github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
94,812 Commits 1 Branch 31 Tags 1,019 MiB
a4aa494cc1
Commit Graph

3021 Commits

Author SHA1 Message Date
shuang zhang
f0ea54070b Replace AreLabelsInWhiteList with isSubset 2020-10-05 22:07:47 +08:00
Kubernetes Prow Robot
ccfdc09f35
Merge pull request #91683 from tedyu/mirror-pod-owner-ref 
Mirror pod without OwnerReference should not be created
 2020-09-25 11:02:48 -07:00
Kubernetes Prow Robot
e7b9453972
Merge pull request #93537 from timuthy/enhancement.move-resourcequota 
Move ResourceQuota admission to k8s.io/apiserver lib
 2020-09-15 12:26:58 -07:00
David Eads
c0c033b12f generated 2020-09-14 09:24:41 -04:00
David Eads
c7911a384c remove pod presets 2020-09-14 09:24:40 -04:00
Michael Taufen
4f850f97de Graduate ServiceAccountIssuerDiscovery to beta 2020-09-11 12:01:47 -07:00
Tim Usner
70d440bc7e Move ResourceQuota admission to k8s.io/apiserver 2020-09-04 14:53:52 +02:00
Kubernetes Prow Robot
bb9ae50888
Merge pull request #93389 from fisherxu/return-err 
Return err directly when nodename in node object is not consistent with in cert
 2020-08-28 06:37:12 -07:00
Kubernetes Prow Robot
a9d1482710
Merge pull request #93311 from logicalhan/monitoring-role 
Add bootstrap policy for monitoring endpoints
 2020-08-28 06:36:52 -07:00
Davanum Srinivas
3421199494
Sign up dims for additional review roles 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-08-08 19:08:38 -04:00
David Eads
7c25f39eb8 add permissions required by endpoints controller for blockOwnerDeletion 2020-07-28 13:13:38 -04:00
xufei 00416946
f787db2508 return err directly when nodename is not consistent in cert 2020-07-25 09:10:32 +08:00
Han Kang
f57611970c add bootstrap policy for monitoring roles 
(we enable metrics and pprof by default, but that doesn't mean
 we should have full cluster-admin access to use those endpoints)

Change-Id: I20cf1a0c817ffe3b7fb8e5d3967f804dc063ab03

remove pprof but add read access to detailed health checks

Change-Id: I96c0997be2a538aa8c689dea25026bba638d6e7d

add base health check endpoints and remove the todo for flowcontrol, as there is an existing ticket

Change-Id: I8a7d6debeaf91e06d8ace3cb2bd04d71ef3e68a9

drop blank line

Change-Id: I691e72e9dee3cf7276c725a12207d64db88f4651
 2020-07-24 09:21:55 -07:00
Kubernetes Prow Robot
0cb7e320a5
Merge pull request #92784 from pohly/generic-ephemeral-inline-volumes 
generic ephemeral inline volumes
 2020-07-10 15:41:46 -07:00
Kubernetes Prow Robot
4efed03276
Merge pull request #91637 from robscott/endpointslice-mirroring 
Adding new EndpointSlice Mirroring Controller
 2020-07-10 10:19:48 -07:00
Patrick Ohly
ff3e5e06a7 GenericEphemeralVolume: initial implementation 
The implementation consists of
- identifying all places where VolumeSource.PersistentVolumeClaim has
  a special meaning and then ensuring that the same code path is taken
  for an ephemeral volume, with the ownership check
- adding a controller that produces the PVCs for each embedded
  VolumeSource.EphemeralVolume
- relaxing the PVC protection controller such that it removes
  the finalizer already before the pod is deleted (only
  if the GenericEphemeralVolume feature is enabled): this is
  needed to break a cycle where foreground deletion of the pod
  blocks on removing the PVC, which waits for deletion of the pod

The controller was derived from the endpointslices controller.
 2020-07-09 23:29:24 +02:00
Patrick Ohly
c05c8e915b GenericEphemeralVolume: feature gate, API, documentation 
As explained in
https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1698-generic-ephemeral-volumes,
CSI inline volumes are not suitable for more "normal" kinds of storage
systems. For those a new approach is needed: "generic ephemeral inline
volumes".
 2020-07-09 11:02:59 +02:00
Kubernetes Prow Robot
94a08e159a
Merge pull request #92387 from pohly/csi-storage-capacity 
CSI storage capacity check
 2020-07-09 00:04:59 -07:00
Rob Scott
e701cb0205
Enabling the EndpointSliceMirroring controller, adding related config 2020-07-06 12:43:34 -07:00
Patrick Ohly
0efbbe8555 CSIStorageCapacity: check for sufficient storage in volume binder 
This uses the information provided by a CSI driver deployment for
checking whether a node has access to enough storage to create the
currently unbound volumes, if the CSI driver opts into that checking
with CSIDriver.Spec.VolumeCapacity != false.

This resolves a TODO from commit 95b530366a.
 2020-07-06 19:20:10 +02:00
Paulo Gomes
8976e3620f
Add seccomp enforcement and validation based on new GA fields 
Adds seccomp validation.

This ensures that field and annotation values must match when present.

