Davanum Srinivas
497e9c1971
Cleanup OWNERS files (No Activity in the last year)
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-12-15 10:34:02 -05:00
Davanum Srinivas
9405e9b55e
Check in OWNERS modified by update-yamlfmt.sh
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-12-09 21:31:26 -05:00
Kubernetes Prow Robot
39b45fb040
Merge pull request #106381 from dims/update-dims-as-approver
...
Update `dims` as approver for some top level dirs
2021-12-07 17:26:48 -08:00
Matthew Cary
bce87a3e4f
controller change for statefulset auto-delete (implementation)
2021-11-17 16:48:50 -08:00
Davanum Srinivas
b956055771
Update `dims` as approver for some top level dirs
...
- `staging`
- `plugin`
- `pkg`
- `cmd`
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-11-12 08:50:24 -05:00
Konstantin Misyutin
808c8f42d5
Remove StorageObjectInUseProtection feature gate logic
...
This feature has graduated to GA in v1.11 and will always be
enabled. So no longer need to check if enabled.
Signed-off-by: Konstantin Misyutin <konstantin.misyutin@huawei.com>
2021-11-03 00:13:50 +03:00
Jordan Liggitt
1bff65e6f8
PodSecurity: benchmark large numbers of owned pods
2021-11-02 08:43:27 -04:00
Tim Allclair
6c273020d3
[PodSecurity] Avoid the LegacyRegistry for metrics serving
2021-11-01 14:23:00 -07:00
Tim Allclair
e46928c0b1
[PodSecurity] Fix up metrics & add tests
...
Update pod security metrics to match the spec in the KEP.
2021-11-01 14:11:19 -07:00
Kubernetes Prow Robot
c592bd40f2
Merge pull request #105609 from pohly/generic-ephemeral-volume-ga
...
generic ephemeral volume GA
2021-10-28 17:36:50 -07:00
Alkaid
ae9ca48f01
[PodSecurity] Implement metricRecorder for admission (#104217)
...
* init
Signed-off-by: jyz0309 <45495947@qq.com>
go fmt
Signed-off-by: jyz0309 <45495947@qq.com>
remove useless code
Signed-off-by: jyz0309 <45495947@qq.com>
add metrics.Attributes interface
Signed-off-by: jyz0309 <45495947@qq.com>
address comment
Signed-off-by: jyz0309 <45495947@qq.com>
go fmt code
Signed-off-by: jyz0309 <45495947@qq.com>
resolve import cycle
Signed-off-by: jyz0309 <45495947@qq.com>
fix comment
Signed-off-by: jyz0309 <45495947@qq.com>
fix lints
Signed-off-by: jyz0309 <45495947@qq.com>
fix build error
Signed-off-by: jyz0309 <45495947@qq.com>
fix test
Signed-off-by: jyz0309 <45495947@qq.com>
try
Signed-off-by: jyz0309 <45495947@qq.com>
* try to compare version
Signed-off-by: jyz0309 <45495947@qq.com>
fix conflict
Signed-off-by: jyz0309 <45495947@qq.com>
remove unused change
Signed-off-by: jyz0309 <45495947@qq.com>
* address comment
Signed-off-by: jyz0309 <45495947@qq.com>
* fix import error
Signed-off-by: jyz0309 <45495947@qq.com>
fix import
Signed-off-by: jyz0309 <45495947@qq.com>
address comment
Signed-off-by: jyz0309 <45495947@qq.com>
address comment
Signed-off-by: jyz0309 <45495947@qq.com>
* address comment
Signed-off-by: jyz0309 <45495947@qq.com>
* format code
Signed-off-by: jyz0309 <45495947@qq.com>
* remove exempt and error record
Signed-off-by: jyz0309 <45495947@qq.com>
* ignore pod
Signed-off-by: jyz0309 <45495947@qq.com>
* add decision default value
Signed-off-by: jyz0309 <45495947@qq.com>
* address comment
Signed-off-by: jyz0309 <45495947@qq.com>
* remove useless import
Signed-off-by: jyz0309 <45495947@qq.com>
* remove policy valid check
Signed-off-by: jyz0309 <45495947@qq.com>
use init to register metric
Signed-off-by: jyz0309 <45495947@qq.com>
fix test
Signed-off-by: jyz0309 <45495947@qq.com>
remove check
Signed-off-by: jyz0309 <45495947@qq.com>
remove blank line
Signed-off-by: jyz0309 <45495947@qq.com>
add allowedImports
Signed-off-by: jyz0309 <45495947@qq.com>
Add mock recorder
Signed-off-by: jyz0309 <45495947@qq.com>
format code
Signed-off-by: jyz0309 <45495947@qq.com>
separate record into 3 functions
Signed-off-by: jyz0309 <45495947@qq.com>
* fix comment
Signed-off-by: jyz0309 <45495947@qq.com>
2021-10-20 20:02:08 -07:00
Patrick Ohly
a8c930ef46
generic ephemeral volume: graduation to GA
...
