Daniel Smith
a86afc12df
update scripts
2020-09-02 10:49:40 -07:00
Daniel Smith
15e0e3e90e
rename
2020-09-02 10:48:26 -07:00
Daniel Smith
75f835aa08
move port definitions to a common location
2020-09-02 10:48:25 -07:00
Jordan Liggitt
81144d6c9a
Deprioritize extensions/v1beta1 in discovery
2020-08-28 10:58:32 -04:00
Jordan Liggitt
22c9236741
Allow integration test servers extra time to start
2020-07-23 17:46:59 -04:00
Kubernetes Prow Robot
429f968988
Merge pull request #92791 from p0lyn0mial/aggregator-dynamic-cert-reload
...
adds dynamic certificate reloading for kube aggregator
2020-07-10 15:42:10 -07:00
Kubernetes Prow Robot
2d327ac455
Merge pull request #91539 from andrewsykim/fix-cloud-provider-deprecation
...
only log cloud provider deprecation warning for in-tree components
2020-07-10 00:59:48 -07:00
Alena Varkockova
25f0ebc827
adds dynamic certificate reloading for kube aggregator
...
Co-authored-by: Lukasz Szaszkiewicz <lukasz.szaszkiewicz@gmail.com>
Co-authored-by: David Eads <deads@redhat.com>
2020-07-08 11:24:21 +02:00
Kubernetes Prow Robot
8ec5747fe5
Merge pull request #91501 from tahsinrahman/add-apiserver-logging-flag
...
Add `--logging-format` flag for kube-apiserver
2020-07-03 12:24:47 -07:00
Chelsey Chen
75612c1746
Promote new Event API to v1
2020-07-01 10:50:28 -04:00
Kubernetes Prow Robot
7151131d79
Merge pull request #73032 from liggitt/kubectl-warning
...
surface server-side warnings in client-go / kubectl
2020-06-12 17:09:56 -07:00
Jordan Liggitt
df6608dc99
Generated files
2020-06-11 16:04:19 -04:00
Jordan Liggitt
0d674c4edb
cmd: silence warnings in kube-controller-manager/kube-apiserver, dedupe/color warnings in kubectl
2020-06-11 16:04:19 -04:00
Kubernetes Prow Robot
9ccf6f7de7
Merge pull request #91818 from wojtek-t/remove_cachesize
...
Remove heuristic watchcache sizes
2020-06-10 22:43:24 -07:00
wojtekt
5ceb53987b
Remove heuristic watchcache sizes
2020-06-08 13:32:52 +02:00
Jordan Liggitt
e0f5cca410
Copy CSR v1beta1 to v1
...
* Remove prerelease tags
* Update copyright, package, imports to v1
* Remove signerName, usages, and condition status defaulting
2020-06-05 00:47:24 -04:00
Kubernetes Prow Robot
7bd4c53b27
Merge pull request #91630 from liggitt/kube-apiserver-kubelet-https
...
Mark --kubelet-https deprecated, unconditionally use https for apiserver->kubelet connections
2020-06-02 02:02:14 -07:00
Jordan Liggitt
2e8461a5bc
Mark --kubelet-https deprecated, unconditionally use https for apiserver->kubelet connections
2020-06-01 20:54:49 -04:00
Kubernetes Prow Robot
774c9a6db6
Merge pull request #91349 from neolit123/1.19-fail-on-unrecognized-args
...
cmd/*: fail on unrecognized flags/arguments for component CLI
2020-05-30 00:27:53 -07:00
Kubernetes Prow Robot
d1586ea3f9
Merge pull request #91502 from deads2k/dyn-audit-removal-00
...
remove --feature-gates=DynamicAuditing
2020-05-29 11:56:20 -07:00
Monis Khan
fc4f91f10b
cmd/*: fail on unrecognized flags/arguments for component CLI
...
In case a malformed flag is passed to k8s components
such as "–foo", where "–" is not an ASCII dash character,
the components currently silently ignore the flag
and treat it as a positional argument.
Make k8s components/commands exit with an error if a positional argument
that is not empty is found. Include a custom error message for all
components except kubeadm, as cobra.NoArgs is used in a lot of
places already (can be fixed in a followup).
