github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
95,972 Commits 1 Branch 31 Tags 1,019 MiB
be131457ef
Commit Graph

3029 Commits

Author SHA1 Message Date
Sergey Kanzhelev
06da0e5e74 GA of RuntimeClass feature gate and API 2020-11-11 19:22:32 +00:00
Maciej Borsz
4d81f7e129 Improve observability of node authorizer: 
* Adding some metrics to the graph
* Adding log message when node authorizer has synced

Change-Id: I3447d6bc389a0b82ded1db2a7a4ae41d79486c2b
 2020-11-10 08:40:46 +01:00
Tim Hockin
819ff9b087
Use topology labels instead of old beta names (#96033) 
* Rename const for topology.../zone

* Rename const for topology.../region

* Rename const for failure-domain.../zone

* Rename const for failure-domain.../region

* Restore old names for compat
 2020-11-05 20:26:50 -08:00
Shihang Zhang
d40f0c43c4 separate RootCAConfigMap from BoundServiceAccountTokenVolume 2020-11-04 17:10:39 -08:00
Jan Chaloupka
a5920f7edb Move helpers from pkg/registry/rbac/reconciliation and pkg/registry/rbac/validation under k8s.io/component-helpers 2020-11-02 17:51:16 +01:00
Abu Kashem
53a1307f68
make backoff parameters configurable for webhook 
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.
 2020-11-01 10:18:25 -05:00
Shihang Zhang
ff641f6eb2 mv TokenRequest and TokenRequestProjection to GA 2020-10-29 20:47:01 -07:00
cici37
95acec5a3b Move client_builder to k8s.io/controller-manager 2020-10-19 14:48:22 -07:00
shuang zhang
f0ea54070b Replace AreLabelsInWhiteList with isSubset 2020-10-05 22:07:47 +08:00
Kubernetes Prow Robot
ccfdc09f35
Merge pull request #91683 from tedyu/mirror-pod-owner-ref 
Mirror pod without OwnerReference should not be created
 2020-09-25 11:02:48 -07:00
Kubernetes Prow Robot
e7b9453972
Merge pull request #93537 from timuthy/enhancement.move-resourcequota 
Move ResourceQuota admission to k8s.io/apiserver lib
 2020-09-15 12:26:58 -07:00
David Eads
c0c033b12f generated 2020-09-14 09:24:41 -04:00
David Eads
c7911a384c remove pod presets 2020-09-14 09:24:40 -04:00
Michael Taufen
4f850f97de Graduate ServiceAccountIssuerDiscovery to beta 2020-09-11 12:01:47 -07:00
Tim Usner
70d440bc7e Move ResourceQuota admission to k8s.io/apiserver 2020-09-04 14:53:52 +02:00
Kubernetes Prow Robot
bb9ae50888
Merge pull request #93389 from fisherxu/return-err 
Return err directly when nodename in node object is not consistent with in cert
 2020-08-28 06:37:12 -07:00
Kubernetes Prow Robot
a9d1482710
Merge pull request #93311 from logicalhan/monitoring-role 
Add bootstrap policy for monitoring endpoints
 2020-08-28 06:36:52 -07:00
Davanum Srinivas
3421199494
Sign up dims for additional review roles 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-08-08 19:08:38 -04:00
David Eads
7c25f39eb8 add permissions required by endpoints controller for blockOwnerDeletion 2020-07-28 13:13:38 -04:00
xufei 00416946
f787db2508 return err directly when nodename is not consistent in cert 2020-07-25 09:10:32 +08:00
Han Kang
f57611970c add bootstrap policy for monitoring roles 
(we enable metrics and pprof by default, but that doesn't mean
 we should have full cluster-admin access to use those endpoints)

Change-Id: I20cf1a0c817ffe3b7fb8e5d3967f804dc063ab03

remove pprof but add read access to detailed health checks

Change-Id: I96c0997be2a538aa8c689dea25026bba638d6e7d

add base health check endpoints and remove the todo for flowcontrol, as there is an existing ticket

Change-Id: I8a7d6debeaf91e06d8ace3cb2bd04d71ef3e68a9

drop blank line

Change-Id: I691e72e9dee3cf7276c725a12207d64db88f4651
 2020-07-24 09:21:55 -07:00
Kubernetes Prow Robot
0cb7e320a5
Merge pull request #92784 from pohly/generic-ephemeral-inline-volumes 
generic ephemeral inline volumes
 2020-07-10 15:41:46 -07:00
Kubernetes Prow Robot
4efed03276
Merge pull request #91637 from robscott/endpointslice-mirroring 
Adding new EndpointSlice Mirroring Controller
 2020-07-10 10:19:48 -07:00
Patrick Ohly
ff3e5e06a7 GenericEphemeralVolume: initial implementation 
The implementation consists of
- identifying all places where VolumeSource.PersistentVolumeClaim has
  a special meaning and then ensuring that the same code path is taken
  for an ephemeral volume, with the ownership check
- adding a controller that produces the PVCs for each embedded
  VolumeSource.EphemeralVolume
- relaxing the PVC protection controller such that it removes
  the finalizer already before the pod is deleted (only
  if the GenericEphemeralVolume feature is enabled): this is
  needed to break a cycle where foreground deletion of the pod
  blocks on removing the PVC, which waits for deletion of the pod

