Shihang Zhang
925900317e
allow multiple of --service-account-issuer
2021-04-19 09:54:11 -07:00
Kubernetes Prow Robot
42a4953c6e
Merge pull request #100186 from yangjunmyfm192085/run-test28
...
test: fix the error case of TestAuthenticationValidate
2021-04-08 20:28:34 -07:00
Kubernetes Prow Robot
26fba1403b
Merge pull request #99528 from pandaamanda/apiserver_validation_code_optimization
...
fix log message and optimize log format check logic
2021-04-08 14:28:34 -07:00
JunYang
4e72e41387
test: fix the error of TestAuthenticationValidate
...
Signed-off-by: JunYang <yang.jun22@zte.com.cn>
2021-03-12 23:10:21 +08:00
xiongzhongliang
4a24a08f93
Optimize some codes
2021-03-05 18:23:39 +08:00
Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00
Shihang Zhang
cbf6e38bbd
move RootCAConfigMap to ga
2021-02-22 15:59:27 -08:00
Kubernetes Prow Robot
1119a505ac
Merge pull request #98669 from liggitt/denyexec
...
Remove deprecated DenyEscalatingExec / DenyExecOnPrivileged admission
2021-02-02 06:52:28 -08:00
Jordan Liggitt
3579f88e4d
Remove deprecated DenyEscalatingExec / DenyExecOnPrivileged admission
2021-02-01 16:55:22 -05:00
Michael Taufen
6aa80d9172
Graduate ServiceAccountIssuerDiscovery to GA
...
Waiting on KEP updates first:
https://github.com/kubernetes/enhancements/pull/2363
2021-02-01 11:44:23 -08:00
Tim Hockin
a8299079a5
Add denyserviceexternalips admission
2020-12-29 10:00:11 -08:00
Tim Hockin
02b77861ec
Move defaultingressclass admission to net subdir
2020-12-28 09:58:30 -08:00
KeZhang
3562806d2d
cleanup unused code for kubeapiserver
2020-12-09 09:29:34 +08:00
Sergey Kanzhelev
06da0e5e74
GA of RuntimeClass feature gate and API
2020-11-11 19:22:32 +00:00
Kubernetes Prow Robot
8d6829fe1e
Merge pull request #95896 from zshihang/flag
...
make flags of TokenRequest required
2020-11-05 18:36:50 -08:00
Shihang Zhang
a5021a4ddf
make flags of TokenRequest required
2020-11-05 10:40:56 -08:00
Shihang Zhang
4c593b268a
default service-account-extend-token-expiration to true
2020-11-05 09:07:01 -08:00
Shihang Zhang
d40f0c43c4
separate RootCAConfigMap from BoundServiceAccountTokenVolume
2020-11-04 17:10:39 -08:00
Abu Kashem
53a1307f68
make backoff parameters configurable for webhook
...
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.
2020-11-01 10:18:25 -05:00
Shihang Zhang
ff641f6eb2
mv TokenRequest and TokenRequestProjection to GA
2020-10-29 20:47:01 -07:00
Andrew Sy Kim
a0aebf96ec
apiserver: support egress selection name 'controlplane' and deprecate 'master'
...
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-10-26 10:24:16 -04:00
Kubernetes Prow Robot
e7b9453972
Merge pull request #93537 from timuthy/enhancement.move-resourcequota
...
Move ResourceQuota admission to k8s.io/apiserver lib
2020-09-15 12:26:58 -07:00
David Eads
c0c033b12f
generated
2020-09-14 09:24:41 -04:00
David Eads
c7911a384c
remove pod presets
2020-09-14 09:24:40 -04:00
Tim Usner
70d440bc7e
Move ResourceQuota admission to k8s.io/apiserver
2020-09-04 14:53:52 +02:00
yiduyangyi
e6c4633232
fix golint failures in pkg/kubeapiserver/options, fix some incorrect replace of receiver name
2020-07-23 19:02:07 +08:00
yiduyangyi
0520d75838
fix golint failures in pkg/kubeapiserver/options, rename receiver name of BuiltInAuthorizationOptions to o
2020-07-23 18:52:15 +08:00
yiduyangyi
e441c07fe2
fix golint failures in pkg/kubeapiserver/options, use API Server in comments instead of APIServer
2020-07-23 18:41:37 +08:00
yiduyangyi
e2838df7c7
fix golint failures in pkg/kubeapiserver/options
2020-07-15 16:03:08 +08:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Tomas Nozicka
b22a170d46
Fix client-ca dynamic reload in apiserver
2020-04-29 16:03:09 +02:00
Jiajie Yang
ae0e52d28c
Monitoring safe rollout of time-bound service account token.
