github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
91,239 Commits 1 Branch 31 Tags 1,019 MiB
f6246aba6e
Commit Graph

2985 Commits

Author SHA1 Message Date
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-05-16 07:54:27 -04:00
Jordan Liggitt
fd78947489 Indicate node authorizer does not support rule resolution 2020-05-12 20:34:13 -04:00
Jiajie Yang
ae0e52d28c Monitoring safe rollout of time-bound service account token. 2020-04-22 11:59:16 -07:00
Jordan Liggitt
ba4d2aa076 Restrict node labels on Node create 2020-04-20 16:26:24 -04:00
Kubernetes Prow Robot
8a4bf39884
Merge pull request #82814 from porridge/patch-1 
Fix a couple of typos
 2020-04-14 06:20:13 -07:00
Kubernetes Prow Robot
6239abe698
Merge pull request #89225 from andrewsykim/apparmor-api 
move apparmor annotation constants to k8s.io/api/core/v1
 2020-04-12 19:11:50 -07:00
Gaurav Sofat
ac0ce7338e
Reflect DecisionNoOpinion in RBAC authorizer logs (#89608) 
* Reflect DecisionNoOpinion in RBAC authorizer logs

* Modify RBAC authorizer log message
 2020-04-08 13:37:44 -07:00
Andrew Sy Kim
2e56866c97 move apparmor annotation constants to k8s.io/api/core/v1 
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
 2020-04-06 10:22:04 -04:00
Kubernetes Prow Robot
561e86e241
Merge pull request #89696 from flant/service-account-volume-name-with-dot 
Fix service account names with a dot
 2020-04-01 19:26:25 -07:00
Maru Newby
76207fe3d2 Fix permissions for endpointslice controller 
The controller needs to be able to set a service's finalizers to be
able to create an EndpointSlice resource that is owned by the service
and sets blockOwnerDeletion=true in its ownerRef.
 2020-04-01 10:32:11 -07:00
m.nabokikh
ea32811cbd Fix service account names with a dot 
This fix provides the ability to mount service account tokens to pods. The core problem is the volumeName option can't contain any dots.
 2020-03-31 21:42:04 +04:00
Shihang Zhang
b56da85a77 sync api/v1/pod/util with api/pod/util and remove DefaultContainers 2020-03-24 16:42:32 -07:00
Kubernetes Prow Robot
0549d0e7db
Merge pull request #88943 from tedyu/visitor-container-type 
Visitors of Configmaps and Secrets should specify which containers to visit
 2020-03-20 09:20:36 -07:00
Ted Yu
e0dbbf0a65 Visitors of Configmaps and Secrets should specify which containers to visit 
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
 2020-03-20 07:59:44 -07:00
Kubernetes Prow Robot
50d574bf7f
Merge pull request #88344 from enj/enj/i/sa_oidc_all_authenticated 
Allow system:serviceaccounts to read the SA discovery endpoints
 2020-03-17 16:20:47 -07:00
Monis Khan
a38071cc81
Allow system:serviceaccounts to read the SA discovery endpoints 
This change allows all service accounts to read the service account
issuer discovery endpoints.

This guarantees that in-cluster services can rely on this info being
available to them.

Signed-off-by: Monis Khan <mok@vmware.com>
 2020-03-09 13:40:46 -04:00
Christian Huffman
c6fd25d100 Updated CSIDriver references 2020-03-06 08:21:26 -05:00
Rob Scott
132d2afca0
Adding IngressClass to networking/v1beta1 
Co-authored-by: Christopher M. Luciano <cmluciano@us.ibm.com>
 2020-03-01 18:17:09 -08:00
Kubernetes Prow Robot
03b7f272c8
Merge pull request #88246 from munnerz/csr-signername-controllers 
Update CSR controllers & kubelet to respect signerName field
 2020-02-28 23:38:39 -08:00
Jefftree
d318e52ffe authentication webhook via network proxy 2020-02-27 17:47:23 -08:00
Jordan Liggitt
57ea7a11a6 Remove global variable dependency from runtimeclass admission 2020-02-27 15:23:52 -05:00
James Munnelly
d7e10f9869 Add Certificate signerName admission plugins 2020-02-27 15:50:14 +00:00
Kubernetes Prow Robot
8ca96f3e07
Merge pull request #80724 from cceckman/provider-info-e2e 
Provide OIDC discovery for service account token issuer
 2020-02-13 01:38:35 -08:00
Kubernetes Prow Robot
d5ea2f15b5
Merge pull request #87234 from KobayashiD27/fix-golint 
fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy
 2020-02-12 02:23:05 -08:00
Charles Eckman
5a176ac772 Provide OIDC discovery endpoints 
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.

Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
  the API server's external address and port.

- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).

- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the from the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.

Co-authored-by: Michael Taufen <mtaufen@google.com>
 2020-02-11 16:23:31 -08:00
Jordan Liggitt
8a3f587b04 Add fast path to node authorizer for node/edge removal 2020-02-10 13:51:33 -05:00
Jordan Liggitt
3e0c0792d7 Switch node authorizer index to refcounts 2020-02-10 13:24:13 -05:00
Jordan Liggitt
6d335372b2 Add configmap->node destination edges to the node authorizer index 2020-02-10 13:23:50 -05:00
Mike Danese
25651408ae generated: run refactor 2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30 generated: run refactor 2020-02-07 18:16:47 -08:00
Kubernetes Prow Robot
91738cb031
Merge pull request #87688 from mborsz/node2 
Add a fast path for adding new node in node_authorizer
 2020-02-07 05:57:03 -08:00
Tim Allclair
9d3670f358 Ensure testing credentials are labeled as such 2020-02-04 10:36:05 -08:00
Maciej Borsz
69df8a8230 Add a fast path for adding new node in node_autorizer. 
This seems to improve WriteIndexMaintenance benchmark:

Before:
BenchmarkWriteIndexMaintenance-12    	    1034	   1157922 ns/op	    1906 B/op	      41 allocs/op
After:
BenchmarkWriteIndexMaintenance-12    	    4891	    239821 ns/op	    1572 B/op	      37 allocs/op
 2020-02-04 11:32:06 +01:00
Kubernetes Prow Robot
1bb68a2cde
Merge pull request #87693 from liggitt/node-authz-index 
Fix node authorizer index recomputation
 2020-01-30 21:20:55 -08:00
Jordan Liggitt
d8c00b7f52 Fix node authorizer index recomputation 2020-01-30 13:29:57 -05:00
Mike Danese
968adfa993 cleanup req.Context() and ResponseWrapper 2020-01-29 08:50:45 -08:00
Mike Danese
d55d6175f8 refactor 2020-01-29 08:50:45 -08:00
Kubernetes Prow Robot
9633dd63b2
Merge pull request #87239 from lemonli/cleanup/node-authorizer 
clean up node_authorizer code: verb judgement
 2020-01-24 19:21:15 -08:00
Rob Scott
469de65c25
Enabling EndpointSlice feature gate by default 
This enables the EndpointSlice controller by default, but does not make
kube-proxy a consumer of the EndpointSlice API.
 2020-01-17 16:19:29 -08:00
Kobayashi Daisuke
0c3112fff3 fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy 2020-01-16 09:23:16 +09:00
lemonli
2498dbf636 clean node_authorizer code: verb judgement 2020-01-15 18:08:09 +08:00
Jordan Liggitt
39e373fc45 Do not require token secrets when using bound service account tokens 2020-01-09 13:20:45 -05:00
wojtekt
1657ef25eb Extend authorization benchmark 2019-12-12 16:20:38 +01:00
Kubernetes Prow Robot
14fe931e9f
Merge pull request #85375 from liggitt/delegated-list-watch 
Add single-item list/watch to delegated authentication reader role
 2019-11-15 20:49:41 -08:00
Kubernetes Prow Robot
5848ee4945
Merge pull request #85365 from robscott/endpointslice-default-off 
Disabling EndpointSlice feature gate by default
 2019-11-15 17:57:50 -08:00
Jordan Liggitt
ba93157fd2 Add single-item list/watch to delegated authentication reader role 2019-11-15 20:37:43 -05:00
Rob Scott
37aa219fff
Disabling EndpointSlice feature gate by default 
Given the significance this change would have we've decided to hold off
on enabling this by default until we can have better test coverage and
more real world usage of the feature.
 2019-11-15 14:54:35 -08:00
David Zhu
e64a4bc631 Update attachdetach-controller role to include permissions to get, list, and watch csinodes for CSIMigration 2019-11-15 11:22:35 -08:00
Roc Chan
c9cf3f5b72 Service Topology implementation 
* Implement Service Topology for ipvs and iptables proxier
* Add test files
* API validation
 2019-11-15 13:36:43 +08:00