github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
42,037 Commits 1 Branch 31 Tags
36acd90aba36c9af95999a55fb0eb49afab05e2e
Commit Graph

111 Commits

Author SHA1 Message Date
Clayton Coleman
36acd90aba Move APIs and core code to use metav1.ObjectMeta 2017-01-17 16:17:18 -05:00
Kubernetes Submit Queue
fc8e029f8f Merge pull request #40034 from liggitt/node-bootstrapper-role 
Automatic merge from submit-queue

Add node TLS bootstrapping role

Adds a role describing permissions needed to complete the kubelet client bootstrap flow. Needed by kubeadm in https://github.com/kubernetes/kubernetes/pull/39846#discussion_r96491471
 2017-01-17 12:44:24 -08:00
Jordan Liggitt
d11f5a0a20 Add node TLS bootstrapping role 2017-01-17 14:31:34 -05:00
deads2k
b2586830c3 add heapster role 2017-01-17 11:27:57 -05:00
Kubernetes Submit Queue
6cd0592a46 Merge pull request #39963 from deads2k/rbac-39-permissions 
Automatic merge from submit-queue

add patch RS to deployment controller

Found in http://gcsweb.k8s.io/gcs/kubernetes-jenkins/logs/ci-kubernetes-e2e-gci-gce/2841/artifacts/bootstrap-e2e-master/, `RBAC DENY: user "system:serviceaccount:kube-system:deployment-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "patch" on "replicasets.extensions/" in namespace "e2e-tests-deployment-3rj5g"
`

@kubernetes/sig-auth-misc
 2017-01-16 12:15:16 -08:00
Kubernetes Submit Queue
8ab0519160 Merge pull request #39961 from liggitt/patch-permissions 
Automatic merge from submit-queue

Give replicaset controller patch permission on pods

Needed for AdoptPod/ReleasePod

Fixes denials seen in autoscaling test log:
`RBAC DENY: user "system:serviceaccount:kube-system:replicaset-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "patch" on "pods./"`
 2017-01-16 11:23:40 -08:00
deads2k
56c0ae6456 add patch RS to deployment controller 2017-01-16 12:44:25 -05:00
Jordan Liggitt
4eee0b2b41 Give replicaset controller patch permission on pods 
Needed for AdoptPod/ReleasePod
 2017-01-16 12:32:37 -05:00
Kubernetes Submit Queue
8fa23586cf Merge pull request #39918 from liggitt/e2e-examples-permissions 
Automatic merge from submit-queue

Fix examples e2e permission check

Ref #39382
Follow-up from #39896

Permission check should be done within the e2e test namespace, not cluster-wide

Also improved RBAC audit logging to make the scope of the permission check clearer
 2017-01-16 06:30:29 -08:00
Kubernetes Submit Queue
eb9f953496 Merge pull request #39876 from deads2k/generic-20-deps-03 
Automatic merge from submit-queue

move more things to apiserver

```
pkg/genericapiserver/api/handlers/negotiation/ -> apiserver/pkg/handlers/negotiation
pkg/genericapiserver/api/metrics -> apiserver/pkg/metrics
pkg/genericapiserver/api/request -> apiserver/pkg/request
pkg/util/wsstream -> apiserver/pkg/util/wsstream
plugin/pkg/auth/authenticator/request/headerrequest -> apiserver/pkg/authentication/request/headerrequest
plugin/pkg/webhook -> apiserver/pkg/webhook
```

and mechanicals.

`k8s.io/kubernetes/pkg/genericapiserver/routes/data/swagger` needs to be sorted out.
 2017-01-16 04:14:37 -08:00
Jordan Liggitt
7f81e2e4ac Improve RBAC denial audit logging 2017-01-14 17:31:58 -05:00
Kubernetes Submit Queue
f21a0f03c3 Merge pull request #39905 from mikedanese/cert-rbac 
Automatic merge from submit-queue

add rbac role for certificate-controller

@liggitt @jcbsmpsn @pipejakob
 2017-01-14 07:46:11 -08:00
Mike Danese
f3e97d522d add rbac role for certificate-controller 2017-01-13 17:40:24 -08:00
deads2k
31b6ba4e94 mechanicals 2017-01-13 16:33:09 -05:00
deads2k
633e9d98fc use apimachinery packages instead of client-go packages 2017-01-13 14:04:54 -05:00
deads2k
f1176d9c5c mechanical repercussions 2017-01-13 08:27:14 -05:00
Kubernetes Submit Queue
8d4cc53175 Merge pull request #39483 from deads2k/generic-15-deps-02-for-real 
Automatic merge from submit-queue

move no k8s.io/kubernetes dep packages for genericapiserver

Move the next set of no-dep packages for genericapiserver.  Feel the ratchet click!

```
k8s.io/kubernetes/pkg/auth/authenticator/bearertoken -> k8s.io/apiserver/pkg/authentication/request/bearertoken
k8s.io/kubernetes/pkg/auth/authorizer/union -> k8s.io/apiserver/pkg/authorization/union
k8s.io/kubernetes/pkg/auth/group -> k8s.io/apiserver/pkg/authentication/group
k8s.io/kubernetes/pkg/httplog -> k8s.io/apiserver/pkg/httplog
k8s.io/kubernetes/pkg/ssh -> k8s.io/apiserver/pkg/ssh
k8s.io/kubernetes/pkg/storage/etcd/metrics -> k8s.io/apiserver/pkg/storage/etcd/metrics
k8s.io/kubernetes/pkg/util/cache -> k8s.io/apiserver/pkg/util/cache
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/anonymous -> k8s.io/apiserver/pkg/authentication/request/anonymous
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union -> k8s.io/apiserver/pkg/authentication/request/union
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/x509 -> k8s.io/apiserver/pkg/authentication/request/x509
k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/tokenfile -> k8s.io/apiserver/pkg/authentication/token/tokenfile
```

