Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Jordan Liggitt
fd78947489
Indicate node authorizer does not support rule resolution
2020-05-12 20:34:13 -04:00
Jiajie Yang
ae0e52d28c
Monitoring safe rollout of time-bound service account token.
2020-04-22 11:59:16 -07:00
Jordan Liggitt
ba4d2aa076
Restrict node labels on Node create
2020-04-20 16:26:24 -04:00
Kubernetes Prow Robot
8a4bf39884
Merge pull request #82814 from porridge/patch-1
...
Fix a couple of typos
2020-04-14 06:20:13 -07:00
Kubernetes Prow Robot
6239abe698
Merge pull request #89225 from andrewsykim/apparmor-api
...
move apparmor annotation constants to k8s.io/api/core/v1
2020-04-12 19:11:50 -07:00
Gaurav Sofat
ac0ce7338e
Reflect DecisionNoOpinion in RBAC authorizer logs ( #89608 )
...
* Reflect DecisionNoOpinion in RBAC authorizer logs
* Modify RBAC authorizer log message
2020-04-08 13:37:44 -07:00
Andrew Sy Kim
2e56866c97
move apparmor annotation constants to k8s.io/api/core/v1
...
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-04-06 10:22:04 -04:00
Kubernetes Prow Robot
561e86e241
Merge pull request #89696 from flant/service-account-volume-name-with-dot
...
Fix service account names with a dot
2020-04-01 19:26:25 -07:00
Maru Newby
76207fe3d2
Fix permissions for endpointslice controller
...
The controller needs to be able to set a service's finalizers to be
able to create an EndpointSlice resource that is owned by the service
and sets blockOwnerDeletion=true in its ownerRef.
2020-04-01 10:32:11 -07:00
m.nabokikh
ea32811cbd
Fix service account names with a dot
...
This fix provides the ability to mount service account tokens to pods. The core problem is the volumeName option can't contain any dots.
2020-03-31 21:42:04 +04:00
Shihang Zhang
b56da85a77
sync api/v1/pod/util with api/pod/util and remove DefaultContainers
2020-03-24 16:42:32 -07:00
Kubernetes Prow Robot
0549d0e7db
Merge pull request #88943 from tedyu/visitor-container-type
...
Visitors of Configmaps and Secrets should specify which containers to visit
2020-03-20 09:20:36 -07:00
Ted Yu
e0dbbf0a65
Visitors of Configmaps and Secrets should specify which containers to visit
...
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
2020-03-20 07:59:44 -07:00
Kubernetes Prow Robot
50d574bf7f
Merge pull request #88344 from enj/enj/i/sa_oidc_all_authenticated
...
Allow system:serviceaccounts to read the SA discovery endpoints
2020-03-17 16:20:47 -07:00
Monis Khan
a38071cc81
Allow system:serviceaccounts to read the SA discovery endpoints
...
This change allows all service accounts to read the service account
issuer discovery endpoints.
This guarantees that in-cluster services can rely on this info being
available to them.
Signed-off-by: Monis Khan <mok@vmware.com>
2020-03-09 13:40:46 -04:00
Christian Huffman
c6fd25d100
Updated CSIDriver references
2020-03-06 08:21:26 -05:00
Rob Scott
132d2afca0
Adding IngressClass to networking/v1beta1
...
Co-authored-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-03-01 18:17:09 -08:00
Kubernetes Prow Robot
03b7f272c8
Merge pull request #88246 from munnerz/csr-signername-controllers
...
Update CSR controllers & kubelet to respect signerName field
2020-02-28 23:38:39 -08:00
Jefftree
d318e52ffe
authentication webhook via network proxy
2020-02-27 17:47:23 -08:00
Jordan Liggitt
57ea7a11a6
Remove global variable dependency from runtimeclass admission
2020-02-27 15:23:52 -05:00
James Munnelly
d7e10f9869
Add Certificate signerName admission plugins
2020-02-27 15:50:14 +00:00
Kubernetes Prow Robot
8ca96f3e07
Merge pull request #80724 from cceckman/provider-info-e2e
...
