github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
63,789 Commits 1 Branch 31 Tags
76920d88b2b032c614e45ef36cb15a05adbbbce5
Commit Graph

93 Commits

Author SHA1 Message Date
Michael Taufen
ab8dc12333 node authorizer sets up access rules for dynamic config 
This PR makes the node authorizer automatically set up access rules for
dynamic Kubelet config.

I also added some validation to the node strategy, which I discovered we
were missing while writing this.
 2018-03-27 08:49:45 -07:00
xuzhonghu
70d5af6e7b stop using AlwaysAdmit admission 2018-03-13 20:02:56 +08:00
Mike Danese
024f57affe implement token authenticator for new id tokens 2018-02-27 17:20:46 -08:00
Mike Danese
b43cd7307d noderestriction: restrict nodes TokenRequest permission 
nodes should only be able to create TokenRequests if:
* token is bound to a pod
* binding has uid and name
* the pod exists
* the pod is running on that node
 2018-02-26 13:46:19 -08:00
Mike Danese
b2ceeedd67 tokenrequest: tokens bound to pods running as other svcaccts 2018-02-24 22:18:24 -08:00
Mike Danese
32bf28daed integration: refactor, cleanup, and add more tests for TokenRequest 2018-02-23 14:59:35 -08:00
Kubernetes Submit Queue
8b94ae8ca8 Merge pull request #58111 from mikedanese/id-registry 
Automatic merge from submit-queue (batch tested with PRs 60158, 60156, 58111, 57583, 60055). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

add support for /token subresource in serviceaccount registry

I'm planning on implementing the registry bits (this) in one PR and followup with an authenticator that supports new id tokens.

https://github.com/kubernetes/kubernetes/issues/58790

@kubernetes/sig-auth-pr-reviews 

```release-note
NONE
```
 2018-02-21 22:10:31 -08:00
Mike Danese
8ad1c6655b add support for /token subresource in serviceaccount registry 2018-02-21 13:16:51 -08:00
Mike Danese
7b4722964d remove deprecated /proxy paths 
These were depercated in v1.2.
 2018-02-20 14:42:19 -08:00
Jeff Grafton
ef56a8d6bb Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
Dr. Stefan Schimanski
4e0114b0dd apiserver: make SecureServingOptions and authz/n options re-usable 2018-02-13 11:16:38 +01:00
NickrenREN
7b9d2c046f Use v1beta1 VolumeAttachment 2018-01-31 18:46:11 +08:00
Kubernetes Submit Queue
621f3f3c0a Merge pull request #58360 from liggitt/csi-node-authorizer 
Automatic merge from submit-queue (batch tested with PRs 58488, 58360). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add get volumeattachment to the node authorizer

