Skip to content

Bugfix: record authentication latency before audit filter wraps up #132163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Bugfix: record authentication latency before audit filter wraps up #132163

wants to merge 2 commits into from
+30 −1

Conversation

yue9944882
Copy link
Member

Previously #130571 added additional annotation to audit events so that we can track authn & authz latency. However it's only able to record authz latency e.g.:

{"kind":"Event","..."annotations":{"apiserver.latency.k8s.io/authorization":"7 09ns","apiserver.latency.k8s.io/response-write":"167ns","apiserver.latency.k8s.io/serialize-response-object":"52.167µs","apiserver.latency.k8s.io/total":"52.424459ms","authorization.k8s.io/decision":"al low","authorization.k8s.io/reason":""}}

This is because kube-apiserver's filters are chained in such order:

authentication -> ... -> audit -> ... -> authorization

And we recorded authentication latency in a defer block which works after persisting the audit log. This PR fixes this issue by recording authn latency out of the defer block. After the fix, the audit event shall look like:

{"kind":"Event",...."annotations":{"apiserver.latency.k8s.io/authentication":"2.75µs","apiserver.latency.k8s.i o/authorization":"500ns","apiserver.latency.k8s.io/response-write":"250ns","apiserver.latency.k8s.io/serialize-response-object":"44.417µs","apiserver.latency.k8s.io/total":"12.113ms","apiserver.latency. k8s.io/transform-response-object":"209ns","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

/kind bug

NONE

/cc @hakuna-matatah @dims @mengqiy

@k8s-ci-robot k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label Jun 7, 2025
@k8s-ci-robot k8s-ci-robot requested a review from mengqiy June 7, 2025 00:55
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 7, 2025
@cartermckinnon
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 7, 2025
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 812a18d165a7d893990f6dd7dcd645a2c14064ba

@dims
Copy link
Member

dims commented Jun 8, 2025

/priority important-soon

/assign @jpbetz @liggitt

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 8, 2025
@dims
Copy link
Member

dims commented Jun 8, 2025

LGTM as well!

@mengqiy
Copy link
Member

mengqiy commented Jun 9, 2025

/lgtm

@hakuna-matatah
Copy link
Contributor

/lgtm

Thank you.

liggitt
liggitt reviewed Jun 10, 2025
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go
defer func() {
metrics(req.Context(), resp, ok, err, apiAuds, authenticationStart, authenticationFinish)
genericapirequest.TrackAuthenticationLatency(req.Context(), authenticationFinish.Sub(authenticationStart))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need to make the same change for other Track*Latency calls? lots of those are made in defer calls

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is non-obvious and apparently fragile enough that some sort of test to demonstrate this works properly and prevent future regressions would be a good idea

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need to make the same change for other Track*Latency calls? lots of those are made in defer calls

we don't need them for now because others are wrapped "inside" the audit filter so the defer block is called before we dump the latency

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is non-obvious and apparently fragile enough that some sort of test to demonstrate this works properly and prevent future regressions would be a good idea

agree, but it's tricky to add a unit-test for this. i tried adding one in my 2nd commit but it looks a bit odd to me because it's involving bunch of external types.

@cici37
Copy link
Contributor

cici37 commented Jun 10, 2025

/sig auth
/triage accepted

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jun 10, 2025
@k8s-ci-robot k8s-ci-robot added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jun 10, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jun 10, 2025
@liggitt liggitt added this to the v1.34 milestone Jun 10, 2025
@enj enj moved this to Needs Triage in SIG Auth Jun 11, 2025
@yue9944882 yue9944882 force-pushed the fix-audit-authn-latency branch from f9614f5 to 66d3f32 Compare June 13, 2025 19:42
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Jun 13, 2025
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: yue9944882
Once this PR has been reviewed and has the lgtm label, please ask for approval from jpbetz. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@yue9944882 yue9944882 force-pushed the fix-audit-authn-latency branch from 66d3f32 to cfd061f Compare June 13, 2025 21:55
@k8s-ci-robot
Copy link
Contributor

@yue9944882: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubernetes-e2e-gce cfd061f link true /test pull-kubernetes-e2e-gce

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dims dims Awaiting requested review from dims

@hakuna-matatah hakuna-matatah Awaiting requested review from hakuna-matatah

@mengqiy mengqiy Awaiting requested review from mengqiy

@cartermckinnon cartermckinnon Awaiting requested review from cartermckinnon

@jpbetz jpbetz Awaiting requested review from jpbetz

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@jpbetz jpbetz

@liggitt liggitt

@mengqiy mengqiy

@cartermckinnon cartermckinnon

@hakuna-matatah hakuna-matatah

Labels
area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Status: Needs Triage
[sig-release] Bug Triage
Status: No status
Milestone
v1.34
Development

Successfully merging this pull request may close these issues.
9 participants
@yue9944882 @cartermckinnon @k8s-ci-robot @dims @mengqiy @hakuna-matatah @cici37 @liggitt @jpbetz