Commit Graph

46 Commits

Author SHA1 Message Date
Di Xu
48388fec7e fix all the typos across the project 2018-02-11 11:04:14 +08:00
Cao Shufeng
4b738a7b40 [PSP] always check validated policy first for update operation
When updating a pod with the `kubernetes.io/psp` annotation set, we should
check this policy first, because this saved policy is `usually` the
one we are looking for.
2018-01-03 11:08:37 +08:00
Slava Semushin
b1ae1d67b2 admission_test.go(TestAdmitPreferNonmutating): simplify test by replacing shouldPassAdmit by a constant value. 2017-11-24 17:12:53 +01:00
Slava Semushin
2b95212ad3 admission_test.go(TestAdmitPreferNonmutating): simplify test by replacing expectedPodUser by a constant value. 2017-11-24 17:12:48 +01:00
Tim Allclair
9673235583 Optimize PSP authorization 2017-11-22 11:13:07 -08:00
Dr. Stefan Schimanski
3d5849fd54 admission: don't update psp annotation on update 2017-11-13 17:10:17 +01:00
Dr. Stefan Schimanski
b9efab0eb2 admission: split PodSecurityPolicy into mutating and validating part 2017-11-09 15:41:25 +01:00
Dr. Stefan Schimanski
012b085ac8 pkg/apis/core: mechanical import fixes in dependencies 2017-11-09 12:14:08 +01:00
Mike Danese
12125455d8 move authorizers over to new interface 2017-11-03 13:46:28 -07:00
Dr. Stefan Schimanski
2452afffe0 admission: wire create+update validation func into kube registries 2017-11-02 09:29:16 +01:00
Kubernetes Submit Queue
2d914ee703 Merge pull request #53984 from sttts/sttts-legacyscheme
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

pkg/api: extract Scheme/Registry/Codecs into pkg/api/legacyscheme

This serves as

- a preparation for the pkg/api->pkg/apis/core move
- and makes the dependency to the scheme explicit when visualizing
  left dependencies.

The latter helps with our efforts to split up the monolithic repo
into self-contained sub-repos, e.g. for kubectl, controller-manager
and kube-apiserver in the future.
2017-10-18 10:49:10 -07:00
Dr. Stefan Schimanski
7773a30f67 pkg/api/legacyscheme: fixup imports 2017-10-18 17:23:55 +02:00
Slava Semushin
1a3a2d47c8 admission_test.go: remove unused createNamespaceForTest() and createSAForTest() functions. 2017-10-17 12:03:46 +02:00
Jordan Liggitt
8c5b01376a PodSecurityPolicy: Order by name, prefer non-mutating policies, require *api.Pod, allow GC updates 2017-10-16 02:22:11 -04:00
Jordan Liggitt
abc7c077e1 PodSecurityPolicy: avoid unnecessary mutation of supplemental groups 2017-10-16 02:21:10 -04:00
Jordan Liggitt
b45b809f4c PodSecurityPolicy: Do not mutate nil privileged field to false 2017-10-16 02:21:10 -04:00
Slava Semushin
9015a82692 PodSecurityPolicy.allowedCapabilities: add support for using * to allow to request any capabilities.
Also modify "privileged" PSP to use it and allow privileged users to use
any capabilities.
2017-09-06 12:18:09 +02:00
mbohlool
c91a12d205 Remove all references to types.UnixUserID and types.UnixGroupID 2017-06-21 04:09:07 -07:00
p0lyn0mial
d0e89577db Simply changed the names of packages of some admission plugins. 2017-06-05 22:23:42 +02:00
Jamie Hannaford
9440a68744 Use dedicated Unix User and Group ID types 2017-05-05 14:07:38 +02:00
Chao Xu
08aa712a6c move helpers.go to helper 2017-04-11 15:49:11 -07:00
Jordan Liggitt
5d839d0d0b Avoid nil user special-casing in unsecured endpoint 2017-03-31 13:28:59 -04:00
Jordan Liggitt
829e6f6cfb Include pod namespace in PSP 'use' authorization check 2017-03-24 15:14:52 -04:00
Jordan Liggitt
dd7561801a Authorize PSP usage for pods without service accounts 2017-03-21 19:54:39 -04:00
Andy Goldstein
022bff7fbe Switch admission to use shared informers 2017-02-23 11:16:09 -05:00
deads2k
b0b156b381 make tools/cache authoritative 2017-01-25 08:29:45 -05:00
deads2k
01b3b2b461 move admission to genericapiserver 2017-01-18 08:15:19 -05:00
Clayton Coleman
9a2a50cda7 refactor: use metav1.ObjectMeta in other types 2017-01-17 16:17:19 -05:00
Clayton Coleman
36acd90aba Move APIs and core code to use metav1.ObjectMeta 2017-01-17 16:17:18 -05:00
deads2k
6a4d5cd7cc start the apimachinery repo 2017-01-11 09:09:48 -05:00
deads2k
4d7fcae85a mechanicals 2017-01-05 11:14:27 -05:00
deads2k
ca58ec0237 mechanical changes for move 2017-01-04 10:27:05 -05:00
deads2k
2861509b6d refactored admission to avoid internal client references 2017-01-03 15:50:12 -05:00
Chao Xu
1044aa4500 plugin/admission; including resourcequota admission 2016-11-23 15:53:09 -08:00
pweil-
bbe9c8f96d add authz checks to allowed policies admission 2016-11-08 08:36:27 -05:00
pweil-
49e14744db support seccomp in psp 2016-10-17 14:49:02 -04:00
Dr. Stefan Schimanski
4cc1e63856 Complete sysctl PSP tests 2016-09-30 17:56:11 +02:00
Dr. Stefan Schimanski
a62a64550c Cosmetical fixes for sysctl psp 2016-09-30 17:56:11 +02:00
Dr. Stefan Schimanski
ed36baed20 Add sysctl PodSecurityPolicy support 2016-08-25 13:22:01 +02:00
Tim St. Clair
293770ef31 AppArmor PodSecurityPolicy implementation 2016-08-21 23:10:45 -07:00
Clayton Coleman
affd79fdc0 InitContainers are not checked for hostPort ranges
PodSecurityPolicy must verify that host port ranges are guarded on init
containers.
2016-07-20 23:19:34 -04:00
David McMahon
ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
Oleg Shaldybin
3b15d5be19 Use correct namespace in unit tests that use fake clientset
Fake clientset no longer needs to be prepopulated with records: keeping
them in leads to the name conflict on creates. Also, since fake
clientset now respects namespaces, we need to correctly populate them.
2016-06-28 11:26:34 -07:00
Jordan Liggitt
29252acd1a Change rest storage Update interface to retrieve updated object
Add OldObject to admission attributes

Update resthandler Patch/Update admission plumbing
2016-05-23 21:09:26 -04:00
Clayton Coleman
e2afc97587 Add init containers to PSP admission
Treat them just like regular containers.
2016-05-18 22:32:22 -04:00
Paul Weil
4970f0c02d PSP admission 2016-05-11 18:07:36 -04:00