Jwks async fetching failed due to multiple requests per second. #4791
Comments
@zhaohuabing can we disable retry policy? We already enable https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#extensions-filters-http-jwt-authn-v3-jwksasyncfetch which has a

Yes, I think retry can be removed as jwksasyncfetch has been enabled.
Hello, I installed gateway 1.2.3 but still seeing the pattern as described above with appr. 200 rqs going to the OIDC server.

```
[2024-12-02 08:23:15.748][1][warning][jwt] [source/extensions/filters/http/jwt_authn/jwks_async_fetcher.cc:115] Jwks async fetching url=http://authentik-server.authentik.svc.cluster.local:80/application/o/kube-apiserver/jwks/: failed
[2024-12-02 08:23:15.748][1][error][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:51] fetch: fetch pubkey [uri = http://authentik-server.authentik.svc.cluster.local:80/application/o/kube-apiserver/jwks/] failed: [cluster = authentik-server_authentik_svc_cluster_local_80] is not configured
[2024-12-02 08:23:15.748][1][warning][jwt] [source/extensions/filters/http/jwt_authn/jwks_async_fetcher.cc:115] Jwks async fetching url=http://authentik-server.authentik.svc.cluster.local:80/application/o/kube-apiserver/jwks/: failed
[2024-12-02 08:23:15.748][1][error][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:51] fetch: fetch pubkey [uri = http://authentik-server.authentik.svc.cluster.local:80/application/o/kube-apiserver/jwks/] failed: [cluster = authentik-server_authentik_svc_cluster_local_80] is not configured
[2024-12-02 08:23:15.748][1][warning][jwt] [source/extensions/filters/http/jwt_authn/jwks_async_fetcher.cc:115] Jwks async fetching url=http://authentik-server.authentik.svc.cluster.local:80/application/o/kube-apiserver/jwks/: failed
[2024-12-02 08:23:15.748][1][error][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:51] fetch: fetch pubkey [uri = http://authentik-server.authentik.svc.cluster.local:80/application/o/kube-apiserver/jwks/] failed: [cluster = authentik-server_authentik_svc_cluster_local_80] is not configured
[2024-12-02 08:23:15.748][1][warning][jwt] [source/extensions/filters/http/jwt_authn/jwks_async_fetcher.cc:115] Jwks async fetching url=http://authentik-server.authentik.svc.cluster.local:80/application/o/kube-apiserver/jwks/: failed
[2024-12-02 08:23:15.748][1][error][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:51] fetch: fetch pubkey [uri = http://authentik-server.authentik.svc.cluster.local:80/application/o/kube-apiserver/jwks/] failed: [cluster = authentik-server_authentik_svc_cluster_local_80] is not configured
```

The policy enforcement works, until the OIDC becomes sometimes overloaded. I am using I have 8x policies in 6 namespaces running two proxies. Thank you and let me know if I can provide more information 👍

This seems like a different issue: the cluster doesn't exist. Can you get the lds and cds from envoy using
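
As an added example (not part of this thread or of the Envoy Gateway project), the following Python script counts failed JWKS async fetches per second per URL in Envoy logs and groups the fetcher errors by reason, so a burst like the one quoted above can be separated by cause, including the "is not configured" cluster error. The sample lines are constructed in the format of the logs in this thread with a hypothetical URL and cluster name; `analyze` and `burst_threshold` are names chosen here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the Envoy log lines quoted in this thread.
URL = "http://idp.example.svc:80/jwks/"  # hypothetical JWKS endpoint
WARN = ("[2024-12-02 08:23:{s}.748][1][warning][jwt] "
        "[source/extensions/filters/http/jwt_authn/jwks_async_fetcher.cc:115] "
        "Jwks async fetching url={u}: failed")
ERR = ("[2024-12-02 08:23:{s}.748][1][error][filter] "
       "[source/extensions/filters/http/common/jwks_fetcher.cc:51] "
       "fetch: fetch pubkey [uri = {u}] failed: "
       "[cluster = idp_example_svc_80] is not configured")
SAMPLE_LOG = "\n".join(
    [WARN.format(s=15, u=URL), ERR.format(s=15, u=URL)] * 3
    + [WARN.format(s=16, u=URL)]
)

TS = r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\]"  # timestamp, to the second
ASYNC_FAIL = re.compile(TS + r".*Jwks async fetching url=(\S+): failed")
FETCH_FAIL = re.compile(TS + r".*fetch pubkey \[uri = (\S+)\] failed: (.*)$")

def analyze(log_text, burst_threshold=2):
    """Return (bursts, reasons) for JWKS fetch failures found in log_text.

    bursts:  {(second, url): count} where count >= burst_threshold
    reasons: {url: {reason: count}} with the cluster name normalised away
    """
    per_second = Counter()
    reasons = defaultdict(Counter)
    for line in log_text.splitlines():
        if m := ASYNC_FAIL.search(line):
            per_second[(m.group(1), m.group(2))] += 1
        elif m := FETCH_FAIL.search(line):
            reason = re.sub(r"\[cluster = [^\]]+\]", "[cluster]", m.group(3))
            reasons[m.group(2)][reason.strip()] += 1
    bursts = {k: n for k, n in per_second.items() if n >= burst_threshold}
    return bursts, {url: dict(c) for url, c in reasons.items()}

if __name__ == "__main__":
    bursts, reasons = analyze(SAMPLE_LOG)
    for (second, url), n in sorted(bursts.items()):
        print(f"{second}  {n} failed fetches  {url}")
    for url, by_reason in reasons.items():
        print(url, by_reason)
```
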

Sure, will do that!

@zhaohuabing I created "three" snapshots:
Same applies to

Hello, I am using an Envoy Gateway `SecurityPolicy` with `JWT` inspection. I have an OIDC provider in the cluster. Periodically, envoy-proxy fires a lot of requests to the `remoteJWKS.uri` endpoint, i.e. 30 req/s.

I am running envoy gateway version `1.2.1` w/ 2x proxies, 8x SecurityPolicies in various namespaces. This overwhelms the OIDC provider time to time, therefore, would it make sense to configure the JWT with a retry_policy? I think 1 req/s would be totally sufficient.

Let me know what you think.

Thanks and have a great day