Darren Shepherd
1cd6f9968c
Drop client-go cloud auth
2025-04-23 13:20:06 -03:00
Abhishek Kr Srivastav
9d10ddb060
Fix Go vet errors for master golang
...
Co-authored-by: Rajalakshmi-Girish <rajalakshmi.girish1@ibm.com>
Co-authored-by: Abhishek Kr Srivastav <Abhishek.kr.srivastav@ibm.com>
2025-01-08 15:11:34 +05:30
Jefftree
e3e56eb1e2
CLE storage and type registration changes
2024-07-24 14:38:11 +00:00
Kubernetes Prow Robot
c2fdeca4ab
Merge pull request #126145 from carlory/kep-3751-api
...
[KEP-3751] Promote VolumeAttributesClass to beta
2024-07-23 13:31:05 -07:00
Kubernetes Prow Robot
e83fca8dd9
Merge pull request #124530 from sttts/sttts-controlplane-plumbing-split
...
Step 12 - Add generic controlplane example
2024-07-23 12:21:02 -07:00
carlory
0260c7d023
Promote VolumeAttributesClass to beta
2024-07-23 13:58:14 +08:00
Dr. Stefan Schimanski
b6aebb0e4b
options/authentication: fix serviceaccount TokenGetter with ServiceAccountTokenNodeBindingValidation
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-07-22 18:21:26 +02:00
Dr. Stefan Schimanski
dc0bcd62e3
options/authentication: revert extra serviceaccount TokenGetter function silently enabling serviceaccounts
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-07-22 18:21:26 +02:00
Patrick Ohly
b51d68bb87
DRA: bump API v1alpha2 -> v1alpha3
...
This is in preparation for revamping the resource.k8s.io completely. Because
there will be no support for transitioning from v1alpha2 to v1alpha3, the
roundtrip test data for that API in 1.29 and 1.30 gets removed.
Repeating the version in the import name of the API packages is not really
required. It was done for a while to support simpler grepping for usage of
alpha APIs, but there are better ways for that now. So during this transition,
"resourceapi" gets used instead of "resourcev1alpha3" and the version gets
dropped from informer and lister imports. The advantage is that the next bump
to v1beta1 will affect fewer source code lines.
Only source code where the version really matters (like API registration)
retains the versioned import.
2024-07-21 17:28:13 +02:00
Kubernetes Prow Robot
0c8b3e5f30
Merge pull request #125986 from vinayakankugoyal/typo
...
Fix typo in error message for anonymous field in AuthenticationConfig…
2024-07-09 20:45:05 -07:00
Vinayak Goyal
27e8923c70
Fix typo in error message for anonymous field in AuthenticationConfiguration.
2024-07-09 21:04:28 +00:00
Kubernetes Prow Robot
51bf5df54a
Merge pull request #125836 from mjudeikis/mjudeikis/auth.token.getter
...
Extend service accounts with optional tokenGetter provider
2024-07-09 00:30:34 -07:00
Mangirdas Judeikis
a72266ff9d
Add test for WithTokenGetter
2024-07-02 17:26:53 +03:00
Mangirdas Judeikis
a15b22cd98
wire in optional tokenGetter provider
2024-07-01 18:09:46 +03:00
Antonio Ojea
29f33bc21d
enable networking v1beta1 features on apiserver storage
2024-06-28 13:16:33 +00:00
Kubernetes Prow Robot
522e2e5066
Merge pull request #124917 from vinayakankugoyal/kep4633
...
KEP-4633: Only allow anonymous auth for configured endpoints.
2024-06-27 20:39:51 -07:00
Vinayak Goyal
5e6a4937f5
KEP-4633: Allow health-only anonymous auth mode.
...
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
2024-06-28 00:30:05 +00:00
Kubernetes Prow Robot
ef1d28aa52
Merge pull request #125177 from liggitt/dynamic-public-key
...
Move public key serviceaccount getter to interface, filter by key id
2024-06-27 11:57:06 -07:00
Siyuan Zhang
403301bfdf
apiserver: Add API emulation versioning.
...
Co-authored-by: Siyuan Zhang <sizhang@google.com>
Co-authored-by: Joe Betz <jpbetz@google.com>
Co-authored-by: Alex Zielenski <zielenski@google.com>
Signed-off-by: Siyuan Zhang <sizhang@google.com>
2024-06-25 22:12:11 +00:00
Jordan Liggitt
3e037070bb
Move public key getter to interface
2024-06-25 18:10:08 -04:00
Jordan Liggitt
c50f68d6ee
Fix structured authorization webhook timeout wiring
2024-06-19 15:36:36 -04:00
Alexander Zielenski
cd41a7d8e1
store validatingadmissionpolicy and bindings at v1
2024-05-29 13:14:51 -07:00
John McGrath
e72788d58e
Revert "DisableServiceLinks admission controller"
2024-05-20 12:20:46 -05:00
Mangirdas Judeikis
b14936f679
move to generics for sets in kubeapiserver
2024-05-12 11:49:42 +03:00
Jan Safranek
e7a6ed2e3d
Remove PersistentVolumeLabel admission plugin
...
