Commit Graph

584 Commits

Author SHA1 Message Date
Jordan Liggitt
3a98e60a71 Move authz construction to reloader 2024-02-14 18:03:21 -05:00
Jordan Liggitt
2b00035b5f Split construction of authorizer / ruleResolver 2024-02-14 17:06:18 -05:00
Jordan Liggitt
1fddc948ed Split node/rbac/abac construction 2024-02-14 17:03:10 -05:00
Jordan Liggitt
49124293c3 Store constructed node/rbac/abac authorizers 2024-02-14 17:03:07 -05:00
Jordan Liggitt
5f4cb8b09a Move kube-apiserver authz validation functions 2024-02-14 10:00:11 -05:00
Monis Khan
b5e0068325 Support all key algs with structured authn config
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-02-14 09:40:25 -05:00
Alexander Zielenski
8b14116509 refactor: move vap into parent policy folder
also renames to remove stutter

comment
2024-02-12 10:58:24 -08:00
James Munnelly
e087acc791 refuse to allow apiserver to startup if ServiceAccountTokenNodeBinding is enabled without ServiceAccountTokenNodeBindingValidation 2024-02-06 14:03:50 +00:00
Claudiu Belu
b8df7e7684 unittests: Fixes unit tests for Windows (part 10)
Currently, there are some unit tests that are failing on
Windows due to various reasons:

- Different "File not found" error messages on Windows.
- Files need to be closed on Windows before removing them.
- The default RootHnsEndpointName (root-hnsendpoint-name) flag value is 'cbr0'
- On Windows, Unix Domain sockets are not checked in the same way in golang, which is why
  hostutils_windows.go checks for it differently. GetFileType will return an error in this
  case. We need to check for it, and see if it's actually a Unix Domain Socket.
2024-01-22 13:43:42 +00:00
Mahe Tardy
73bec0f6d9 api: remove SecurityContextDeny admission plugin 2024-01-05 15:11:18 +00:00
Jordan Liggitt
1f40e0916e Only default mode to AlwaysAllow when config file is unspecified 2023-11-08 11:24:28 -06:00
Jordan Liggitt
2e2f51a441 Plumb failure policy from config to webhook construction 2023-11-02 16:56:51 -04:00
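The authorizer-construction commits above (3a98e60a71 through 5f4cb8b09a) and the failure-policy commit (2e2f51a441) both touch how the apiserver's ordered authorizer chain is built. The following is an added, self-contained Go example, not code from the Kubernetes repository, that reproduces the chain semantics a reviewer of those commits keeps in mind: each authorizer returns Allow, Deny or NoOpinion; the first Allow or Deny is final; a webhook that cannot be reached returns whatever its configured `failurePolicy` says; and NoOpinion from every authorizer is a 403. The `Attributes`, `StaticRBAC` and `SampleChain` types, the rule data and the failing `Call` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is the three-way outcome every authorizer in the chain returns.
type Decision int

const (
	DecisionDeny Decision = iota
	DecisionAllow
	DecisionNoOpinion
)

func (d Decision) String() string {
	switch d {
	case DecisionDeny:
		return "Deny"
	case DecisionAllow:
		return "Allow"
	default:
		return "NoOpinion"
	}
}

// Attributes is a deliberately minimal request description (hypothetical).
type Attributes struct {
	User, Verb, Resource string
}

type Authorizer interface {
	Authorize(a Attributes) (Decision, string, error)
}

// StaticRBAC stands in for the RBAC authorizer: it can Allow but never Deny.
type StaticRBAC struct {
	Rules map[string][]string // user -> "<verb> <resource>" (constructed sample data)
}

func (r StaticRBAC) Authorize(a Attributes) (Decision, string, error) {
	for _, rule := range r.Rules[a.User] {
		if rule == a.Verb+" "+a.Resource {
			return DecisionAllow, "rbac: matched rule " + rule, nil
		}
	}
	return DecisionNoOpinion, "rbac: no matching rule", nil
}

// FailurePolicy is the per-webhook setting from the authorization config file:
// what the webhook authorizer reports when the remote call itself fails.
type FailurePolicy string

const (
	FailDeny      FailurePolicy = "Deny"
	FailNoOpinion FailurePolicy = "NoOpinion"
)

// Webhook models the webhook authorizer; Call is injected so nothing touches the network.
type Webhook struct {
	Call          func(Attributes) (Decision, error)
	FailurePolicy FailurePolicy
}

func (w Webhook) Authorize(a Attributes) (Decision, string, error) {
	d, err := w.Call(a)
	if err != nil {
		if w.FailurePolicy == FailDeny {
			return DecisionDeny, "webhook: call failed, failurePolicy=Deny", err
		}
		return DecisionNoOpinion, "webhook: call failed, failurePolicy=NoOpinion", err
	}
	return d, "webhook: " + d.String(), nil
}

// Union runs authorizers in configured order: the first Allow or Deny is final,
// NoOpinion hands the request to the next authorizer. Errors are collected, not fatal.
type Union []Authorizer

func (u Union) Authorize(a Attributes) (Decision, string, error) {
	var errs []string
	for _, az := range u {
		d, reason, err := az.Authorize(a)
		if err != nil {
			errs = append(errs, err.Error())
		}
		if d == DecisionAllow || d == DecisionDeny {
			return d, reason, joined(errs)
		}
	}
	return DecisionNoOpinion, "no authorizer had an opinion", joined(errs)
}

func joined(errs []string) error {
	if len(errs) == 0 {
		return nil
	}
	return errors.New(strings.Join(errs, "; "))
}

// Permit is what the request filter ultimately applies: anything other than an
// explicit Allow, including NoOpinion from every authorizer, is forbidden.
func Permit(u Union, a Attributes) bool {
	d, _, _ := u.Authorize(a)
	return d == DecisionAllow
}

// SampleChain builds RBAC plus an always-failing webhook so the effect of
// ordering and failurePolicy is visible. Constructed example data.
func SampleChain(webhookFirst bool, policy FailurePolicy) Union {
	rbac := StaticRBAC{Rules: map[string][]string{"alice": {"get pods"}}}
	hook := Webhook{
		Call:          func(Attributes) (Decision, error) { return DecisionNoOpinion, errors.New("dial tcp: connection refused") },
		FailurePolicy: policy,
	}
	if webhookFirst {
		return Union{hook, rbac}
	}
	return Union{rbac, hook}
}

func main() {
	get := Attributes{User: "alice", Verb: "get", Resource: "pods"}
	del := Attributes{User: "alice", Verb: "delete", Resource: "secrets"}
	chains := []struct {
		name  string
		chain Union
	}{
		{"rbac,webhook(Deny)", SampleChain(false, FailDeny)},
		{"rbac,webhook(NoOpinion)", SampleChain(false, FailNoOpinion)},
		{"webhook(Deny),rbac", SampleChain(true, FailDeny)},
	}
	for _, c := range chains {
		for _, a := range []Attributes{get, del} {
			d, reason, err := c.chain.Authorize(a)
			fmt.Printf("%-26s %s %s/%s -> %s (%s) err=%v\n", c.name, a.User, a.Verb, a.Resource, d, reason, err)
		}
	}
}
```

The third case is the one worth checking in any authorization config review: with the webhook ordered before RBAC and `failurePolicy: Deny`, an unreachable webhook denies even requests RBAC would have allowed, which is safe but turns a webhook outage into a full API outage; with `NoOpinion` the request falls through to the remaining authorizers instead.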
Antonio Ojea
391b25197b add apis to apiserver storage
Change-Id: I33dfbdad98695a6438c55d841139476cb1d740d7
2023-10-31 21:05:04 +00:00
Kubernetes Prow Robot
dba565193c Merge pull request #121104 from carlory/kep-3751-api-changes
[KEP-3571] introduce the VolumeAttributesClass API
2023-10-31 20:23:50 +01:00
Kubernetes Prow Robot
064e86b3d0 Merge pull request #121223 from ritazh/authz-cel
[StructuredAuthorizationConfig] - CEL integration
2023-10-31 13:13:56 +01:00
Rita Zhang
31c76e9abb authz: add cel expression to webhook matchconditions
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
2023-10-30 21:48:00 -07:00
carlory
ae90a69677 volumeattributesclass and core api changes 2023-10-31 11:18:56 +08:00
James Munnelly
76463e21d4 KEP-4193: bound service account token improvements 2023-10-30 21:15:10 +00:00
Kubernetes Prow Robot
b7e5cbf1cf Merge pull request #121301 from sttts/sttts-validate-cloud-provider-2
kubeapiserver/options: fix cloud provider validation
2023-10-26 01:08:14 +02:00
Nabarun Pal
22e5a806a7 Add --authorization-config flag to apiserver
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-10-18 11:58:47 +05:30
Kubernetes Prow Robot
d22e315c4a Merge pull request #120910 from palnabarun/3221/fix-kubeconfig-file-type-name
staging/apiserver: correct KubeConfig type name in authorization types
2023-10-17 18:50:33 +02:00
Dr. Stefan Schimanski
72e67e0ef0 kubeapiserver/options: fix cloud provider validation
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2023-10-17 17:50:25 +02:00
Nabarun Pal
2bf2c4f3a4 staging/apiserver: correct KubeConfigFile type in authorization types
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-10-17 20:01:27 +05:30
Kubernetes Prow Robot
91c172e670 Merge pull request #121108 from sttts/sttts-validate-cloud-provider
kube-apiserver: move cloud provider validation into options
2023-10-17 16:14:10 +02:00
Kubernetes Prow Robot
ac66f3d466 Merge pull request #121010 from Jefftree/decouple-openapi-v2v3-config
Decouple openapi v2v3 config
2023-10-16 23:41:11 +02:00
Jefftree
b30c6bdff8 Fix v3 spec 2023-10-16 15:05:13 -04:00
Antonio Ojea
c2d473f0d4 remove ClusterCIDR
KEP-2593 proposed to expand the existing node-ipam controller
to be configurable via a ClusterCIDR objects, however, there
were reasonable doubts on the SIG about the feature and after
several months of discussions we decided to not move forward
with the KEP intree, hence, we are going to remove the existing
code, that is still in alpha.

https://groups.google.com/g/kubernetes-sig-network/c/nts1xEZ--gQ/m/2aTOUNFFAAAJ

Change-Id: Ieaf2007b0b23c296cde333247bfb672441fe6dfc
2023-10-14 19:06:22 +00:00
Dr. Stefan Schimanski
0f989046d0 kube-apiserver: move cloud provider validation into options
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2023-10-10 22:43:23 +02:00
Nabarun Pal
3de0d9afbb pkg/kubeapiserver: pass authorizer in top level while building from legacy options
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-10-04 14:17:16 +05:30
Kubernetes Prow Robot
26c3f66887 Merge pull request #120903 from dims/deprecate-cloud-provider-and-config-cli-params
Deprecate cloud-provider/cloud-config in apiserver CLI
2023-09-27 18:17:33 -07:00
Dr. Stefan Schimanski
6395049176 controlplane: make option structs uniformly optional
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2023-09-27 11:22:37 +02:00
Davanum Srinivas
4d2d9947bf Deprecate cloud-provider/cloud-config in apiserver CLI
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2023-09-26 16:05:01 -04:00
Nabarun Pal
108d195595 use AuthorizationConfiguration in kube-apiserver for storing authorizer config
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-09-18 11:33:18 +05:30
Anish Ramasekar
9e1ff1e512 add loading config and wire feature flag
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2023-08-30 23:14:56 +00:00
Kubernetes Prow Robot
0e86fa5115 Merge pull request #118984 from aramase/aramase/c/kep_3331_wiring_flag_with_api
[StructuredAuthenticationConfig] Create struct for authn config and re-wire OIDC flags to use it
2023-08-25 11:52:55 -07:00
Anish Ramasekar
1bad3cbbf5 wiring existing oidc flags with internal API struct
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2023-08-25 17:15:33 +00:00
Jordan Liggitt
09fa21ab87 Store validating admission policies and bindings as v1beta1 2023-08-17 10:35:45 -04:00
Jiahui Feng
049614f884 ValidatingAdmissionPolicy controller for Type Checking (#117377)
* [API REVIEW] ValidatingAdmissionPolicyStatusController config.

worker count.

* ValidatingAdmissionPolicyStatus controller.

* remove CEL typechecking from API server.

* fix initializer tests.

* remove type checking integration tests

from API server integration tests.

* validatingadmissionpolicy-status options.

* grant access to VAP controller.

* add defaulting unit test.

* generated: ./hack/update-codegen.sh

* add OWNERS for VAP status controller.

* type checking test case.
2023-07-13 13:41:50 -07:00
Joe Betz
f0f92853ad Add api-machinery TL owners permissions for jpbetz 2023-05-15 11:09:54 -04:00
Daniel Smith
1ffe3f467e lavalamp is taking a long break 2023-05-11 16:43:38 +00:00
Kubernetes Prow Robot
a2e2df61a1 Merge pull request #117198 from charles-chenzz/deprecated_function
replace ioutil with os, update doc in kubelet
2023-05-02 08:18:14 -07:00
charles-chenzz
ccf7ddacfc replace ioutil with os, update doc 2023-04-13 09:02:46 +08:00
Kubernetes Prow Robot
8d244d3e66 Merge pull request #116721 from enj/enj/i/bootstrap_authn_lister
Wire bootstrap token authn secret lister only when it is enabled
2023-04-11 18:19:30 -07:00
Kubernetes Prow Robot
61457b939d Merge pull request #116648 from ncdc/admission-clients
admission ApplyTo: take in clients
2023-04-11 18:18:41 -07:00
Monis Khan
e9866d2794 Clear front proxy headers after authentication is complete
This matches the logic we have for the Authorization header as well
as the impersonation headers.

Signed-off-by: Monis Khan <mok@microsoft.com>
2023-03-21 10:51:22 -04:00
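Commit e9866d2794 clears the request-header (front proxy) identity headers once authentication has run, the way the Authorization and Impersonate-* headers already were. The point is that a header the apiserver has already consumed must not stay visible to anything downstream (audit, proxying to aggregated servers, debug handlers), where it could be logged or, worse, trusted a second time. What follows is an added Go example written for this page, not the project's own filter code. It assumes the usual header names `X-Remote-User`, `X-Remote-Group` and the `X-Remote-Extra-` prefix (what `--requestheader-*` flags typically configure), models the client-certificate check against the request-header CA as a boolean, and uses constructed headers to show what the backend sees before and after scrubbing.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// Header names assumed for this example; they correspond to the usual
// --requestheader-username-headers / --requestheader-group-headers /
// --requestheader-extra-headers-prefix settings (assumption, not from the page).
var (
	usernameHeaders     = []string{"X-Remote-User"}
	groupHeaders        = []string{"X-Remote-Group"}
	extraHeaderPrefixes = []string{"X-Remote-Extra-"}
)

type UserInfo struct {
	Name   string
	Groups []string
	Extra  map[string][]string
}

type ctxKey struct{}

func userFrom(ctx context.Context) (*UserInfo, bool) {
	u, ok := ctx.Value(ctxKey{}).(*UserInfo)
	return u, ok
}

// authenticateFrontProxy trusts the proxy headers only when the caller's client
// certificate already chained to the request-header CA; that TLS check is modelled
// by proxyVerified so the example runs without a listener.
func authenticateFrontProxy(r *http.Request, proxyVerified bool) (*UserInfo, bool) {
	if !proxyVerified {
		return nil, false
	}
	var name string
	for _, h := range usernameHeaders {
		if v := r.Header.Get(h); v != "" {
			name = v
			break
		}
	}
	if name == "" {
		return nil, false
	}
	u := &UserInfo{Name: name, Extra: map[string][]string{}}
	for _, h := range groupHeaders {
		u.Groups = append(u.Groups, r.Header.Values(h)...)
	}
	for k, vals := range r.Header {
		for _, p := range extraHeaderPrefixes {
			if cp := http.CanonicalHeaderKey(p); strings.HasPrefix(k, cp) {
				key := strings.ToLower(strings.TrimPrefix(k, cp))
				u.Extra[key] = append(u.Extra[key], vals...)
			}
		}
	}
	return u, true
}

// clearFrontProxyHeaders deletes every identity-bearing header once authentication
// is complete, mirroring what is done for Authorization and the impersonation
// headers, so nothing downstream can read or re-trust them.
func clearFrontProxyHeaders(h http.Header) {
	h.Del("Authorization")
	for _, n := range usernameHeaders {
		h.Del(n)
	}
	for _, n := range groupHeaders {
		h.Del(n)
	}
	for k := range h { // deleting during range is safe for Go maps
		for _, p := range extraHeaderPrefixes {
			if strings.HasPrefix(k, http.CanonicalHeaderKey(p)) {
				delete(h, k)
			}
		}
	}
}

// WithAuthentication is the filter: authenticate, scrub, then hand off with the user in context.
func WithAuthentication(next http.Handler, proxyVerified bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := authenticateFrontProxy(r, proxyVerified)
		if !ok {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		clearFrontProxyHeaders(r.Header)
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, u)))
	})
}

// Outcome records what the downstream handler observed.
type Outcome struct {
	Status     int
	User       string
	Groups     []string
	LeakedHdrs []string // identity headers still visible downstream; should be empty
}

// RunRequest drives the filter with constructed headers and reports what reached the backend.
func RunRequest(proxyVerified bool, hdrs map[string][]string) Outcome {
	var out Outcome
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, ok := userFrom(r.Context()); ok {
			out.User, out.Groups = u.Name, u.Groups
		}
		for k := range r.Header {
			if k == "Authorization" || strings.HasPrefix(k, "X-Remote-") {
				out.LeakedHdrs = append(out.LeakedHdrs, k)
			}
		}
		sort.Strings(out.LeakedHdrs)
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/api/v1/namespaces", nil)
	for k, vs := range hdrs {
		for _, v := range vs {
			req.Header.Add(k, v)
		}
	}
	rec := httptest.NewRecorder()
	WithAuthentication(backend, proxyVerified).ServeHTTP(rec, req)
	out.Status = rec.Code
	return out
}

func main() {
	// Constructed request headers, as a front proxy would set them.
	hdrs := map[string][]string{
		"X-Remote-User":        {"alice"},
		"X-Remote-Group":       {"dev", "ops"},
		"X-Remote-Extra-Scope": {"read"},
		"Authorization":        {"Bearer constructed-token"},
	}
	fmt.Printf("verified proxy:   %+v\n", RunRequest(true, hdrs))
	fmt.Printf("unverified proxy: %+v\n", RunRequest(false, hdrs))
}
```

The check a practitioner wants is the `LeakedHdrs` field: after a successful front-proxy authentication it must be empty, and the backend should learn the identity only from the request context, never by re-reading headers.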
Monis Khan
94f2d35164 Wire bootstrap token authn secret lister only when it is enabled
Signed-off-by: Monis Khan <mok@microsoft.com>
2023-03-17 11:17:20 -04:00
Taahir Ahmed
6a75e7c40c ClusterTrustBundles: Define types
This commit is the main API piece of KEP-3257 (ClusterTrustBundles).

This commit:

* Adds the certificates.k8s.io/v1alpha1 API group
* Adds the ClusterTrustBundle type.
* Registers the new type in kube-apiserver.
* Implements the type-specific validation specified for
  ClusterTrustBundles:
  - spec.pemTrustAnchors must always be non-empty.
  - spec.signerName must be either empty or a valid signer name.
  - Changing spec.signerName is disallowed.
* Implements the "attest" admission check to restrict actions on
  ClusterTrustBundles that include a signer name.

Because it wasn't specified in the KEP, I chose to make attempts to
update the signer name be validation errors, rather than silently
ignored.

I have tested this out by launching these changes in kind and
manipulating ClusterTrustBundle objects in the resulting cluster using
kubectl.
2023-03-15 20:10:18 -07:00
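The three validation rules and the "attest" admission check listed in commit 6a75e7c40c are concrete enough to show as working code. The Go below is an added example for this page, not the Kubernetes implementation: the `ClusterTrustBundle` struct is a trimmed-down stand-in, `validSignerName` is a simplified `<domain>/<path>` check (assumption), the PEM block-type check goes slightly beyond the "non-empty" rule, `AttestAllowed` replaces the SubjectAccessReview with an in-memory grant table, and `SamplePEM` is a constructed placeholder, not a real certificate.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
	"regexp"
	"strings"
)

// ClusterTrustBundle is a trimmed-down, hypothetical shape of the object; the
// field names follow the spec.* paths named in the commit message.
type ClusterTrustBundle struct {
	Name            string
	SignerName      string // spec.signerName
	PEMTrustAnchors string // spec.pemTrustAnchors
}

// SamplePEM is a constructed placeholder block, not a real certificate; it is
// only enough to exercise the PEM structure check below.
const SamplePEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

var dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// validSignerName accepts "<dns-domain>/<path>" with a non-empty path. This is a
// simplification of the real signer-name check (assumption).
func validSignerName(s string) bool {
	i := strings.Index(s, "/")
	if i <= 0 || i == len(s)-1 {
		return false
	}
	return dns1123Subdomain.MatchString(s[:i]) && !strings.ContainsAny(s[i+1:], " \t\r\n")
}

// allCertificateBlocks walks the PEM bundle and requires at least one block, every
// block typed CERTIFICATE, and no trailing garbage. Added sanity check on top of
// the "non-empty" rule from the commit; the real validator parses each block too.
func allCertificateBlocks(s string) bool {
	rest := []byte(s)
	n := 0
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return false
		}
		n++
	}
	return n > 0 && len(bytes.TrimSpace(rest)) == 0
}

// ValidateCreate implements the first two rules: non-empty trust anchors, and a
// signer name that is either empty or well-formed.
func ValidateCreate(b ClusterTrustBundle) []string {
	var errs []string
	switch {
	case strings.TrimSpace(b.PEMTrustAnchors) == "":
		errs = append(errs, "spec.pemTrustAnchors: must not be empty")
	case !allCertificateBlocks(b.PEMTrustAnchors):
		errs = append(errs, "spec.pemTrustAnchors: must contain only CERTIFICATE PEM blocks")
	}
	if b.SignerName != "" && !validSignerName(b.SignerName) {
		errs = append(errs, "spec.signerName: must be of the form <domain>/<path>")
	}
	return errs
}

// ValidateUpdate re-runs create validation and adds the third rule: the signer
// name is immutable, so a change is a validation error rather than silently ignored.
func ValidateUpdate(old, updated ClusterTrustBundle) []string {
	errs := ValidateCreate(updated)
	if old.SignerName != updated.SignerName {
		errs = append(errs, "spec.signerName: field is immutable")
	}
	return errs
}

// AttestAllowed models the "attest" admission check: writing a bundle that names a
// signer requires the requester to hold attest rights on that signer. grants maps
// user -> signer patterns, where "<domain>/*" covers every signer in the domain.
// The in-memory lookup stands in for a SubjectAccessReview (assumption).
func AttestAllowed(grants map[string][]string, user, signerName string) bool {
	if signerName == "" {
		return true // bundles without a signer are not gated by attest
	}
	for _, p := range grants[user] {
		if p == signerName {
			return true
		}
		if strings.HasSuffix(p, "/*") && strings.HasPrefix(signerName, strings.TrimSuffix(p, "*")) {
			return true
		}
	}
	return false
}

func main() {
	good := ClusterTrustBundle{Name: "example.com:ca:v1", SignerName: "example.com/ca", PEMTrustAnchors: SamplePEM}
	fmt.Println("create good:", ValidateCreate(good))
	fmt.Println("create empty:", ValidateCreate(ClusterTrustBundle{Name: "empty"}))
	changed := good
	changed.SignerName = "example.com/other"
	fmt.Println("update signer:", ValidateUpdate(good, changed))
	grants := map[string][]string{"alice": {"example.com/*"}}
	fmt.Println("alice attest:", AttestAllowed(grants, "alice", good.SignerName), "bob attest:", AttestAllowed(grants, "bob", good.SignerName))
}
```

Validation and admission are separate layers here on purpose: validation answers "is this object well-formed", attest answers "may this caller vouch for this signer", and a bundle with an empty signer name passes the second check unconditionally, which is exactly why the first check must keep the signer name immutable once set.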
Andy Goldstein
364b66ddd6 admission ApplyTo: take in clients
Change admission ApplyTo() to take in clients instead of a rest.Config.

Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
2023-03-15 11:15:49 -04:00
Antonio Ojea
d9cc625538 add apis to apiserver storage
Change-Id: Iea1263ad612c13b93baf8a07641265bf56f08728
2023-03-14 22:58:11 +00:00
Jiahui Feng
501976cc34 fix broken tests after dependency injection. 2023-03-13 14:40:47 -07:00