The feature gate gets locked to "true", with the goal to remove it in two
releases.
All code now can assume that the feature is enabled. Tests for "feature
disabled" are no longer needed and get removed.
Some code wasn't using the new helper functions yet. That gets changed while
touching those lines.
2021-10-11 20:54:20 +02:00
Patrick Ohly
466dcdfcf6
auth: use generic ephemeral volume helper functions
...
The name concatenation and ownership check were originally considered small
enough to not warrant dedicated functions, but the intent of the code is more
readable with them.
2021-10-11 17:33:57 +02:00
Sahil Vazirani
3988405c8d
GA TTLAfterFinish
2021-10-07 16:58:50 -07:00
Jordan Liggitt
77d65dca44
PodSecurity: add namespace update verify benchmark
2021-10-04 12:26:30 -04:00
Jordan Liggitt
13e0887c4c
PodSecurity: add admission benchmark
...
go test ./plugin/pkg/admission/security/podsecurity -bench /pod -benchmem
goos: darwin
goarch: amd64
pkg: k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity
cpu: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
BenchmarkVerifyPod/enforce-implicit_pod-12 702789 1585 ns/op 2120 B/op 12 allocs/op
BenchmarkVerifyPod/enforce-privileged_pod-12 737588 1607 ns/op 2120 B/op 12 allocs/op
BenchmarkVerifyPod/enforce-baseline_pod-12 409818 2974 ns/op 3368 B/op 17 allocs/op
BenchmarkVerifyPod/enforce-restricted_pod-12 370262 3385 ns/op 3368 B/op 17 allocs/op
BenchmarkVerifyPod/warn-baseline_pod-12 391808 3101 ns/op 3368 B/op 17 allocs/op
BenchmarkVerifyPod/warn-restricted_pod-12 349411 3452 ns/op 3368 B/op 17 allocs/op
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 208221 5735 ns/op 5864 B/op 27 allocs/op
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 249662 4849 ns/op 4616 B/op 22 allocs/op
PASS
ok k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity 10.707s
2021-09-21 16:20:11 -04:00
Kubernetes Prow Robot
353f0a5eab
Merge pull request #105095 from wojtek-t/migrate_clock_3
...
Unify towards k8s.io/utils/clock - part 3
2021-09-20 12:46:45 -07:00
wojtekt
d9b08c611d
Migrate to k8s.io/utils/clock
2021-09-17 15:19:08 +02:00
Madhav Jivrajani
b05b9ecbef
replace package realClock impl. with clock.RealClock
...
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
2021-09-14 20:56:57 +05:30
Kubernetes Prow Robot
1a845ccd07
Merge pull request #103603 from mengjiao-liu/update-ingress-to-v1
...
Promote `ingressclass.kubernetes.io/is-default-class` annotation to networking/v1
2021-08-24 20:24:39 -07:00
Stephen Augustus
481cf6fbe7
generated: Run hack/update-gofmt.sh
...
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2021-08-24 15:47:49 -04:00
Jordan Liggitt
47859b7781
Ensure serviceaccount admission produces v1 Pod matching defaults after round-trip
2021-08-23 11:32:10 -04:00
Jordan Liggitt
ccbdf041a2
Fix slice type comparison bug
2021-08-18 11:30:34 -04:00
Kubernetes Prow Robot
e847b849c4
Merge pull request #103704 from robscott/endpoints-write-remove
...
Remove Endpoints write access from aggregated edit role
2021-07-19 20:57:31 -07:00
Kubernetes Prow Robot
7fd021ba6a
Merge pull request #103703 from robscott/endpointslice-role-revert
...
