Charles Eckman
5a176ac772
Provide OIDC discovery endpoints
...
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00
Jordan Liggitt
3df9e86a4e
Remove ability to re-enable serving deprecated APIs
2019-12-13 12:21:33 -05:00
Han Kang
6de7082978
remove two unused metrics
2019-12-05 16:30:21 -08:00
Han Kang
aaac96c660
Two bug fixes: (1) at least log something out if we fail to register our health check, (2) actually register a prometheus metric. I delete the deprecated metric in this block because there isn't any point to it, since no one can be broken by changing a metric that doesn't get collected
2019-12-05 16:30:21 -08:00
hwdef
e7172b3dbf
pkg/master: Fix static check failures
2019-11-27 09:15:57 +08:00
Rob Scott
a7e589a8c6
Promoting EndpointSlices to beta
2019-11-13 14:20:19 -08:00
yue9944882
3d1b5d0e9a
flowcontrol rest storage implementation
2019-11-08 14:27:14 +08:00
David Eads
be8af0de1b
remove exist client hooks
2019-11-06 10:17:19 -05:00
David Eads
7351c86860
publish cluster authentication trust via controller
2019-11-06 10:17:19 -05:00
mengyang02
ed8767cded
fix golint errors for pkg/master, together with cheftako
2019-10-05 21:42:52 +08:00
Kubernetes Prow Robot
1d016cc1d3
Merge pull request #81668 from darshanime/remove_default_service_cidr
...
Deprecate default service IP CIDR
2019-09-10 14:31:45 -07:00
darshanime
aef96c34a9
Remove default service cidr
...
Signed-off-by: darshanime <deathbullet@gmail.com>
2019-08-30 11:14:25 +05:30
Rob Scott
d618452a97
Adding EndpointsAdapter for apiserver EndpointSlice support
2019-08-29 16:22:32 -07:00
Kubernetes Prow Robot
550fb1bfc3
Merge pull request #79386 from khenidak/phase2-dualstack
...
Phase 2 dualstack
2019-08-28 20:39:56 -07:00
Khaled Henidak(Kal)
93c06821e6
Phase 2: service and endpoint processing
2019-08-28 15:59:43 +00:00
Rob Scott
f80cee9280
Adding discovery/v1alpha1 API for EndpointSlices
2019-08-26 14:50:00 -07:00
Kubernetes Prow Robot
8dea3310e5
Merge pull request #81376 from logicalhan/health-checks
...
rename healthz methodNames to be more consistent w/ present day usages
2019-08-22 03:48:32 -07:00
Han Kang
2e23788fda
rename healthz methodNames to be more consistent w/ present day usages
2019-08-13 12:52:30 -07:00
Ted Yu
87b2a3129b
Propagate error from NewREST
2019-08-12 13:55:35 -07:00
Jordan Liggitt
e24377f190
Install/register v1 admission registration types
2019-07-08 09:49:29 -04:00
Jordan Liggitt
24f04b32c2
Stop serving apps/v1beta1, apps/v1beta2, and deprecated extensions/v1beta1 resources by default
2019-06-22 13:56:58 -07:00
Tim Allclair
820a1dc96b
Add node.k8s.io/v1beta1 API
2019-03-07 11:57:12 -08:00
Tim Allclair
63f61a6714
Migrate RuntimeClass to internal API
2019-03-07 11:07:54 -08:00
Kubernetes Prow Robot
b1d4d40679
Merge pull request #74668 from sttts/sttts-kube-apiserver-endpoints-when-ready
...
kube-apiserver: don't create endpoints before being ready
2019-03-04 01:57:41 -08:00
Kubernetes Prow Robot
9b8c58644a
Merge pull request #74418 from danielqsj/duration
...
convert latency/latencies in metrics name to duration
2019-03-01 17:58:12 -08:00
Dr. Stefan Schimanski
2a9a9fa155
kube-apiserver: first remove endpoints, then add when ready
2019-03-01 10:46:18 +01:00
Kubernetes Prow Robot
3afa003126
Merge pull request #73555 from bsalamat/priority_to_ga
...
