kcp-dev · openshift-merge-robot · Jan 11, 2023 · Dec 23, 2022
diff --git a/pkg/admission/apibinding/apibinding_admission.go b/pkg/admission/apibinding/apibinding_admission.go
@@ -266,7 +266,7 @@ func (o *apiBindingAdmission) Validate(ctx context.Context, a admission.Attribut
 
 func (o *apiBindingAdmission) checkAPIExportAccess(ctx context.Context, user user.Info, apiExportClusterName logicalcluster.Name, apiExportName string) error {
 	logger := klog.FromContext(ctx)
-	authz, err := o.createAuthorizer(apiExportClusterName, o.deepSARClient)
+	authz, err := o.createAuthorizer(apiExportClusterName, o.deepSARClient, delegated.Options{})
 	if err != nil {
 		// Logging a more specific error for the operator
 		logger.Error(err, "error creating authorizer from delegating authorizer config")

diff --git a/pkg/admission/apibinding/apibinding_admission_test.go b/pkg/admission/apibinding/apibinding_admission_test.go
@@ -39,6 +39,7 @@ import (
 	"github.com/kcp-dev/kcp/pkg/admission/helpers"
 	apisv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/apis/v1alpha1"
 	"github.com/kcp-dev/kcp/pkg/apis/core"
+	"github.com/kcp-dev/kcp/pkg/authorization/delegated"
 )
 
 func createAttr(apiBinding *apisv1alpha1.APIBinding) admission.Attributes {
@@ -160,7 +161,7 @@ func TestAdmit(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			o := &apiBindingAdmission{
 				Handler: admission.NewHandler(admission.Create, admission.Update),
-				createAuthorizer: func(clusterName logicalcluster.Name, client kcpkubernetesclientset.ClusterInterface) (authorizer.Authorizer, error) {
+				createAuthorizer: func(clusterName logicalcluster.Name, client kcpkubernetesclientset.ClusterInterface, opts delegated.Options) (authorizer.Authorizer, error) {
 					return &fakeAuthorizer{
 						tc.authzDecision,
 						tc.authzError,
@@ -433,7 +434,7 @@ func TestValidate(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			o := &apiBindingAdmission{
 				Handler: admission.NewHandler(admission.Create, admission.Update),
-				createAuthorizer: func(clusterName logicalcluster.Name, client kcpkubernetesclientset.ClusterInterface) (authorizer.Authorizer, error) {
+				createAuthorizer: func(clusterName logicalcluster.Name, client kcpkubernetesclientset.ClusterInterface, opts delegated.Options) (authorizer.Authorizer, error) {
 					return &fakeAuthorizer{
 						tc.authzDecision,
 						tc.authzError,

diff --git a/pkg/admission/workspacetypeexists/admission.go b/pkg/admission/workspacetypeexists/admission.go
@@ -275,7 +275,7 @@ func (o *workspacetypeExists) Validate(ctx context.Context, a admission.Attribut
 		}
 
 		for _, alias := range wtAliases {
-			authz, err := o.createAuthorizer(logicalcluster.From(alias), o.deepSARClient)
+			authz, err := o.createAuthorizer(logicalcluster.From(alias), o.deepSARClient, delegated.Options{})
 			if err != nil {
 				return admission.NewForbidden(a, fmt.Errorf("unable to determine access to workspace type %q", ws.Spec.Type))
 			}

diff --git a/pkg/admission/workspacetypeexists/admission_test.go b/pkg/admission/workspacetypeexists/admission_test.go
@@ -43,6 +43,7 @@ import (
 	corev1alpha1 "github.com/kcp-dev/kcp/pkg/apis/core/v1alpha1"
 	tenancyv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/tenancy/v1alpha1"
 	tenancyv1beta1 "github.com/kcp-dev/kcp/pkg/apis/tenancy/v1beta1"
+	"github.com/kcp-dev/kcp/pkg/authorization/delegated"
 	corev1alpha1listers "github.com/kcp-dev/kcp/pkg/client/listers/core/v1alpha1"
 	tenancyv1alpha1listers "github.com/kcp-dev/kcp/pkg/client/listers/tenancy/v1alpha1"
 )
@@ -445,7 +446,7 @@ func TestValidate(t *testing.T) {
 				Handler:              admission.NewHandler(admission.Create, admission.Update),
 				getType:              getType(tt.types),
 				logicalClusterLister: fakeLogicalClusterClusterLister(tt.logicalClusters),
-				createAuthorizer: func(clusterName logicalcluster.Name, client kcpkubernetesclientset.ClusterInterface) (authorizer.Authorizer, error) {
+				createAuthorizer: func(clusterName logicalcluster.Name, client kcpkubernetesclientset.ClusterInterface, opts delegated.Options) (authorizer.Authorizer, error) {
 					return &fakeAuthorizer{
 						tt.authzDecision,
 						tt.authzError,