Provide OIDC discovery for service account token issuer
2020-02-13 01:38:35 -08:00
Kubernetes Prow Robot
d5ea2f15b5
Merge pull request #87234 from KobayashiD27/fix-golint
...
fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy
2020-02-12 02:23:05 -08:00
Charles Eckman
5a176ac772
Provide OIDC discovery endpoints
...
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the from the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc ) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io ,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
Jordan Liggitt
8a3f587b04
Add fast path to node authorizer for node/edge removal
2020-02-10 13:51:33 -05:00
Jordan Liggitt
3e0c0792d7
Switch node authorizer index to refcounts
2020-02-10 13:24:13 -05:00
Jordan Liggitt
6d335372b2
Add configmap->node destination edges to the node authorizer index
2020-02-10 13:23:50 -05:00
Mike Danese
25651408ae
generated: run refactor
2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00
Kubernetes Prow Robot
91738cb031
Merge pull request #87688 from mborsz/node2
...
Add a fast path for adding new node in node_authorizer
2020-02-07 05:57:03 -08:00
Tim Allclair
9d3670f358
Ensure testing credentials are labeled as such
2020-02-04 10:36:05 -08:00
Maciej Borsz
69df8a8230
Add a fast path for adding new node in node_autorizer.
...
This seems to improve WriteIndexMaintenance benchmark:
Before:
BenchmarkWriteIndexMaintenance-12 1034 1157922 ns/op 1906 B/op 41 allocs/op
After:
BenchmarkWriteIndexMaintenance-12 4891 239821 ns/op 1572 B/op 37 allocs/op
2020-02-04 11:32:06 +01:00
Kubernetes Prow Robot
1bb68a2cde
Merge pull request #87693 from liggitt/node-authz-index
...
Fix node authorizer index recomputation
2020-01-30 21:20:55 -08:00
Jordan Liggitt
d8c00b7f52
Fix node authorizer index recomputation
2020-01-30 13:29:57 -05:00
Mike Danese
968adfa993
cleanup req.Context() and ResponseWrapper
2020-01-29 08:50:45 -08:00
Mike Danese
d55d6175f8
refactor
2020-01-29 08:50:45 -08:00
Kubernetes Prow Robot
9633dd63b2
Merge pull request #87239 from lemonli/cleanup/node-authorizer
...
clean up node_authorizer code: verb judgement
2020-01-24 19:21:15 -08:00
Rob Scott
469de65c25
Enabling EndpointSlice feature gate by default
...
This enables the EndpointSlice controller by default, but does not make
kube-proxy a consumer of the EndpointSlice API.
2020-01-17 16:19:29 -08:00
Kobayashi Daisuke
0c3112fff3
fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy
2020-01-16 09:23:16 +09:00
lemonli
2498dbf636
clean node_authorizer code: verb judgement
2020-01-15 18:08:09 +08:00
Jordan Liggitt
39e373fc45
Do not require token secrets when using bound service account tokens
2020-01-09 13:20:45 -05:00
wojtekt
1657ef25eb
Extend authorization benchmark
2019-12-12 16:20:38 +01:00
Kubernetes Prow Robot
14fe931e9f
Merge pull request #85375 from liggitt/delegated-list-watch
...
Add single-item list/watch to delegated authentication reader role
2019-11-15 20:49:41 -08:00
Kubernetes Prow Robot
5848ee4945
Merge pull request #85365 from robscott/endpointslice-default-off
...
Disabling EndpointSlice feature gate by default
2019-11-15 17:57:50 -08:00
Jordan Liggitt
ba93157fd2
Add single-item list/watch to delegated authentication reader role
2019-11-15 20:37:43 -05:00
Rob Scott
37aa219fff
Disabling EndpointSlice feature gate by default
...
Given the significance this change would have we've decided to hold off
on enabling this by default until we can have better test coverage and
more real world usage of the feature.
2019-11-15 14:54:35 -08:00
David Zhu
e64a4bc631
Update attachdetach-controller role to include permissions to get, list, and watch csinodes for CSIMigration
2019-11-15 11:22:35 -08:00
Roc Chan
c9cf3f5b72
Service Topology implementation
...
* Implement Service Topology for ipvs and iptables proxier
* Add test files
* API validation
2019-11-15 13:36:43 +08:00