Jordan Liggitt
1f40e0916e
Only default mode to AlwaysAllow when config file is unspecified
2023-11-08 11:24:28 -06:00
Jordan Liggitt
2e2f51a441
Plumb failure policy from config to webhook construction
2023-11-02 16:56:51 -04:00
Antonio Ojea
391b25197b
add apis to apiserver storage
Change-Id: I33dfbdad98695a6438c55d841139476cb1d740d7
2023-10-31 21:05:04 +00:00
Kubernetes Prow Robot
dba565193c
Merge pull request #121104 from carlory/kep-3751-api-changes
[KEP-3571] introduce the VolumeAttributesClass API
2023-10-31 20:23:50 +01:00
Kubernetes Prow Robot
064e86b3d0
Merge pull request #121223 from ritazh/authz-cel
[StructuredAuthorizationConfig] - CEL integration
2023-10-31 13:13:56 +01:00
Rita Zhang
31c76e9abb
authz: add cel expression to webhook matchconditions
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
2023-10-30 21:48:00 -07:00
carlory
ae90a69677
volumeattributesclass and core api changes
2023-10-31 11:18:56 +08:00
James Munnelly
76463e21d4
KEP-4193: bound service account token improvements
2023-10-30 21:15:10 +00:00
Kubernetes Prow Robot
b7e5cbf1cf
Merge pull request #121301 from sttts/sttts-validate-cloud-provider-2
kubeapiserver/options: fix cloud provider validation
2023-10-26 01:08:14 +02:00
Nabarun Pal
22e5a806a7
Add --authorization-config flag to apiserver
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-10-18 11:58:47 +05:30
Kubernetes Prow Robot
d22e315c4a
Merge pull request #120910 from palnabarun/3221/fix-kubeconfig-file-type-name
staging/apiserver: correct KubeConfig type name in authorization types
2023-10-17 18:50:33 +02:00
Dr. Stefan Schimanski
72e67e0ef0
kubeapiserver/options: fix cloud provider validation
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2023-10-17 17:50:25 +02:00
Nabarun Pal
2bf2c4f3a4
staging/apiserver: correct KubeConfigFile type in authorization types
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-10-17 20:01:27 +05:30
Kubernetes Prow Robot
91c172e670
Merge pull request #121108 from sttts/sttts-validate-cloud-provider
kube-apiserver: move cloud provider validation into options
2023-10-17 16:14:10 +02:00
Kubernetes Prow Robot
ac66f3d466
Merge pull request #121010 from Jefftree/decouple-openapi-v2v3-config
Decouple openapi v2v3 config
2023-10-16 23:41:11 +02:00
Jefftree
b30c6bdff8
Fix v3 spec
2023-10-16 15:05:13 -04:00
Antonio Ojea
c2d473f0d4
remove ClusterCIDR
KEP-2593 proposed to expand the existing node-ipam controller
to be configurable via a ClusterCIDR objects, however, there
were reasonable doubts on the SIG about the feature and after
several months of discussions we decided to not move forward
with the KEP intree, hence, we are going to remove the existing
code, that is still in alpha.
https://groups.google.com/g/kubernetes-sig-network/c/nts1xEZ--gQ/m/2aTOUNFFAAAJ
Change-Id: Ieaf2007b0b23c296cde333247bfb672441fe6dfc
2023-10-14 19:06:22 +00:00
Dr. Stefan Schimanski
0f989046d0
kube-apiserver: move cloud provider validation into options
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2023-10-10 22:43:23 +02:00
Nabarun Pal
3de0d9afbb
pkg/kubeapiserver: pass authorizer in top level while building from legacy options
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-10-04 14:17:16 +05:30
Kubernetes Prow Robot
26c3f66887
Merge pull request #120903 from dims/deprecate-cloud-provider-and-config-cli-params
Deprecate cloud-provider/cloud-config in apiserver CLI
2023-09-27 18:17:33 -07:00
Dr. Stefan Schimanski
6395049176
controlplane: make option structs uniformly optional
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2023-09-27 11:22:37 +02:00
Davanum Srinivas
4d2d9947bf
Deprecate cloud-provider/cloud-config in apiserver CLI
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2023-09-26 16:05:01 -04:00
Nabarun Pal
108d195595
use AuthorizationConfiguration in kube-apiserver for storing authorizer config
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-09-18 11:33:18 +05:30
Anish Ramasekar
9e1ff1e512
add loading config and wire feature flag
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2023-08-30 23:14:56 +00:00
Kubernetes Prow Robot
0e86fa5115
Merge pull request #118984 from aramase/aramase/c/kep_3331_wiring_flag_with_api
[StructuredAuthenticationConfig] Create struct for authn config and re-wire OIDC flags to use it
2023-08-25 11:52:55 -07:00
Anish Ramasekar
1bad3cbbf5
wiring existing oidc flags with internal API struct
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2023-08-25 17:15:33 +00:00
Jordan Liggitt
09fa21ab87
Store validating admission policies and bindings as v1beta1
2023-08-17 10:35:45 -04:00
Jiahui Feng
049614f884
ValidatingAdmissionPolicy controller for Type Checking (#117377)
* [API REVIEW] ValidatingAdmissionPolicyStatusController config.
worker count.