diff --git a/pkg/authorization/delegated/authorizer.go b/pkg/authorization/delegated/authorizer.go
@@ -28,15 +28,37 @@ import (
 	"k8s.io/klog/v2"
 )
 
-type DelegatedAuthorizerFactory func(clusterName logicalcluster.Name, client kcpkubernetesclient.ClusterInterface) (authorizer.Authorizer, error)
+type DelegatedAuthorizerFactory func(clusterName logicalcluster.Name, client kcpkubernetesclient.ClusterInterface, opts Options) (authorizer.Authorizer, error)
+
+// Options provides options to customize the
+// created DelegatedAuthorizer.
+type Options struct {
+	// AllowCacheTTL is the length of time that a successful authorization response will be cached
+	AllowCacheTTL time.Duration
+
+	// DenyCacheTTL is the length of time that an unsuccessful authorization response will be cached.
+	// You generally want more responsive, "deny, try again" flows.
+	DenyCacheTTL time.Duration
+}
+
+func (d *Options) defaults() {
+	if d.AllowCacheTTL == 0 {
+		d.AllowCacheTTL = 5 * time.Minute
+	}
+	if d.DenyCacheTTL == 0 {
+		d.AllowCacheTTL = 30 * time.Second
+	}
+}
 
 // NewDelegatedAuthorizer returns a new authorizer for use in e.g. admission plugins that delegates
 // to the kube API server via SubjectAccessReview.
-func NewDelegatedAuthorizer(clusterName logicalcluster.Name, client kcpkubernetesclient.ClusterInterface) (authorizer.Authorizer, error) {
+func NewDelegatedAuthorizer(clusterName logicalcluster.Name, client kcpkubernetesclient.ClusterInterface, opts Options) (authorizer.Authorizer, error) {
+	opts.defaults()
+
 	delegatingAuthorizerConfig := &authorizerfactory.DelegatingAuthorizerConfig{
 		SubjectAccessReviewClient: client.Cluster(clusterName.Path()).AuthorizationV1(),
-		AllowCacheTTL:             5 * time.Minute,
-		DenyCacheTTL:              30 * time.Second,
+		AllowCacheTTL:             opts.AllowCacheTTL,
+		DenyCacheTTL:              opts.DenyCacheTTL,
 		WebhookRetryBackoff:       options.DefaultAuthWebhookRetryBackoff(),
 	}
 

