Di Xu
48388fec7e
fix all the typos across the project
2018-02-11 11:04:14 +08:00
Cao Shufeng
4b738a7b40
[PSP] always check validated policy first for update operation
...
When updating a pod with the `kubernetes.io/psp` annotation set, we should
check this policy first, because this saved policy is `usually` the
one we are looking for.
2018-01-03 11:08:37 +08:00
Slava Semushin
b1ae1d67b2
admission_test.go(TestAdmitPreferNonmutating): simplify test by replacing shouldPassAdmit by a constant value.
2017-11-24 17:12:53 +01:00
Slava Semushin
2b95212ad3
admission_test.go(TestAdmitPreferNonmutating): simplify test by replacing expectedPodUser by a constant value.
2017-11-24 17:12:48 +01:00
Tim Allclair
9673235583
Optimize PSP authorization
2017-11-22 11:13:07 -08:00
Dr. Stefan Schimanski
3d5849fd54
admission: don't update psp annotation on update
2017-11-13 17:10:17 +01:00
Dr. Stefan Schimanski
b9efab0eb2
admission: split PodSecurityPolicy into mutating and validating part
2017-11-09 15:41:25 +01:00
Dr. Stefan Schimanski
012b085ac8
pkg/apis/core: mechanical import fixes in dependencies
2017-11-09 12:14:08 +01:00
Mike Danese
12125455d8
move authorizers over to new interface
2017-11-03 13:46:28 -07:00
Dr. Stefan Schimanski
2452afffe0
admission: wire create+update validation func into kube registries
2017-11-02 09:29:16 +01:00
Kubernetes Submit Queue
2d914ee703
Merge pull request #53984 from sttts/sttts-legacyscheme
...
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md
pkg/api: extract Scheme/Registry/Codecs into pkg/api/legacyscheme
This serves as
- a preparation for the pkg/api->pkg/apis/core move
- and makes the dependency to the scheme explicit when visualizing
left dependencies.
The latter helps with our efforts to split up the monolithic repo
into self-contained sub-repos, e.g. for kubectl, controller-manager
and kube-apiserver in the future.
2017-10-18 10:49:10 -07:00
Dr. Stefan Schimanski
7773a30f67
pkg/api/legacyscheme: fixup imports
2017-10-18 17:23:55 +02:00
Slava Semushin
1a3a2d47c8
admission_test.go: remove unused createNamespaceForTest() and createSAForTest() functions.
2017-10-17 12:03:46 +02:00
Jordan Liggitt
8c5b01376a
PodSecurityPolicy: Order by name, prefer non-mutating policies, require *api.Pod, allow GC updates
2017-10-16 02:22:11 -04:00
Jordan Liggitt
abc7c077e1
PodSecurityPolicy: avoid unnecessary mutation of supplemental groups
2017-10-16 02:21:10 -04:00
Jordan Liggitt
b45b809f4c
PodSecurityPolicy: Do not mutate nil privileged field to false
2017-10-16 02:21:10 -04:00
Slava Semushin
9015a82692
PodSecurityPolicy.allowedCapabilities: add support for using * to allow to request any capabilities.
...
Also modify "privileged" PSP to use it and allow privileged users to use
any capabilities.
2017-09-06 12:18:09 +02:00
mbohlool
c91a12d205
Remove all references to types.UnixUserID and types.UnixGroupID
2017-06-21 04:09:07 -07:00
p0lyn0mial
d0e89577db
Simply changed the names of packages of some admission plugins.
2017-06-05 22:23:42 +02:00
Jamie Hannaford
9440a68744
Use dedicated Unix User and Group ID types
2017-05-05 14:07:38 +02:00
Chao Xu
08aa712a6c
move helpers.go to helper
2017-04-11 15:49:11 -07:00
Jordan Liggitt
5d839d0d0b
Avoid nil user special-casing in unsecured endpoint
2017-03-31 13:28:59 -04:00
Jordan Liggitt
829e6f6cfb
Include pod namespace in PSP 'use' authorization check
2017-03-24 15:14:52 -04:00
Jordan Liggitt
dd7561801a
Authorize PSP usage for pods without service accounts
2017-03-21 19:54:39 -04:00
Andy Goldstein
022bff7fbe
Switch admission to use shared informers
2017-02-23 11:16:09 -05:00
deads2k
b0b156b381
make tools/cache authoritative
2017-01-25 08:29:45 -05:00
deads2k
01b3b2b461
move admission to genericapiserver
2017-01-18 08:15:19 -05:00
Clayton Coleman
9a2a50cda7
refactor: use metav1.ObjectMeta in other types
2017-01-17 16:17:19 -05:00
Clayton Coleman
36acd90aba
Move APIs and core code to use metav1.ObjectMeta
2017-01-17 16:17:18 -05:00
deads2k
6a4d5cd7cc
start the apimachinery repo
2017-01-11 09:09:48 -05:00
deads2k
4d7fcae85a
mechanicals
2017-01-05 11:14:27 -05:00
deads2k
ca58ec0237
mechanical changes for move
2017-01-04 10:27:05 -05:00
deads2k
2861509b6d
refactored admission to avoid internal client references
2017-01-03 15:50:12 -05:00
Chao Xu
1044aa4500
plugin/admission; including resourcequota admission
2016-11-23 15:53:09 -08:00
pweil-
bbe9c8f96d
add authz checks to allowed policies admission
2016-11-08 08:36:27 -05:00
pweil-
49e14744db
support seccomp in psp
2016-10-17 14:49:02 -04:00
Dr. Stefan Schimanski
4cc1e63856
Complete sysctl PSP tests
2016-09-30 17:56:11 +02:00
Dr. Stefan Schimanski
a62a64550c
Cosmetical fixes for sysctl psp
2016-09-30 17:56:11 +02:00
Dr. Stefan Schimanski
ed36baed20
Add sysctl PodSecurityPolicy support
2016-08-25 13:22:01 +02:00
Tim St. Clair
293770ef31
AppArmor PodSecurityPolicy implementation
2016-08-21 23:10:45 -07:00
Clayton Coleman
affd79fdc0
InitContainers are not checked for hostPort ranges
...
PodSecurityPolicy must verify that host port ranges are guarded on init
containers.
2016-07-20 23:19:34 -04:00
David McMahon
ef0c9f0c5b
Remove "All rights reserved" from all the headers.
2016-06-29 17:47:36 -07:00
Oleg Shaldybin
3b15d5be19
Use correct namespace in unit tests that use fake clientset
...
Fake clientset no longer needs to be prepopulated with records: keeping
them in leads to the name conflict on creates. Also, since fake
clientset now respects namespaces, we need to correctly populate them.
2016-06-28 11:26:34 -07:00
Jordan Liggitt
29252acd1a
Change rest storage Update interface to retrieve updated object
...
Add OldObject to admission attributes
Update resthandler Patch/Update admission plumbing
2016-05-23 21:09:26 -04:00
Clayton Coleman
e2afc97587
Add init containers to PSP admission
...
Treat them just like regular containers.
2016-05-18 22:32:22 -04:00
Paul Weil
4970f0c02d
PSP admission
2016-05-11 18:07:36 -04:00