Fixes #58355

Adds `get volumeattachment` authorization for nodes to the node authorizer when the CSI feature is enabled

```release-note
NONE
```
 2018-01-18 20:55:34 -08:00
Gavin
f653d02b05 create auto-gen files 2018-01-17 16:23:03 +08:00
Gavin
bb5e156aba Add generic Bootstrap Token constants and helpers to client-go 2018-01-17 16:22:37 +08:00
Jordan Liggitt
ecfd18e2a6 Add get volumeattachments support to Node authorizer 2018-01-17 00:00:18 -05:00
Jordan Liggitt
ba09fadecf Plumb versioned informers to authz config 2018-01-16 23:30:53 -05:00
Eric Chiang
ce0a8303d6 integration: add retries to node authorizer tests 2018-01-10 15:55:18 -08:00
Hemant Kumar
1b76b0b2ff Allow node to update PVC's status 
Implement node policy feature gates
Add tests for node policy update
 2017-11-22 14:32:50 -05:00
Dr. Stefan Schimanski
bec617f3cc Update generated files 2017-11-09 12:14:08 +01:00
Dr. Stefan Schimanski
012b085ac8 pkg/apis/core: mechanical import fixes in dependencies 2017-11-09 12:14:08 +01:00
Mike Danese
12125455d8 move authorizers over to new interface 2017-11-03 13:46:28 -07:00
Dr. Stefan Schimanski
2452afffe0 admission: wire create+update validation func into kube registries 2017-11-02 09:29:16 +01:00
Dr. Stefan Schimanski
cad0364e73 Update bazel 2017-10-18 17:24:04 +02:00
Dr. Stefan Schimanski
7773a30f67 pkg/api/legacyscheme: fixup imports 2017-10-18 17:23:55 +02:00
Jeff Grafton
aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
Jordan Liggitt
e45ed2d5b9 fix typo in health check url 2017-10-03 16:44:38 -04:00
Dr. Stefan Schimanski
7d09148ad7 apiserver: separate apiserver specific configs into ExtraConfig 2017-09-08 14:16:09 +02:00
xilabao
f14c138438 add selfsubjectrulesreview api 2017-09-01 19:09:43 +08:00
Huamin Chen
4525446af2 azure file volume: add secret namespace api 
Signed-off-by: Huamin Chen <hchen@redhat.com>
 2017-08-24 14:49:58 +00:00
Jeff Grafton
a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton
33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
Jordan Liggitt
dd7be70a4a Add rbac.authorization.k8s.io/v1 2017-08-09 17:04:54 -04:00
Jordan Liggitt
d65610bf2f Remove default binding of system:node role to system:nodes group 2017-07-26 13:53:14 -04:00
Kubernetes Submit Queue
4d2a721223 Merge pull request #48707 from danielfm/node-restriction-pod-eviction-subresource 
Automatic merge from submit-queue

Allow nodes to create evictions for its own pods in NodeRestriction admission controller

**What this PR does / why we need it**: This PR adds support for `pods/eviction` sub-resource to the NodeRestriction admission controller so it allows a node to evict pods bound to itself.

**Which issue this PR fixes**: fixes #48666

**Special notes for your reviewer**: The NodeRestriction already allows nodes to delete pods bound to itself, so allowing nodes to also delete pods via the Eviction API probably makes sense.

```release-note
NodeRestriction allows a node to evict pods bound to itself
```
 2017-07-23 04:16:51 -07:00
Daniel Fernandes Martins
81ba522bbe Make NodeRestriction admission allow evictions for bounded pods 2017-07-20 14:20:03 -03:00
Haoran Wang
f02008338f add integration testing for bootstrap token auth 2017-07-20 22:34:21 +08:00
Eric Chiang
e2f2ab67f2 *: remove --insecure-allow-any-token option 
e2e and integration tests have been switched over to the tokenfile
authenticator instead.

```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```
 2017-07-18 16:03:15 -07:00
Jacob Simpson
8bcbbd4d08 Migrate api.Registry to testapi.Groups in tests. 2017-07-17 15:05:38 -07:00
Mike Danese
6ae11fdc5d use testmain in integration tests 2017-07-12 17:34:55 -07:00
Chao Xu
60604f8818 run hack/update-all 2017-06-22 11:31:03 -07:00
Chao Xu
cde4772928 run ./root-rewrite-all-other-apis.sh, then run make all, pkg/... compiles 2017-06-22 11:30:52 -07:00
Jordan Liggitt
fc8e915a4b Add Node authorization mode based on graph of node-related objects 2017-05-30 16:53:03 -04:00
deads2k
be39283923 plumb stopch to post start hook index since many of them are starting go funcs 2017-05-11 09:16:13 -04:00
Mike Danese
21617a60ae don't use build tags to mark integration tests 2017-04-28 14:19:39 -07:00
Jordan Liggitt
7f4e5c5676 Use namespace from context 2017-03-07 14:02:13 -05:00
Jordan Liggitt
2a76fa1c8f Switch RBAC subject apiVersion to apiGroup in v1beta1 2017-02-13 15:33:09 -05:00
Dr. Stefan Schimanski
536460e1d9 Mechanical fixup imports: pkg/genericapiserver 2017-02-03 08:15:45 +01:00
deads2k
0d8e6b8500 move genericapiserver authenticator and authorizer factories 2017-01-26 08:50:47 -05:00
Dr. Stefan Schimanski
4077e0bba7 genericapiserver: move authn plugins into k8s.io/apiserver 2017-01-24 20:56:03 +01:00