Commit Graph

744 Commits

Author SHA1 Message Date
Ivan Shvedunov
02baa44948 Fix update validation for pods w/init containers. 2016-07-20 00:30:12 +03:00
k8s-merge-robot
1e9edfc5c3 Merge pull request #29045 from lixiaobing10051267/mastererrNotAcceptable
Automatic merge from submit-queue

Type define note "errNotAcceptable" should be "errUnsupportedMediaType"

In file "pkg\apiserver\errors.go", line 129:
"// errNotAcceptable indicates Content-Type is not recognized"
Here "errNotAcceptable" shuould be "errUnsupportedMediaType", thus consistent with line 131:
"type errUnsupportedMediaType struct"
2016-07-19 01:10:41 -07:00
k8s-merge-robot
8d46d9b0c7 Merge pull request #28281 from nhlfr/authorize-return-bool
Automatic merge from submit-queue

Return (bool, error) in Authorizer.Authorize()

Before this change, Authorize() method was just returning an error, regardless of whether the user is unauthorized or whether there is some other unrelated error. Returning boolean with information about user authorization and error (which should be unrelated to the authorization) separately will make it easier to debug.

Fixes #27974
2016-07-18 21:40:26 -07:00
k8s-merge-robot
6108725869 Merge pull request #29047 from lixiaobing10051267/masterServe
Automatic merge from submit-queue

Apiserver ServeHTTP() modify

In File "pkg\apiserver\watch.go", line 123:
"// Serve serves a series of encoded events via HTTP with Transfer-Encoding: chunked"
Here "Serve" should be "ServeHTTP" because the func name is ServeHTTP:
"func (s *WatchServer) ServeHTTP(w http.ResponseWriter, req *http.Request)"
2016-07-18 12:43:04 -07:00
Michal Rostecki
fa0dd46ab7 Return (bool, error) in Authorizer.Authorize()
Before this change, Authorize() method was just returning an error,
regardless of whether the user is unauthorized or whether there
is some other unrelated error. Returning boolean with information
about user authorization and error (which should be unrelated to
the authorization) separately will make it easier to debug.

Fixes #27974
2016-07-18 12:06:54 +02:00
Davanum Srinivas
2b0ed014b7 Use Go canonical import paths
Add canonical imports only in existing doc.go files.
https://golang.org/doc/go1.4#canonicalimports

Fixes #29014
2016-07-16 13:48:21 -04:00
lixiaobing10051267
97219275b1 Apiserver ServeHTTP() modify 2016-07-16 12:29:11 +08:00
lixiaobing10051267
7ecae85493 Type define note "errNotAcceptable indicates Content-Type is not recognized" wrong 2016-07-16 11:31:52 +08:00
Daniel Smith
78c02cd052 Stop eating panics 2016-07-13 11:12:59 -07:00
k8s-merge-robot
038ac428f4 Merge pull request #28036 from ericchiang/oidc-auth-plugin-dont-error-if-provider-is-unavailable
Automatic merge from submit-queue

oidc auth plugin: don't hard fail if provider is unavailable

When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.

cc @sym3tri @erictune @aaronlevy @kubernetes/sig-auth
2016-06-30 13:02:16 -07:00
Eric Chiang
2f6db37ff5 oidc auth plugin: don't hard fail if provider is unavailable
When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.
2016-06-29 23:20:26 -07:00
David McMahon
ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
k8s-merge-robot
6fbf99b11a Merge pull request #26753 from ericchiang/rbac-authorizer-tests
Automatic merge from submit-queue

add unit and integration tests for rbac authorizer

This PR adds lots of tests for the RBAC authorizer. 

The plan over the next couple days is to add a lot more test cases.

Updates #23396

cc @erictune
2016-06-19 19:19:08 -07:00
k8s-merge-robot
ba771e7135 Merge pull request #27192 from smarterclayton/signature_change
Automatic merge from submit-queue

Remove EncodeToStream(..., []unversioned.GroupVersion)

Was not being used. Is a signature change and is necessary for post 1.3 work on Templates and other objects that nest objects.

