Commit Graph

202 Commits

Author SHA1 Message Date
Kubernetes Submit Queue
270148d7d9
Merge pull request #58684 from hzxuzhonghu/default-enabled-admission
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

set default enabled admission plugins by official document

**What this PR does / why we need it**:

https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use

recommend  running the following set of admission controllers 
```
If you previously had not set the `--admission-control` flag, your cluster behavior may change (to be more standard).  See [https://kubernetes.io/docs/admin/admission-controllers/] for explanation of admission control.
```

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
Set default enabled admission plugins `NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota`
```
2018-02-22 05:24:44 -08:00
hzxuzhonghu
27f3fd2d79 set default enabled admission plugins by official document 2018-02-22 11:02:02 +08:00
Mike Danese
8ad1c6655b add support for /token subresource in serviceaccount registry 2018-02-21 13:16:51 -08:00
Kubernetes Submit Queue
cdbc4fbe20
Merge pull request #58544 from ericchiang/oidc-v2
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

oidc authentication: switch to v2 of coreos/go-oidc

Switch to v2 of [coreos/go-oidc](https://github.com/coreos/go-oidc), which uses square/go-jose to verify tokens and supports more signing algorithms.

Most of this PR removes dependencies used by the older version of github.com/coreos/go-oidc, and updates vendor files.

This PR has been tested against tokens issued by Okta, Google, and CoreOS's dex.

Closes https://github.com/kubernetes/kubernetes/issues/57806

```release-note
kube-apiserver: the OpenID Connect authenticator can now verify ID Tokens signed with JOSE algorithms other than RS256 through the --oidc-signing-algs flag.
kube-apiserver: the OpenID Connect authenticator no longer accepts tokens from the Google v3 token APIs, users must switch to the "https://www.googleapis.com/oauth2/v4/token" endpoint.
```

cc @rithujohn191 @liggitt 
cc @kubernetes/sig-auth-pr-reviews
2018-02-21 09:07:23 -08:00
NickrenREN
dad0fa07b7 rename StorageProtection to StorageObjectInUseProtection 2018-02-21 10:48:56 +08:00
Kubernetes Submit Queue
237007b615
Merge pull request #59934 from mikedanese/jwt-auth
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

svcacct: make token authenticator fully generic

so it can be used for both new and legacy svcacct tokens. Also move the
legacy validator into legacy.go.

part of https://github.com/kubernetes/kubernetes/issues/58790

```release-note
NONE
```
2018-02-20 18:40:59 -08:00
Kubernetes Submit Queue
f8298702ff
Merge pull request #54933 from php-coder/psp_introduce_new_api_group
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Introduce PodSecurityPolicy in the policy/v1beta1 API group

Types/constants are completely the same as in `extensions/v1beta1` except that they are located outside of the `extensions` API group.

**What this PR does / why we need it**:
This is the first step for migrating PSP-related stuff away of `extensions` group. See #43214 for more information.

Also it related to https://github.com/kubernetes/features/issues/5

**Example**:
```console
$ cat restricted2.yaml 
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted2
...
$ kubectl create -f restricted.yaml 
podsecuritypolicy "restricted2" created
$ kubectl get psp restricted2 -o yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
...
```

**Release note**:
```release-note
The `PodSecurityPolicy` API has been moved to the `policy/v1beta1` API group. The `PodSecurityPolicy` API in the `extensions/v1beta1` API group is deprecated and will be removed in a future release.
```
2018-02-20 15:44:50 -08:00
Kubernetes Submit Queue
b3099bcf53
Merge pull request #58097 from steveperry-53/ipv6
Automatic merge from submit-queue (batch tested with PRs 59391, 58097, 60057, 60090). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add IPv6 to command options.

**What this PR does / why we need it**:
This PR adds IPv6 information to the descriptions for several command options.

[Related PR in kubernetes/website](https://github.com/kubernetes/website/pull/6498)

**Release note**:

```release-note
NONE
```
2018-02-20 13:51:32 -08:00
Mike Danese
2862fb333a svcacct: make token authenticator fully generic
so it can be used for both new and legacy svcacct tokens. Also move the
legacy validator into legacy.go.
2018-02-20 12:30:42 -08:00
Slava Semushin
379683d9f4 Introduce PodSecurityPolicy in the policy/v1beta1 API group.
PSP are completely the same as in extensions/v1beta1 except that they
are located outside of the extensions API group.
2018-02-19 20:14:28 +01:00
Jeff Grafton
ef56a8d6bb Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
Eric Chiang
48c6d1abf5
oidc authentication: switch to v2 of coreos/go-oidc 2018-02-16 10:57:48 -08:00
steveperry-53
cc7cea74ae Merge branch 'master' into ipv6 2018-02-14 10:45:27 -08:00
Kubernetes Submit Queue
2a8049890a
Merge pull request #59492 from dims/remove-old-keystone-authenticator
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Remove experimental keystone authenticator

**What this PR does / why we need it**:

experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559

So we don't need this older style / hard coded / experimental code
anymore.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
kube-apiserver: the experimental in-tree Keystone password authenticator has been removed in favor of extensions that enable use of Keystone tokens.
```
2018-02-13 14:14:45 -08:00
Dr. Stefan Schimanski
4e0114b0dd apiserver: make SecureServingOptions and authz/n options re-usable 2018-02-13 11:16:38 +01:00
Davanum Srinivas
18590378c4 Remove experimental keystone authenticator
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559

So we don't need this older style / hard coded / experimental code
anymore.
2018-02-07 19:28:55 -05:00
Kubernetes Submit Queue
d3b783d5ec
Merge pull request #58743 from NickrenREN/pv-protection
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Postpone PV deletion with finalizer when it is being used

Postpone PV deletion if it is bound to a PVC

xref: https://github.com/kubernetes/community/pull/1608


**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #33355

**Special notes for your reviewer**:

**Release note**:
```release-note
Postpone PV deletion when it is being bound to a PVC
```

WIP, assign to myself first

/assign @NickrenREN
2018-02-01 19:39:52 -08:00
steveperry-53
1a530d1884 Add IPv6 to ref page descriptions. 2018-02-01 19:29:54 +00:00
NickrenREN
cbfa0cc85a reuse PVC protection admission plugin for PV protection 2018-01-31 20:02:01 +08:00
NickrenREN
7b9d2c046f Use v1beta1 VolumeAttachment 2018-01-31 18:46:11 +08:00
hzxuzhonghu
24c687fdad deprecate insecure http flags and remove already deprecated public-address-override 2018-01-30 16:05:33 +08:00
Mike Danese
057b7af798 serviceaccount: check token is issued by correct iss before verifying
Right now if a JWT for an unknown issuer, for any subject hits the
serviceaccount token authenticator, we return a errors as if the token
was meant for us but we couldn't find a key to verify it. We should
instead return nil, false, nil.

This change helps us support multiple service account token
authenticators with different issuers.
2018-01-24 20:21:59 -08:00
Kubernetes Submit Queue
26c1a3a8ee
Merge pull request #58595 from CaoShuFeng/LimitPodHardAntiAffinityTopology
Automatic merge from submit-queue (batch tested with PRs 58595, 58689). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fix invalid admission name LimitPodHardAntiAffinityTopology

@hzxuzhonghu 
@sttts 

**Release note**:

```release-note
NONE
```
2018-01-23 09:18:30 -08:00
Cao Shufeng
2a15776b41 fix invalid admission name LimitPodHardAntiAffinityTopology 2018-01-23 10:28:30 +08:00
hzxuzhonghu
eff1f20ff1 run update bazel and staging-godep 2018-01-22 19:10:28 +08:00
hzxuzhonghu
2f403b7ad1 pass APIEnablement through apiserver chain 2018-01-22 19:10:26 +08:00
David Eads
98eb592291 make kube-apiserver admission flag disable other plugins 2018-01-19 08:14:04 -05:00
hzxuzhonghu
5c9e020d7d run update bazel 2018-01-19 13:18:27 +08:00
hzxuzhonghu
82c3d2492c update admission test cases 2018-01-19 13:16:36 +08:00
hzxuzhonghu
7c5f9e0bba refactor admission flag: add two admission flags and make plugins auto in recommended order 2018-01-19 13:16:36 +08:00
Jordan Liggitt
ecfd18e2a6
Add get volumeattachments support to Node authorizer 2018-01-17 00:00:18 -05:00
Jordan Liggitt
ba09fadecf
Plumb versioned informers to authz config 2018-01-16 23:30:53 -05:00
Kubernetes Submit Queue
f9e4b6d025
Merge pull request #56608 from hzxuzhonghu/fix-typo
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fix typo

**What this PR does / why we need it**:

fix typos in pkg/kubeapiserver/default_storage_factory_builder.go

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:
tiny fix typo 
**Release note**:

```release-note
NONE
```
2018-01-04 15:28:05 -08:00
Jeff Grafton
efee0704c6 Autogenerate BUILD files 2017-12-23 13:12:11 -08:00
Kubernetes Submit Queue
fd826d6e2d
Merge pull request #57257 from brendandburns/typo
Automatic merge from submit-queue (batch tested with PRs 57257, 55442). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix a typo and improve some documentation.