The kubelet already handles this properly - e.g.:
'unknown command: "–foo"'
This change affects:
- cloud-controller-manager
- kube-apiserver
- kube-controller-manager
- kube-proxy
- kubeadm {alpha|config|token|version}
- kubemark
Signed-off-by: Monis Khan <mok@vmware.com>
Signed-off-by: Lubomir I. Ivanov <lubomirivanov@vmware.com>
2020-05-28 22:06:01 +03:00
Andrew Sy Kim
ed3feac74d
only log cloud provider deprecation warning for in-tree components
...
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-05-28 11:55:56 -04:00
tahsinrahman
201f869c66
Add --logging-format flag for kube-apiserver
2020-05-28 11:39:04 +08:00
David Eads
e857adbdfd
remove-api
2020-05-27 16:58:05 -04:00
David Eads
ed4e6f1026
remove dynamic audit
2020-05-27 15:18:53 -04:00
Johannes M. Scheuermann
bd42094d90
Update kube-apiserver flag comments
2020-05-25 15:43:56 +02:00
Jiajie Yang
ebbd455b24
Restrict service account token metrics to kube-apiserver only.
2020-05-21 15:34:57 -07:00
Kubernetes Prow Robot
7dafbe3ff3
Merge pull request #90391 from johscheuer/improve-error-message-svc-cidr
...
Improve the error message for the service cidr check
2020-05-18 11:05:37 -07:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Mike Danese
bd290e924f
fix some fixture path calculations
...
Current calculations assume that -trimpath is not passed to go tool
compile, which is not the case for test binaries built with bazel. This
causes issues for integration tests right now but is generally not
correct.
The approach taken here is a bit of a hack but it works on the
assumption that if and only if trimpath is passed, we are running under
bazel. I didn't see a good spot for pkgPath(), so I just copied it
around.
2020-05-12 15:34:55 -07:00
Johannes M. Scheuermann
4c5b46d2ae
Move validation in own function with tests
2020-05-08 08:52:34 +02:00
Tomas Nozicka
b22a170d46
Fix client-ca dynamic reload in apiserver
2020-04-29 16:03:09 +02:00
Johannes M. Scheuermann
889648d6e5
Improve the error message for the service cidr check
2020-04-24 07:46:31 +02:00
Kubernetes Prow Robot
15ed3b36d1
Merge pull request #90235 from cici37/addflag
...
Remove CCM dependency pkg/util/flag
2020-04-22 19:22:14 -07:00
Kubernetes Prow Robot
43cd2ff239
Merge pull request #89549 from happinesstaker/sa-rotate
...
Monitoring safe rollout of time-bound service account token.
2020-04-22 17:01:58 -07:00
Kubernetes Prow Robot
791b4bbeea
Merge pull request #85266 from serathius/refactor-show-hidden-metric
...
Refactor show-hidden-metric-for-version flag
2020-04-22 17:01:44 -07:00
Jiajie Yang
ae0e52d28c
Monitoring safe rollout of time-bound service account token.
2020-04-22 11:59:16 -07:00
cici37
15c844031f
Remove CCM dependency pkg/util/flag
2020-04-22 10:06:11 -07:00
Kubernetes Prow Robot
8b0a7dea1d
Merge pull request #90297 from deads2k/silence-usage
...
stop printing usage help when the server commands exit
2020-04-20 14:05:49 -07:00
David Eads
871d6dd8bb
stop printing usage help when the server commands exit
2020-04-20 08:29:52 -04:00
needkane
97d6f2cfd3
(return []error{} -> return nil) and (update annotation)
2020-04-14 00:05:35 -04:00
Marek Siarkowicz
24321b2d4e
Refactor show-hidden-metric-for-version flag
2020-04-08 22:42:14 +02:00
David Eads
45c2f4534c
add flag check to ensure that flowcontrol API is present
2020-04-07 15:08:50 -04:00
Kubernetes Prow Robot
0804667ff1
Merge pull request #89151 from jingyih/add_metric_etcd_db_size
...
apiserver: add a metric exposing etcd database size
2020-03-31 12:37:00 -07:00
jingyih
922ec728de
Add a metric exposing etcd database size
2020-03-31 09:02:38 -07:00
Davanum Srinivas
1d057da2f7
Move k8s.io/apiserver/pkg/util/term to k8s.io/component-base/term
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-03-19 07:18:09 -04:00
Monis Khan
df292749c9
Remove support for basic authentication
...
This change removes support for basic authn in v1.19 via the
--basic-auth-file flag. This functionality was deprecated in v1.16
in response to ATR-K8S-002: Non-constant time password comparison.
Similar functionality is available via the --token-auth-file flag
for development purposes.
