Commit Graph

79 Commits

Author SHA1 Message Date
Kubernetes Submit Queue
270148d7d9
Merge pull request #58684 from hzxuzhonghu/default-enabled-admission
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

set default enabled admission plugins by official document

**What this PR does / why we need it**:

https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use

recommend  running the following set of admission controllers 
```
If you previously had not set the `--admission-control` flag, your cluster behavior may change (to be more standard).  See [https://kubernetes.io/docs/admin/admission-controllers/] for explanation of admission control.
```

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
Set default enabled admission plugins `NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota`
```
2018-02-22 05:24:44 -08:00
hzxuzhonghu
27f3fd2d79 set default enabled admission plugins by official document 2018-02-22 11:02:02 +08:00
Mike Danese
8ad1c6655b add support for /token subresource in serviceaccount registry 2018-02-21 13:16:51 -08:00
Kubernetes Submit Queue
cdbc4fbe20
Merge pull request #58544 from ericchiang/oidc-v2
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

oidc authentication: switch to v2 of coreos/go-oidc

Switch to v2 of [coreos/go-oidc](https://github.com/coreos/go-oidc), which uses square/go-jose to verify tokens and supports more signing algorithms.

Most of this PR removes dependencies used by the older version of github.com/coreos/go-oidc, and updates vendor files.

This PR has been tested against tokens issued by Okta, Google, and CoreOS's dex.

Closes https://github.com/kubernetes/kubernetes/issues/57806

```release-note
kube-apiserver: the OpenID Connect authenticator can now verify ID Tokens signed with JOSE algorithms other than RS256 through the --oidc-signing-algs flag.
kube-apiserver: the OpenID Connect authenticator no longer accepts tokens from the Google v3 token APIs, users must switch to the "https://www.googleapis.com/oauth2/v4/token" endpoint.
```

cc @rithujohn191 @liggitt 
cc @kubernetes/sig-auth-pr-reviews
2018-02-21 09:07:23 -08:00
NickrenREN
dad0fa07b7 rename StorageProtection to StorageObjectInUseProtection 2018-02-21 10:48:56 +08:00
Kubernetes Submit Queue
b3099bcf53
Merge pull request #58097 from steveperry-53/ipv6
Automatic merge from submit-queue (batch tested with PRs 59391, 58097, 60057, 60090). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add IPv6 to command options.

**What this PR does / why we need it**:
This PR adds IPv6 information to the descriptions for several command options.

[Related PR in kubernetes/website](https://github.com/kubernetes/website/pull/6498)

**Release note**:

```release-note
NONE
```
2018-02-20 13:51:32 -08:00
Jeff Grafton
ef56a8d6bb Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
Eric Chiang
48c6d1abf5
oidc authentication: switch to v2 of coreos/go-oidc 2018-02-16 10:57:48 -08:00
steveperry-53
cc7cea74ae Merge branch 'master' into ipv6 2018-02-14 10:45:27 -08:00
Kubernetes Submit Queue
2a8049890a
Merge pull request #59492 from dims/remove-old-keystone-authenticator
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Remove experimental keystone authenticator

**What this PR does / why we need it**:

experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559

So we don't need this older style / hard coded / experimental code
anymore.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
kube-apiserver: the experimental in-tree Keystone password authenticator has been removed in favor of extensions that enable use of Keystone tokens.
```
2018-02-13 14:14:45 -08:00
Dr. Stefan Schimanski
4e0114b0dd apiserver: make SecureServingOptions and authz/n options re-usable 2018-02-13 11:16:38 +01:00
Davanum Srinivas
18590378c4 Remove experimental keystone authenticator
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559

So we don't need this older style / hard coded / experimental code
anymore.
2018-02-07 19:28:55 -05:00
steveperry-53
1a530d1884 Add IPv6 to ref page descriptions. 2018-02-01 19:29:54 +00:00
NickrenREN
cbfa0cc85a reuse PVC protection admission plugin for PV protection 2018-01-31 20:02:01 +08:00
hzxuzhonghu
24c687fdad deprecate insecure http flags and remove already deprecated public-address-override 2018-01-30 16:05:33 +08:00
Kubernetes Submit Queue
26c1a3a8ee
Merge pull request #58595 from CaoShuFeng/LimitPodHardAntiAffinityTopology
Automatic merge from submit-queue (batch tested with PRs 58595, 58689). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fix invalid admission name LimitPodHardAntiAffinityTopology

