Rob Scott
132d2afca0
Adding IngressClass to networking/v1beta1
...
Co-authored-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-03-01 18:17:09 -08:00
Kubernetes Prow Robot
03b7f272c8
Merge pull request #88246 from munnerz/csr-signername-controllers
...
Update CSR controllers & kubelet to respect signerName field
2020-02-28 23:38:39 -08:00
Jefftree
d318e52ffe
authentication webhook via network proxy
2020-02-27 17:47:23 -08:00
Jordan Liggitt
57ea7a11a6
Remove global variable dependency from runtimeclass admission
2020-02-27 15:23:52 -05:00
James Munnelly
d7e10f9869
Add Certificate signerName admission plugins
2020-02-27 15:50:14 +00:00
Kubernetes Prow Robot
8ca96f3e07
Merge pull request #80724 from cceckman/provider-info-e2e
...
Provide OIDC discovery for service account token issuer
2020-02-13 01:38:35 -08:00
Kubernetes Prow Robot
d5ea2f15b5
Merge pull request #87234 from KobayashiD27/fix-golint
...
fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy
2020-02-12 02:23:05 -08:00
Charles Eckman
5a176ac772
Provide OIDC discovery endpoints
...
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the from the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc ) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io ,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
Jordan Liggitt
8a3f587b04
Add fast path to node authorizer for node/edge removal
2020-02-10 13:51:33 -05:00
Jordan Liggitt
3e0c0792d7
Switch node authorizer index to refcounts
2020-02-10 13:24:13 -05:00
Jordan Liggitt
6d335372b2
Add configmap->node destination edges to the node authorizer index
2020-02-10 13:23:50 -05:00
Mike Danese
25651408ae
generated: run refactor
2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00
Kubernetes Prow Robot
91738cb031
Merge pull request #87688 from mborsz/node2
...
Add a fast path for adding new node in node_authorizer
2020-02-07 05:57:03 -08:00
Tim Allclair
9d3670f358
Ensure testing credentials are labeled as such
2020-02-04 10:36:05 -08:00
Maciej Borsz
69df8a8230
Add a fast path for adding new node in node_autorizer.
...
This seems to improve WriteIndexMaintenance benchmark:
Before:
BenchmarkWriteIndexMaintenance-12 1034 1157922 ns/op 1906 B/op 41 allocs/op
After:
BenchmarkWriteIndexMaintenance-12 4891 239821 ns/op 1572 B/op 37 allocs/op
2020-02-04 11:32:06 +01:00
Kubernetes Prow Robot
1bb68a2cde
Merge pull request #87693 from liggitt/node-authz-index
...
Fix node authorizer index recomputation
2020-01-30 21:20:55 -08:00
Jordan Liggitt
d8c00b7f52
Fix node authorizer index recomputation
2020-01-30 13:29:57 -05:00
Mike Danese
968adfa993
cleanup req.Context() and ResponseWrapper
2020-01-29 08:50:45 -08:00
Mike Danese
d55d6175f8
refactor
2020-01-29 08:50:45 -08:00
Kubernetes Prow Robot
9633dd63b2
Merge pull request #87239 from lemonli/cleanup/node-authorizer
...
clean up node_authorizer code: verb judgement
2020-01-24 19:21:15 -08:00
Rob Scott
469de65c25
Enabling EndpointSlice feature gate by default
...
This enables the EndpointSlice controller by default, but does not make
kube-proxy a consumer of the EndpointSlice API.
2020-01-17 16:19:29 -08:00
Kobayashi Daisuke
0c3112fff3
fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy
2020-01-16 09:23:16 +09:00
lemonli
2498dbf636
clean node_authorizer code: verb judgement
2020-01-15 18:08:09 +08:00
Jordan Liggitt
39e373fc45
Do not require token secrets when using bound service account tokens
2020-01-09 13:20:45 -05:00
wojtekt
1657ef25eb
Extend authorization benchmark
2019-12-12 16:20:38 +01:00
Kubernetes Prow Robot
14fe931e9f
Merge pull request #85375 from liggitt/delegated-list-watch
...