Extracted from #26044
2016-06-19 16:13:07 -07:00
Eric Chiang
d13e351028 add unit and integration tests for rbac authorizer 2016-06-14 11:07:48 -07:00
Clayton Coleman
36a5ffbe2f
Remove EncodeToStream(..., []unversioned.GroupVersion)
Was not being used.
2016-06-10 18:43:12 -04:00
Andy Goldstein
e3af3451c8
ObjectMeta, ListMeta, and TypeMeta should implement their interfaces
Make unversioned.ListMeta implement List. Update all the *List types so they implement GetListMeta.
This helps avoid using reflection to get list information.

Remove all unnecessary boilerplate, move the interfaces to the right
places, and add a test that verifies that objects implement one, the
other, but never both.
2016-06-10 13:28:54 -04:00
k8s-merge-robot
dfe5de3bcb Merge pull request #25731 from Pensu/master
Automatic merge from submit-queue

Adding version.Info in apiserver.go

Fixes #17176
2016-06-06 12:06:32 -07:00
Peeyush Gupta
1a9f7e9a0c Adding version.Info in apiserver.go 2016-06-06 14:15:24 +05:30
k8s-merge-robot
ce788c45ef Merge pull request #26085 from smarterclayton/delay_flush
Automatic merge from submit-queue

Delay flush if the watch queue has pending items

Simple deferral of flush can reduce Syscalls when watch queues build up.

Simpler version of #24768

Fixes #24729

@xiang90 @wojtek-t
2016-05-28 11:53:51 -07:00
k8s-merge-robot
e543bd6452 Merge pull request #26007 from smarterclayton/watch_opt
Automatic merge from submit-queue

Additional optimizations to the encode/decode paths

Builds on top of #25983 with a number of other optimizations.
2016-05-28 06:27:00 -07:00
Eric Chiang
ef40aa9572 pkg/master: enable certificates API and add rbac authorizer 2016-05-25 14:24:47 -07:00
Jordan Liggitt
29252acd1a Change rest storage Update interface to retrieve updated object
Add OldObject to admission attributes

Update resthandler Patch/Update admission plumbing
2016-05-23 21:09:26 -04:00
Clayton Coleman
c4bec1585f Delay flush if the watch queue has pending items
Simple deferral of flush can reduce Syscalls when watch queues build up.
2016-05-23 12:35:36 -04:00
Clayton Coleman
c6961d6fd6
Remove runtime.Typer, reduce to ObjectKinds(1) (3)
Remove the unnecessary variants, which avoids allocations in several
core paths.
2016-05-21 23:55:42 -04:00
Clayton Coleman
b1a759cbbc
Avoid extra allocations in watch loop 2016-05-21 23:55:41 -04:00
Clayton Coleman
f670cc4652
Avoid multiple allocations during selfLink generation 2016-05-21 23:55:41 -04:00
Clayton Coleman
25a2a7d25a
Scope namer returns canonical paths already 2016-05-21 23:55:40 -04:00
Clayton Coleman
159797bac4
Watch benchmark should skip init containers for now 2016-05-21 23:55:40 -04:00
CJ Cullen
d03dbbcc14 Add LRU Expire cache to webhook authorizer. 2016-05-21 14:50:50 -07:00
k8s-merge-robot
346f965871 Merge pull request #25694 from cjcullen/authncache
Automatic merge from submit-queue

Cache Webhook Authentication responses

Add a simple LRU cache w/ 2 minute TTL to the webhook authenticator.

