github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
62,849 Commits 1 Branch 31 Tags 1,019 MiB
31b4719066
Commit Graph

91 Commits

Author SHA1 Message Date
Mike Danese
024f57affe implement token authenticator for new id tokens 2018-02-27 17:20:46 -08:00
Mike Danese
b43cd7307d noderestriction: restrict nodes TokenRequest permission 
nodes should only be able to create TokenRequests if:
* token is bound to a pod
* binding has uid and name
* the pod exists
* the pod is running on that node
 2018-02-26 13:46:19 -08:00
Mike Danese
b2ceeedd67 tokenrequest: tokens bound to pods running as other svcaccts 2018-02-24 22:18:24 -08:00
Mike Danese
32bf28daed integration: refactor, cleanup, and add more tests for TokenRequest 2018-02-23 14:59:35 -08:00
Kubernetes Submit Queue
8b94ae8ca8
Merge pull request #58111 from mikedanese/id-registry 
Automatic merge from submit-queue (batch tested with PRs 60158, 60156, 58111, 57583, 60055). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

add support for /token subresource in serviceaccount registry

I'm planning on implementing the registry bits (this) in one PR and followup with an authenticator that supports new id tokens.

https://github.com/kubernetes/kubernetes/issues/58790

@kubernetes/sig-auth-pr-reviews 

```release-note
NONE
```
 2018-02-21 22:10:31 -08:00
Mike Danese
8ad1c6655b add support for /token subresource in serviceaccount registry 2018-02-21 13:16:51 -08:00
Mike Danese
7b4722964d remove deprecated /proxy paths 
These were depercated in v1.2.
 2018-02-20 14:42:19 -08:00
Jeff Grafton
ef56a8d6bb Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
Dr. Stefan Schimanski
4e0114b0dd apiserver: make SecureServingOptions and authz/n options re-usable 2018-02-13 11:16:38 +01:00
NickrenREN
7b9d2c046f Use v1beta1 VolumeAttachment 2018-01-31 18:46:11 +08:00
Kubernetes Submit Queue
621f3f3c0a
Merge pull request #58360 from liggitt/csi-node-authorizer 
Automatic merge from submit-queue (batch tested with PRs 58488, 58360). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add get volumeattachment to the node authorizer

Fixes #58355

Adds `get volumeattachment` authorization for nodes to the node authorizer when the CSI feature is enabled

```release-note
NONE
```
 2018-01-18 20:55:34 -08:00
Gavin
f653d02b05 create auto-gen files 2018-01-17 16:23:03 +08:00
Gavin
bb5e156aba Add generic Bootstrap Token constants and helpers to client-go 2018-01-17 16:22:37 +08:00
Jordan Liggitt
ecfd18e2a6
Add get volumeattachments support to Node authorizer 2018-01-17 00:00:18 -05:00
Jordan Liggitt
ba09fadecf
Plumb versioned informers to authz config 2018-01-16 23:30:53 -05:00
Eric Chiang
ce0a8303d6 integration: add retries to node authorizer tests 2018-01-10 15:55:18 -08:00
Hemant Kumar
1b76b0b2ff Allow node to update PVC's status 
Implement node policy feature gates
Add tests for node policy update
 2017-11-22 14:32:50 -05:00
Dr. Stefan Schimanski
bec617f3cc Update generated files 2017-11-09 12:14:08 +01:00
Dr. Stefan Schimanski
012b085ac8 pkg/apis/core: mechanical import fixes in dependencies 2017-11-09 12:14:08 +01:00
Mike Danese
12125455d8 move authorizers over to new interface 2017-11-03 13:46:28 -07:00
Dr. Stefan Schimanski
2452afffe0 admission: wire create+update validation func into kube registries 2017-11-02 09:29:16 +01:00
Dr. Stefan Schimanski
cad0364e73 Update bazel 2017-10-18 17:24:04 +02:00
Dr. Stefan Schimanski
7773a30f67 pkg/api/legacyscheme: fixup imports 2017-10-18 17:23:55 +02:00
Jeff Grafton
aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
Jordan Liggitt
e45ed2d5b9
fix typo in health check url 2017-10-03 16:44:38 -04:00
Dr. Stefan Schimanski
7d09148ad7 apiserver: separate apiserver specific configs into ExtraConfig 2017-09-08 14:16:09 +02:00
xilabao
f14c138438 add selfsubjectrulesreview api 2017-09-01 19:09:43 +08:00
Huamin Chen
4525446af2 azure file volume: add secret namespace api 
Signed-off-by: Huamin Chen <hchen@redhat.com>
 2017-08-24 14:49:58 +00:00
Jeff Grafton
a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton
33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
Jordan Liggitt
dd7be70a4a
Add rbac.authorization.k8s.io/v1 2017-08-09 17:04:54 -04:00
Jordan Liggitt
d65610bf2f
Remove default binding of system:node role to system:nodes group 2017-07-26 13:53:14 -04:00
Kubernetes Submit Queue
4d2a721223 Merge pull request #48707 from danielfm/node-restriction-pod-eviction-subresource 
Automatic merge from submit-queue