Remove useless admission plugin.
* It has been deprecated for years.
* All in-tree cloud providers were removed, so the admission plugin does not have
any way to get PV labels.
* There is a replacement in https://github.com/kubernetes-sigs/cloud-pv-admission-labeler
2024-05-09 11:10:14 +02:00
Dr. Stefan Schimanski
acbb89d9b9
kube-apiserver: split admission initializers into generic and non-generic
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-04-29 23:28:42 +02:00
Marek Siarkowicz
3ee8178768
Cleanup defer from SetFeatureGateDuringTest function call
2024-04-24 20:25:29 +02:00
Kubernetes Prow Robot
6faeecc87d
Merge pull request #122631 from jmcgrath207/disable-service-links
...
DisableServiceLinks admission controller
2024-04-18 00:00:28 -07:00
Kubernetes Prow Robot
8f80e01467
Merge pull request #123719 from enj/enj/f/authn_config_beta
...
Mark StructuredAuthenticationConfiguration feature gate as beta
2024-03-09 17:09:56 -08:00
Anish Ramasekar
62ac88b9ea
Add metrics for authentication config reload
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-03-09 14:40:22 -08:00
Monis Khan
b4935d910d
Add dynamic reload support for authentication configuration
...
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-09 14:29:33 -05:00
Nilekh Chaudhari
91a7708cdc
feat: implements Storage Version Migration API in-tree
...
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
2024-03-08 04:18:56 +00:00
Patrick Ohly
0b6a0d686a
dra api: rename NodeResourceSlice -> ResourceSlice
...
While currently those objects only get published by the kubelet for node-local
resources, this could change once we also support network-attached
resources. Dropping the "Node" prefix enables such a future extension.
The NodeName in ResourceSlice and StructuredResourceHandle then becomes
optional. The kubelet still needs to provide one and it must match its own node
name, otherwise it doesn't have permission to access ResourceSlice objects.
2024-03-07 22:22:55 +01:00
Patrick Ohly
2e34e187c9
node authorizer: lock down access for NodeResourceSlice
...
The kubelet running on one node should not be allowed to access
NodeResourceSlice objects belonging to some other node, as defined by the
NodeResourceSlice.NodeName field.
2024-03-07 16:15:52 +01:00
Kubernetes Prow Robot
05cb0a55c8
Merge pull request #123696 from aramase/aramase/f/kep_3331_v1beta1_api
...
Duplicate v1alpha1 AuthenticationConfiguration to v1beta1
2024-03-06 15:35:28 -08:00
John Mcgrath
edb0287cb1
DisableServiceLinks admission controller
2024-03-06 00:39:23 -06:00
cici37
de506ce7ac
Promote ValidatingAdmissionPolicy to GA.
2024-03-05 16:00:21 -08:00
Jiahui Feng
6b03166bed
update to inject only the list of excluded resources.
2024-03-05 11:11:10 -08:00
Anish Ramasekar
b502aa6f31
Duplicate v1alpha1 AuthenticationConfiguration to v1beta1
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-03-05 09:10:34 -08:00
Monis Khan
bc7aa13bf7
Mark StructuredAuthenticationConfiguration feature gate as beta
...
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-05 11:34:30 -05:00
Kubernetes Prow Robot
26600b17ab
Merge pull request #123561 from enj/enj/i/validate_jwt_sa_iss
...
Prevent conflicts between service account and jwt issuers
2024-03-04 20:07:24 -08:00
Jordan Liggitt
79b344d85e
Add authorization webhook duration/count/failopen metrics
2024-03-04 14:01:15 -05:00
Monis Khan
05e1eff793
Prevent conflicts between service account and jwt issuers
...
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-04 11:40:02 -05:00
Kubernetes Prow Robot
8845c4c657
Merge pull request #123135 from munnerz/4193-beta-promotion
...
KEP-4193: promote ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo and ServiceAccountTokenNodeBindingValidation to beta
2024-03-01 19:48:18 -08:00
Rita Zhang
e76fce7566
add authz webhook matchcondition metrics
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Jordan Liggitt <liggitt@google.com>
Co-authored-by: Jordan Liggitt <liggitt@google.com>
2024-03-01 14:41:27 -08:00
Jiahui Feng
b115df227a
update tests due to change of NewPluginInitializer.
2024-02-28 15:56:14 -08:00
Jiahui Feng
5b1fffa3e4
add resource filter to admission initializer.
2024-02-28 15:31:18 -08:00
Kubernetes Prow Robot
f139450e9b
Merge pull request #122885 from claudiubelu/unittests-10
...
unittests: Fixes unit tests for Windows (part 10)
2024-02-28 05:38:40 -08:00
Jordan Liggitt
d5d3eddb95
Add allowed/denied metrics for authorizers
2024-02-16 08:20:59 -05:00
Kubernetes Prow Robot
66d038d84d
Merge pull request #121946 from liggitt/reload-authz
...
KEP-3221: Implement authorization configuration file reloading
2024-02-15 18:37:13 -08:00