The controller was derived from the endpointslices controller.
 2020-07-09 23:29:24 +02:00
Patrick Ohly
c05c8e915b GenericEphemeralVolume: feature gate, API, documentation 
As explained in
https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1698-generic-ephemeral-volumes,
CSI inline volumes are not suitable for more "normal" kinds of storage
systems. For those a new approach is needed: "generic ephemeral inline
volumes".
 2020-07-09 11:02:59 +02:00
Kubernetes Prow Robot
94a08e159a
Merge pull request #92387 from pohly/csi-storage-capacity 
CSI storage capacity check
 2020-07-09 00:04:59 -07:00
Rob Scott
e701cb0205
Enabling the EndpointSliceMirroring controller, adding related config 2020-07-06 12:43:34 -07:00
Patrick Ohly
0efbbe8555 CSIStorageCapacity: check for sufficient storage in volume binder 
This uses the information provided by a CSI driver deployment for
checking whether a node has access to enough storage to create the
currently unbound volumes, if the CSI driver opts into that checking
with CSIDriver.Spec.VolumeCapacity != false.

This resolves a TODO from commit 95b530366a.
 2020-07-06 19:20:10 +02:00
Paulo Gomes
8976e3620f
Add seccomp enforcement and validation based on new GA fields 
Adds seccomp validation.

This ensures that field and annotation values must match when present.

Co-authored-by: Sascha Grunert <sgrunert@suse.com>
 2020-07-06 09:13:25 +01:00
Alex Wang
209117413f
Promote NonPreempt feature gate to beta (#91899) 
* update nonpreempt featuregate to beta

* update
 2020-06-30 00:02:56 -07:00
Kubernetes Prow Robot
71c352dee3
Merge pull request #87582 from mrueg/ptr 
PodTolerationRestriction: Mention Whitelist Scope in Error
 2020-06-29 13:07:59 -07:00
Shihang Zhang
613a712717 default to add projected fstype in psp when boundedserviceaccounttoken is enabled 2020-06-24 09:09:27 -07:00
Ted Yu
9f95fdd3cd Mirror pod without OwnerReference should not be created 
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
 2020-06-21 08:00:17 -07:00
Christopher M. Luciano
92506a98fc
ingress: Update IngressClass feature and admission controller for v1 
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
 2020-06-17 12:11:31 -04:00
Kubernetes Prow Robot
11fe6e815f
Merge pull request #91713 from liggitt/csr-v1-manager 
CSR v1 - switch controllers
 2020-06-09 14:49:30 -07:00
Andrew Keesler
a1de5a86ff
Migrate a single node_authorizer.go klog.Infof call to klog.InfoS (#91591) 
* Migrate a single node_authorizer.go klog.Infof call to klog.InfoS

We are starting with the log lines that show up most often.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

* Remove quotes from error for readability

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

* node_authorizer.go: use %s for node names for log uniformity

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

* node_authorizer.go: single-quote node name for readability++

This is good because:
1) the node name is clear in the log line
2) the node names shows up the same in {un-,}structured logs

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-06-09 14:49:01 -07:00
Jordan Liggitt
db4ca87d9d Switch CSR approver/signer/cleaner controllers to v1 2020-06-05 18:45:34 -04:00
Jordan Liggitt
0e062981d1 Detect PSP enablement more accurately 2020-06-03 13:14:19 -04:00
Jordan Liggitt
7049149181 Generated files 2020-05-28 16:53:23 -04:00
Jordan Liggitt
377adfa2b7 Make signer admission plugin check on condition update 2020-05-28 12:20:40 -04:00
Kubernetes Prow Robot
9f5d9a9bef
Merge pull request #91315 from jherrera123/master 
Fix runtime admission flaky test due to race condition
 2020-05-22 10:45:11 -07:00
Jesus Herrera
a5800ab4cb Fix linter and bazel errors 2020-05-21 23:06:56 -04:00
Jesus Herrera
6b8e2cc24e Fix runtime admission flaky test due to race condition 2020-05-20 20:29:51 -04:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-05-16 07:54:27 -04:00
Jordan Liggitt
fd78947489 Indicate node authorizer does not support rule resolution 2020-05-12 20:34:13 -04:00
Jiajie Yang
ae0e52d28c Monitoring safe rollout of time-bound service account token. 2020-04-22 11:59:16 -07:00
Jordan Liggitt
ba4d2aa076 Restrict node labels on Node create 2020-04-20 16:26:24 -04:00
Kubernetes Prow Robot
8a4bf39884
Merge pull request #82814 from porridge/patch-1 
Fix a couple of typos
 2020-04-14 06:20:13 -07:00
Kubernetes Prow Robot
6239abe698
Merge pull request #89225 from andrewsykim/apparmor-api 
move apparmor annotation constants to k8s.io/api/core/v1
 2020-04-12 19:11:50 -07:00