Allow nodes to create evictions for its own pods in NodeRestriction admission controller

**What this PR does / why we need it**: This PR adds support for `pods/eviction` sub-resource to the NodeRestriction admission controller so it allows a node to evict pods bound to itself.

**Which issue this PR fixes**: fixes #48666

**Special notes for your reviewer**: The NodeRestriction already allows nodes to delete pods bound to itself, so allowing nodes to also delete pods via the Eviction API probably makes sense.

```release-note
NodeRestriction allows a node to evict pods bound to itself
```
 2017-07-23 04:16:51 -07:00
Daniel Fernandes Martins
81ba522bbe Make NodeRestriction admission allow evictions for bounded pods 2017-07-20 14:20:03 -03:00
Haoran Wang
f02008338f add integration testing for bootstrap token auth 2017-07-20 22:34:21 +08:00
Eric Chiang
e2f2ab67f2 *: remove --insecure-allow-any-token option 
e2e and integration tests have been switched over to the tokenfile
authenticator instead.

```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```
 2017-07-18 16:03:15 -07:00
Jacob Simpson
8bcbbd4d08 Migrate api.Registry to testapi.Groups in tests. 2017-07-17 15:05:38 -07:00
Mike Danese
6ae11fdc5d use testmain in integration tests 2017-07-12 17:34:55 -07:00
Chao Xu
60604f8818 run hack/update-all 2017-06-22 11:31:03 -07:00
Chao Xu
cde4772928 run ./root-rewrite-all-other-apis.sh, then run make all, pkg/... compiles 2017-06-22 11:30:52 -07:00
Jordan Liggitt
fc8e915a4b
Add Node authorization mode based on graph of node-related objects 2017-05-30 16:53:03 -04:00
deads2k
be39283923 plumb stopch to post start hook index since many of them are starting go funcs 2017-05-11 09:16:13 -04:00
Mike Danese
21617a60ae don't use build tags to mark integration tests 2017-04-28 14:19:39 -07:00
Jordan Liggitt
7f4e5c5676
Use namespace from context 2017-03-07 14:02:13 -05:00
Jordan Liggitt
2a76fa1c8f
Switch RBAC subject apiVersion to apiGroup in v1beta1 2017-02-13 15:33:09 -05:00
Dr. Stefan Schimanski
536460e1d9 Mechanical fixup imports: pkg/genericapiserver 2017-02-03 08:15:45 +01:00
deads2k
0d8e6b8500 move genericapiserver authenticator and authorizer factories 2017-01-26 08:50:47 -05:00
Dr. Stefan Schimanski
4077e0bba7 genericapiserver: move authn plugins into k8s.io/apiserver 2017-01-24 20:56:03 +01:00
Clayton Coleman
469df12038
refactor: move ListOptions references to metav1 2017-01-23 17:52:46 -05:00
deads2k
ee6752ef20 find and replace 2017-01-20 08:04:53 -05:00