Update comment for skipGroupRefresh

2026-01-07 05:57:02 +00:00 · 2022-02-16 10:33:22 -08:00
parent e2c6dcd6e6
commit b9582f864e
26 changed files with 540 additions and 116 deletions
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -120,13 +120,29 @@ spec:
                      it, you can set the filter to "(&(objectClass=group)(member={})"
                    type: string
                  skipGroupRefresh:
-                    description: SkipGroupRefresh skips the group refresh operation
-                      that occurs with each refresh (every 5 minutes). This can be
-                      done if group search is very slow or resource intensive for
-                      the AD server.
+                    description: "The user's group membership is refreshed as they
+                      interact with the supervisor to obtain new credentials (as their
+                      old credentials expire).  This allows group membership changes
+                      to be quickly reflected into Kubernetes clusters.  Since group
+                      membership is often used to bind authorization policies, it
+                      is important to keep the groups observed in Kubernetes clusters
+                      in-sync with the identity provider. \n In some environments,
+                      frequent group membership queries may result in a significant
+                      performance impact on the identity provider and/or the supervisor.
+                      The best approach to handle performance impacts is to tweak
+                      the group query to be more performant, for example by disabling
+                      nested group search or by using a more targeted group search
+                      base. \n If the group search query cannot be made performant
+                      and you are willing to have group memberships remain static
+                      for approximately a day, then set skipGroupRefresh to true.
+                      \ This is an insecure configuration as authorization policies
+                      that are bound to group membership will not notice if a user
+                      has been removed from a particular group until their next login.
+                      \n This is an experimental feature that may be removed or significantly
+                      altered in the future.  Consumers of this configuration should
+                      carefully read all release notes before upgrading to ensure
+                      that the meaning of this field has not changed."
                    type: boolean
-                required:
-                - skipGroupRefresh
                type: object
              host:
                description: 'Host is the hostname of this Active Directory identity
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -112,13 +112,29 @@ spec:
                      the default will act as if the Filter were specified as "member={}".
                    type: string
                  skipGroupRefresh:
-                    description: SkipGroupRefresh skips the group refresh operation
-                      that occurs with each refresh (every 5 minutes). This can be
-                      done if group search is very slow or resource intensive for
-                      the LDAP server.
+                    description: "The user's group membership is refreshed as they
+                      interact with the supervisor to obtain new credentials (as their
+                      old credentials expire).  This allows group membership changes
+                      to be quickly reflected into Kubernetes clusters.  Since group
+                      membership is often used to bind authorization policies, it
+                      is important to keep the groups observed in Kubernetes clusters
+                      in-sync with the identity provider. \n In some environments,
+                      frequent group membership queries may result in a significant
+                      performance impact on the identity provider and/or the supervisor.
+                      The best approach to handle performance impacts is to tweak
+                      the group query to be more performant, for example by disabling
+                      nested group search or by using a more targeted group search
+                      base. \n If the group search query cannot be made performant
+                      and you are willing to have group memberships remain static
+                      for approximately a day, then set skipGroupRefresh to true.
+                      \ This is an insecure configuration as authorization policies
+                      that are bound to group membership will not notice if a user
+                      has been removed from a particular group until their next login.
+                      \n This is an experimental feature that may be removed or significantly
+                      altered in the future.  Consumers of this configuration should
+                      carefully read all release notes before upgrading to ensure
+                      that the meaning of this field has not changed."
                    type: boolean
-                required:
-                - skipGroupRefresh
                type: object
              host:
                description: 'Host is the hostname of this LDAP identity provider,