github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
120,408 Commits 1 Branch 31 Tags 1,019 MiB
c019b51be4
Commit Graph

250 Commits

Author SHA1 Message Date
Jordan Liggitt
1f40e0916e
Only default mode to AlwaysAllow when config file is unspecified 2023-11-08 11:24:28 -06:00
James Munnelly
76463e21d4 KEP-4193: bound service account token improvements 2023-10-30 21:15:10 +00:00
Kubernetes Prow Robot
b7e5cbf1cf
Merge pull request #121301 from sttts/sttts-validate-cloud-provider-2 
kubeapiserver/options: fix cloud provider validation
 2023-10-26 01:08:14 +02:00
Nabarun Pal
22e5a806a7
Add --authorization-config flag to apiserver 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
 2023-10-18 11:58:47 +05:30
Kubernetes Prow Robot
d22e315c4a
Merge pull request #120910 from palnabarun/3221/fix-kubeconfig-file-type-name 
staging/apiserver: correct KubeConfig type name in authorization types
 2023-10-17 18:50:33 +02:00
Dr. Stefan Schimanski
72e67e0ef0
kubeapiserver/options: fix cloud provider validation 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
 2023-10-17 17:50:25 +02:00
Nabarun Pal
2bf2c4f3a4
staging/apiserver: correct KubeConfigFile type in authorization types 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
 2023-10-17 20:01:27 +05:30
Kubernetes Prow Robot
91c172e670
Merge pull request #121108 from sttts/sttts-validate-cloud-provider 
kube-apiserver: move cloud provider validation into options
 2023-10-17 16:14:10 +02:00
Jefftree
b30c6bdff8 Fix v3 spec 2023-10-16 15:05:13 -04:00
Dr. Stefan Schimanski
0f989046d0
kube-apiserver: move cloud provider validation into options 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
 2023-10-10 22:43:23 +02:00
Nabarun Pal
3de0d9afbb
pkg/kubeapiserver: pass authorizer in top level while building from legacy options 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
 2023-10-04 14:17:16 +05:30
Kubernetes Prow Robot
26c3f66887
Merge pull request #120903 from dims/deprecate-cloud-provider-and-config-cli-params 
Deprecate cloud-provider/cloud-config in apiserver CLI
 2023-09-27 18:17:33 -07:00
Dr. Stefan Schimanski
6395049176
controlplane: make option structs uniformly optional 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
 2023-09-27 11:22:37 +02:00
Davanum Srinivas
4d2d9947bf
Deprecate cloud-provider/cloud-config in apiserver CLI 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2023-09-26 16:05:01 -04:00
Nabarun Pal
108d195595
use AuthorizationConfiguration in kube-apiserver for storing authorizer config 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
 2023-09-18 11:33:18 +05:30
Anish Ramasekar
9e1ff1e512
add loading config and wire feature flag 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2023-08-30 23:14:56 +00:00
Anish Ramasekar
1bad3cbbf5
wiring existing oidc flags with internal API struct 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2023-08-25 17:15:33 +00:00
Kubernetes Prow Robot
8d244d3e66
Merge pull request #116721 from enj/enj/i/bootstrap_authn_lister 
Wire bootstrap token authn secret lister only when it is enabled
 2023-04-11 18:19:30 -07:00
Kubernetes Prow Robot
61457b939d
Merge pull request #116648 from ncdc/admission-clients 
admission ApplyTo: take in clients
 2023-04-11 18:18:41 -07:00
Monis Khan
e9866d2794
Clear front proxy headers after authentication is complete 
This matches the logic we have for the Authorization header as well
as the impersonation headers.

Signed-off-by: Monis Khan <mok@microsoft.com>
 2023-03-21 10:51:22 -04:00
Monis Khan
94f2d35164
Wire bootstrap token authn secret lister only when it is enabled 
Signed-off-by: Monis Khan <mok@microsoft.com>
 2023-03-17 11:17:20 -04:00
Taahir Ahmed
6a75e7c40c ClusterTrustBundles: Define types 
This commit is the main API piece of KEP-3257 (ClusterTrustBundles).

This commit:

* Adds the certificates.k8s.io/v1alpha1 API group
* Adds the ClusterTrustBundle type.
* Registers the new type in kube-apiserver.
* Implements the type-specfic validation specified for
  ClusterTrustBundles:
  - spec.pemTrustAnchors must always be non-empty.
  - spec.signerName must be either empty or a valid signer name.
  - Changing spec.signerName is disallowed.
* Implements the "attest" admission check to restrict actions on
  ClusterTrustBundles that include a signer name.

Because it wasn't specified in the KEP, I chose to make attempts to
update the signer name be validation errors, rather than silently
ignored.

I have tested this out by launching these changes in kind and
manipulating ClusterTrustBundle objects in the resulting cluster using
kubectl.
 2023-03-15 20:10:18 -07:00
Andy Goldstein
364b66ddd6
admission ApplyTo: take in clients 
Change admission ApplyTo() to take in clients instead of a rest.Config.

Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
 2023-03-15 11:15:49 -04:00
Thomas Milox
3ad2ab18fa
pkg/kubeapiserver/options: Improving test coverage (#114234) 
* pkg/kubeapiserver/options: Improving test coverage

Signed-off-by: TommyStarK <thomasmilox@gmail.com>

* pkg/kubeapiserver/options: Improving test coverage

Add a snippet of the expected error string related to the aspect being tested

Signed-off-by: TommyStarK <thomasmilox@gmail.com>

Signed-off-by: TommyStarK <thomasmilox@gmail.com>
 2022-12-14 17:51:35 -08:00
Cici Huang
2973712486 Rename FG to ValidatingAdmissionPolicy 2022-11-10 03:37:35 +00:00
Cici Huang
40c21dafcd Rename admission cel package to validatingadmissionpolicy 2022-11-10 03:37:30 +00:00
Cici Huang
e7d83a1fb7 Integrate cel admission with API. 
Co-authored-by: Alexander Zielenski <zielenski@google.com>
Co-authored-by: Joe Betz <jpbetz@google.com>
 2022-11-07 21:38:55 +00:00
Shihang Zhang
569cd70a52 track legacy service account tokens 2022-10-24 09:37:53 -07:00
Kubernetes Prow Robot
85e7ddbcfb
Merge pull request #111313 from BinacsLee/binacs/use-len-in-options 
cleanup: use sets.Len() insead of len(sets.List())
 2022-10-04 07:34:16 -07:00
Kubernetes Prow Robot
3051cb2ba1
Merge pull request #108624 from ialidzhikov/cleanup/service-account-api-audiences 
apiserver: Remove the deprecated `--service-account-api-audiences` flag
 2022-08-02 09:15:44 -07:00
Davanum Srinivas
a9593d634c
Generate and format files 
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2022-07-26 13:14:05 -04:00
Kubernetes Prow Robot
37311a2eed
Merge pull request #103663 from bells17/fix-priority-plugin-comment 
Fix Priority plugin comment
 2022-07-25 07:40:35 -07:00
BinacsLee
80b43075c9 cleanup: use sets.Len() insead of len(sets.List()) 2022-07-21 20:13:30 +08:00
Jordan Liggitt
410ac59c0d Remove PodSecurityPolicy admission plugin 2022-05-04 16:00:56 -04:00
Jefftree
67d3dbfaae Separate OpenAPI V2 and V3 Config 2022-03-29 17:49:56 -07:00
ialidzhikov
92707cafbb apiserver: Remove the deprecated --service-account-api-audiences flag 
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
 2022-03-10 09:46:20 +02:00
bryfry
038ad9b3a5 correct references to service-account-signing-key-file flag 2022-01-30 04:24:25 +00:00
Shubham Kuchhal
ef2be5586e Add supported 'alg' header values. 2021-09-16 14:02:21 +05:30
Monis Khan
b5ef684d90
admission: run PodSecurity before PodSecurityPolicy 
This change fixes the order in which the PodSecurity and
PodSecurityPolicy admission plugins are run.  The old code intended
for PSA to run before PSP, but attempted to enforce that via
registration order (which is irrelevant).  Now PSA is correctly
executed before PSP to allow for audit and warning modes to be
exercised even in the presence of a deny PSP policy.

Signed-off-by: Monis Khan <mok@vmware.com>
 2021-09-01 11:39:58 -04:00
Antonio Ojea
0cd75e8fec run hack/update-netparse-cve.sh 2021-08-20 10:42:09 +02:00
Mengjiao Liu
7911a08fb3 Remove ServiceAccountIssuerDiscovery feature gate 2021-07-14 18:43:59 +08:00
bells17
62c444b484 Fix Priority plugin comment 2021-07-13 20:37:05 +09:00
Jordan Liggitt
f39bddd767 PodSecurity: kube-apiserver: admission wiring 2021-06-28 17:45:35 -04:00
Shihang Zhang
925900317e allow multiple of --service-account-issuer 2021-04-19 09:54:11 -07:00
Kubernetes Prow Robot
42a4953c6e
Merge pull request #100186 from yangjunmyfm192085/run-test28 
test: fix the error case of TestAuthenticationValidate
 2021-04-08 20:28:34 -07:00
Kubernetes Prow Robot
26fba1403b
Merge pull request #99528 from pandaamanda/apiserver_validation_code_optimization 
fix log message and optimize log format check logic
 2021-04-08 14:28:34 -07:00
JunYang
4e72e41387 test: fix the error of TestAuthenticationValidate 
Signed-off-by: JunYang <yang.jun22@zte.com.cn>
 2021-03-12 23:10:21 +08:00
xiongzhongliang
4a24a08f93 Optimize some codes 2021-03-05 18:23:39 +08:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
Shihang Zhang
cbf6e38bbd move RootCAConfigMap to ga 2021-02-22 15:59:27 -08:00