github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
53,546 Commits 1 Branch 31 Tags
7edab23997d012e142ff3e7a24fa24e69243575f
Commit Graph

329 Commits

Author SHA1 Message Date
Matthew Wong
caefe1a9ed Add bootstrap cluster role for external pv provisioners 2017-01-31 11:13:54 -05:00
Kubernetes Submit Queue
40d8e2adff Merge pull request #40579 from liggitt/rbac-v1beta1 
Automatic merge from submit-queue (batch tested with PRs 40392, 39242, 40579, 40628, 40713)

Update rbac role data to v1beta1
 2017-01-31 01:16:53 -08:00
Jordan Liggitt
07f14ebc6f Update authn/authz owners and reviewers 2017-01-27 08:55:44 -05:00
Jordan Liggitt
a65e042b06 Update rbac role data to v1beta1 2017-01-26 23:53:27 -05:00
Dr. Stefan Schimanski
2b8e938128 Update generated files 2017-01-24 20:56:03 +01:00
Dr. Stefan Schimanski
4beba154b4 genericapiserver: move authz webhook plugins into k8s.io/apiserver 2017-01-24 20:56:03 +01:00
Dr. Stefan Schimanski
4077e0bba7 genericapiserver: move authn plugins into k8s.io/apiserver 2017-01-24 20:56:03 +01:00
deads2k
5a8f075197 move authoritative client-go utils out of pkg 2017-01-24 08:59:18 -05:00
Antoine Pelisse
62af7dd33d OWNERS: Update latest OWNERS files 
These files have been created lately, so we don't have much information
about them anyway, so let's just:
- Remove assignees and make them approvers
- Copy approves as reviewers
 2017-01-23 10:05:48 -08:00
deads2k
ee6752ef20 find and replace 2017-01-20 08:04:53 -05:00
Kubernetes Submit Queue
ac857a5ade Merge pull request #40106 from deads2k/client-09-switch 
Automatic merge from submit-queue

make client-go more authoritative

Builds on https://github.com/kubernetes/kubernetes/pull/40103

This moves a few more support package to client-go for origination.  
 1. restclient/watch - nodep
 1. util/flowcontrol - used interface
 1. util/integer, util/clock - used in controllers and in support of util/flowcontrol
 2017-01-19 06:34:49 -08:00
deads2k
cdb2934bbc remove kubernetes copy of clientcmd types 2017-01-19 07:39:19 -05:00
Dr. Stefan Schimanski
3d9449a353 genericapiserver: fix imports 2017-01-19 13:06:47 +01:00
deads2k
68999bae22 add node problem detector role 2017-01-18 13:25:00 -05:00
deads2k
d1fec7068f generated 2017-01-18 10:35:46 -05:00
Kubernetes Submit Queue
c14fa94a4a Merge pull request #40042 from seh/add-ingress-to-rbac-roles 
Automatic merge from submit-queue

Include "ingresses" resource in RBAC bootstrap roles

The bootstrap RBAC roles "admin", "edit", and "view" should all be able to apply their respective access verbs to the "ingresses" resource in order to facilitate both publishing Ingress resources (for
service administrators) and consuming them (for ingress controllers).

Note that I alphabetized the resources listed in the role definitions that I changed to make it easier to decide later where to insert new entries. The original order looked like it may have started out alphabetized, but lost its way. If I missed an intended order there, please advise.

I am uncertain whether this change deserves mention in a release note, given the RBAC feature's alpha state. Regardless, it's possible that a cluster administrator could have been happy with the previous set of permissions afforded by these roles, and would be surprised to discover that bound subjects can now control _Ingress_ resources. However, in order to be afflicted, that administrator would have had to have applied these role definitions again which, if I understand it, would be a deliberate act, as bootstrapping should only occur once in a given cluster.
 2017-01-17 15:32:45 -08:00
Clayton Coleman
bcde05753b Correct import statements 2017-01-17 16:18:18 -05:00
Clayton Coleman
9a2a50cda7 refactor: use metav1.ObjectMeta in other types 2017-01-17 16:17:19 -05:00
Clayton Coleman
36acd90aba Move APIs and core code to use metav1.ObjectMeta 2017-01-17 16:17:18 -05:00
Kubernetes Submit Queue
fc8e029f8f Merge pull request #40034 from liggitt/node-bootstrapper-role 
Automatic merge from submit-queue