diff --git a/pkg/authorization/delegated/caching_authorizer.go b/pkg/authorization/delegated/caching_authorizer.go
@@ -0,0 +1,109 @@
+/*
+Copyright 2022 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package delegated
+
+import (
+	"context"
+	"time"
+
+	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
+	"github.com/kcp-dev/logicalcluster/v3"
+
+	"k8s.io/apimachinery/pkg/util/cache"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+// CachingOptions contains options to create a new Delegated Caching Authorizer.
+type CachingOptions struct {
+	Options
+
+	// TTL is the default time-to-live when a delegated authorizer
+	// is stored in the internal cache.
+	TTL time.Duration
+}
+
+func (c *CachingOptions) defaults() {
+	c.Options.defaults()
+	if c.TTL == 0 {
+		c.TTL = 12 * time.Hour
+	}
+}
+
+// CachingAuthorizerFunc looks similar to authorizer.AuthorizerFunc with the
+// additional cache parameter for delegated authorizers.
+type CachingAuthorizerFunc func(ctx context.Context, cache Cache, a authorizer.Attributes) (authorizer.Decision, string, error)
+
+// Cache contains methods that define a delegated caching authorizer.
+type Cache interface {
+	// Get returns the delegated authorizer for the given logical cluster.
+	Get(clusterName logicalcluster.Name) (authorizer.Authorizer, error)
+}
+
+// NewCachingAuthorizer creates a new Authorizer that holds an internal cache of
+// Delegated Authorizer(s).
+func NewCachingAuthorizer(client kcpkubernetesclientset.ClusterInterface, auth CachingAuthorizerFunc, opts CachingOptions) *cachingAuthorizer {
+	opts.defaults()
+	return &cachingAuthorizer{
+		opts:   &opts,
+		auth:   auth,
+		cache:  cache.NewExpiring(),
+		client: client,
+	}
+}
+
+// cachingAuthorizer is a wrapper around authorizer.Authorize that uses
+// an internal expiring cache.
+type cachingAuthorizer struct {
+	opts  *CachingOptions
+	cache *cache.Expiring
+
+	auth   CachingAuthorizerFunc
+	client kcpkubernetesclientset.ClusterInterface
+}
+
+// load loads the authorizer from the cache, if any.
+func (c *cachingAuthorizer) load(clusterName logicalcluster.Name) authorizer.Authorizer {
+	value, ok := c.cache.Get(clusterName)
+	if !ok || value == nil {
+		return nil
+	}
+	authz, ok := value.(authorizer.Authorizer)
+	if !ok {
+		return nil
+	}
+	return authz
+}
+
+func (c *cachingAuthorizer) Get(clusterName logicalcluster.Name) (authorizer.Authorizer, error) {
+	if authz := c.load(clusterName); authz != nil {
+		return authz, nil
+	}
+
+	// Create the delegated authorizer.
+	authz, err := NewDelegatedAuthorizer(clusterName, c.client, c.opts.Options)
+	if err != nil {
+		return nil, err
+	}
+
+	// Store the cache and return.
+	c.cache.Set(clusterName, authz, c.opts.TTL)
+	return authz, nil
+}
+
+func (c *cachingAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+	return c.auth(ctx, c, attr)
+}
diff --git a/pkg/virtual/apiexport/authorizer/content.go b/pkg/virtual/apiexport/authorizer/content.go
@@ -44,7 +44,7 @@ type apiExportsContentAuthorizer struct {
 func NewAPIExportsContentAuthorizer(delegate authorizer.Authorizer, kubeClusterClient kcpkubernetesclientset.ClusterInterface) authorizer.Authorizer {
 	return &apiExportsContentAuthorizer{
 		newDelegatedAuthorizer: func(clusterName string) (authorizer.Authorizer, error) {
-			return delegated.NewDelegatedAuthorizer(logicalcluster.Name(clusterName), kubeClusterClient)
+			return delegated.NewDelegatedAuthorizer(logicalcluster.Name(clusterName), kubeClusterClient, delegated.Options{})
 		},
 		delegate: delegate,
 	}

diff --git a/pkg/virtual/apiexport/authorizer/maximal_permission_policy.go b/pkg/virtual/apiexport/authorizer/maximal_permission_policy.go
@@ -59,7 +59,7 @@ func NewMaximalPermissionAuthorizer(deepSARClient kcpkubernetesclientset.Cluster
 			return indexers.ByIndex[*apisv1alpha1.APIExport](apiExportIndexer, indexers.APIExportByIdentity, identityHash)
 		},
 		newDeepSARAuthorizer: func(clusterName logicalcluster.Name) (authorizer.Authorizer, error) {
-			return delegated.NewDelegatedAuthorizer(clusterName, deepSARClient)
+			return delegated.NewDelegatedAuthorizer(clusterName, deepSARClient, delegated.Options{})
 		},
 	}
 }

diff --git a/pkg/virtual/initializingworkspaces/builder/build.go b/pkg/virtual/initializingworkspaces/builder/build.go
@@ -87,6 +87,8 @@ func BuildVirtualWorkspace(
 		v.Schema.Raw = bs // wipe schemas. We don't want validation here.
 	}
 
