github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
40,132 Commits 1 Branch 31 Tags
fbb35b72ed144ca98d88efce8cfc8832336d2a8d
Commit Graph

307 Commits

Author SHA1 Message Date
deads2k
fbb35b72ed update delegating auth to include front-proxy 2016-12-06 09:40:07 -05:00
deads2k
4f625db133 move client-ca to authentication args 2016-12-06 09:34:49 -05:00
Kubernetes Submit Queue
2c61d2f80c Merge pull request #38121 from deads2k/auth-09-remove-rbac-super 
Automatic merge from submit-queue (batch tested with PRs 38111, 38121)

remove rbac super user

Cleaning up cruft and duplicated capabilities as we transition from RBAC alpha to beta.  In 1.5, we added a secured loopback connection based on the `system:masters` group name.  `system:masters` have full power in the API, so the RBAC super user is superfluous.

The flag will stay in place so that the process can still launch, but it will be disconnected.

@kubernetes/sig-auth
 2016-12-05 14:14:41 -08:00
Kubernetes Submit Queue
55f13b5729 Merge pull request #36374 from hongchaodeng/e 
Automatic merge from submit-queue (batch tested with PRs 36352, 36538, 37976, 36374)

etcd3: have prefix always prepended

ref: #36290

Previously, the prefix behavior is "sometimes prefixing". If the prefix already exists for the resource path, it will ignore.
With this PR, we make sure that prefix is always prepended in etcd3 storage backend. See the discussion in #36290
 2016-12-05 11:08:49 -08:00
deads2k
2923d09091 remove rbac super user 2016-12-05 13:49:54 -05:00
Kubernetes Submit Queue
5e41d0904f Merge pull request #37830 from sttts/sttts-stratify-cert-generation 
Automatic merge from submit-queue

Stratify apiserver cert generation

- move self-signed cert generation to `SecureServingOptions.MaybeDefaultWithSelfSignedCerts`
- make cert generation only depend on `ServerRunOptions`, not on an unfinished `Config` (this breaks the chicken-egg problem of a finished config in https://github.com/kubernetes/kubernetes/pull/35387#pullrequestreview-5368176)
- move loopback client config code into `config_selfclient.go`

Replaces https://github.com/kubernetes/kubernetes/pull/35387#event-833649341 by getting rid of duplicated `Complete`.
 2016-12-05 10:15:47 -08:00
Dr. Stefan Schimanski
3f01c37b9d Update generated files 2016-12-05 16:05:52 +01:00
Dr. Stefan Schimanski
d647d0ee8b Make failed secure loopback client non-fatal if insecure port is open 2016-12-05 14:58:16 +01:00
Dr. Stefan Schimanski
5b1d45bc15 Stratify certificate loading and self-sign cert generation 
This removes all dependencies on Config during cert generation, only operating
on ServerRunOptions. This way we get rid of the repeated call of Config.Complete
and cleanly stratify the GenericApiServer bootstrapping.
 2016-12-05 14:58:15 +01:00
Dr. Stefan Schimanski
2dff13f332 Update generated files 2016-12-05 12:42:31 +01:00
Dr. Stefan Schimanski
458d2b2fe4 Add verb support for discovery client 2016-12-05 12:36:05 +01:00
Kubernetes Submit Queue
3a5fd6b6c1 Merge pull request #36064 from gmarek/inflight 
Automatic merge from submit-queue

Split inflight requests into read-only and mutating groups

cc @smarterclayton @lavalamp @caesarxuchao 

```release-note
API server have two separate limits for read-only and mutating inflight requests.
```
 2016-12-05 00:53:32 -08:00
Hongchao Deng
51d9bb1f2b etcd3: have prefix to always prepended 2016-12-04 21:45:07 -08:00
Kubernetes Submit Queue
81d788dd6e Merge pull request #37534 from smarterclayton/move_unversion 
Automatic merge from submit-queue (batch tested with PRs 36816, 37534)

Move pkg/api/unversioned to pkg/apis/meta/v1

This moves code from using pkg/api/unversioned to pkg/apis/meta/v1 with the `metav1` local package name.

Built on top of #37532 (the first three commits related to ExportOptions)

Part of #37530
 2016-12-03 18:30:48 -08:00
Kubernetes Submit Queue
71182d826d Merge pull request #36816 from deads2k/api-43-front-proxy 
Automatic merge from submit-queue

plumb in front proxy group header

Builds on https://github.com/kubernetes/kubernetes/pull/36662 and https://github.com/kubernetes/kubernetes/pull/36774, so only the last commit is unique.

This completes the plumbing for front proxy header information and makes it possible to add just the front proxy header authenticator.

