Kubernetes Prow Robot
268d0a1d3a
Merge pull request #85870 from Jefftree/authn-netproxy
Use Network Proxy with Authentication & Authorizer Webhooks
2020-02-28 18:44:39 -08:00
Jefftree
1b38199ea8
pass Dialer instead of egressselector to webhooks
2020-02-27 17:47:23 -08:00
Jefftree
d318e52ffe
authentication webhook via network proxy
2020-02-27 17:47:23 -08:00
Jonathan Tomer
711c1e1720
Rename --enable-inflight-quota-handler to --enable-priority-and-fairness.
The old flag name doesn't make sense with the renamed API Priority and
Fairness feature, and it's still safe to change the flag since it hasn't done
anything useful in a released k8s version yet.
2020-02-27 14:04:37 -08:00
Kubernetes Prow Robot
79b674d827
Merge pull request #84381 from Sh4d1/egress_selector_proxy_v2
Use network proxy for proxy subresources
2020-02-20 04:29:03 -08:00
Kubernetes Prow Robot
77e8c75f32
Merge pull request #87754 from MikeSpreitzer/apf-filter5
Add twice refactored filter and config consumer for API Priority and Fairness
2020-02-13 16:54:46 -08:00
Patrik Cyvoct
6729bfd648
use network proxy for proxy subresources
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-02-13 14:42:34 +01:00
Charles Eckman
5a176ac772
Provide OIDC discovery endpoints
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
  the API server's external address and port.
- The metadata server is configured with the validating key set rather
  than the signing key set. This allows for key rotation because tokens
  can still be validated by the keys exposed in the JWKs URL, even if the
  signing key has been rotated (note this may still be a short window if
  tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
  fetch the issuer metadata via HTTPS; the trust of the issuer metadata
  comes from the server presenting a TLS certificate with a trust chain
  back to the relying party's root(s) of trust. For tests, we use
  a local issuer (https://kubernetes.default.svc) for the certificate
  so that workloads within the cluster can authenticate it when fetching
  OIDC metadata. An API server cannot validly claim https://kubernetes.io,
  but within the cluster, it is the authority for kubernetes.default.svc,
  according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
Mike Spreitzer
73614ddd4e
Added API Priority and Fairness filter and config consumer
2020-02-10 22:54:40 -05:00
Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00
Tim Allclair
9d3670f358
Ensure testing credentials are labeled as such
2020-02-04 10:36:05 -08:00
Mike Danese
d55d6175f8
refactor
2020-01-29 08:50:45 -08:00
Ted Yu
34f0767137
Add flowcontrol to apiVersionPriorities
2020-01-19 14:16:46 -08:00
Jefftree
1289bdaba4
network proxy with admission wh
2020-01-08 15:01:38 -08:00
Jordan Liggitt
3df9e86a4e
Remove ability to re-enable serving deprecated APIs
2019-12-13 12:21:33 -05:00
darshanime
f4d1674827
Refactor parsing logic for service IP and ranges, add tests
Signed-off-by: darshanime <deathbullet@gmail.com>
2019-12-05 15:35:20 -05:00
darshanime
fdd25ec968
Fix bug in apiserver service cluster cidr split
Signed-off-by: darshanime <deathbullet@gmail.com>
2019-12-05 15:35:20 -05:00
yue9944882
81471c36b1
[generated] bazels and vendor/modules.txt
[generated] bazels
bazel
2019-12-04 00:49:28 +08:00
yue9944882
168f8f54f0
switch to v1 crd
switch api helper functions to v1 CRD api
switch v1 CRD for apiserver internal
switch to v1 CRD for internal controllers
api storage/validation related changes
move local-defaulting utils private to prevent spreading
boilerplate
keep the subresource status/scale spec nil unless it's enabled
clean up empty space
2019-12-04 00:49:26 +08:00
David Eads
3c1dc89d98
fix kube-apiserver poststarthook additions to avoid duplicating them
2019-11-26 14:05:06 -05:00
Jordan Liggitt
a5760dee81
Add support for --runtime-config=api/beta=false, --feature-gates=AllBeta=false
Allow disabling all beta features and APIs
2019-11-14 14:37:55 -05:00
Kubernetes Prow Robot
64f4be5b32
Merge pull request #84390 from robscott/endpointslice-beta
Promoting EndpointSlices to beta
2019-11-13 17:27:50 -08:00
Kubernetes Prow Robot
02af1dd62c
Merge pull request #85004 from deads2k/dynamic-agg-cert
dynamic reload cluster authentication info for aggregated API servers
2019-11-13 14:50:54 -08:00
Rob Scott
a7e589a8c6
Promoting EndpointSlices to beta
2019-11-13 14:20:19 -08:00
David Eads
3fbfe60ed2
make client authentication optional for test kube-apiserver
2019-11-13 10:25:28 -05:00
David Eads
3aede35b3b
dynamic reload cluster authentication info for aggregated API servers
2019-11-13 07:54:27 -05:00
RainbowMango
b2fbdee9bb
Deal with auto-generated files.
