Kubernetes Prow Robot
e1acbbd8fd
Merge pull request #99961 from margocrawf/master
...
Introduce Impersonate-UID header
2021-07-06 18:46:43 -07:00
Margo Crawford
74f5ed6b17
This introduces an Impersonate-Uid header to server-side code.
...
UserInfo contains a uid field alongside groups, username and extra.
This change makes it possible to pass a UID through as an impersonation header like you
can with Impersonate-Group, Impersonate-User and Impersonate-Extra.
This PR contains:
* Changes to impersonation.go to parse the Impersonate-Uid header and authorize uid impersonation
* Unit tests for allowed and disallowed impersonation cases
* An integration test that creates a CertificateSigningRequest using impersonation,
and ensures that the API server populates the correct impersonated spec.uid upon creation.
2021-07-06 10:13:16 -07:00
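The header handling this commit describes, written out as an added example for this page. It is not the project's impersonation.go: the UserInfo, Attribute and Policy types, the attribute names users/groups/uids/userextras, the toy Policy standing in for the API server's authorizer, and the sample headers are all assumptions made here. The rule that uid, group and extra headers are rejected without Impersonate-User is modelled on how the API server behaves but is this example's own check.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/textproto"
	"sort"
	"strings"
)

// UserInfo is the identity a request runs as: name, uid, groups and extra, as in the commit.
type UserInfo struct {
	Name   string
	UID    string
	Groups []string
	Extra  map[string][]string
}

// Attribute is one impersonation target that needs an authorization decision. Resource is
// users, groups, uids or userextras; Subresource carries the extra key for userextras.
type Attribute struct {
	Resource, Subresource, Name string
}

func (a Attribute) String() string { return a.Resource + "/" + a.Subresource + "/" + a.Name }

const (
	hdrUser  = "Impersonate-User"
	hdrUID   = "Impersonate-Uid" // canonical MIME form of Impersonate-UID
	hdrGroup = "Impersonate-Group"
	hdrExtra = "Impersonate-Extra-"
)

// ParseImpersonation turns Impersonate-* headers into the target UserInfo plus the sorted
// list of attributes to authorize. Uid, group and extra impersonation only make sense
// alongside Impersonate-User, so they are rejected without it (an assumption of this example).
func ParseImpersonation(h http.Header) (*UserInfo, []Attribute, error) {
	u := &UserInfo{Extra: map[string][]string{}}
	var attrs []Attribute
	for rawKey, values := range h {
		key := textproto.CanonicalMIMEHeaderKey(rawKey)
		switch {
		case key == hdrUser || key == hdrUID:
			if len(values) != 1 {
				return nil, nil, fmt.Errorf("%s must be given exactly once", key)
			}
			if key == hdrUser {
				u.Name = values[0]
				attrs = append(attrs, Attribute{Resource: "users", Name: values[0]})
			} else {
				u.UID = values[0]
				attrs = append(attrs, Attribute{Resource: "uids", Name: values[0]})
			}
		case key == hdrGroup:
			for _, g := range values {
				u.Groups = append(u.Groups, g)
				attrs = append(attrs, Attribute{Resource: "groups", Name: g})
			}
		case strings.HasPrefix(key, hdrExtra):
			k := strings.ToLower(strings.TrimPrefix(key, hdrExtra)) // URL-escaping of the key is not undone here
			for _, v := range values {
				u.Extra[k] = append(u.Extra[k], v)
				attrs = append(attrs, Attribute{Resource: "userextras", Subresource: k, Name: v})
			}
		}
	}
	if len(attrs) == 0 {
		return nil, nil, nil // no impersonation requested
	}
	if u.Name == "" {
		return nil, nil, errors.New("uid, group or extra impersonation requested without Impersonate-User")
	}
	sort.Slice(attrs, func(i, j int) bool { return attrs[i].String() < attrs[j].String() })
	return u, attrs, nil
}

// Policy is a constructed stand-in for the API server's authorizer (RBAC in practice):
// per requester, the attributes it may impersonate; "*" as Name matches any name.
type Policy map[string][]Attribute

func (p Policy) allows(requester string, want Attribute) bool {
	for _, a := range p[requester] {
		if a.Resource == want.Resource && a.Subresource == want.Subresource && (a.Name == "*" || a.Name == want.Name) {
			return true
		}
	}
	return false
}

// AuthorizeImpersonation denies the whole request as soon as one attribute is not allowed.
func AuthorizeImpersonation(p Policy, requester string, attrs []Attribute) error {
	for _, a := range attrs {
		if !p.allows(requester, a) {
			return fmt.Errorf("%q may not impersonate %s", requester, a)
		}
	}
	return nil
}

func main() {
	// Constructed sample request: a user, a uid, one group and one extra.
	h := http.Header{}
	h.Set("Impersonate-User", "alice")
	h.Set("Impersonate-UID", "3e1a5b2c-0000-4000-8000-000000000001")
	h.Add("Impersonate-Group", "developers")
	h.Set("Impersonate-Extra-Scopes", "view")
	u, attrs, err := ParseImpersonation(h)
	fmt.Printf("%+v %v %v\n", u, attrs, err)
	admin := Policy{"admin": {{Resource: "users", Name: "*"}, {Resource: "uids", Name: "*"},
		{Resource: "groups", Name: "developers"}, {Resource: "userextras", Subresource: "scopes", Name: "*"}}}
	fmt.Println(AuthorizeImpersonation(admin, "admin", attrs))
	fmt.Println(AuthorizeImpersonation(Policy{"bob": {{Resource: "users", Name: "*"}}}, "bob", attrs))
}
```

The point the example makes is that every header value becomes its own authorization check: being allowed to impersonate a user name says nothing about the uid or extras, and a requester lacking any one of the four attributes above gets the whole request denied.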
Jordan Liggitt
49d31c45b1
PodSecurity: baseline hostProcess check
2021-07-01 15:49:33 -04:00
Jordan Liggitt
ba6b4c5a18
PodSecurity: test GA-only cases and alpha/beta fields separately
2021-06-30 22:08:11 -04:00
Anish Ramasekar
5bd3334ad6
[PodSecurity] Add privileged containers baseline check
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2021-06-30 16:39:28 -04:00
Jordan Liggitt
42dc070b47
PodSecurity: kube-apiserver integration test
2021-06-28 17:45:36 -04:00
Mengjiao Liu
4eab19ae7d
Clean up the master term in test/integration comments
2021-06-18 16:31:05 +08:00
Kubernetes Prow Robot
51cbebab1f
Merge pull request #102687 from mengjiao-liu/rename-master-to-controlplane
...
test/integration: Rename master to controlplane
2021-06-14 09:49:16 -07:00
Kubernetes Prow Robot
4aae71695a
Merge pull request #102366 from cndoit18/fix-time-format
...
fix(timezone): Change the time zone in the api data to UTC
2021-06-11 06:54:59 -07:00
Mengjiao Liu
257b494478
test/integration: Rename masterConfig to instanceConfig
2021-06-08 17:21:47 +08:00
Mengjiao Liu
6871b2b3c7
Rename masterConfig to controlPlaneConfig
2021-06-04 20:55:08 +08:00
cndoit18
51717256f9
fix(timezone): the timezone is standardized to UTC
...
Signed-off-by: cndoit18 <cndoit18@outlook.com>
2021-06-03 23:55:39 +08:00
Mengjiao Liu
387154f1a9
Part3: master to controlplane in test/integration
...
Rename RunAMaster to RunAControlPlane
2021-06-03 11:06:19 +08:00
Mengjiao Liu
c9ec486287
Part of master to controlplane in test/integration
...
Rename NewIntegrationTestMasterConfig to NewIntegrationTestControlPlaneConfig
2021-05-25 13:26:28 +08:00
Shihang Zhang
925900317e
allow multiple of --service-account-issuer
2021-04-19 09:54:11 -07:00
Jordan Liggitt
33ad842480
allow evictions subresource to accept policy/v1 and policy/v1beta1
2021-04-13 21:22:25 -04:00
drfish
aa0b284ca1
Make integration tests not depend on e2e tests
2021-03-25 23:02:52 +08:00
Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00
Shihang Zhang
1095778dcc
remove secret-based sa token client builder
2021-02-21 22:00:40 -08:00
Michael Taufen
6aa80d9172
Graduate ServiceAccountIssuerDiscovery to GA
...
Waiting on KEP updates first:
https://github.com/kubernetes/enhancements/pull/2363
2021-02-01 11:44:23 -08:00
ialidzhikov
bc432124a2
Remove CSINodeInfo feature gate
...
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
2020-12-10 09:58:22 +02:00
Abu Kashem
53a1307f68
make backoff parameters configurable for webhook
...
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.
2020-11-01 10:18:25 -05:00
Shihang Zhang
ff641f6eb2
mv TokenRequest and TokenRequestProjection to GA
2020-10-29 20:47:01 -07:00
Kubernetes Prow Robot
ccfdc09f35
Merge pull request #91683 from tedyu/mirror-pod-owner-ref
...
Mirror pod without OwnerReference should not be created
2020-09-25 11:02:48 -07:00
Daniel Smith
a86afc12df
update scripts
2020-09-02 10:49:40 -07:00
Daniel Smith
15e0e3e90e
rename
2020-09-02 10:48:26 -07:00
Ted Yu
9f95fdd3cd
Mirror pod without OwnerReference should not be created
...
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
2020-06-21 08:00:17 -07:00
Kevin
bd961781d7
prevent update handler being called on disallowed CreateOnUpdate
2020-06-12 13:04:17 +00:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Jiajie Yang
ae0e52d28c
Monitoring safe rollout of time-bound service account token.
2020-04-22 11:59:16 -07:00
Jordan Liggitt
d8abacba40
client-go: update expansions callers
2020-03-06 16:50:41 -05:00
Mike Danese
c58e69ec79
automated refactor
2020-03-05 14:59:46 -08:00
Jefftree
1b38199ea8
pass Dialer instead of egressselector to webhooks
2020-02-27 17:47:23 -08:00
Jefftree
d318e52ffe
authentication webhook via network proxy
2020-02-27 17:47:23 -08:00
Charles Eckman
5a176ac772
Provide OIDC discovery endpoints
...
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
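The rotation point in the notes above (publish the validating key set, not just the signing key) as an added example for this page; it is not the project's discovery or token code. The issuer name is the in-cluster one the commit mentions; the kid values, the claims, the minimal RS256 JWT construction and the in-memory JWKS are assumptions made here, and the HTTPS fetch of the metadata and JWKS that the trust model requires is replaced by passing the key set directly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Issuer is an assumption for this example: the in-cluster issuer the commit message mentions.
const Issuer = "https://kubernetes.default.svc"

// JWK is the subset of an RSA JSON Web Key a relying party needs for RS256; JWKS is the
// document served at the jwks_uri advertised in the issuer's discovery metadata.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct {
	Keys []JWK `json:"keys"`
}

var b64 = base64.RawURLEncoding

// PublishJWKS builds the validating key set: every key a still-valid token may carry,
// not only the key currently used for signing.
func PublishJWKS(keys map[string]*rsa.PrivateKey) JWKS {
	var set JWKS
	for kid, k := range keys {
		set.Keys = append(set.Keys, JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(k.N.Bytes()),
			E: b64.EncodeToString(big.NewInt(int64(k.E)).Bytes())})
	}
	return set
}

// SignToken mints a minimal RS256 JWT whose header names the signing key by kid.
func SignToken(kid string, key *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the relying-party side: pin the algorithm, pick the key by kid from the
// fetched JWKS, verify the signature over header.payload, and only then trust the claims.
func VerifyToken(token string, jwks JWKS, wantIssuer string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("undecodable header")
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in the JWKS", hdr.Kid)
	}
	sig, _ := b64.DecodeString(parts[2]) // a malformed encoding simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("undecodable payload")
	}
	if claims["iss"] != wantIssuer {
		return nil, fmt.Errorf("issuer %v is not %q", claims["iss"], wantIssuer)
	}
	return claims, nil
}

// RotationDemo plays out the rotation window: the JWKS carries the retiring key and its
// replacement, so tokens signed by either verify, while a token signed by a key that was
// never published is rejected. Returns (oldOK, newOK, unpublishedRejected).
func RotationDemo() (bool, bool, bool) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	retiring, current, unpublished := gen(), gen(), gen()
	jwks := PublishJWKS(map[string]*rsa.PrivateKey{"k1": retiring, "k2": current})
	claims := map[string]any{"iss": Issuer, "sub": "system:serviceaccount:default:app"}
	tOld, _ := SignToken("k1", retiring, claims)
	tNew, _ := SignToken("k2", current, claims)
	tBad, _ := SignToken("k3", unpublished, claims)
	_, errOld := VerifyToken(tOld, jwks, Issuer)
	_, errNew := VerifyToken(tNew, jwks, Issuer)
	_, errBad := VerifyToken(tBad, jwks, Issuer)
	return errOld == nil, errNew == nil, errBad != nil
}
```

In a real relying party the JWKS passed to VerifyToken is the document fetched over HTTPS from the jwks_uri in the issuer metadata, and the TLS chain of that fetch is what makes the keys trustworthy; nothing in the token itself does. Keeping the retired signing key in the published set until its last tokens expire is what keeps the rotation window from rejecting valid tokens, and the unpublished-key case shows the set is the only thing that decides which signers count.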
Mike Danese
25651408ae
generated: run refactor
2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00
Tim Allclair
9d3670f358
Ensure testing credentials are labeled as such
2020-02-04 10:36:05 -08:00
Mike Danese
d55d6175f8
refactor
2020-01-29 08:50:45 -08:00
tanjunchen
264a1cf5f6
staticcheck:test/integration/auth/
2020-01-07 15:23:19 +08:00
danielqsj
6596a14d39
add missing alias of api errors under test
2019-12-26 17:29:38 +08:00
Jordan Liggitt
5d5b444c4d
Remove use of testapi codecs, selflink, resourcepath functions
2019-12-13 11:56:29 -05:00
tanjunchen
d2d68026fc
Fix golint issues in test/e2e/lifecycle/
2019-12-03 17:14:38 +08:00
Mike Danese
d16dde36a3
inline GC in expiring cache
...
This allows us to drop the background goroutine with negligible
difference in performance.
2019-11-15 17:50:31 -08:00
Mike Danese
3f194d5b41
migrate token cache to cache.Expiring
2019-11-14 13:50:15 -08:00
Jordan Liggitt
5ef4fe959a
Switch kubelet/aggregated API servers to use v1 tokenreviews
2019-11-11 17:19:10 -05:00
wojtekt
ffad401b4e
Promote NodeLease feature to GA
2019-11-05 09:01:12 +01:00
Michelle Au
2d467ed9d8
Update tests to use v1.CSINode
2019-10-28 13:41:13 -07:00
Jordan Liggitt
92eb072989
Propagate context to Authorize() calls
2019-09-24 11:14:54 -04:00