Add single-item list/watch to delegated authentication reader role
2019-11-15 20:49:41 -08:00
Kubernetes Prow Robot
5848ee4945
Merge pull request #85365 from robscott/endpointslice-default-off
...
Disabling EndpointSlice feature gate by default
2019-11-15 17:57:50 -08:00
Jordan Liggitt
ba93157fd2
Add single-item list/watch to delegated authentication reader role
2019-11-15 20:37:43 -05:00
Rob Scott
37aa219fff
Disabling EndpointSlice feature gate by default
...
Given the significance this change would have we've decided to hold off
on enabling this by default until we can have better test coverage and
more real world usage of the feature.
2019-11-15 14:54:35 -08:00
David Zhu
e64a4bc631
Update attachdetach-controller role to include permissions to get, list, and watch csinodes for CSIMigration
2019-11-15 11:22:35 -08:00
Roc Chan
c9cf3f5b72
Service Topology implementation
...
* Implement Service Topology for ipvs and iptables proxier
* Add test files
* API validation
2019-11-15 13:36:43 +08:00
Tim Allclair (St. Clair)
581d3e26c9
Restrict mirror pod owner references ( #84657 )
...
* Restrict mirror pod owners.
See http://git.k8s.io/enhancements/keps/sig-auth/20190916-noderestriction-pods.md
* Address feedback, refactor test
* Verify node owner UID
2019-11-14 20:52:16 -08:00
Rob Scott
a7e589a8c6
Promoting EndpointSlices to beta
2019-11-13 14:20:19 -08:00
Kubernetes Prow Robot
195664db0e
Merge pull request #85099 from liggitt/quota-config-v1
...
Promote apiserver.config.k8s.io/v1, kind=ResourceQuotaConfiguration
2019-11-13 13:02:52 -08:00
draveness
5cb92260a6
feat: graduate ResourceQuotaScopeSelectors to GA
2019-11-13 14:07:22 +08:00
Kubernetes Prow Robot
bb55aa7c54
Merge pull request #76310 from ravisantoshgudimetla/fix-priority-quota
...
Relax namespace restriction for critical pods
2019-11-12 19:00:11 -08:00
ravisantoshgudimetla
f2cbbe228f
BUILD files
2019-11-12 17:22:14 -05:00
ravisantoshgudimetla
fe4cac73c8
Relax namespace restriction for critical pods
2019-11-12 17:22:09 -05:00
Kubernetes Prow Robot
c580a12c8e
Merge pull request #83568 from bertinatto/volume_limits_ga
...
Promote volume limits to GA
2019-11-12 11:50:22 -08:00
Kubernetes Prow Robot
94efa988f4
Merge pull request #84813 from deads2k/admission-feature-gates
...
remove global variable dependency from admission plugins
2019-11-12 10:23:14 -08:00
David Eads
83f6f2717e
remove global variable dep in admission
2019-11-12 10:55:14 -05:00
Jordan Liggitt
7d3012f297
Promote resource quota admission configuration to v1
2019-11-12 09:03:55 -05:00
Fabio Bertinatto
affcd0128b
Promote volume limits to GA
2019-11-12 09:43:53 +01:00
Kubernetes Prow Robot
9cf309ed59
Merge pull request #82049 from andrewsykim/ga-node-instance-type-label
...
Promote Node Instance Type Label to GA
2019-11-08 13:47:58 -08:00
David Eads
675c2fb924
add featuregate inspection as admission plugin initializer
2019-11-08 13:07:40 -05:00
Kubernetes Prow Robot
ae15368355
Merge pull request #84351 from wojtek-t/promote_node_lease_to_GA
...
Promote node lease to GA
2019-11-08 09:00:15 -08:00
Andrew Sy Kim
560b8efb79
noderestriction: update node restriction unit tests to use stable instance-type label
...
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
2019-11-08 11:17:58 -05:00
Andrew Sy Kim
349749644f
test/e2e: check both beta and zone label for getting cluster zone
...
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
2019-11-07 21:22:05 -05:00
Andrew Sy Kim
4c194d52da
kubelet: set both deprecated Beta and GA labels for zone/region topology from the cloud provider
...
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
2019-11-07 21:22:04 -05:00