Kubectl is a little spammy, w/ >= 4 API requests per command. This also prevents a single unauthenticated user from being able to DOS the remote authenticator.
2016-05-21 10:48:38 -07:00
Wojciech Tyczynski
f3c70ffeeb Log requests returning TooManyRequests error 2016-05-20 10:18:05 +02:00
Clayton Coleman
a8ce27709c
Print more data about an error for debugging
Sometimes clients send unintelligible data to the server, provide a bit
more debugging in the returned error to make it easier to pin down where
the problem is from the user side.
2016-05-19 09:08:57 -04:00
Clayton Coleman
88b39cadf8
Have the service account controller force retry
Service account controller, when API token not found, now sends 500 with
Retry-After: 1s. Also change the apiserver to actually write the error.
2016-05-19 09:08:57 -04:00
CJ Cullen
57f96a932f Add expiration LRU cache for webhook token authenticator. 2016-05-18 11:58:11 -07:00
Wojciech Tyczynski
c5147bdb16 Split request_count metric by contentType 2016-05-17 13:34:36 +02:00
Matt Liggett
2bc46d5085 It's 2016, yo. 2016-05-13 12:41:40 -07:00
Clayton Coleman
51b624103f
Change ConvertToVersion to use GroupVersion
Long delayed refactor, avoids a few more allocations.
2016-05-12 10:10:35 -04:00
Clayton Coleman
a84e62d9e6
Change ObjectKind signature to avoid allocations
We don't need to pass a pointer into SetGroupKindVersion() - a
struct works just as well.
2016-05-12 10:10:35 -04:00
k8s-merge-robot
0ef4c6407b Merge pull request #24902 from cjcullen/webhookAuthn
Automatic merge from submit-queue

Webhook Token Authenticator

Add a webhook token authenticator plugin to allow a remote service to make authentication decisions.
2016-05-11 22:08:58 -07:00
Fabio Yeon
6071540799 Merge pull request #25249 from mkumatag/typo_fix
Rename a function parameter name in authn.go
2016-05-10 19:42:50 -07:00
CJ Cullen
eb3b0e78b4 Add a webhook token authenticator plugin. 2016-05-10 14:54:35 -07:00
k8s-merge-robot
1a1229e206 Merge pull request #24795 from deads2k/use-all-attributes
Automatic merge from submit-queue

enable resource name and service account cases for impersonation

Adds the resource name check since that attribute was added for authorization.  Also adds a check against a separate resource for service accounts.  Allowing impersonation of service accounts to use a different resource check places control of impersonation with the same users to have the power to get the SA tokens directly.

@kubernetes/kube-iam 
@sgallagher FYI
2016-05-09 04:58:19 -07:00
Manjunath A Kumatagi
00be597618 Rename a function parameter name in authn.go 2016-05-06 02:48:10 -04:00
k8s-merge-robot
4a7ec6034f Merge pull request #23928 from caesarxuchao/cascading-deletion-API-changes
Automatic merge from submit-queue

API changes for Cascading deletion 

This PR includes the necessary API changes to implement cascading deletion with finalizers as proposed is in #23656. Comments are welcome.

@lavalamp @derekwaynecarr @bgrant0607 @rata @hongchaodeng
2016-05-05 19:46:40 -07:00
Clayton Coleman
e0ebcf4216
Split the storage and negotiation parts of Codecs
The codec factory should support two distinct interfaces - negotiating
for a serializer with a client, vs reading or writing data to a storage
form (etcd, disk, etc). Make the EncodeForVersion and DecodeToVersion
methods only take Encoder and Decoder, and slight refactoring elsewhere.

In the storage factory, use a content type to control what serializer to
pick, and use the universal deserializer. This ensures that storage can
read JSON (which might be from older objects) while only writing
protobuf. Add exceptions for those resources that may not be able to
write to protobuf (specifically third party resources, but potentially
others in the future).
2016-05-05 12:08:23 -04:00
Chao Xu
4562a26d34 generated changes 2016-05-04 21:54:55 -07:00
k8s-merge-robot
c0fca43260 Merge pull request #24915 from wojtek-t/read_closer_in_streaming_decoder
Automatic merge from submit-queue

Support Close() in streaming decoder

[This would be useful for changes in clients to support protobufs.]
2016-04-29 07:21:23 -07:00
k8s-merge-robot
2347d0f047 Merge pull request #24601 from deads2k/qualify-admission-attributes
Automatic merge from submit-queue

fully qualify admission resources and kinds

Fully qualifies the `Kind` and `Resource` fields for admission attributes.  The information was getting filtered at the `RESTHandler` before.

@derekwaynecarr
2016-04-28 05:12:28 -07:00
k8s-merge-robot
d0b887e4e0 Merge pull request #24595 from zhouhaibing089/httpserverclose
Automatic merge from submit-queue

Uncomment the code that caused by #19254

Fix https://github.com/kubernetes/kubernetes/issues/24546.

@lavalamp
2016-04-28 01:41:16 -07:00