Add node TLS bootstrapping role

Adds a role describing permissions needed to complete the kubelet client bootstrap flow. Needed by kubeadm in https://github.com/kubernetes/kubernetes/pull/39846#discussion_r96491471
 2017-01-17 12:44:24 -08:00
Steven E. Harris
0016f7f2fc Include "ingresses" in RBAC bootstrap roles 
The bootstrap RBAC roles "admin", "edit", and "view" should all be
able to apply their respective access verbs to the "ingresses"
resource in order to facilitate both publishing Ingress resources (for
service administrators) and consuming them (for ingress controllers).
 2017-01-17 15:37:19 -05:00
Jordan Liggitt
d11f5a0a20 Add node TLS bootstrapping role 2017-01-17 14:31:34 -05:00
deads2k
b2586830c3 add heapster role 2017-01-17 11:27:57 -05:00
Kubernetes Submit Queue
6cd0592a46 Merge pull request #39963 from deads2k/rbac-39-permissions 
Automatic merge from submit-queue

add patch RS to deployment controller

Found in http://gcsweb.k8s.io/gcs/kubernetes-jenkins/logs/ci-kubernetes-e2e-gci-gce/2841/artifacts/bootstrap-e2e-master/, `RBAC DENY: user "system:serviceaccount:kube-system:deployment-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "patch" on "replicasets.extensions/" in namespace "e2e-tests-deployment-3rj5g"
`

@kubernetes/sig-auth-misc
 2017-01-16 12:15:16 -08:00
Kubernetes Submit Queue
8ab0519160 Merge pull request #39961 from liggitt/patch-permissions 
Automatic merge from submit-queue

Give replicaset controller patch permission on pods

Needed for AdoptPod/ReleasePod

Fixes denials seen in autoscaling test log:
`RBAC DENY: user "system:serviceaccount:kube-system:replicaset-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "patch" on "pods./"`
 2017-01-16 11:23:40 -08:00
deads2k
56c0ae6456 add patch RS to deployment controller 2017-01-16 12:44:25 -05:00
Jordan Liggitt
4eee0b2b41 Give replicaset controller patch permission on pods 
Needed for AdoptPod/ReleasePod
 2017-01-16 12:32:37 -05:00
Kubernetes Submit Queue
8fa23586cf Merge pull request #39918 from liggitt/e2e-examples-permissions 
Automatic merge from submit-queue

Fix examples e2e permission check

Ref #39382
Follow-up from #39896

Permission check should be done within the e2e test namespace, not cluster-wide

Also improved RBAC audit logging to make the scope of the permission check clearer
 2017-01-16 06:30:29 -08:00
Kubernetes Submit Queue
eb9f953496 Merge pull request #39876 from deads2k/generic-20-deps-03 
Automatic merge from submit-queue

move more things to apiserver

```
pkg/genericapiserver/api/handlers/negotiation/ -> apiserver/pkg/handlers/negotiation
pkg/genericapiserver/api/metrics -> apiserver/pkg/metrics
pkg/genericapiserver/api/request -> apiserver/pkg/request
pkg/util/wsstream -> apiserver/pkg/util/wsstream
plugin/pkg/auth/authenticator/request/headerrequest -> apiserver/pkg/authentication/request/headerrequest
plugin/pkg/webhook -> apiserver/pkg/webhook
```

and mechanicals.

`k8s.io/kubernetes/pkg/genericapiserver/routes/data/swagger` needs to be sorted out.
 2017-01-16 04:14:37 -08:00
Jordan Liggitt
7f81e2e4ac Improve RBAC denial audit logging 2017-01-14 17:31:58 -05:00
Kubernetes Submit Queue
f21a0f03c3 Merge pull request #39905 from mikedanese/cert-rbac 
Automatic merge from submit-queue

add rbac role for certificate-controller

@liggitt @jcbsmpsn @pipejakob
 2017-01-14 07:46:11 -08:00
Mike Danese
f3e97d522d add rbac role for certificate-controller 2017-01-13 17:40:24 -08:00
deads2k
31b6ba4e94 mechanicals 2017-01-13 16:33:09 -05:00
deads2k
81b073a5f5 move no k8s.io/kubernetes deps to apiserver 2017-01-13 16:26:58 -05:00
deads2k
633e9d98fc use apimachinery packages instead of client-go packages 2017-01-13 14:04:54 -05:00
deads2k
f1176d9c5c mechanical repercussions 2017-01-13 08:27:14 -05:00
Kubernetes Submit Queue
8d4cc53175 Merge pull request #39483 from deads2k/generic-15-deps-02-for-real 
Automatic merge from submit-queue

