Rather than duplicating some of the KubeProxyConfiguration into
ProxyServer, just store the KubeProxyConfiguration itself so later
code can reference it directly.
For the fields that get platform-specific defaults (Mode,
DetectLocalMode), fill the defaults directly into the
KubeProxyConfiguration rather than keeping the original there and the
defaulted version in the ProxyServer.
Validate the --detect-local-mode value in the API object validation
rather than doing it separately later. Also, remove runtime checks and
unit tests for cases that would be blocked by validation
This commit syncs RBAC from coredns/deployment and removes a get nodes
RBAC.
Historically the federation CoreDNS plugin needed the nodes resource to
fetch zone and region labels.
However, the CoreDNS federation plugin was deprecated and cleaned up a
long time ago and removed the Nodes RBAC requirement here in
`coredns/deployment` coredns.yaml.sed:
https://github.com/coredns/deployment/pull/229
This change however, never made it to `kubernetes/kubernetes`.
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
testing.T.Cleanup ensures the environment is restored after a test and
any of its parallel sub-tests. It's possible that some of these can be
simplified further to T.Setenv(key, ""), but I did not investigate.
T.Setenv ensures that the environment is returned to its prior state
when the test ends. It also panics when called from a parallel test to
prevent racy test interdependencies.
The winkernel proxy was originally created by copying+pasting from the
iptables code, but some iptables-specific things were never removed
(and one function got left behind after its functionality was moved
into the shared proxy code).
This commit is the main API piece of KEP-3257 (ClusterTrustBundles).
This commit:
* Adds the certificates.k8s.io/v1alpha1 API group
* Adds the ClusterTrustBundle type.
* Registers the new type in kube-apiserver.
* Implements the type-specfic validation specified for
ClusterTrustBundles:
- spec.pemTrustAnchors must always be non-empty.
- spec.signerName must be either empty or a valid signer name.
- Changing spec.signerName is disallowed.
* Implements the "attest" admission check to restrict actions on
ClusterTrustBundles that include a signer name.
Because it wasn't specified in the KEP, I chose to make attempts to
update the signer name be validation errors, rather than silently
ignored.
I have tested this out by launching these changes in kind and
manipulating ClusterTrustBundle objects in the resulting cluster using
kubectl.
Add an arg to ParseNodeIPArgument saying whether to allow dual-stack
IPs for external cloud providers. Update kubelet for the new API, but
always pass "false" for now.
The same code should be used to parse the command-line argument and
the annotation. Unfortunately, for compatiblity reasons, they have to
handle invalid inputs differently...
(It doesn't make sense to put this code in cloud-provider, since
ParseNodeIPArgument is used for the non-cloud-provider case too.)
