Jordan Liggitt
3e037070bb
Move public key getter to interface
2024-06-25 18:10:08 -04:00
Anish Ramasekar
62ac88b9ea
Add metrics for authentication config reload
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-03-09 14:40:22 -08:00
Monis Khan
b4935d910d
Add dynamic reload support for authentication configuration
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-09 14:29:33 -05:00
Monis Khan
05e1eff793
Prevent conflicts between service account and jwt issuers
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-04 11:40:02 -05:00
Kubernetes Prow Robot
8845c4c657
Merge pull request #123135 from munnerz/4193-beta-promotion
KEP-4193: promote ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo and ServiceAccountTokenNodeBindingValidation to beta
2024-03-01 19:48:18 -08:00
Monis Khan
b5e0068325
Support all key algs with structured authn config
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-02-14 09:40:25 -05:00
James Munnelly
e087acc791
refuse to allow apiserver to startup if ServiceAccountTokenNodeBinding is enabled without ServiceAccountTokenNodeBindingValidation
2024-02-06 14:03:50 +00:00
James Munnelly
76463e21d4
KEP-4193: bound service account token improvements
2023-10-30 21:15:10 +00:00
Jefftree
b30c6bdff8
Fix v3 spec
2023-10-16 15:05:13 -04:00
Dr. Stefan Schimanski
6395049176
controlplane: make option structs uniformly optional
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2023-09-27 11:22:37 +02:00
Anish Ramasekar
9e1ff1e512
add loading config and wire feature flag
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2023-08-30 23:14:56 +00:00
Anish Ramasekar
1bad3cbbf5
wiring existing oidc flags with internal API struct
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2023-08-25 17:15:33 +00:00
Kubernetes Prow Robot
8d244d3e66
Merge pull request #116721 from enj/enj/i/bootstrap_authn_lister
Wire bootstrap token authn secret lister only when it is enabled
2023-04-11 18:19:30 -07:00
Monis Khan
e9866d2794
Clear front proxy headers after authentication is complete
This matches the logic we have for the Authorization header as well
as the impersonation headers.
Signed-off-by: Monis Khan <mok@microsoft.com>
2023-03-21 10:51:22 -04:00
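The commit above clears the front-proxy (request-header) identity headers once the authenticator has consumed them, the same way the Authorization and Impersonate-* headers are cleared. The following Go program is an added illustration of that pattern and is not kube-apiserver code: the header names are the usual --requestheader-* defaults and are assumed here, the extra-header suffix is simply lowercased, and the `proxyVerified` flag stands in for the client-certificate check against --requestheader-client-ca-file that a real deployment performs before trusting any of these headers.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// requestHeaderConfig holds the header names the front-proxy authenticator trusts.
// The values in defaultConfig are the usual --requestheader-* defaults (assumed here).
type requestHeaderConfig struct {
	usernameHeaders []string
	groupHeaders    []string
	extraPrefixes   []string
}

var defaultConfig = requestHeaderConfig{
	usernameHeaders: []string{"X-Remote-User"},
	groupHeaders:    []string{"X-Remote-Group"},
	extraPrefixes:   []string{"X-Remote-Extra-"},
}

// userInfo is what the rest of the handler chain sees instead of raw headers.
type userInfo struct {
	Name   string
	Groups []string
	Extra  map[string][]string
}

// authenticateFrontProxy reads identity from the proxy headers and then strips every
// identity-bearing header, so no later handler (or backend the request is forwarded to)
// can re-read caller-controlled headers. proxyVerified stands in for the check that the
// proxy presented a client certificate chaining to --requestheader-client-ca-file.
func authenticateFrontProxy(cfg requestHeaderConfig, req *http.Request, proxyVerified bool) (*userInfo, bool) {
	if !proxyVerified {
		return nil, false
	}
	u := &userInfo{Extra: map[string][]string{}}
	for _, h := range cfg.usernameHeaders {
		if v := req.Header.Get(h); v != "" {
			u.Name = v
			break
		}
	}
	if u.Name == "" {
		return nil, false
	}
	for _, h := range cfg.groupHeaders {
		u.Groups = append(u.Groups, req.Header.Values(h)...)
	}
	for key, vals := range req.Header {
		for _, p := range cfg.extraPrefixes {
			if strings.HasPrefix(strings.ToLower(key), strings.ToLower(p)) {
				u.Extra[strings.ToLower(key[len(p):])] = append([]string(nil), vals...)
			}
		}
	}
	stripIdentityHeaders(cfg, req.Header)
	return u, true
}

// stripIdentityHeaders removes Authorization, the configured front-proxy headers and
// every Impersonate-* header once authentication has consumed them.
func stripIdentityHeaders(cfg requestHeaderConfig, h http.Header) {
	h.Del("Authorization")
	for _, name := range append(append([]string{}, cfg.usernameHeaders...), cfg.groupHeaders...) {
		h.Del(name)
	}
	prefixes := append([]string{"Impersonate-"}, cfg.extraPrefixes...)
	for key := range h { // deleting during range is safe for Go maps
		for _, p := range prefixes {
			if strings.HasPrefix(strings.ToLower(key), strings.ToLower(p)) {
				h.Del(key)
			}
		}
	}
}

// demo runs the authenticator over a constructed request and returns the derived
// identity plus whatever headers survived.
func demo() (*userInfo, bool, http.Header) {
	req, _ := http.NewRequest(http.MethodGet, "https://apiserver.example/api", nil)
	req.Header.Set("X-Remote-User", "alice")
	req.Header.Add("X-Remote-Group", "dev")
	req.Header.Add("X-Remote-Group", "oncall")
	req.Header.Set("X-Remote-Extra-Scopes", "read")
	req.Header.Set("Authorization", "Bearer not-a-real-token")
	req.Header.Set("Impersonate-User", "system:admin")
	req.Header.Set("User-Agent", "demo")
	u, ok := authenticateFrontProxy(defaultConfig, req, true)
	return u, ok, req.Header
}

func main() {
	u, ok, left := demo()
	fmt.Println(ok, u.Name, u.Groups, u.Extra, left) // only User-Agent remains
}
```

The order matters: the identity is extracted first, the headers are deleted second, and the request that continues down the chain carries a `userInfo` rather than the headers, so a misconfigured downstream component cannot be tricked into trusting an `X-Remote-User` that the caller supplied.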
Monis Khan
94f2d35164
Wire bootstrap token authn secret lister only when it is enabled
Signed-off-by: Monis Khan <mok@microsoft.com>
2023-03-17 11:17:20 -04:00
Shihang Zhang
569cd70a52
track legacy service account tokens
2022-10-24 09:37:53 -07:00
Kubernetes Prow Robot
3051cb2ba1
Merge pull request #108624 from ialidzhikov/cleanup/service-account-api-audiences
apiserver: Remove the deprecated `--service-account-api-audiences` flag
2022-08-02 09:15:44 -07:00
Jefftree
67d3dbfaae
Separate OpenAPI V2 and V3 Config
2022-03-29 17:49:56 -07:00
ialidzhikov
92707cafbb
apiserver: Remove the deprecated --service-account-api-audiences flag
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
2022-03-10 09:46:20 +02:00
bryfry
038ad9b3a5
correct references to service-account-signing-key-file flag
2022-01-30 04:24:25 +00:00
Shubham Kuchhal
ef2be5586e
Add supported 'alg' header values.
2021-09-16 14:02:21 +05:30
Mengjiao Liu
7911a08fb3
Remove ServiceAccountIssuerDiscovery feature gate
2021-07-14 18:43:59 +08:00
Shihang Zhang
925900317e
allow multiple of --service-account-issuer
2021-04-19 09:54:11 -07:00
xiongzhongliang
4a24a08f93
Optimize some codes
2021-03-05 18:23:39 +08:00
Shihang Zhang
cbf6e38bbd
move RootCAConfigMap to ga
2021-02-22 15:59:27 -08:00
Michael Taufen
6aa80d9172
Graduate ServiceAccountIssuerDiscovery to GA
Waiting on KEP updates first:
https://github.com/kubernetes/enhancements/pull/2363
2021-02-01 11:44:23 -08:00
Kubernetes Prow Robot
8d6829fe1e
Merge pull request #95896 from zshihang/flag
make flags of TokenRequest required
2020-11-05 18:36:50 -08:00
Shihang Zhang
a5021a4ddf
make flags of TokenRequest required
2020-11-05 10:40:56 -08:00
Shihang Zhang
4c593b268a
default service-account-extend-token-expiration to true
2020-11-05 09:07:01 -08:00
Shihang Zhang
d40f0c43c4
separate RootCAConfigMap from BoundServiceAccountTokenVolume
2020-11-04 17:10:39 -08:00
Abu Kashem
53a1307f68
make backoff parameters configurable for webhook
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.
2020-11-01 10:18:25 -05:00
Shihang Zhang
ff641f6eb2
mv TokenRequest and TokenRequestProjection to GA
2020-10-29 20:47:01 -07:00
Andrew Sy Kim
a0aebf96ec
apiserver: support egress selection name 'controlplane' and deprecate 'master'
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-10-26 10:24:16 -04:00
yiduyangyi
e6c4633232
fix golint failures in pkg/kubeapiserver/options, fix some incorrect replace of receiver name
2020-07-23 19:02:07 +08:00
yiduyangyi
e441c07fe2
fix golint failures in pkg/kubeapiserver/options, use API Server in comments instead of APIServer
2020-07-23 18:41:37 +08:00
yiduyangyi
e2838df7c7
fix golint failures in pkg/kubeapiserver/options
2020-07-15 16:03:08 +08:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Tomas Nozicka
b22a170d46
Fix client-ca dynamic reload in apiserver
2020-04-29 16:03:09 +02:00
Jiajie Yang
ae0e52d28c
Monitoring safe rollout of time-bound service account token.
2020-04-22 11:59:16 -07:00
Monis Khan
df292749c9
Remove support for basic authentication
This change removes support for basic authn in v1.19 via the
--basic-auth-file flag. This functionality was deprecated in v1.16
in response to ATR-K8S-002: Non-constant time password comparison.
Similar functionality is available via the --token-auth-file flag
for development purposes.
Signed-off-by: Monis Khan <mok@vmware.com>
2020-03-11 20:55:47 -04:00
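The removal above cites ATR-K8S-002, a non-constant-time password comparison, which the "Constant time password comparison" commit further down this log had already addressed before the flag was dropped. As an added illustration (not the project's code), the Go program below parses a constructed file in the password,user,uid layout of --basic-auth-file and places the leaky comparison beside a constant-time one; the credentials and helper names are made up for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// basicAuthFile is a constructed sample in the password,user,uid layout that
// --basic-auth-file used; every credential in it is made up.
const basicAuthFile = `s3cret-pa55,alice,1001
hunter2,bob,1002
`

type entry struct{ password, user, uid string }

// parseBasicAuthFile indexes the file by user name, skipping blank and malformed lines.
func parseBasicAuthFile(data string) map[string]entry {
	db := map[string]entry{}
	for _, line := range strings.Split(data, "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) < 3 {
			continue
		}
		db[f[1]] = entry{password: f[0], user: f[1], uid: f[2]}
	}
	return db
}

// authenticateUnsafe is the leaky form: Go's string == stops at the first
// mismatching byte, so the time taken grows with the length of the correct
// prefix of the guess. That is the class of bug ATR-K8S-002 describes.
func authenticateUnsafe(db map[string]entry, user, password string) bool {
	e, ok := db[user]
	return ok && e.password == password
}

// authenticateSafe hashes both sides to a fixed length, so neither the length
// nor the content of the stored password affects timing, and compares in
// constant time. The lookup result is folded in last so an unknown user costs
// the same amount of work as a wrong password.
func authenticateSafe(db map[string]entry, user, password string) bool {
	e, ok := db[user]
	want := sha256.Sum256([]byte(e.password))
	got := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1 && ok
}

func main() {
	db := parseBasicAuthFile(basicAuthFile)
	fmt.Println(authenticateUnsafe(db, "alice", "s3cret-pa55"), authenticateSafe(db, "alice", "s3cret-pa55")) // true true
	fmt.Println(authenticateUnsafe(db, "alice", "s3cret-pa5"), authenticateSafe(db, "alice", "s3cret-pa5"))   // false false
}
```

Both functions return the same answers; only their timing behaviour differs. Hashing before `subtle.ConstantTimeCompare` matters because that function returns early when the two slices differ in length, which would otherwise leak the stored password's length. The example keeps the plaintext layout of the flag to isolate the comparison issue; a credential store written today would hold a salted hash (bcrypt, scrypt or argon2) rather than the password itself.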
Charles Eckman
5a176ac772
Provide OIDC discovery endpoints
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
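The commit message above describes three things a relying party depends on: the discovery document reached over HTTPS with a certificate chaining to the relying party's roots, a jwks_uri that publishes the validating key set rather than only the current signing key, and the consequence that a token signed before a key rotation still verifies while the old public key remains published. The Go program below is an added example, not code from Kubernetes: it stands up a throwaway TLS issuer with httptest, serves the discovery document and JWKS on the same paths kube-apiserver uses (`/.well-known/openid-configuration` and `/openid/v1/jwks`), mints RS256 service-account-style tokens by hand, and verifies them the way a relying party would, pinning the expected issuer and algorithm. The function names, the kid derivation and the claims are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
)

var enc = base64.RawURLEncoding

// jwk is the subset of an RFC 7517 RSA key needed to verify RS256 signatures.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// kidFor derives a key ID from the modulus so the JWKS and the JWT header agree on it (assumed scheme).
func kidFor(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return enc.EncodeToString(sum[:8])
}

// signRS256 mints a compact JWT tagged with the kid of the signing key.
func signRS256(priv *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kidFor(&priv.PublicKey)})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + enc.EncodeToString(sig)
}

// newIssuer serves the discovery document and a JWKS built from the validating
// key set over TLS (httptest); the paths mirror the ones kube-apiserver exposes.
func newIssuer(validating []*rsa.PublicKey) *httptest.Server {
	var srv *httptest.Server
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(map[string]string{"issuer": srv.URL, "jwks_uri": srv.URL + "/openid/v1/jwks"})
	})
	mux.HandleFunc("/openid/v1/jwks", func(w http.ResponseWriter, _ *http.Request) {
		var keys []jwk
		for _, k := range validating {
			keys = append(keys, jwk{Kty: "RSA", Kid: kidFor(k), N: enc.EncodeToString(k.N.Bytes()),
				E: enc.EncodeToString(big.NewInt(int64(k.E)).Bytes())})
		}
		json.NewEncoder(w).Encode(map[string][]jwk{"keys": keys})
	})
	srv = httptest.NewTLSServer(mux)
	return srv
}

func getJSON(c *http.Client, url string, v any) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(v)
}

// verifyViaDiscovery is the relying party: fetch issuer metadata over HTTPS
// (trusting only the roots in client), follow jwks_uri, pick the key by kid,
// and pin alg and iss so the token cannot choose them.
func verifyViaDiscovery(client *http.Client, issuer, tok string) (map[string]any, error) {
	var meta struct {
		Issuer  string `json:"issuer"`
		JWKSURI string `json:"jwks_uri"`
	}
	if err := getJSON(client, issuer+"/.well-known/openid-configuration", &meta); err != nil {
		return nil, err
	}
	if meta.Issuer != issuer {
		return nil, fmt.Errorf("discovery issuer %q != expected %q", meta.Issuer, issuer)
	}
	var set struct {
		Keys []jwk `json:"keys"`
	}
	if err := getJSON(client, meta.JWKSURI, &set); err != nil {
		return nil, err
	}
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWT")
	}
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	rawHdr, e1 := enc.DecodeString(parts[0])
	rawClaims, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawClaims, &claims) != nil {
		return nil, fmt.Errorf("undecodable JWT")
	}
	if hdr.Alg != "RS256" { // rejects "none" and any alg the relying party did not choose
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Kid != hdr.Kid {
			continue
		}
		n, _ := enc.DecodeString(k.N)
		e, _ := enc.DecodeString(k.E)
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
			return nil, err
		}
		if claims["iss"] != issuer {
			return nil, fmt.Errorf("iss %v != %q", claims["iss"], issuer)
		}
		return claims, nil
	}
	return nil, fmt.Errorf("kid %q not in JWKS", hdr.Kid)
}

// demoRotation shows the rotation note from the commit: the JWKS carries both
// the old and the new public key, so a token signed before rotation still
// verifies, while a token signed by a key outside the set is rejected.
func demoRotation() (oldOK, newOK, strangerRejected bool) {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := newIssuer([]*rsa.PublicKey{&oldKey.PublicKey, &newKey.PublicKey})
	defer srv.Close()
	client := srv.Client() // trusts only the httptest CA, as a real RP trusts its own roots
	claims := map[string]any{"iss": srv.URL, "sub": "system:serviceaccount:default:demo", "aud": "api"}
	_, e1 := verifyViaDiscovery(client, srv.URL, signRS256(oldKey, claims))
	_, e2 := verifyViaDiscovery(client, srv.URL, signRS256(newKey, claims))
	_, e3 := verifyViaDiscovery(client, srv.URL, signRS256(stranger, claims))
	return e1 == nil, e2 == nil, e3 != nil
}

func main() {
	fmt.Println(demoRotation()) // true true true
}
```

Two details carry the security weight. `srv.Client()` is the only client that trusts the test CA, which is the HTTPS trust the commit message relies on: an RP that used `http.DefaultClient` with `InsecureSkipVerify` would accept a JWKS from anyone. And the verifier never lets the token pick its own algorithm or issuer; the `alg` check blocks `none`-style downgrades and the `iss` check rejects tokens from a different issuer that happen to share a key ID. The window the commit mentions still applies: once the old key is dropped from the validating set, tokens it signed stop verifying, so rotation has to outlast the longest token lifetime.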
Jin Hase
49b6e40461
Clean up kube-apiserver reference document
2019-12-24 21:21:06 +09:00
hwdef
b3377e61de
pkg/kubeapiserver: fix staticcheck warning
2019-11-14 11:24:22 +08:00
Jordan Liggitt
5ef4fe959a
Switch kubelet/aggregated API servers to use v1 tokenreviews
2019-11-11 17:19:10 -05:00
David Eads
6beb96261e
wire up a means to dynamically reload ca bundles for kube-apiserver
2019-10-23 11:01:56 -04:00
David Eads
51195dd860
add ability to authenticators for dynamic update of certs
2019-10-01 09:50:20 -04:00
Ted Yu
3d2bc6f6ae
Constant time password comparison
2019-08-07 22:07:57 -07:00
Marek Counts
7744f90830
Moved flag and globalflag
Moved all flag code from `staging/src/k8s.io/apiserver/pkg/util/[flag|globalflag]` to `component-base/cli/[flag|globalflag]` except for the term function because of unwanted dependencies.
2019-02-15 10:28:13 -05:00
k8s-ci-robot
bd2cb5a72d
Merge pull request #70831 from mikedanese/securesvcacct
add BoundServiceAccountTokenVolume feature
2018-11-13 08:54:25 -08:00
Mike Danese
f4ff26679f
add BoundServiceAccountTokenVolume feature
* require TokenRequest to be enabled and configured
* bind ca.crt publisher to this feature rather than to TokenRequest
2018-11-12 13:11:47 -08:00