Michael Taufen
b5648c3f61
dynamic Kubelet config reconciles ConfigMap updates
2018-05-21 09:03:58 -07:00
Jordan Liggitt
736f5e2349
Revert "authz: nodes should not be able to delete themselves"
...
This reverts commit 35de82094a.
2018-05-11 09:37:21 -04:00
Jordan Liggitt
8161033be4
Make node restriction admission pod lookups use an informer
2018-05-10 07:53:46 -04:00
Michael Taufen
c41cf55a2c
explicit kubelet config key in Node.Spec.ConfigSource.ConfigMap
...
This makes the Kubelet config key in the ConfigMap an explicit part of
the API, so we can stop using magic key names.
As part of this change, we are retiring ConfigMapRef for ConfigMap.
2018-05-08 15:37:26 -07:00
Mike Danese
35de82094a
authz: nodes should not be able to delete themselves
2018-04-20 10:22:07 -07:00
Michael Taufen
ab8dc12333
node authorizer sets up access rules for dynamic config
...
This PR makes the node authorizer automatically set up access rules for
dynamic Kubelet config.
I also added some validation to the node strategy, which I discovered we
were missing while writing this.
2018-03-27 08:49:45 -07:00
Mike Danese
b43cd7307d
noderestriction: restrict nodes TokenRequest permission
...
nodes should only be able to create TokenRequests if:
* token is bound to a pod
* binding has uid and name
* the pod exists
* the pod is running on that node
2018-02-26 13:46:19 -08:00
Dr. Stefan Schimanski
4e0114b0dd
apiserver: make SecureServingOptions and authz/n options re-usable
2018-02-13 11:16:38 +01:00
NickrenREN
7b9d2c046f
Use v1beta1 VolumeAttachment
2018-01-31 18:46:11 +08:00
Jordan Liggitt
ecfd18e2a6
Add get volumeattachments support to Node authorizer
2018-01-17 00:00:18 -05:00
Jordan Liggitt
ba09fadecf
Plumb versioned informers to authz config
2018-01-16 23:30:53 -05:00
Eric Chiang
ce0a8303d6
integration: add retries to node authorizer tests
2018-01-10 15:55:18 -08:00
Hemant Kumar
1b76b0b2ff
Allow node to update PVC's status
...
Implement node policy feature gates
Add tests for node policy update
2017-11-22 14:32:50 -05:00
Dr. Stefan Schimanski
012b085ac8
pkg/apis/core: mechanical import fixes in dependencies
2017-11-09 12:14:08 +01:00
Dr. Stefan Schimanski
2452afffe0
admission: wire create+update validation func into kube registries
2017-11-02 09:29:16 +01:00
Dr. Stefan Schimanski
7773a30f67
pkg/api/legacyscheme: fixup imports
2017-10-18 17:23:55 +02:00
xilabao
f14c138438
add selfsubjectrulesreview api
2017-09-01 19:09:43 +08:00
Huamin Chen
4525446af2
azure file volume: add secret namespace api
...
Signed-off-by: Huamin Chen <hchen@redhat.com>
2017-08-24 14:49:58 +00:00
Jordan Liggitt
d65610bf2f
Remove default binding of system:node role to system:nodes group
2017-07-26 13:53:14 -04:00
Daniel Fernandes Martins
81ba522bbe
Make NodeRestriction admission allow evictions for bounded pods
2017-07-20 14:20:03 -03:00
Eric Chiang
e2f2ab67f2
*: remove --insecure-allow-any-token option
...
e2e and integration tests have been switched over to the tokenfile
authenticator instead.
```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```
2017-07-18 16:03:15 -07:00
Jordan Liggitt
fc8e915a4b
Add Node authorization mode based on graph of node-related objects
2017-05-30 16:53:03 -04:00