github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
70,323 Commits 1 Branch 31 Tags 1,019 MiB
3d245e7cb1
Commit Graph

117 Commits

Author SHA1 Message Date
Jordan Liggitt
e45ed2d5b9
fix typo in health check url 2017-10-03 16:44:38 -04:00
Dr. Stefan Schimanski
7d09148ad7 apiserver: separate apiserver specific configs into ExtraConfig 2017-09-08 14:16:09 +02:00
xilabao
f14c138438 add selfsubjectrulesreview api 2017-09-01 19:09:43 +08:00
Huamin Chen
4525446af2 azure file volume: add secret namespace api 
Signed-off-by: Huamin Chen <hchen@redhat.com>
 2017-08-24 14:49:58 +00:00
Jeff Grafton
a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton
33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
Jordan Liggitt
dd7be70a4a
Add rbac.authorization.k8s.io/v1 2017-08-09 17:04:54 -04:00
Jordan Liggitt
d65610bf2f
Remove default binding of system:node role to system:nodes group 2017-07-26 13:53:14 -04:00
Kubernetes Submit Queue
4d2a721223 Merge pull request #48707 from danielfm/node-restriction-pod-eviction-subresource 
Automatic merge from submit-queue

Allow nodes to create evictions for its own pods in NodeRestriction admission controller

**What this PR does / why we need it**: This PR adds support for `pods/eviction` sub-resource to the NodeRestriction admission controller so it allows a node to evict pods bound to itself.

**Which issue this PR fixes**: fixes #48666

**Special notes for your reviewer**: The NodeRestriction already allows nodes to delete pods bound to itself, so allowing nodes to also delete pods via the Eviction API probably makes sense.

```release-note
NodeRestriction allows a node to evict pods bound to itself
```
 2017-07-23 04:16:51 -07:00
Daniel Fernandes Martins
81ba522bbe Make NodeRestriction admission allow evictions for bounded pods 2017-07-20 14:20:03 -03:00
Haoran Wang
f02008338f add integration testing for bootstrap token auth 2017-07-20 22:34:21 +08:00
Eric Chiang
e2f2ab67f2 *: remove --insecure-allow-any-token option 
e2e and integration tests have been switched over to the tokenfile
authenticator instead.

```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```
 2017-07-18 16:03:15 -07:00
Jacob Simpson
8bcbbd4d08 Migrate api.Registry to testapi.Groups in tests. 2017-07-17 15:05:38 -07:00
Mike Danese
6ae11fdc5d use testmain in integration tests 2017-07-12 17:34:55 -07:00
Chao Xu
60604f8818 run hack/update-all 2017-06-22 11:31:03 -07:00
Chao Xu
cde4772928 run ./root-rewrite-all-other-apis.sh, then run make all, pkg/... compiles 2017-06-22 11:30:52 -07:00
Jordan Liggitt
fc8e915a4b
Add Node authorization mode based on graph of node-related objects 2017-05-30 16:53:03 -04:00
deads2k
be39283923 plumb stopch to post start hook index since many of them are starting go funcs 2017-05-11 09:16:13 -04:00
Mike Danese
21617a60ae don't use build tags to mark integration tests 2017-04-28 14:19:39 -07:00
Jordan Liggitt
7f4e5c5676
Use namespace from context 2017-03-07 14:02:13 -05:00
Jordan Liggitt
2a76fa1c8f
Switch RBAC subject apiVersion to apiGroup in v1beta1 2017-02-13 15:33:09 -05:00
Dr. Stefan Schimanski
536460e1d9 Mechanical fixup imports: pkg/genericapiserver 2017-02-03 08:15:45 +01:00
deads2k
0d8e6b8500 move genericapiserver authenticator and authorizer factories 2017-01-26 08:50:47 -05:00
Dr. Stefan Schimanski
4077e0bba7 genericapiserver: move authn plugins into k8s.io/apiserver 2017-01-24 20:56:03 +01:00
Clayton Coleman
469df12038
refactor: move ListOptions references to metav1 2017-01-23 17:52:46 -05:00
deads2k
ee6752ef20 find and replace 2017-01-20 08:04:53 -05:00
Kubernetes Submit Queue
ac857a5ade Merge pull request #40106 from deads2k/client-09-switch 
Automatic merge from submit-queue

make client-go more authoritative

Builds on https://github.com/kubernetes/kubernetes/pull/40103

This moves a few more support package to client-go for origination.  
 1. restclient/watch - nodep
 1. util/flowcontrol - used interface
 1. util/integer, util/clock - used in controllers and in support of util/flowcontrol
 2017-01-19 06:34:49 -08:00
deads2k
cdb2934bbc remove kubernetes copy of clientcmd types 2017-01-19 07:39:19 -05:00
Dr. Stefan Schimanski
3d9449a353 genericapiserver: fix imports 2017-01-19 13:06:47 +01:00
Kubernetes Submit Queue
302d3ab1d7 Merge pull request #39625 from deads2k/rbac-36-beta 
Automatic merge from submit-queue (batch tested with PRs 39625, 39842)

Add RBAC v1beta1

Add `rbac.authorization.k8s.io/v1beta1`.  This scrubs `v1alpha1` to remove cruft, then add `v1beta1`.  We'll update other bits of infrastructure to code to `v1beta1` as a separate step.

