github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
99,899 Commits 1 Branch 31 Tags 1,019 MiB
925900317e
Commit Graph

612 Commits

Author SHA1 Message Date
Shihang Zhang
925900317e allow multiple of --service-account-issuer 2021-04-19 09:54:11 -07:00
xiongzhongliang
e6d6409cf8 remove duplicated validation for service-cluster-ip-range 2021-03-19 11:17:07 +08:00
xiongzhongliang
00bfd28fbd fix some hardcoding 
fix some hardcoding
 2021-02-20 01:27:54 +08:00
Michael Taufen
6aa80d9172 Graduate ServiceAccountIssuerDiscovery to GA 
Waiting on KEP updates first:
https://github.com/kubernetes/enhancements/pull/2363
 2021-02-01 11:44:23 -08:00
yue9944882
849be447f5 APF: graduate API and types to beta 
Signed-off-by: Adhityaa Chandrasekar <adtac@google.com>
 2020-11-13 23:20:39 +00:00
Kubernetes Prow Robot
281866b35c
Merge pull request #95533 from roycaihw/apiserver-lease-controller 
Add kube-apiserver lease controller
 2020-11-06 18:09:37 -08:00
Haowei Cai
3761a00e5b add kube-apiserver-lease-controller poststart hook 2020-11-06 13:33:08 -08:00
Kubernetes Prow Robot
d16112f76c
Merge pull request #96052 from wojtek-t/fix_watchcache_size 
Disable watchcache for events
 2020-11-02 07:30:53 -08:00
wojtekt
5a8f94cb30 Disable watchcache for events 2020-10-31 19:51:33 +01:00
Kubernetes Prow Robot
1968e96165
Merge pull request #95856 from knight42/refactor/disable-apiserver-insecure-port 
refactor(apiserver): disable insecure port
 2020-10-29 10:47:58 -07:00
knight42
cfc2b330a7
refactor(apiserver): ignore the insecure flags 
Leave the insecure flags intact but stop serving on insecure port.
 2020-10-29 23:20:17 +08:00
Andrew Sy Kim
a0aebf96ec apiserver: support egress selection name 'controlplane' and deprecate 'master' 
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
 2020-10-26 10:24:16 -04:00
Daniel Smith
13b6a929bc It's an 'Instance' of apiserver 2020-09-24 16:14:29 -04:00
Daniel Smith
a86afc12df update scripts 2020-09-02 10:49:40 -07:00
Daniel Smith
15e0e3e90e rename 2020-09-02 10:48:26 -07:00
Kubernetes Prow Robot
2d327ac455
Merge pull request #91539 from andrewsykim/fix-cloud-provider-deprecation 
only log cloud provider deprecation warning for in-tree components
 2020-07-10 00:59:48 -07:00
Kubernetes Prow Robot
8ec5747fe5
Merge pull request #91501 from tahsinrahman/add-apiserver-logging-flag 
Add `--logging-format` flag for kube-apiserver
 2020-07-03 12:24:47 -07:00
Kubernetes Prow Robot
7151131d79
Merge pull request #73032 from liggitt/kubectl-warning 
surface server-side warnings in client-go / kubectl
 2020-06-12 17:09:56 -07:00
Jordan Liggitt
0d674c4edb cmd: silence warnings in kube-controller-manager/kube-apiserver, dedupe/color warnings in kubectl 2020-06-11 16:04:19 -04:00
wojtekt
5ceb53987b Remove heuristic watchcache sizes 2020-06-08 13:32:52 +02:00
Kubernetes Prow Robot
774c9a6db6
Merge pull request #91349 from neolit123/1.19-fail-on-unrecognized-args 
cmd/*: fail on unrecognized flags/arguments for component CLI
 2020-05-30 00:27:53 -07:00
Monis Khan
fc4f91f10b cmd/*: fail on unrecognized flags/arguments for component CLI 
In case a malformed flag is passed to k8s components
such as "–foo", where "–" is not an ASCII dash character,
the components currently silently ignore the flag
and treat it as a positional argument.

Make k8s components/commands exit with an error if a positional argument
that is not empty is found. Include a custom error message for all
components except kubeadm, as cobra.NoArgs is used in a lot of
places already (can be fixed in a followup).