@hzxuzhonghu 
@sttts 

**Release note**:

```release-note
NONE
```
2018-01-23 09:18:30 -08:00
Cao Shufeng
2a15776b41 fix invalid admission name LimitPodHardAntiAffinityTopology 2018-01-23 10:28:30 +08:00
hzxuzhonghu
eff1f20ff1 run update bazel and staging-godep 2018-01-22 19:10:28 +08:00
hzxuzhonghu
2f403b7ad1 pass APIEnablement through apiserver chain 2018-01-22 19:10:26 +08:00
David Eads
98eb592291 make kube-apiserver admission flag disable other plugins 2018-01-19 08:14:04 -05:00
hzxuzhonghu
5c9e020d7d run update bazel 2018-01-19 13:18:27 +08:00
hzxuzhonghu
82c3d2492c update admission test cases 2018-01-19 13:16:36 +08:00
hzxuzhonghu
7c5f9e0bba refactor admission flag: add two admission flags and make plugins auto in recommended order 2018-01-19 13:16:36 +08:00
Jordan Liggitt
ba09fadecf
Plumb versioned informers to authz config 2018-01-16 23:30:53 -05:00
Jeff Grafton
efee0704c6 Autogenerate BUILD files 2017-12-23 13:12:11 -08:00
Kubernetes Submit Queue
fd826d6e2d
Merge pull request #57257 from brendandburns/typo
Automatic merge from submit-queue (batch tested with PRs 57257, 55442). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix a typo and improve some documentation.

Fix a typo and add some better help docs.
2017-12-20 23:56:47 -08:00
Kubernetes Submit Queue
e0284fab0b
Merge pull request #56691 from sttts/sttts-fix-runtime-config-docs
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kube-apiserver: fix runtime-config flag docs

This `apis/<GV>` syntax must predate API groups? It's not what we support today at least.
2017-12-18 00:29:29 -08:00
Brendan Burns
57e7471729 Fix a typo and improve some documentation. 2017-12-15 20:05:21 +00:00
Davanum Srinivas
31332fa84a Drop using cloud provider to set host address feature
As part of the larger plan to drop --cloud-provider and --cloud-config
from kube-apiserver, we need to stop calling Cloud Provider API to
find the external ip address when one is not specified on the command
line.

When ExternalHost is not specified, we check if AdvertiseAddress is
specified and use that, if that is missing then we use os.Hostname().

When testing this feature, found a problem that when ExternalHost
is specified, the port was not added in the generated URL. So fixed
that as well.
2017-12-05 13:58:20 -06:00
Dr. Stefan Schimanski
fddbff25f6 kube-apiserver: fix runtime-config flag docs 2017-12-01 12:25:50 +01:00
Eric Chiang
df76402906 oidc auth: fix prefix flag plumbing 2017-11-21 14:22:25 -08:00
Davanum Srinivas
6ae7201d74 Deprecate using cloud provider to set host address feature
Long term plan is to remove all uses of cloud provider from kube api
server. As part of that, we need to remove the dependency on
figuring out the host address of the node running the kube api server
using the cloud provider. In this review, we log a warning that this
feature that is usually used for example with swagger generation
will go away in the future.
2017-10-24 17:39:33 -04:00
Dr. Stefan Schimanski
cad0364e73 Update bazel 2017-10-18 17:24:04 +02:00
Dr. Stefan Schimanski
7773a30f67 pkg/api/legacyscheme: fixup imports 2017-10-18 17:23:55 +02:00
Jeff Grafton
aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
Davanum Srinivas
26b11474ca Remove cmd/kubeadm from pkg/controller 2017-10-13 07:06:21 -04:00
Matt Moyer
9bb322f647 Drop --experimental-bootstrap-token-auth flag.
This flag was replaced by `--enable-bootstrap-token-auth` in 1.8 (https://github.com/kubernetes/kubernetes/pull/51198).
2017-09-15 09:54:53 -05:00
Kubernetes Submit Queue
d970eb8f94 Merge pull request #50875 from ericchiang/oidc-claims-prefix
Automatic merge from submit-queue (batch tested with PRs 50579, 50875, 51797, 51807, 51803)

oidc auth: make the OIDC claims prefix configurable

Add the following flags to control the prefixing of usernames and
groups authenticated using OpenID Connect tokens.

	--oidc-username-prefix
	--oidc-groups-prefix

```release-note
The OpenID Connect authenticator can now use a custom prefix, or omit the default prefix, for username and groups claims through the --oidc-username-prefix and --oidc-groups-prefix flags. For example, the authenticator can map a user with the username "jane" to "google:jane" by supplying the "google:" username prefix.
```

Closes https://github.com/kubernetes/kubernetes/issues/50408
Ref https://github.com/kubernetes/kubernetes/issues/31380

cc @grillz @kubernetes/sig-auth-pr-reviews @thomastaylor312 @gtaylor
2017-09-03 08:46:23 -07:00
Kubernetes Submit Queue
432790df88 Merge pull request #51198 from mattmoyer/rename-experimental-bootstrap-token-auth
Automatic merge from submit-queue (batch tested with PRs 50713, 47660, 51198, 51159, 51195)

kubeapiserver: rename `--experimental-bootstrap-token-auth` to `--enable-bootstrap-token-auth`.

