhookConfiguration{
-						AuthorizedTTL:   metav1.Duration{Duration: 5 * time.Minute},
-						UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+						AuthorizedTTL:             metav1.Duration{Duration: 5 * time.Minute},
+						CacheAuthorizedRequests:   true,
+						UnauthorizedTTL:           metav1.Duration{Duration: 30 * time.Second},
+						CacheUnauthorizedRequests: true,
 					},
 				}},
 			},
@@ -252,8 +254,10 @@ authorizers:
 					Type: "Webhook",
 					Name: "default",
 					Webhook: &api.WebhookConfiguration{
-						AuthorizedTTL:   metav1.Duration{Duration: 5 * time.Minute},
-						UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+						AuthorizedTTL:             metav1.Duration{Duration: 5 * time.Minute},
+						CacheAuthorizedRequests:   true,
+						UnauthorizedTTL:           metav1.Duration{Duration: 30 * time.Second},
+						CacheUnauthorizedRequests: true,
 					},
 				}},
 			},
@@ -291,8 +295,10 @@ authorizers:
 					Type: "Webhook",
 					Name: "default",
 					Webhook: &api.WebhookConfiguration{
-						AuthorizedTTL:   metav1.Duration{Duration: 5 * time.Minute},
-						UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+						AuthorizedTTL:             metav1.Duration{Duration: 5 * time.Minute},
+						CacheAuthorizedRequests:   true,
+						UnauthorizedTTL:           metav1.Duration{Duration: 30 * time.Second},
+						CacheUnauthorizedRequests: true,
 					},
 				}},
 			},

staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go

@@ -334,11 +334,21 @@ type WebhookConfiguration struct {
 	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 	// Default: 5m0s
 	AuthorizedTTL metav1.Duration
+	// CacheAuthorizedRequests specifies whether authorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// AuthorizedTTL field.
+	// Default: true
+	CacheAuthorizedRequests bool
 	// The duration to cache 'unauthorized' responses from the webhook
 	// authorizer.
 	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 	// Default: 30s
 	UnauthorizedTTL metav1.Duration
+	// CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// UnauthorizedTTL field.
+	// Default: true
+	CacheUnauthorizedRequests bool
 	// Timeout for the webhook request
 	// Maximum allowed value is 30s.
 	// Required, no default value.

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go

@@ -21,6 +21,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 )
 
 var (
@@ -53,7 +54,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) {
 	if obj.AuthorizedTTL.Duration == 0 {
 		obj.AuthorizedTTL.Duration = 5 * time.Minute
 	}
+	if obj.CacheAuthorizedRequests == nil {
+		obj.CacheAuthorizedRequests = ptr.To(true)
+	}
 	if obj.UnauthorizedTTL.Duration == 0 {
 		obj.UnauthorizedTTL.Duration = 30 * time.Second
 	}
+	if obj.CacheUnauthorizedRequests == nil {
+		obj.CacheUnauthorizedRequests = ptr.To(true)
+	}
 }

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go

@@ -97,11 +97,23 @@ type WebhookConfiguration struct {
 	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 	// Default: 5m0s
 	AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
+	// CacheAuthorizedRequests specifies whether authorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// AuthorizedTTL field.
+	// Default: true
+	// +optional
+	CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"`
 	// The duration to cache 'unauthorized' responses from the webhook
 	// authorizer.
 	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 	// Default: 30s
 	UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"`
+	// CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// UnauthorizedTTL field.
+	// Default: true
+	// +optional
+	CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"`
 	// Timeout for the webhook request
 	// Maximum allowed value is 30s.
 	// Required, no default value.

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.conversion.go

@@ -20,6 +20,7 @@ import (
 	"time"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 )
 
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
@@ -30,7 +31,13 @@ func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) {
 	if obj.AuthorizedTTL.Duration == 0 {
 		obj.AuthorizedTTL.Duration = 5 * time.Minute
 	}
+	if obj.CacheAuthorizedRequests == nil {
+		obj.CacheAuthorizedRequests = ptr.To(true)
+	}
 	if obj.UnauthorizedTTL.Duration == 0 {
 		obj.UnauthorizedTTL.Duration = 30 * time.Second
 	}
+	if obj.CacheUnauthorizedRequests == nil {
+		obj.CacheUnauthorizedRequests = ptr.To(true)
+	}
 }

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/zz_generated.deepcopy.go

@@ -550,11 +550,23 @@ type WebhookConfiguration struct {
 	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
 	// Default: 5m0s
 	AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
+	// CacheAuthorizedRequests specifies whether authorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// AuthorizedTTL field.
+	// Default: true
+	// +optional
+	CacheAuthorizedRequests *bool `json:"cacheAuthorizedRequests,omitempty"`
 	// The duration to cache 'unauthorized' responses from the webhook
 	// authorizer.
 	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
 	// Default: 30s
 	UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"`
+	// CacheUnauthorizedRequests specifies whether unauthorized requests should be cached.
+	// If set to true, the TTL for cached decisions can be configured via the
+	// UnauthorizedTTL field.
+	// Default: true
+	// +optional
+	CacheUnauthorizedRequests *bool `json:"cacheUnauthorizedRequests,omitempty"`
 	// Timeout for the webhook request
 	// Maximum allowed value is 30s.
 	// Required, no default value.