Signed-off-by: Monis Khan <mok@vmware.com>
2020-03-11 20:55:47 -04:00
Kubernetes Prow Robot
268d0a1d3a
Merge pull request #85870 from Jefftree/authn-netproxy
...
Use Network Proxy with Authentication & Authorizer Webhooks
2020-02-28 18:44:39 -08:00
Jefftree
1b38199ea8
pass Dialer instead of egressselector to webhooks
2020-02-27 17:47:23 -08:00
Jefftree
d318e52ffe
authentication webhook via network proxy
2020-02-27 17:47:23 -08:00
Jonathan Tomer
711c1e1720
Rename --enable-inflight-quota-handler to --enable-priority-and-fairness.
...
The old flag name doesn't make sense with the renamed API Priority and
Fairness feature, and it's still safe to change the flag since it hasn't done
anything useful in a released k8s version yet.
2020-02-27 14:04:37 -08:00
Kubernetes Prow Robot
79b674d827
Merge pull request #84381 from Sh4d1/egress_selector_proxy_v2
...
Use network proxy for proxy subresources
2020-02-20 04:29:03 -08:00
Kubernetes Prow Robot
77e8c75f32
Merge pull request #87754 from MikeSpreitzer/apf-filter5
...
Add twice refactored filter and config consumer for API Priority and Fairness
2020-02-13 16:54:46 -08:00
Patrik Cyvoct
6729bfd648
use network proxy for proxy subresources
...
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-02-13 14:42:34 +01:00
Charles Eckman
5a176ac772
Provide OIDC discovery endpoints
...
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
Mike Spreitzer
73614ddd4e
Added API Priority and Fairness filter and config consumer
2020-02-10 22:54:40 -05:00
Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00
Tim Allclair
9d3670f358
Ensure testing credentials are labeled as such
2020-02-04 10:36:05 -08:00
Mike Danese
d55d6175f8
refactor
2020-01-29 08:50:45 -08:00
Ted Yu
34f0767137
Add flowcontrol to apiVersionPriorities
2020-01-19 14:16:46 -08:00
Jefftree
1289bdaba4
network proxy with admission wh
2020-01-08 15:01:38 -08:00
Jordan Liggitt
3df9e86a4e
Remove ability to re-enable serving deprecated APIs
2019-12-13 12:21:33 -05:00
darshanime
f4d1674827
Refactor parsing logic for service IP and ranges, add tests
...
Signed-off-by: darshanime <deathbullet@gmail.com>
2019-12-05 15:35:20 -05:00
darshanime
fdd25ec968
Fix bug in apiserver service cluster cidr split
...
Signed-off-by: darshanime <deathbullet@gmail.com>
2019-12-05 15:35:20 -05:00
yue9944882
81471c36b1
[generated] bazels and vendor/modules.txt
...
[generated] bazels
bazel
2019-12-04 00:49:28 +08:00
yue9944882
168f8f54f0
switch to v1 crd
...
switch api helper functions to v1 CRD api
switch v1 CRD for apiserver internal
switch to v1 CRD for internal controllers
api storage/validation related changes
move local-defaulting utils private to prevent spreading
boilerplate
keep the subresource status/scale spec nil unless it's enabled
clean up empty space
2019-12-04 00:49:26 +08:00
David Eads
3c1dc89d98
fix kube-apiserver poststarthook additions to avoid duplicating them
2019-11-26 14:05:06 -05:00
Jordan Liggitt
a5760dee81
Add support for --runtime-config=api/beta=false, --feature-gates=AllBeta=false
...
Allow disabling all beta features and APIs
2019-11-14 14:37:55 -05:00
Kubernetes Prow Robot
64f4be5b32
Merge pull request #84390 from robscott/endpointslice-beta
...
Promoting EndpointSlices to beta
2019-11-13 17:27:50 -08:00
Kubernetes Prow Robot
02af1dd62c
Merge pull request #85004 from deads2k/dynamic-agg-cert
...
dynamic reload cluster authentication info for aggregated API servers
2019-11-13 14:50:54 -08:00
Rob Scott
a7e589a8c6
Promoting EndpointSlices to beta
2019-11-13 14:20:19 -08:00
David Eads
3fbfe60ed2
make client authentication optional for test kube-apiserver
2019-11-13 10:25:28 -05:00
David Eads
3aede35b3b
dynamic reload cluster authentication info for aggregated API servers
2019-11-13 07:54:27 -05:00
RainbowMango
b2fbdee9bb
Deal with auto-generated files.