#**What this PR does / why we need it**:
This change renames the API server `--experimental-bootstrap-token-auth` flag to `--enable-bootstrap-token-auth`. The old flag is accepted but generates a warning.

In 1.9, we will drop support for `--experimental-bootstrap-token-auth` entirely.

#### Example of the warning log:
```
$ kube-apiserver --experimental-bootstrap-token-auth --etcd-servers https://127.0.0.1:1234 --service-cluster-ip-range 10.0.1.0/24
Flag --experimental-bootstrap-token-auth has been deprecated, use --enable-bootstrap-token-auth instead.
[...]
```

**Which issue this PR fixes** fixes https://github.com/kubernetes/kubernetes/issues/50613

**Release note**:
```release-note
Renamed the API server flag `--experimental-bootstrap-token-auth` to `--enable-bootstrap-token-auth`. The old value is accepted with a warning in 1.8 and will be removed in 1.9.
```

/sig cli
/sig cluster-lifecycle

cc @luxas
2017-08-24 11:17:09 -07:00
Kubernetes Submit Queue
aef39e6f47 Merge pull request #50489 from yujunzhang/Fix-the-typo-of-WithAnonymous
Automatic merge from submit-queue (batch tested with PRs 50489, 51070, 51011, 51022, 51141)

Fix the method name of BuiltInAuthenticationOptions.WithAnyonymous

change the BuiltInAuthenticationOptions.WithAnyonymous to
WithAnonymous would be better.



**What this PR does / why we need it**:
The BuiltInAuthenticationOptions.WithAnyonymous method name should be a meaningful name of  WithAnonymous

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
None
```
2017-08-23 19:54:22 -07:00
Matt Moyer
9dad15e220 kubeapiserver: rename --experimental-bootstrap-token-auth to --enable-bootstrap-token-auth.
This change renames the `--experimental-bootstrap-token-auth` flag to `--enable-bootstrap-token-auth`. The old flag is accepted but generates a warning.

In 1.9, we will drop support for `--experimental-bootstrap-token-auth` entirely.
2017-08-23 11:04:54 -05:00
Eric Chiang
1f8ee7fe13 oidc auth: make the OIDC claims prefix configurable
Add the following flags to control the prefixing of usernames and
groups authenticated using OpenID Connect tokens.

	--oidc-username-prefix
	--oidc-groups-prefix
2017-08-18 09:49:32 -07:00
Kubernetes Submit Queue
42adb9ef25 Merge pull request #50258 from liggitt/token-cache
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)

Enable caching successful token authentication

Resolves #50472

To support revocation of service account tokens, an etcd lookup of the token and service account is done by the token authenticator. Controllers that make dozens or hundreds of API calls per second (like the endpoints controller) cause this lookup to be done very frequently on the same objects.

This PR:
* Implements a cached token authenticator that conforms to the authenticator.Token interface
* Implements a union token authenticator (same approach as the union request authenticator, conforming to the authenticator.Token interface)
* Cleans up the auth chain construction to group all token authenticators (means we only do bearer and websocket header parsing once)
* Adds a 10-second TTL cache to successful token authentication

```release-note
API server authentication now caches successful bearer token authentication results for a few seconds.
```
2017-08-11 14:14:06 -07:00
Jeff Grafton
a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton
33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
zhangyujun
4355d7014d Fix the method name of BuiltInAuthenticationOptions
change the BuiltInAuthenticationOptions.WithAnyonymous to
WithAnonymous would be better.
2017-08-11 14:54:59 +08:00
Jordan Liggitt
0458fac8c0
Simplify bearer token auth chain, cache successful authentications 2017-08-09 23:37:24 -04:00
Davanum Srinivas
f4011d485a Set external hostname in local-up-cluster
If we set --external-hostname, then the api server does not look
in the CloudProviderOptions.DefaultExternalHost method. While we
are at it, let's log an info message, so if there is a failure
the operator gets a hint that they can use --external-hostname
to bypass the lookup in the cloud provider. This will enable us
to set the CLOUD_PROVIDER to openstack for example and not have to
really run api server inside a openstack vm.
2017-07-24 07:58:46 -04:00
Eric Chiang
e2f2ab67f2 *: remove --insecure-allow-any-token option
e2e and integration tests have been switched over to the tokenfile
authenticator instead.

```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```
2017-07-18 16:03:15 -07:00
Kubernetes Submit Queue
6acfb0f868 Merge pull request #47038 from yastij/DefaultExternalHost-for-registredCP
Automatic merge from submit-queue (batch tested with PRs 47038, 47105)

extending DefaultExternalHost for any registred cloud provider

**What this PR does / why we need it**: this PR enables DefaultExternalHost to work with any registered cloud provider.

**Which issue this PR fixes** : fixes #46567 

**Special notes for your reviewer**:

**Release note**:

```release-note
When determining the default external host of the kube apiserver, any configured cloud provider is now consulted
```
2017-06-27 08:29:25 -07:00