+	cachingAuthorizer := delegated.NewCachingAuthorizer(kubeClusterClient, authorizerWithCache, delegated.CachingOptions{})
+
 	wildcardLogicalClustersName := initializingworkspaces.VirtualWorkspaceName + "-wildcard-logicalclusters"
 	wildcardLogicalClusters := &virtualworkspacesdynamic.DynamicVirtualWorkspace{
 		RootPathResolver: framework.RootPathResolverFunc(func(urlPath string, requestContext context.Context) (accepted bool, prefixToStrip string, completedContext context.Context) {
@@ -104,7 +106,7 @@ func BuildVirtualWorkspace(
 			completedContext = dynamiccontext.WithAPIDomainKey(completedContext, apiDomain)
 			return true, prefixToStrip, completedContext
 		}),
-		Authorizer: newAuthorizer(kubeClusterClient),
+		Authorizer: cachingAuthorizer,
 		ReadyChecker: framework.ReadyFunc(func() error {
 			return nil
 		}),
@@ -141,7 +143,7 @@ func BuildVirtualWorkspace(
 			completedContext = dynamiccontext.WithAPIDomainKey(completedContext, apiDomain)
 			return true, prefixToStrip, completedContext
 		}),
-		Authorizer: newAuthorizer(kubeClusterClient),
+		Authorizer: cachingAuthorizer,
 		ReadyChecker: framework.ReadyFunc(func() error {
 			return nil
 		}),
@@ -183,7 +185,7 @@ func BuildVirtualWorkspace(
 			completedContext = dynamiccontext.WithAPIDomainKey(completedContext, apiDomain)
 			return true, prefixToStrip, completedContext
 		}),
-		Authorizer: newAuthorizer(kubeClusterClient),
+		Authorizer: cachingAuthorizer,
 		ReadyChecker: framework.ReadyFunc(func() error {
 			select {
 			case <-workspaceContentReadyCh:
@@ -403,29 +405,27 @@ func (a *singleResourceAPIDefinitionSetProvider) GetAPIDefinitionSet(ctx context
 
 var _ apidefinition.APIDefinitionSetGetter = &singleResourceAPIDefinitionSetProvider{}
 
-func newAuthorizer(client kcpkubernetesclientset.ClusterInterface) authorizer.AuthorizerFunc {
-	return func(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
-		clusterName, name, err := initialization.TypeFrom(corev1alpha1.LogicalClusterInitializer(dynamiccontext.APIDomainKeyFrom(ctx)))
-		if err != nil {
-			klog.FromContext(ctx).V(2).Info(err.Error())
-			return authorizer.DecisionNoOpinion, "unable to determine initializer", fmt.Errorf("access not permitted")
-		}
-
-		authz, err := delegated.NewDelegatedAuthorizer(clusterName, client)
-		if err != nil {
-			return authorizer.DecisionNoOpinion, "error", err
-		}
+func authorizerWithCache(ctx context.Context, cache delegated.Cache, attr authorizer.Attributes) (authorizer.Decision, string, error) {
+	clusterName, name, err := initialization.TypeFrom(corev1alpha1.LogicalClusterInitializer(dynamiccontext.APIDomainKeyFrom(ctx)))
+	if err != nil {
+		klog.FromContext(ctx).V(2).Info(err.Error())
+		return authorizer.DecisionNoOpinion, "unable to determine initializer", fmt.Errorf("access not permitted")
+	}
 
-		SARAttributes := authorizer.AttributesRecord{
-			APIGroup:        tenancyv1alpha1.SchemeGroupVersion.Group,
-			APIVersion:      tenancyv1alpha1.SchemeGroupVersion.Version,
-			User:            attr.GetUser(),
-			Verb:            "initialize",
-			Name:            name,
-			Resource:        "workspacetypes",
-			ResourceRequest: true,
-		}
+	authz, err := cache.Get(clusterName)
+	if err != nil {
+		return authorizer.DecisionNoOpinion, "error", err
+	}
 
-		return authz.Authorize(ctx, SARAttributes)
+	SARAttributes := authorizer.AttributesRecord{
+		APIGroup:        tenancyv1alpha1.SchemeGroupVersion.Group,
+		APIVersion:      tenancyv1alpha1.SchemeGroupVersion.Version,
+		User:            attr.GetUser(),
+		Verb:            "initialize",
+		Name:            name,
+		Resource:        "workspacetypes",
+		ResourceRequest: true,
 	}
+
+	return authz.Authorize(ctx, SARAttributes)
 }
diff --git a/pkg/virtual/syncer/builder/template.go b/pkg/virtual/syncer/builder/template.go
@@ -186,7 +186,7 @@ func (t *template) authorize(ctx context.Context, a authorizer.Attributes) (auth
 		return authorizer.DecisionNoOpinion, "", err
 	}
 
-	authz, err := delegated.NewDelegatedAuthorizer(negotiationWorkspaceName, t.kubeClusterClient)
+	authz, err := delegated.NewDelegatedAuthorizer(negotiationWorkspaceName, t.kubeClusterClient, delegated.Options{})
 	if err != nil {
 		return authorizer.DecisionNoOpinion, "Error", err
 	}