Revert granting EndpointSlice write access to edit role
2021-07-15 08:20:46 -07:00
Davanum Srinivas
26cc8e40a8
fix deadcode issues
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-14 08:41:21 -04:00
Rob Scott
416efdab26
Remove Endpoints write access from aggregated edit role
2021-07-13 22:17:12 -07:00
Rob Scott
6c61ee51b9
Revert granting EndpointSlice write access to edit role
...
This reverts part of the change introduced by #101203.
2021-07-13 22:13:07 -07:00
Mengjiao Liu
792665e1ea
Promote ingressclass.kubernetes.io/is-default-class annotation to networking/v1
2021-07-09 15:48:13 +08:00
Aldo Culquicondor
2dd2622188
Track Job Pods completion in status
...
Through Job.status.uncountedPodUIDs and a Pod finalizer
An annotation marks if a job should be tracked with new behavior
A separate work queue is used to remove finalizers from orphan pods.
Change-Id: I1862e930257a9d1f7f1b2b0a526ed15bc8c248ad
2021-07-08 17:48:05 +00:00
Davanum Srinivas
79d0c6cdc1
switch from golang-lru to the one in k8s.io/utils
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-07 22:31:37 -04:00
Jordan Liggitt
1dfacd3c70
PodSecurity: use code/reason/details from admission library
2021-07-07 16:25:16 -04:00
Tim Allclair
cf6ba6096f
Move pod-security-admission to an external Attributes interface
2021-07-06 15:15:15 -07:00
Jordan Liggitt
f39bddd767
PodSecurity: kube-apiserver: admission wiring
2021-06-28 17:45:35 -04:00
Tomas Coufal
44cb4a63f6
Allow write on events to edit role
...
Signed-off-by: Tomas Coufal <tcoufal@redhat.com>
2021-06-14 23:13:29 +02:00
Shihang Zhang
88b31814f4
BoundServiceAccountTokenVolume ga
2021-05-13 20:45:47 -07:00
Kubernetes Prow Robot
6ede5ca95f
Merge pull request #101186 from jsafrane/fix-ephemeral-rbac
...
Fix RBAC of generic ephemeral volumes controller
2021-04-20 09:06:45 -07:00
Mike Tougeron
896bb932ef
Add endpointslices to default edit & view RBAC policies
2021-04-16 13:43:32 -07:00
Jan Safranek
cfbe5f1891
Fix RBAC of generic ephemeral volumes controller
...
The controller must be able to "update" finalizers of all pods to make
OwnerReferencesPermissionEnforcement admission plugin happy.
2021-04-16 11:01:54 +02:00
Kubernetes Prow Robot
d51f15ed0d
Merge pull request #100885 from enj/enj/i/auth_owners
...
Update sig-auth OWNERS
2021-04-12 22:18:49 -07:00
Monis Khan
bca4993004
Update auth OWNERS files to only use aliases
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-07 10:46:03 -04:00
Niekvdplas
fec272a7b2
Fixed several spelling mistakes
2021-03-30 23:02:09 +02:00
Patrick Ohly
c4311ae754
generic ephemeral volumes: refresh rbac testdata
...
This is the result of
UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true go test k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy
Apparently enabling the GenericEphemeralVolume feature by default
affects this test. The policy that it now tests against is indeed
the one needed for the controller.
2021-03-09 08:24:52 +01:00
Patrick Ohly
85bfd26c17
CSIStorageCapacity: update rbac test data
...
This is the result of
UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true go test k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy
after enabling the CSIStorageCapacity feature. This enables
additional RBAC entries for reading CSIDriver and
CSIStorageCapacity.
2021-03-08 20:52:50 +01:00
Swetha Repakula
108fd44f7c
Graduate EndpointSlice feature gate to GA
2021-03-06 15:58:47 -08:00
Abdullah Gharaibeh
3c5f018f8e
Add CrossNamespacePodAffinity quota scope and PodAffinityTerm.NamespaceSelector APIs, and CrossNamespacePodAffinity quota scope implementation.
2021-03-03 22:52:43 -05:00
Kubernetes Prow Robot
5498ee641b
Merge pull request #99561 from BenTheElder/remove-bazel
...
Remove Bazel
2021-03-01 09:55:27 -08:00
Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00
Jordan Liggitt
ec4d1b3821
Skip visiting empty secret and configmap names
2021-02-27 15:54:38 -05:00
Kubernetes Prow Robot
267e47f548
Merge pull request #99130 from ayberk/ebs_ga_labels
...
Use GA topology labels for EBS
2021-02-23 23:48:49 -08:00