2020-04-22 11:59:16 -07:00
Monis Khan
df292749c9
Remove support for basic authentication
...
This change removes support for basic authn in v1.19 via the
--basic-auth-file flag. This functionality was deprecated in v1.16
in response to ATR-K8S-002: Non-constant time password comparison.
Similar functionality is available via the --token-auth-file flag
for development purposes.
Signed-off-by: Monis Khan <mok@vmware.com>
2020-03-11 20:55:47 -04:00
Rob Scott
132d2afca0
Adding IngressClass to networking/v1beta1
...
Co-authored-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-03-01 18:17:09 -08:00
James Munnelly
d7e10f9869
Add Certificate signerName admission plugins
2020-02-27 15:50:14 +00:00
Jordan Liggitt
c80dcf56ee
Ensure webhook/quota/deny admission comes last
2020-02-25 21:54:14 -05:00
Charles Eckman
5a176ac772
Provide OIDC discovery endpoints
...
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
  the API server's external address and port.
- The metadata server is configured with the validating key set rather
  than the signing key set. This allows for key rotation because tokens
  can still be validated by the keys exposed in the JWKs URL, even if the
  signing key has been rotated (note this may still be a short window if
  tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
  fetch the issuer metadata via HTTPS; the trust of the issuer metadata
  comes from the server presenting a TLS certificate with a trust chain
  back to the relying party's root(s) of trust. For tests, we use
  a local issuer (https://kubernetes.default.svc) for the certificate
  so that workloads within the cluster can authenticate it when fetching
  OIDC metadata. An API server cannot validly claim https://kubernetes.io,
  but within the cluster, it is the authority for kubernetes.default.svc,
  according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
Jin Hase
49b6e40461
Clean up kube-apiserver reference document
2019-12-24 21:21:06 +09:00
Jordan Liggitt
dc0e51dd18
Plumb authorization webhook version from CLI to config
2019-11-18 23:58:05 -08:00
hwdef
b3377e61de
pkg/kubeapiserver: fix staticcheck warning
2019-11-14 11:24:22 +08:00
Kubernetes Prow Robot
94efa988f4
Merge pull request #84813 from deads2k/admission-feature-gates
...
remove global variable dependency from admission plugins
2019-11-12 10:23:14 -08:00
Jordan Liggitt
d54a70db5c
Switch kubelet/aggregated API servers to use v1 subjectaccessreviews
2019-11-11 17:19:11 -05:00
Jordan Liggitt
5ef4fe959a
Switch kubelet/aggregated API servers to use v1 tokenreviews
2019-11-11 17:19:10 -05:00
David Eads
675c2fb924
add featuregate inspection as admission plugin initializer
2019-11-08 13:07:40 -05:00
Dan Winship
afa0b808f8
Fix apiserver to advertise IPv6 endpoints if bound to IPv6
...
Also rename utilnet.ChooseBindAddress() to ResolveBindAddress(), to
better describe its functionality.
2019-11-06 11:31:43 -05:00
Jordan Liggitt
20b2439457
Feature-gate RuntimeClass informer starts
2019-10-24 01:18:07 -04:00
David Eads
6beb96261e
wire up a means to dynamically reload ca bundles for kube-apiserver
2019-10-23 11:01:56 -04:00
draveness
1163a1d51e
feat: update taint nodes by condition to GA
2019-10-19 09:17:41 +08:00
David Eads
5825634669
add the ability for dynamic header names in delegated authentication
2019-10-11 11:50:37 -04:00