move no k8s.io/kubernetes dep packages for genericapiserver

Move the next set of no-dep packages for genericapiserver.  Feel the ratchet click!

```
k8s.io/kubernetes/pkg/auth/authenticator/bearertoken -> k8s.io/apiserver/pkg/authentication/request/bearertoken
k8s.io/kubernetes/pkg/auth/authorizer/union -> k8s.io/apiserver/pkg/authorization/union
k8s.io/kubernetes/pkg/auth/group -> k8s.io/apiserver/pkg/authentication/group
k8s.io/kubernetes/pkg/httplog -> k8s.io/apiserver/pkg/httplog
k8s.io/kubernetes/pkg/ssh -> k8s.io/apiserver/pkg/ssh
k8s.io/kubernetes/pkg/storage/etcd/metrics -> k8s.io/apiserver/pkg/storage/etcd/metrics
k8s.io/kubernetes/pkg/util/cache -> k8s.io/apiserver/pkg/util/cache
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/anonymous -> k8s.io/apiserver/pkg/authentication/request/anonymous
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union -> k8s.io/apiserver/pkg/authentication/request/union
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/x509 -> k8s.io/apiserver/pkg/authentication/request/x509
k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/tokenfile -> k8s.io/apiserver/pkg/authentication/token/tokenfile
```

@sttts
 2017-01-11 15:16:13 -08:00
deads2k
c4fae4e690 mechanical repercussions 2017-01-11 15:20:36 -05:00
deads2k
5280c8d3ac moves of genericapiserver packages without dependencies 2017-01-11 15:06:38 -05:00
Dr. Stefan Schimanski
4a1d507756 Update bazel 2017-01-11 18:53:24 +01:00
Dr. Stefan Schimanski
cf60bec396 Split out server side code from pkg/apis/rbac/validation 2017-01-11 18:31:58 +01:00
deads2k
6a4d5cd7cc start the apimachinery repo 2017-01-11 09:09:48 -05:00
Kubernetes Submit Queue
959687543a Merge pull request #39651 from liggitt/passwordfile-groups 
Automatic merge from submit-queue (batch tested with PRs 39694, 39383, 39651, 39691, 39497)

Add support for groups to passwordfile

As we move deployment methods to using RBAC, it is useful to be able to place the admin user in the bootstrap kubeconfig files in a superuser group. The tokencsv file supports specifying group membership, but the basicauth file does not. This adds it for parity.

I plan to update the generated password file to put the admin user in a group (similar to the way https://github.com/kubernetes/kubernetes/pull/39537 puts that user in a group in the token file)

```release-note
--basic-auth-file supports optionally specifying groups in the fourth column of the file
```
 2017-01-10 21:25:15 -08:00
Kubernetes Submit Queue
49a0cf7f68 Merge pull request #39641 from liggitt/node-controller-status 
Automatic merge from submit-queue (batch tested with PRs 38212, 38792, 39641, 36390, 39005)

Allow node-controller to update node status

ref: #39639 

* adds required permissions to node-controller
 * fixes typo in role name for pod-garbage-collector role
* adds event watching permissions to persistent volume controller
* adds event permissions to node proxier
 2017-01-10 19:48:12 -08:00
Kubernetes Submit Queue
609e3e3890 Merge pull request #39619 from deads2k/fed-20-rename 
Automatic merge from submit-queue (batch tested with PRs 34488, 39511, 39619, 38342, 39491)

rename kubernetes-discovery to kube-aggregator

Rename `kubernetes-discovery` to `kube-aggregator`.  Move and bulk rename.

@kubernetes/sig-api-machinery-misc
 2017-01-10 16:07:14 -08:00
deads2k
453651cbfc rename kubernetes-discovery to kube-aggregator 2017-01-10 12:27:42 -05:00
Jordan Liggitt
caca81b1b5 Add support for groups to passwordfile 2017-01-10 00:04:26 -05:00
Jordan Liggitt
c6550af702 Allow proxier to write events 2017-01-09 23:36:09 -05:00
Jordan Liggitt
6d3b06125e Allow the persistent volume binder to watch events 2017-01-09 23:36:09 -05:00
Jordan Liggitt
c59c11eb0d fix role for pod-garbage-collector 2017-01-09 23:36:09 -05:00