...
- Update bazel by hack/update-bazel.sh
2019-11-13 10:32:53 +08:00
RainbowMango
ac0562b00c
Add metrics flag to show hidden metrics to kube-apiserver
2019-11-13 10:32:52 +08:00
Kubernetes Prow Robot
94efa988f4
Merge pull request #84813 from deads2k/admission-feature-gates
...
remove global variable dependency from admission plugins
2019-11-12 10:23:14 -08:00
Jordan Liggitt
7349a824df
generated
2019-11-11 17:19:12 -05:00
Jordan Liggitt
d54a70db5c
Switch kubelet/aggregated API servers to use v1 subjectaccessreviews
2019-11-11 17:19:11 -05:00
Jordan Liggitt
5ef4fe959a
Switch kubelet/aggregated API servers to use v1 tokenreviews
2019-11-11 17:19:10 -05:00
David Eads
675c2fb924
add featuregate inspection as admission plugin initializer
2019-11-08 13:07:40 -05:00
David Eads
be8af0de1b
remove exist client hooks
2019-11-06 10:17:19 -05:00
David Eads
7351c86860
publish cluster authentication trust via controller
2019-11-06 10:17:19 -05:00
Igor Zibarev
03dfa1a641
Fix golint issues in pkg/kubeapiserver
2019-11-05 22:25:32 +03:00
Wenjia Zhang
9ead9373f3
Resolve incompatibility from update: etcd CAFile -> TrustedCAFile
2019-10-24 14:09:24 -07:00
Kubernetes Prow Robot
46a29a0cc3
Merge pull request #71674 from grayluck/firewall-event-msg
...
Change XPN firewall change msg. Should be required by security admin
2019-10-14 21:09:51 -07:00
Kubernetes Prow Robot
7ac65858bb
Merge pull request #82371 from deads2k/cert-reload-delegated
...
add ability to authenticators for dynamic update of certs for delegated authn
2019-10-04 08:50:04 -07:00
Kubernetes Prow Robot
5fbda60c14
Merge pull request #82077 from deads2k/poststart
...
add ability to pre-configure poststarthooks for apiservers
2019-10-03 08:16:10 -07:00
Jordan Liggitt
8ef4566cef
Limit YAML/JSON decode size
2019-10-02 21:52:19 -04:00
David Eads
51195dd860
add ability to authenticators for dynamic update of certs
2019-10-01 09:50:20 -04:00
David Eads
f14f4c933e
add ability to pre-configure poststarthooks for apiservers
2019-10-01 09:08:18 -04:00
yankaiz
bd03c3a096
Change XPN firewall change message, should be required by security admin.
...
Add l7lbSrcRngsFlag to gce_loadbalancer.go so that ingress can have
fewer source ranges for l7 health checks.
2019-09-30 11:19:42 -07:00
Kubernetes Prow Robot
67d928acdc
Merge pull request #82096 from logicalhan/version-deletion
...
remove pkg/version and some of redundant copies of it
2019-09-17 14:27:16 -07:00
Kubernetes Prow Robot
3a19f1e80b
Merge pull request #82472 from draveness/feature/remove-feature-gates-in-1-17
...
feat: cleanup several GA feature flags which should be removed in 1.17
2019-09-17 06:58:24 -07:00
Han Kang
866ea74326
remove pkg/version and some of redundant copies of it
...
Change-Id: Ia58367c1b1274bfb49c8a4784051463abaf795de
2019-09-16 16:24:35 -07:00
Kubernetes Prow Robot
7ec4f4b4a6
Merge pull request #82391 from jiachengxu/apiserver-typo
...
Fix a typo in cmd/kube-apiserver.
2019-09-11 15:27:23 -07:00
Kubernetes Prow Robot
1d016cc1d3
Merge pull request #81668 from darshanime/remove_default_service_cidr
...
Deprecate default service IP CIDR
2019-09-10 14:31:45 -07:00
draveness
14dc59ee54
feat: remove EnableAggregatedDiscoveryTimeout feature gate
2019-09-09 09:55:54 +08:00
Jiacheng Xu
637badc1f0
fix a typo in cmd/kube-apiserver.
2019-09-05 23:00:36 +02:00
Kubernetes Prow Robot
c86da8e2c1
Merge pull request #82048 from cheftako/kas-np4
...
Add support for konnectivity service to the etcd3 client.
2019-08-30 16:15:28 -07:00