- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the from the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
StorageObjectInUseProtection plugin of admission controller adds
the flag `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection`
to newly created PVCs or PV. In case a user deletes a PVC or PV the PVC
or PV is not removed until the finalizer is removed from the PVC or PV
by PVC or PV Protection Controller.
We are testing this plugin on the e2e tests of "PV Protection" because
most setup scripts enable that like:
* cluster/centos/config-default.sh: Enabled
* cluster/gce/config-default.sh: Enabled
* cluster/gce/config-test.sh: Enabled
* cluster/kubemark/gce/config-default.sh: Enabled
* hack/local-up-cluster.sh: Enabled
* cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py: Disabled
As we are testing it normally, it is nice to enable the plugin by
default.
Moved all flag code from `staging/src/k8s.io/apiserver/pkg/util/[flag|globalflag]` to `component-base/cli/[flag|globalflag]` except for the term function because of unwanted dependencies.
The storage version now is solely decided by the
scheme.PrioritizedVersionsForGroup(). For cohabitating resources, the storage
version will be that of the overriding group as returned by
storageFactory.getStorageGroupResource().
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
Fixes lint errors in kubeapiserver/admission, kubeapiserver/authorizer,
kubeapiserver/authenticator. Also enables lint testing of these
directories.
Fixed go format.
Fixed changes from config.
The service account authenticator isn't the only authenticator that
should respect API audience. The authentication config structure should
reflect that.