Graduate PriorityClass API to GA
2019-02-22 16:14:49 -08:00
Bobby (Babak) Salamat
453498fe2c
Graduate PriorityClass to GA
2019-02-22 10:51:13 -08:00
danielqsj
f7b437cae0
convert latency in metrics name to duration
2019-02-22 21:40:13 +08:00
Jordan Liggitt
8c28d3f63c
Add networking.k8s.io/v1beta1 Ingress
2019-02-20 16:41:14 -05:00
Antoine Pelisse
0e1d50e70f
API Machinery, Kubectl and tests
2019-02-04 13:51:48 -08:00
Jordan Liggitt
dc1fa870bf
Remove alpha InitializerConfiguration types, Initializers admission plugin
2019-01-23 11:37:39 -05:00
Jordan Liggitt
e016e132f5
Allow enabling/disabling specific extensions/v1beta1 resources
2019-01-02 10:15:21 -05:00
wojtekt
73d14dede6
Promote Lease API to v1
2018-12-20 15:39:57 +01:00
Walter Fender
d92ee41e44
Fix issue where missing external IP address breaks SSH Tunnel.
...
Added unit test to cover missing external IP case.
Justin's feedback.
Lint fix.
Lavalmap's feedback.
2018-12-12 10:59:32 -08:00
Mike Danese
ed17876e52
plumb apiAudience to TokenReview registry
2018-11-16 19:30:42 -05:00
Mike Danese
766aab509a
dedup APIAudiences config in kube-apiserver, use GenericConfig field
2018-11-13 11:07:31 -08:00
Davanum Srinivas
954996e231
Move from glog to klog
...
- Move from the old github.com/golang/glog to k8s.io/klog
- klog has explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
2018-11-10 07:50:31 -05:00
zuoxiu.jm
9c33a913de
use loopback client connection instead of direct etcd call in master lease
2018-11-01 12:22:09 +08:00
zuoxiu.jm
7f608eb5df
prune internal informer from kubeapiserver constructor
2018-10-29 11:30:44 +08:00
Mike Danese
bcd492e86e
use more specific authenticator.Audiences type in TokenRequest registry
2018-10-23 00:16:17 -07:00
Mike Danese
371b1e7fed
promote --service-account-api-audiences to top level kube-apiserver config
...
The service account authenticator isn't the only authenticator that
should respect API audience. The authentication config structure should
reflect that.
2018-10-22 18:21:37 -07:00
Patrick Barker
381d0a5d14
adds dynamic audit api
2018-10-16 06:46:34 -06:00
Mike Dame
f407700af9
Add autoscaling/v2beta2 and custom_metrics/v1beta2 to necessary files
2018-08-27 11:07:52 -04:00
yue9944882
6bac6fafa0
promote informers into master.Config
...
review:
1. move informers into master extra config
2. move one post start hook into New()
fixes npe from master integration test
2018-08-08 09:35:45 +08:00
Jordan Liggitt
3cb771a866
Use storage directly for scale subresources
2018-07-13 11:40:52 -04:00
Kubernetes Submit Queue
6d3bba7391
Merge pull request #64246 from wojtek-t/lease_object_type
...
Automatic merge from submit-queue (batch tested with PRs 64246, 65489, 65443). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md
Create "Lease" API in the new "coordination.k8s.io" api group
Part of "Efficient Node heartbeats" KEP:
https://github.com/kubernetes/community/blob/master/keps/0009-node-heartbeat.md
Part of: https://github.com/kubernetes/kubernetes/issues/14733
```release-note
NONE
```
2018-06-27 08:17:10 -07:00
wojtekt
c79b54db9f
Enable coordination api group
2018-06-27 13:30:13 +02:00
WanLinghao
f16470c3f1
This patch adds a limit to the TokenRequest expiration time. It constrains a TokenRequest's expiration time to avoid extreme values which could harm the cluster.
2018-06-14 09:31:50 +08:00