@sttts
 2017-01-11 15:16:13 -08:00
deads2k
c4fae4e690 mechanical repercussions 2017-01-11 15:20:36 -05:00
Dr. Stefan Schimanski
4a1d507756 Update bazel 2017-01-11 18:53:24 +01:00
Dr. Stefan Schimanski
cf60bec396 Split out server side code from pkg/apis/rbac/validation 2017-01-11 18:31:58 +01:00
deads2k
6a4d5cd7cc start the apimachinery repo 2017-01-11 09:09:48 -05:00
Kubernetes Submit Queue
49a0cf7f68 Merge pull request #39641 from liggitt/node-controller-status 
Automatic merge from submit-queue (batch tested with PRs 38212, 38792, 39641, 36390, 39005)

Allow node-controller to update node status

ref: #39639 

* adds required permissions to node-controller
 * fixes typo in role name for pod-garbage-collector role
* adds event watching permissions to persistent volume controller
* adds event permissions to node proxier
 2017-01-10 19:48:12 -08:00
Kubernetes Submit Queue
609e3e3890 Merge pull request #39619 from deads2k/fed-20-rename 
Automatic merge from submit-queue (batch tested with PRs 34488, 39511, 39619, 38342, 39491)

rename kubernetes-discovery to kube-aggregator

Rename `kubernetes-discovery` to `kube-aggregator`.  Move and bulk rename.

@kubernetes/sig-api-machinery-misc
 2017-01-10 16:07:14 -08:00
deads2k
453651cbfc rename kubernetes-discovery to kube-aggregator 2017-01-10 12:27:42 -05:00
Jordan Liggitt
c6550af702 Allow proxier to write events 2017-01-09 23:36:09 -05:00
Jordan Liggitt
6d3b06125e Allow the persistent volume binder to watch events 2017-01-09 23:36:09 -05:00
Jordan Liggitt
c59c11eb0d fix role for pod-garbage-collector 2017-01-09 23:36:09 -05:00
Jordan Liggitt
bda95a59ad Allow node-controller to update node status 2017-01-09 23:36:09 -05:00
deads2k
1df5b658f2 switch webhook to clientgo 2017-01-09 16:53:24 -05:00
Anirudh
a8a65022b4 Update fixtures 2017-01-06 13:36:34 -08:00
Anirudh
2146f2f221 Allow disruption controller to read statefulsets 2017-01-06 13:03:44 -08:00
Jeff Grafton
20d221f75c Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
deads2k
4d7fcae85a mechanicals 2017-01-05 11:14:27 -05:00
deads2k
ca58ec0237 mechanical changes for move 2017-01-04 10:27:05 -05:00
Kubernetes Submit Queue
38d57e5a71 Merge pull request #39355 from kargakis/update-rc-manager 
Automatic merge from submit-queue

Share rc cache from the rc manager

@kubernetes/sig-apps-misc @hodovska
 2017-01-04 05:18:29 -08:00
Kubernetes Submit Queue
2bad7e6be1 Merge pull request #39219 from liggitt/swagger-discovery 
Automatic merge from submit-queue

Include swaggerapi urls in system:discovery role

Used by client side API validation and for client schema generation
 2017-01-04 00:09:41 -08:00
xilabao
9b38eaf98e omit the reason if we don't have an error when using rbac 2017-01-04 11:41:43 +08:00
Michail Kargakis
e5b586b5b0 Share rc cache from the rc manager 2017-01-03 16:59:09 +01:00
Mike Danese
161c391f44 autogenerated 2016-12-29 13:04:10 -08:00
Jordan Liggitt
a209040ac8 Include swaggerapi urls in system:discovery role 2016-12-24 12:36:38 -05:00
xilabao
2a77353164 extend err info when authorize failed 2016-12-22 14:47:56 +08:00
deads2k
17f600d671 rbac deny output for e2e tests 2016-12-21 13:51:50 -05:00
deads2k
8f1677b7c8 add service status detection to kubernetes-discovery 2016-12-19 14:56:20 -05:00
Maciej Szulik
9f064c57ce Remove extensions/v1beta1 Job 2016-12-17 00:07:24 +01:00
Mike Danese
8fdec87d19 bazel: fix some unit tests 2016-12-15 18:36:22 -08:00
deads2k
6ab6975983 update for controller RBAC roles 2016-12-15 09:18:48 -05:00
Chao Xu
03d8820edc rename /release_1_5 to /clientset 2016-12-14 12:39:48 -08:00
Mike Danese
c87de85347 autoupdate BUILD files 2016-12-12 13:30:07 -08:00
deads2k
4aeb3f3ffe update pod RBAC roles to work against head 2016-12-12 08:55:47 -05:00
xilabao
1d475edd1c add default label <kubernetes.io/bootstrapping=rbac-defaults> to rbac bootstrap policy 2016-12-07 09:08:34 +08:00