github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
85,461 Commits 1 Branch 31 Tags
1234290adfa11eb3dd34242c296e1f1dbe211c19
Commit Graph

406 Commits

Author SHA1 Message Date
wojtekt
ffad401b4e Promote NodeLease feature to GA 2019-11-05 09:01:12 +01:00
wojtekt
fafbad45aa Update bootstrappolicy RBAC rules for migration to lease API 2019-10-28 09:09:03 +01:00
Kubernetes Prow Robot
a3560d3ad9 Merge pull request #84282 from yutedz/rm-csi-rbac-roles 
Remove deprecated CSI RBAC roles
 2019-10-24 22:56:14 -07:00
Ted Yu
13596e5249 Remove obsolete CSI RBAC roles 2019-10-24 05:33:02 -07:00
Jacek Kaniuk
e6e026f1ad Allow pod-garbage-collector to get nodes 2019-10-23 16:54:38 +02:00
Jordan Liggitt
92eb072989 Propagate context to Authorize() calls 2019-09-24 11:14:54 -04:00
Kubernetes Prow Robot
0ff92e36f2 Merge pull request #82153 from robscott/endpointslice-rbac 
Adding EndpointSlice RBAC for node-proxier/kube-proxy
 2019-08-30 13:05:14 -07:00
Kubernetes Prow Robot
7acb066dbc Merge pull request #81969 from logicalhan/livez 
add `/livez` endpoint for liveness probing on the kube-apiserver
 2019-08-29 19:56:31 -07:00
Rob Scott
1f5070e81c Adding EndpointSlice RBAC for node-proxier/kube-proxy 2019-08-29 16:55:18 -07:00
Han Kang
aa1b2d6d35 add /livez as a liveness endpoint for kube-apiserver 
go fmt

make func private

refactor config_test

Two primary refactorings:

1. config test checkPath method is now each a distinct test
run (which makes it easier to see what is actually failing)

2. TestNewWithDelegate's root path check now parses the json output and
does a comparison against a list of expected paths (no more whitespace
and ordering issues when updating this test, yay).

go fmt

modify and simplify existing integration test for readyz/livez

simplify integration test

set default rbac policy rules for livez

rename a few functions and the entrypoint command line argument (and etcetera)

simplify interface for installing readyz and livez and make auto-register completion a bootstrapped check

untangle some of the nested functions, restructure the code
 2019-08-29 14:13:19 -07:00
Rob Scott
75f6c24923 Adding EndpointSlice controller 2019-08-28 21:13:27 -07:00
Jordan Liggitt
8b155e82d8 Use the escalate verb for clusterroleaggregator rather than cluster-admin permissions 2019-08-08 17:59:12 -04:00
Kirill Shirinkin
5e9da75df2 Allow aggregate-to-view roles to get jobs status (#77866) 
* Allow aggregate-to-edit roles to get jobs status

Right now users/accounts with role `admin` or `edit` can create, update and delete jobs, but are not allowed to pull the status of a job that they create.  This change extends `aggregate-to-edit` rules to include `jobs/status`.

* Move jobs/status to aggregate-to-view rules

* Add aggregate-to-view policy to view PVCs status

* Update fixtures to include new read permissions

* Add more status subresources

* Update cluster-roles.yaml

* Re-order deployment permissions

* Run go fmt

* Add more permissions

* Fix tests

* Re-order permissions in test data

* Automatically update yamls
 2019-07-26 11:59:22 -07:00
Yassine TIJANI
a024d48eba add rbac for events.k8s.io apiGroup to system:kube-scheduler 
Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
 2019-07-11 16:10:32 +02:00
Fabio Bertinatto
00b0ab86af Update scheduler to use volume limits from CSINode 2019-06-25 16:30:54 +02:00
Kubernetes Prow Robot
ad095324bf Merge pull request #79309 from draveness/feature/cleanup-CSIPersistentVolume-feature-gates 
feat: cleanup feature gates for CSIPersistentVolume
 2019-06-25 01:15:03 -07:00
draveness
8e9472ba79 feat: cleanup feature gates for CSIPersistentVolume 2019-06-25 09:00:12 +08:00
draveness
35bc5dc6b6 feat: cleanup feature gates for KubeletPluginsWatcher 2019-06-23 16:59:36 +08:00
Han Kang
54dcf5c9c4 add readyz endpoint for kube-apiserver readiness checks 
add startup sequence duration and readyz endpoint

add rbac bootstrapping policy for readyz

add integration test around grace period and readyz

rename startup sequence duration flag

copy health checks to fields

rename health-check installed boolean, refactor clock injection logic

cleanup clock injection code

remove todo about poststarthook url registration from healthz
 2019-06-17 11:16:13 -07:00
Morten Torkildsen
f1883c9e8c Support scale subresource for PDBs (#76294) 
* Support scale subresource for PDBs