* ValidatingAdmissionPolicyStatus controller.
* remove CEL typechecking from API server.
* fix initializer tests.
* remove type checking integration tests
from API server integration tests.
* validatingadmissionpolicy-status options.
* grant access to VAP controller.
* add defaulting unit test.
* generated: ./hack/update-codegen.sh
* add OWNERS for VAP status controller.
* type checking test case.
2023-07-13 13:41:50 -07:00
Joe Betz
f0f92853ad
Add api-machinery TL owners permissions for jpbetz
2023-05-15 11:09:54 -04:00
Daniel Smith
1ffe3f467e
lavalamp is taking a long break
2023-05-11 16:43:38 +00:00
Kubernetes Prow Robot
a2e2df61a1
Merge pull request #117198 from charles-chenzz/deprecated_function
replace ioutil with os, update doc in kubelet
2023-05-02 08:18:14 -07:00
charles-chenzz
ccf7ddacfc
replace ioutil with os, update doc
2023-04-13 09:02:46 +08:00
Kubernetes Prow Robot
8d244d3e66
Merge pull request #116721 from enj/enj/i/bootstrap_authn_lister
Wire bootstrap token authn secret lister only when it is enabled
2023-04-11 18:19:30 -07:00
Kubernetes Prow Robot
61457b939d
Merge pull request #116648 from ncdc/admission-clients
admission ApplyTo: take in clients
2023-04-11 18:18:41 -07:00
Monis Khan
e9866d2794
Clear front proxy headers after authentication is complete
This matches the logic we have for the Authorization header as well
as the impersonation headers.
Signed-off-by: Monis Khan <mok@microsoft.com>
2023-03-21 10:51:22 -04:00
Monis Khan
94f2d35164
Wire bootstrap token authn secret lister only when it is enabled
Signed-off-by: Monis Khan <mok@microsoft.com>
2023-03-17 11:17:20 -04:00
Taahir Ahmed
6a75e7c40c
ClusterTrustBundles: Define types
This commit is the main API piece of KEP-3257 (ClusterTrustBundles).
This commit:
* Adds the certificates.k8s.io/v1alpha1 API group
* Adds the ClusterTrustBundle type.
* Registers the new type in kube-apiserver.
* Implements the type-specific validation specified for
ClusterTrustBundles:
- spec.pemTrustAnchors must always be non-empty.
- spec.signerName must be either empty or a valid signer name.
- Changing spec.signerName is disallowed.
* Implements the "attest" admission check to restrict actions on
ClusterTrustBundles that include a signer name.
Because it wasn't specified in the KEP, I chose to make attempts to
update the signer name be validation errors, rather than silently
ignored.
I have tested this out by launching these changes in kind and
manipulating ClusterTrustBundle objects in the resulting cluster using
kubectl.
2023-03-15 20:10:18 -07:00
Andy Goldstein
364b66ddd6
admission ApplyTo: take in clients
Change admission ApplyTo() to take in clients instead of a rest.Config.
Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
2023-03-15 11:15:49 -04:00
Antonio Ojea
d9cc625538
add apis to apiserver storage
Change-Id: Iea1263ad612c13b93baf8a07641265bf56f08728
2023-03-14 22:58:11 +00:00
Jiahui Feng
501976cc34
fix broken tests after dependency injection.
2023-03-13 14:40:47 -07:00
Jiahui Feng
feb18b3f5f
implementing type checking
with multi-type support.
2023-03-07 15:49:19 -08:00
Stanislav Laznicka
4ae4266c91
authenticator config: use static CA reader for OIDC CA
2023-02-14 13:43:58 +01:00
Kubernetes Prow Robot
4b2b4e19cc
Merge pull request #114523 from zshihang/token
graduate LegacyServiceAccountTokenTracking to beta
2023-01-18 07:12:33 -08:00
Paco Xu
25686a2c77
remove psp in extensions api/apis
2023-01-06 17:07:02 +08:00
Shihang Zhang
0852a49020
graduate LegacyServiceAccountTokenTracking to beta
2022-12-16 10:34:17 -08:00
TommyStarK
bd6a86471b
kubeapiserver/admission: Improving test coverage
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
2022-12-15 19:01:52 +01:00
Thomas Milox
3ad2ab18fa
pkg/kubeapiserver/options: Improving test coverage (#114234)
* pkg/kubeapiserver/options: Improving test coverage
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
* pkg/kubeapiserver/options: Improving test coverage
Add a snippet of the expected error string related to the aspect being tested
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
2022-12-14 17:51:35 -08:00
Cici Huang
2973712486
Rename FG to ValidatingAdmissionPolicy
2022-11-10 03:37:35 +00:00
Cici Huang
40c21dafcd
Rename admission cel package to validatingadmissionpolicy
2022-11-10 03:37:30 +00:00
Cici Huang
e7d83a1fb7
Integrate cel admission with API.
Co-authored-by: Alexander Zielenski <zielenski@google.com>
Co-authored-by: Joe Betz <jpbetz@google.com>
2022-11-07 21:38:55 +00:00