Fix a typo and add some better help docs.
2017-12-20 23:56:47 -08:00
Kubernetes Submit Queue
e0284fab0b
Merge pull request #56691 from sttts/sttts-fix-runtime-config-docs
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kube-apiserver: fix runtime-config flag docs

This `apis/<GV>` syntax must predate API groups? It's not what we support today at least.
2017-12-18 00:29:29 -08:00
Kubernetes Submit Queue
a162ec5307
Merge pull request #57148 from deads2k/rebase-01-storagelocation
Automatic merge from submit-queue (batch tested with PRs 57148, 57123, 57091, 57141, 57131). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

expose special storage locations for downstream consumption

Storage locations are public information and needed for congruent storage.  This exposes them in their new home.
2017-12-16 21:00:41 -08:00
Brendan Burns
57e7471729 Fix a typo and improve some documentation. 2017-12-15 20:05:21 +00:00
David Eads
3d65f4cbd3 expose special storage locations for downstream consumption 2017-12-13 08:23:25 -05:00
Davanum Srinivas
31332fa84a Drop using cloud provider to set host address feature
As part of the larger plan to drop --cloud-provider and --cloud-config
from kube-apiserver, we need to stop calling Cloud Provider API to
find the external ip address when one is not specified on the command
line.

When ExternalHost is not specified, we check if AdvertiseAddress is
specified and use that, if that is missing then we use os.Hostname().

When testing this feature, found a problem that when ExternalHost
is specified, the port was not added in the generated URL. So fixed
that as well.
2017-12-05 13:58:20 -06:00
Dr. Stefan Schimanski
fddbff25f6 kube-apiserver: fix runtime-config flag docs 2017-12-01 12:25:50 +01:00
hzxuzhonghu
be40a40ee0 fix typo 2017-11-30 14:10:54 +08:00
Kubernetes Submit Queue
1489d19443
Merge pull request #56175 from ericchiang/oidc-fix-prefixing
Automatic merge from submit-queue (batch tested with PRs 51494, 56097, 56072, 56175). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

oidc auth: fix prefix flag plumbing

Fixes https://github.com/kubernetes/kubernetes/issues/56169

Tested this with an full API server against Google. It works now.

:(

cc @kubernetes/sig-auth-bugs 

```release-note
kube-apiserver: fixed --oidc-username-prefix and --oidc-group-prefix flags which previously weren't correctly enabled
```

/assign @liggitt @deads2k 

Probably worth a cherry pick.
2017-11-21 19:49:33 -08:00
Eric Chiang
df76402906 oidc auth: fix prefix flag plumbing 2017-11-21 14:22:25 -08:00
Kubernetes Submit Queue
5337ff8009
Merge pull request #55859 from hzxuzhonghu/listener-genericapiserver
Automatic merge from submit-queue (batch tested with PRs 56021, 55843, 55088, 56117, 55859). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

apiserver:  pass a listener into genericapiserver bootstrapping 

**What this PR does / why we need it**:

>At the moment we pass a port via the options into the config. A zero port does not work because the loopback clients created during apiserver initialization need to know the port before. Passing a listener into the server instead would allow us to use a zero port beforehand and bootstrapping order should be fine.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #55784

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2017-11-21 12:16:59 -08:00
hzxuzhonghu
6ba30f678c pass listener to genericapiserver 2017-11-21 11:00:15 +08:00
Dr. Stefan Schimanski
e19257f2ec admission/webhook: move webhook initializer into plugin 2017-11-20 09:28:42 +01:00
Chao Xu
1adfacc7eb Reorganize the admission webhook code.
Moved client and kubeconfig related code to webhook/config;
Moved the rule matcher to webhook/rules;
Left TODOs saying we are going to move some other common utilities;
Other code is moved to webhook/validation.
2017-11-14 15:59:53 -08:00
Kubernetes Submit Queue
d12d711ba6
Merge pull request #54849 from hzxuzhonghu/audit-graceful-shutdown
Automatic merge from submit-queue (batch tested with PRs 46581, 55426, 54849). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

apiserver shutdown gracefully

**What this PR does / why we need it**:
apiserver shutdown gracefully and wait all non-long running requests finish before process exit.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #54793

**Special notes for your reviewer**:
remove waitGroup, use atomic to count. 
**Release note**:

```release-note
NONE
```
2017-11-10 03:30:21 -08:00
hzxuzhonghu
db4f0de280 gracefully shutdown apiserver after all non-long running requests finish 2017-11-10 14:06:52 +08:00