The kubelet already handles this properly - e.g.:
'unknown command: "–foo"'

This change affects:
- cloud-controller-manager
- kube-apiserver
- kube-controller-manager
- kube-proxy
- kubeadm {alpha|config|token|version}
- kubemark

Signed-off-by: Monis Khan <mok@vmware.com>
Signed-off-by: Lubomir I. Ivanov <lubomirivanov@vmware.com>
 2020-05-28 22:06:01 +03:00
Andrew Sy Kim
ed3feac74d only log cloud provider deprecation warning for in-tree components 
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
 2020-05-28 11:55:56 -04:00
tahsinrahman
201f869c66 Add --logging-format flag for kube-apiserver 2020-05-28 11:39:04 +08:00
David Eads
ed4e6f1026 remove dynamic audit 2020-05-27 15:18:53 -04:00
Jiajie Yang
ebbd455b24 Restrict service account token metrics to kube-apiserver only. 2020-05-21 15:34:57 -07:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-05-16 07:54:27 -04:00
Tomas Nozicka
b22a170d46 Fix client-ca dynamic reload in apiserver 2020-04-29 16:03:09 +02:00
Kubernetes Prow Robot
15ed3b36d1
Merge pull request #90235 from cici37/addflag 
Remove CCM dependency pkg/util/flag
 2020-04-22 19:22:14 -07:00
Kubernetes Prow Robot
43cd2ff239
Merge pull request #89549 from happinesstaker/sa-rotate 
Monitoring safe rollout of time-bound service account token.
 2020-04-22 17:01:58 -07:00
Kubernetes Prow Robot
791b4bbeea
Merge pull request #85266 from serathius/refactor-show-hidden-metric 
Refactor show-hidden-metric-for-version flag
 2020-04-22 17:01:44 -07:00
Jiajie Yang
ae0e52d28c Monitoring safe rollout of time-bound service account token. 2020-04-22 11:59:16 -07:00
cici37
15c844031f Remove CCM dependency pkg/util/flag 2020-04-22 10:06:11 -07:00
David Eads
871d6dd8bb stop printing usage help when the server commands exit 2020-04-20 08:29:52 -04:00
Marek Siarkowicz
24321b2d4e Refactor show-hidden-metric-for-version flag 2020-04-08 22:42:14 +02:00
Davanum Srinivas
1d057da2f7
Move k8s.io/apiserver/pkg/util/term to k8s.io/component-base/term 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-03-19 07:18:09 -04:00
Kubernetes Prow Robot
268d0a1d3a
Merge pull request #85870 from Jefftree/authn-netproxy 
Use Network Proxy with Authentication & Authorizer Webhooks
 2020-02-28 18:44:39 -08:00
Jefftree
1b38199ea8 pass Dialer instead of egressselector to webhooks 2020-02-27 17:47:23 -08:00
Jefftree
d318e52ffe authentication webhook via network proxy 2020-02-27 17:47:23 -08:00
Jonathan Tomer
711c1e1720 Rename --enable-inflight-quota-handler to --enable-priority-and-fairness. 
The old flag name doesn't make sense with the renamed API Priority and
Fairness feature, and it's still safe to change the flag since it hasn't done
anything useful in a released k8s version yet.
 2020-02-27 14:04:37 -08:00
Kubernetes Prow Robot
79b674d827
Merge pull request #84381 from Sh4d1/egress_selector_proxy_v2 
Use network proxy for proxy subresources
 2020-02-20 04:29:03 -08:00
Kubernetes Prow Robot
77e8c75f32
Merge pull request #87754 from MikeSpreitzer/apf-filter5 
Add twice refactored filter and config consumer for API Priority and Fairness
 2020-02-13 16:54:46 -08:00
Patrik Cyvoct
6729bfd648
use network proxy for proxy subresources 
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
 2020-02-13 14:42:34 +01:00
Charles Eckman
5a176ac772 Provide OIDC discovery endpoints 
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.

Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
  the API server's external address and port.

- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).

- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the from the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.

Co-authored-by: Michael Taufen <mtaufen@google.com>
 2020-02-11 16:23:31 -08:00
Mike Spreitzer
73614ddd4e Added API Priority and Fairness filter and config consumer 2020-02-10 22:54:40 -05:00
Jefftree
1289bdaba4 network proxy with admission wh 2020-01-08 15:01:38 -08:00
darshanime
f4d1674827 Refactor parsing logic for service IP and ranges, add tests 
Signed-off-by: darshanime <deathbullet@gmail.com>
 2019-12-05 15:35:20 -05:00
darshanime
fdd25ec968 Fix bug in apiserver service cluster cidr split 
Signed-off-by: darshanime <deathbullet@gmail.com>
 2019-12-05 15:35:20 -05:00
RainbowMango
ac0562b00c Add metrics flag to show hidden metrics to kube-apiserver 2019-11-13 10:32:52 +08:00
David Eads
675c2fb924 add featuregate inspection as admission plugin initializer 2019-11-08 13:07:40 -05:00