* Check group in finder functions

* Small fixes and more tests
 2019-05-23 22:24:17 -07:00
Kubernetes Prow Robot
d5876954e1 Merge pull request #76178 from humblec/endpoint 
Create endpoint/service early to avoid unwanted create/delete volume transaction.
 2019-05-22 09:58:09 -07:00
Zihong Zheng
bff5f08e19 Allow service controller role to patch service status 
Co-authored-by: Josh Horwitz <horwitzja@gmail.com>
 2019-05-16 17:30:43 -07:00
Andrew Kim
c919139245 update import of generic featuregate code from k8s.io/apiserver/pkg/util/feature -> k8s.io/component-base/featuregate 2019-05-08 10:01:50 -04:00
Humble Chirammal
7544b53693 Create endpoint/service early to avoid unwanted create/delete volume transaction. 
At times, for some reason endpoint/service creation can fail in a setup. As we
currently create endpoint/service after volume creation, later we need rollback
of this volume transaction if endpoint/service creation failed. Considering
endpoint/service creation is light weight, this patch promote endpoint/service
creation to an early stage.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
 2019-04-10 19:06:27 +05:30
Guoliang Wang
128fd8843d Move cloud-specific roles out of RBAC bootstrap 2019-04-02 19:17:53 +08:00
Kubernetes Prow Robot
531dbd409f Merge pull request #75445 from shinytang6/enhance/fmt 
Replace all time.Now().Sub with time.Since
 2019-03-26 13:55:17 -07:00
WanLinghao
244b244f9d Migrate the controller to use TokenRequest and rotate token periodically 2019-03-25 14:54:22 +08:00
shinytang6
5c9f4d9dc6 replace time.Now().Sub with time.Since 2019-03-21 18:02:55 +08:00
Tim Allclair
0604256d6c Update tests for RuntimeClass beta 2019-03-08 13:21:52 -08:00
David Zhu
41b3579345 Address review comments 2019-03-07 17:17:09 -08:00
David Zhu
7d2f4e97b8 Add ADC Fallback if Node doesn't have driver installed 2019-03-07 14:47:38 -08:00
Kubernetes Prow Robot
6c31101257 Merge pull request #74283 from xing-yang/csi_crd_controller 
CSINodeInfo and CSIDriver Controller Changes
 2019-03-05 04:44:42 -08:00
Kubernetes Prow Robot
02bd34e7b0 Merge pull request #74531 from liggitt/ingress-rbac 
Update RBAC roles for networking.k8s.io ingresses
 2019-03-05 00:48:01 -08:00
Xing Yang
85867e5625 Modify node admission and node authorizer 2019-03-04 16:42:12 -08:00
Kubernetes Prow Robot
f16035600a Merge pull request #73807 from dekkagaijin/discovery-hardening 
harden the default RBAC discovery clusterrolebindings
 2019-03-01 21:49:30 -08:00
Jake Sanders
9c7d31928d harden the default RBAC discovery clusterrolebindings 2019-03-01 18:45:05 -08:00
Andrew Kim
01933b02a3 replace usage of v1beta1 VolumeAttachments with v1 2019-02-27 15:42:12 -05:00
Jordan Liggitt
85165b40fa Update RBAC roles for networking.k8s.io ingresses 2019-02-25 11:40:44 -05:00
Kubernetes Prow Robot
834c9a5e3d Merge pull request #72491 from liggitt/delegated-auth-permissions 
Ensure controller manager and scheduler can perform delegated auth checks
 2019-02-08 11:53:52 -08:00
Jordan Liggitt
4212a9a05a Ensure controller manager and scheduler can perform delegated auth checks 2019-02-08 11:15:52 -05:00
Roy Lenferink
b43c04452f Updated OWNERS files to include link to docs 2019-02-04 22:33:12 +01:00
Jordan Liggitt
52519ecb1c remove deprecated openapi paths in favor of /openapi/v2 2019-01-21 16:33:41 -05:00
Jordan Liggitt
9229399bd6 Remove build/verify scripts for swagger 1.2 API docs, API server swagger ui / swagger 1.2 config 2019-01-15 13:33:06 -05:00
Jordan Liggitt
73dcfe12da Stop checking VolumeScheduling feature gate 2018-12-27 17:45:45 -05:00
wojtekt
546ece7b2c Promote NodeLease to Beta and enable by default 2018-12-17 10:19:22 +01:00
k8s-ci-robot
5289fab2f6 Merge pull request #71396 from liggitt/forbidden-messages 
Improve node authorizer and noderestriction forbidden messages
 2018-11-30 00:04:46 -08:00
WanLinghao
0bab5ee5ad Currently the root-ca-cert-publisher was shadowed by BoundServiceAccountTokenVolume feature gate. 
But its corresponding bootstrap RBAC policy was shadowed by TokenRequest feature gate.
This patch fix it.
 2018-11-27 11:44:35 +08:00
Jordan Liggitt
16e355791f Improve node authorizer and noderestriction forbidden messages 2018-11-24 09:31:10 -05:00
Jordan Liggitt
8d7cc39031 Remove self-deletion permissions from kubelets 2018-11-14 00:42:06 -05:00
k8s-ci-robot
94c5953904 Merge pull request #70699 from liggitt/controllerrevisions 
Include read access to controllerrevisions for admin/edit/view roles
 2018-11-11 21:17:39 -08:00