Co-authored-by: Sascha Grunert <sgrunert@suse.com>
 2020-07-06 09:13:25 +01:00
Alex Wang
209117413f
Promote NonPreempt feature gate to beta (#91899) 
* update nonpreempt featuregate to beta

* update
 2020-06-30 00:02:56 -07:00
Kubernetes Prow Robot
71c352dee3
Merge pull request #87582 from mrueg/ptr 
PodTolerationRestriction: Mention Whitelist Scope in Error
 2020-06-29 13:07:59 -07:00
Shihang Zhang
613a712717 default to add projected fstype in psp when boundedserviceaccounttoken is enabled 2020-06-24 09:09:27 -07:00
Ted Yu
9f95fdd3cd Mirror pod without OwnerReference should not be created 
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
 2020-06-21 08:00:17 -07:00
Christopher M. Luciano
92506a98fc
ingress: Update IngressClass feature and admission controller for v1 
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
 2020-06-17 12:11:31 -04:00
Kubernetes Prow Robot
11fe6e815f
Merge pull request #91713 from liggitt/csr-v1-manager 
CSR v1 - switch controllers
 2020-06-09 14:49:30 -07:00
Andrew Keesler
a1de5a86ff
Migrate a single node_authorizer.go klog.Infof call to klog.InfoS (#91591) 
* Migrate a single node_authorizer.go klog.Infof call to klog.InfoS

We are starting with the log lines that show up most often.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

* Remove quotes from error for readability

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

* node_authorizer.go: use %s for node names for log uniformity

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

* node_authorizer.go: single-quote node name for readability++

This is good because:
1) the node name is clear in the log line
2) the node names shows up the same in {un-,}structured logs

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-06-09 14:49:01 -07:00
Jordan Liggitt
db4ca87d9d Switch CSR approver/signer/cleaner controllers to v1 2020-06-05 18:45:34 -04:00
Jordan Liggitt
0e062981d1 Detect PSP enablement more accurately 2020-06-03 13:14:19 -04:00
Jordan Liggitt
7049149181 Generated files 2020-05-28 16:53:23 -04:00
Jordan Liggitt
377adfa2b7 Make signer admission plugin check on condition update 2020-05-28 12:20:40 -04:00
Kubernetes Prow Robot
9f5d9a9bef
Merge pull request #91315 from jherrera123/master 
Fix runtime admission flaky test due to race condition
 2020-05-22 10:45:11 -07:00
Jesus Herrera
a5800ab4cb Fix linter and bazel errors 2020-05-21 23:06:56 -04:00
Jesus Herrera
6b8e2cc24e Fix runtime admission flaky test due to race condition 2020-05-20 20:29:51 -04:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-05-16 07:54:27 -04:00
Jordan Liggitt
fd78947489 Indicate node authorizer does not support rule resolution 2020-05-12 20:34:13 -04:00
Jiajie Yang
ae0e52d28c Monitoring safe rollout of time-bound service account token. 2020-04-22 11:59:16 -07:00
Jordan Liggitt
ba4d2aa076 Restrict node labels on Node create 2020-04-20 16:26:24 -04:00
Kubernetes Prow Robot
8a4bf39884
Merge pull request #82814 from porridge/patch-1 
Fix a couple of typos
 2020-04-14 06:20:13 -07:00
Kubernetes Prow Robot
6239abe698
Merge pull request #89225 from andrewsykim/apparmor-api 
move apparmor annotation constants to k8s.io/api/core/v1
 2020-04-12 19:11:50 -07:00
Gaurav Sofat
ac0ce7338e
Reflect DecisionNoOpinion in RBAC authorizer logs (#89608) 
* Reflect DecisionNoOpinion in RBAC authorizer logs

* Modify RBAC authorizer log message
 2020-04-08 13:37:44 -07:00
Andrew Sy Kim
2e56866c97 move apparmor annotation constants to k8s.io/api/core/v1 
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
 2020-04-06 10:22:04 -04:00
Kubernetes Prow Robot
561e86e241
Merge pull request #89696 from flant/service-account-volume-name-with-dot 
Fix service account names with a dot
 2020-04-01 19:26:25 -07:00
Maru Newby
76207fe3d2 Fix permissions for endpointslice controller 
The controller needs to be able to set a service's finalizers to be
able to create an EndpointSlice resource that is owned by the service
and sets blockOwnerDeletion=true in its ownerRef.
 2020-04-01 10:32:11 -07:00
m.nabokikh
ea32811cbd Fix service account names with a dot 
This fix provides the ability to mount service account tokens to pods. The core problem is the volumeName option can't contain any dots.
 2020-03-31 21:42:04 +04:00
Shihang Zhang
b56da85a77 sync api/v1/pod/util with api/pod/util and remove DefaultContainers 2020-03-24 16:42:32 -07:00
Kubernetes Prow Robot
0549d0e7db
Merge pull request #88943 from tedyu/visitor-container-type 
Visitors of Configmaps and Secrets should specify which containers to visit
 2020-03-20 09:20:36 -07:00
Ted Yu
e0dbbf0a65 Visitors of Configmaps and Secrets should specify which containers to visit 
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
 2020-03-20 07:59:44 -07:00