```release-note
The `attributeRestrictions` field has been removed from the PolicyRule type in the rbac.authorization.k8s.io/v1alpha1 API. The field was not used by the RBAC authorizer.
```

@kubernetes/sig-auth-misc @liggitt @erictune
 2017-01-18 10:19:11 -08:00
deads2k
e74efe41a0 add rbac v1beta1 2017-01-18 09:49:33 -05:00
deads2k
4f915039e4 move pkg/client/transport to client-go 2017-01-18 07:56:01 -05:00
Clayton Coleman
9a2a50cda7
refactor: use metav1.ObjectMeta in other types 2017-01-17 16:17:19 -05:00
Dr. Stefan Schimanski
bf307d9948 genericapiserver: cut off pkg/serviceaccount dependency 2017-01-17 09:36:10 +01:00
deads2k
f1176d9c5c mechanical repercussions 2017-01-13 08:27:14 -05:00
Timothy St. Clair
fbc5323dad Refactor registry to use store vs. etcd 2017-01-12 09:23:38 -06:00
deads2k
c4fae4e690 mechanical repercussions 2017-01-11 15:20:36 -05:00
deads2k
6a4d5cd7cc start the apimachinery repo 2017-01-11 09:09:48 -05:00
Jordan Liggitt
a2670d3b9d
Allow rolebinding/clusterrolebinding with explicit bind permission check 2017-01-10 14:34:33 -05:00
deads2k
4d7fcae85a mechanicals 2017-01-05 11:14:27 -05:00
deads2k
ca58ec0237 mechanical changes for move 2017-01-04 10:27:05 -05:00
Jordan Liggitt
742ef34484
Convert user/group * to match authenticated users only in ABAC 2016-12-19 13:41:35 -05:00
Monis Khan
a6bafbacbf
Refactor REST storage to use generic defaults 
Signed-off-by: Monis Khan <mkhan@redhat.com>
 2016-12-08 17:24:21 -05:00
deads2k
2923d09091 remove rbac super user 2016-12-05 13:49:54 -05:00
Jordan Liggitt
d3991aa7c6
Cleanup auth logging, allow starting secured kubelet in local-up-cluster.sh 2016-11-03 16:17:11 -04:00
deads2k
f56cbfa8d5 add healthz to genericapiserver 2016-11-01 14:39:33 -04:00
deads2k
ceaf026881 slim down authorization listing interfaces 2016-10-13 07:50:01 -04:00
deads2k
518d5500c7 remove testapi.Default.GroupVersion 2016-10-07 10:10:54 -04:00
deads2k
9f4f6a1cba fix integration tests for loopback client 2016-10-04 08:40:59 -04:00
Dr. Stefan Schimanski
61409c821b Turn embedding into composition: master.Config.{Config -> GenericConfig} 2016-09-29 08:09:39 +02:00
Dr. Stefan Schimanski
b4c6a68036 Unify genericapiserver Config.New() and master Config.New() 2016-09-28 19:19:54 +02:00
deads2k
b330b0a220 start creating controller SA roles. start with just one 2016-09-26 09:31:36 -04:00
deads2k
a2a6423574 separate RESTStorage by API group 2016-09-20 08:00:50 -04:00
deads2k
7d1f13d3e0 add GenericAPIServer posthooks for initialization 2016-09-19 14:58:27 -04:00
deads2k
8fac64b43f add localSAR 2016-09-13 08:54:23 -04:00
deads2k
8c788233e7 change rbac roleref type 2016-09-09 09:55:51 -04:00
deads2k
97529e3687 add selfsubjectaccessreview API 2016-08-29 09:51:54 -04:00
Eric Chiang
b4eaf625a0 pkg/genericapiserver/options: don't import pkg/apiserver 
Refactor the authorization options for the API server so
pkg/apiserver isn't directly imported by the options package.
 2016-08-18 13:01:50 -07:00
Hongchao Deng
d0938094d9 move new etcd storage into cacher 2016-08-12 18:40:20 -07:00
deads2k
32920b5617 add subjectaccessreviews resource 2016-08-05 11:20:56 -04:00
deads2k
60dd4a5d26 interesting changes to add tokenreviews endpoint to implement webhook 2016-08-03 08:37:45 -04:00
deads2k
aa3db4d995 make the resource prefix in etcd configurable for cohabitation 2016-07-27 07:51:40 -04:00
Wojciech Tyczynski
4d0d115690 Revert "add tokenreviews endpoint to implement webhook" 2016-07-21 09:40:35 +02:00
deads2k
2c4a9f2e8d interesting changes to add tokenreviews endpoint to implement webhook 2016-07-20 15:11:56 -04:00
Michal Rostecki
fa0dd46ab7 Return (bool, error) in Authorizer.Authorize() 
Before this change, Authorize() method was just returning an error,
regardless of whether the user is unauthorized or whether there
is some other unrelated error. Returning boolean with information
about user authorization and error (which should be unrelated to
the authorization) separately will make it easier to debug.

Fixes #27974
 2016-07-18 12:06:54 +02:00
deads2k
f6f1ab34aa authorize based on user.Info 2016-07-14 07:48:42 -04:00
Mike Danese
f3de21bdf0
move integration tests into individual pacakges 
Signed-off-by: Mike Danese <mikedanese@google.com>
 2016-07-07 00:54:15 -07:00