(we enable metrics and pprof by default, but that doesn't mean
we should have full cluster-admin access to use those endpoints)
Change-Id: I20cf1a0c817ffe3b7fb8e5d3967f804dc063ab03
remove pprof but add read access to detailed health checks
Change-Id: I96c0997be2a538aa8c689dea25026bba638d6e7d
add base health check endpoints and remove the todo for flowcontrol, as there is an existing ticket
Change-Id: I8a7d6debeaf91e06d8ace3cb2bd04d71ef3e68a9
drop blank line
Change-Id: I691e72e9dee3cf7276c725a12207d64db88f4651
The implementation consists of
- identifying all places where VolumeSource.PersistentVolumeClaim has
a special meaning and then ensuring that the same code path is taken
for an ephemeral volume, with the ownership check
- adding a controller that produces the PVCs for each embedded
VolumeSource.EphemeralVolume
- relaxing the PVC protection controller such that it removes
the finalizer already before the pod is deleted (only
if the GenericEphemeralVolume feature is enabled): this is
needed to break a cycle where foreground deletion of the pod
blocks on removing the PVC, which waits for deletion of the pod
The controller was derived from the endpointslices controller.
This uses the information provided by a CSI driver deployment for
checking whether a node has access to enough storage to create the
currently unbound volumes, if the CSI driver opts into that checking
with CSIDriver.Spec.VolumeCapacity != false.
This resolves a TODO from commit 95b530366a.
* Migrate a single node_authorizer.go klog.Infof call to klog.InfoS
We are starting with the log lines that show up most often.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
* Remove quotes from error for readability
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
* node_authorizer.go: use %s for node names for log uniformity
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
* node_authorizer.go: single-quote node name for readability++
This is good because:
1) the node name is clear in the log line
2) the node names shows up the same in {un-,}structured logs
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
The controller needs to be able to set a service's finalizers to be
able to create an EndpointSlice resource that is owned by the service
and sets blockOwnerDeletion=true in its ownerRef.
This change allows all service accounts to read the service account
issuer discovery endpoints.
This guarantees that in-cluster services can rely on this info being
available to them.
Signed-off-by: Monis Khan <mok@vmware.com>
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the from the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
Given the significance this change would have we've decided to hold off
on enabling this by default until we can have better test coverage and
more real world usage of the feature.