- Update bazel by hack/update-bazel.sh
2019-11-13 10:32:53 +08:00
RainbowMango
ac0562b00c
Add metrics flag to show hidden metrics to kube-apiserver
2019-11-13 10:32:52 +08:00
Kubernetes Prow Robot
94efa988f4
Merge pull request #84813 from deads2k/admission-feature-gates
remove global variable dependency from admission plugins
2019-11-12 10:23:14 -08:00
Jordan Liggitt
7349a824df
generated
2019-11-11 17:19:12 -05:00
Jordan Liggitt
d54a70db5c
Switch kubelet/aggregated API servers to use v1 subjectaccessreviews
2019-11-11 17:19:11 -05:00
Jordan Liggitt
5ef4fe959a
Switch kubelet/aggregated API servers to use v1 tokenreviews
2019-11-11 17:19:10 -05:00
David Eads
675c2fb924
add featuregate inspection as admission plugin initializer
2019-11-08 13:07:40 -05:00
David Eads
be8af0de1b
remove exist client hooks
2019-11-06 10:17:19 -05:00
David Eads
7351c86860
publish cluster authentication trust via controller
2019-11-06 10:17:19 -05:00
Igor Zibarev
03dfa1a641
Fix golint issues in pkg/kubeapiserver
2019-11-05 22:25:32 +03:00
Wenjia Zhang
9ead9373f3
Resolve incompatibility from update: etcd CAFile -> TrustedCAFile
2019-10-24 14:09:24 -07:00
Kubernetes Prow Robot
46a29a0cc3
Merge pull request #71674 from grayluck/firewall-event-msg
Change XPN firewall change msg. Should be required by security admin
2019-10-14 21:09:51 -07:00
Kubernetes Prow Robot
7ac65858bb
Merge pull request #82371 from deads2k/cert-reload-delegated
add ability to authenticators for dynamic update of certs for delegated authn
2019-10-04 08:50:04 -07:00
Kubernetes Prow Robot
5fbda60c14
Merge pull request #82077 from deads2k/poststart
add ability to pre-configure poststarthooks for apiservers
2019-10-03 08:16:10 -07:00
Jordan Liggitt
8ef4566cef
Limit YAML/JSON decode size
2019-10-02 21:52:19 -04:00
David Eads
51195dd860
add ability to authenticators for dynamic update of certs
2019-10-01 09:50:20 -04:00
David Eads
f14f4c933e
add ability to pre-configure poststarthooks for apiservers
2019-10-01 09:08:18 -04:00
yankaiz
bd03c3a096
Change XPN firewall change message, should be required by security admin.
Add l7lbSrcRngsFlag to gce_loadbalancer.go so that ingress can have
fewer source ranges for l7 health checks.
2019-09-30 11:19:42 -07:00
Kubernetes Prow Robot
478c26c0dc
Merge pull request #82033 from logicalhan/reviewers
add logicalhan to reviewers for api-machinery directories
2019-09-26 16:55:37 -07:00
Kubernetes Prow Robot
67d928acdc
Merge pull request #82096 from logicalhan/version-deletion
remove pkg/version and some of redundant copies of it
2019-09-17 14:27:16 -07:00
Kubernetes Prow Robot
3a19f1e80b
Merge pull request #82472 from draveness/feature/remove-feature-gates-in-1-17
feat: cleanup several GA feature flags which should be removed in 1.17
2019-09-17 06:58:24 -07:00
Han Kang
866ea74326
remove pkg/version and some of redundant copies of it
Change-Id: Ia58367c1b1274bfb49c8a4784051463abaf795de
2019-09-16 16:24:35 -07:00
Kubernetes Prow Robot
7ec4f4b4a6
Merge pull request #82391 from jiachengxu/apiserver-typo
Fix a typo in cmd/kube-apiserver.
2019-09-11 15:27:23 -07:00
Kubernetes Prow Robot
1d016cc1d3
Merge pull request #81668 from darshanime/remove_default_service_cidr
Deprecate default service IP CIDR
2019-09-10 14:31:45 -07:00