WIP because I'm going to assess it in use downstream.
 2016-12-03 18:01:42 -08:00
Clayton Coleman
3454a8d52c refactor: update bazel, codec, and gofmt 2016-12-03 19:10:53 -05:00
Clayton Coleman
5df8cc39c9 refactor: generated 2016-12-03 19:10:46 -05:00
Dr. Stefan Schimanski
b2b0142b6f Update bazel 2016-12-03 18:35:18 +01:00
Dr. Stefan Schimanski
1f5511b131 Move RESTStorageProvider interface into pkg/master 2016-12-03 18:35:15 +01:00
Dr. Stefan Schimanski
eeb582e53f Move DefaultServiceIPRange into pkg/master 2016-12-03 18:34:22 +01:00
deads2k
fc46c31bc2 simplify the authorization attribute getter 2016-12-02 16:19:12 -05:00
Kubernetes Submit Queue
35808b39aa Merge pull request #36472 from xilabao/cert-key-coexist 
Automatic merge from submit-queue

fix apiserver start failed if lost one of cert and key
 2016-12-01 07:52:15 -08:00
deads2k
78f2958c0f add request header options for groups 2016-12-01 09:02:15 -05:00
gmarek
4762acbd1e Split inflight requests into read-only and mutating groups 2016-12-01 09:34:00 +01:00
xilabao
7016057ff7 fix apiserver start failed if lost one of cert and key, add a error message 2016-11-30 17:25:52 +08:00
deads2k
ab9a842f3c add loopback auth defaulting to generic apiserver 2016-11-29 11:02:35 -05:00
deads2k
6846855929 add delegating authorization flags and options 2016-11-29 10:59:43 -05:00
deads2k
ca2b5f136e split authorization from main options struct 2016-11-29 10:59:43 -05:00
deads2k
5cea15ac9f add delegating auth options 2016-11-29 10:59:43 -05:00
deads2k
7c0e48f544 split out authentication options 2016-11-29 10:59:43 -05:00
deads2k
56b7a8b02b remove some options from mega-struct 2016-11-29 10:59:43 -05:00
deads2k
18074d7606 split insecure serving options 2016-11-29 10:59:42 -05:00
deads2k
a08f3ba521 split secure serving options 2016-11-29 10:59:42 -05:00
deads2k
a9af8206cb split generic etcdoption out of main struct 2016-11-29 10:59:42 -05:00
Clayton Coleman
35a6bfbcee generated: refactor 2016-11-23 22:30:47 -06:00
Chao Xu
bcc783c594 run hack/update-all.sh 2016-11-23 15:53:09 -08:00
Chao Xu
d0a725a522 master, genericapiserver, registry 2016-11-23 15:53:09 -08:00
gmarek
c97633b1f5 Add a flag allowing contention profiling of the API server 2016-11-14 17:38:26 +01:00
Kubernetes Submit Queue
860cae0933 Merge pull request #35488 from dixudx/keystone-ca-cert 
Automatic merge from submit-queue

specify custom ca file to verify the keystone server

<!--  Thanks for sending a pull request!  Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->

**What this PR does / why we need it**:

Sometimes the keystone server's certificate is self-signed, mainly used for internal development, testing and etc.

For this kind of ca, we need a way to verify the keystone server.

Otherwise, below error will occur.

> x509: certificate signed by unknown authority

This patch provide a way to pass in a ca file to verify the keystone server when starting `kube-apiserver`.

**Which issue this PR fixes** : fixes #22695, #24984

**Special notes for your reviewer**:

**Release note**:

<!--  Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access) 
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`. 
-->

``` release-note
```
 2016-11-08 13:13:00 -08:00
Kubernetes Submit Queue
4dbc532c9a Merge pull request #33568 from justinsb/fix_33563 
Automatic merge from submit-queue

AWS: Support default value for ExternalHost
 2016-11-08 05:07:13 -08:00
Kubernetes Submit Queue
9b32a5d142 Merge pull request #36321 from gyuho/etcd-flag 
Automatic merge from submit-queue

options, kube-apiserver: clarify scheme on etcd endpoints

**What this PR does / why we need it**:

Fix typo in `kube-apiserver` flag.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

None
 2016-11-08 02:52:54 -08:00
Dr. Stefan Schimanski
893d041726 Update bazel 2016-11-07 06:49:50 +01:00
Dr. Stefan Schimanski
05d290e5be Restore old apiserver cert CN 2016-11-07 06:49:49 +01:00
Gyu-Ho Lee
ce26f21ee6 options, kube-apiserver: clarify scheme on etcd endpoints 
When etcd server uses TLS, the scheme should be https.
 2016-11-06 13:22:58 -08:00
Kubernetes Submit Queue
c04cab536b Merge pull request #36134 from liggitt/kubelet-auth-cleanup 
Automatic merge from submit-queue

Cleanup auth logging, allow starting secured kubelet in local-up-cluster.sh

Cleanup for https://github.com/kubernetes/features/issues/89
 2016-11-06 08:33:04 -08:00
Kubernetes Submit Queue
973685c006 Merge pull request #32309 from smarterclayton/generic_storage_factory 
Automatic merge from submit-queue

Storage factory should not hardcode special resources

Prepares for future movement

@deads2k
 2016-11-05 18:05:33 -07:00
Di Xu
dd6c980949 specify custom ca file to verify the keystone server 2016-11-04 15:11:41 +08:00
Jordan Liggitt
d3991aa7c6 Cleanup auth logging, allow starting secured kubelet in local-up-cluster.sh 2016-11-03 16:17:11 -04:00
deads2k
d82f98c9b3 remove non-generic options from genericapiserver.Config 2016-11-03 11:48:33 -04:00
deads2k
4c12c3b130 abstract out discovery IP determination 2016-11-03 11:45:51 -04:00