github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
121,390 Commits 1 Branch 31 Tags 1,019 MiB
fcd6c19c24
Commit Graph

259 Commits

Author SHA1 Message Date
Kubernetes Prow Robot
f139450e9b
Merge pull request #122885 from claudiubelu/unittests-10 
unittests: Fixes unit tests for Windows (part 10)
 2024-02-28 05:38:40 -08:00
Kubernetes Prow Robot
66d038d84d
Merge pull request #121946 from liggitt/reload-authz 
KEP-3221: Implement authorization configuration file reloading
 2024-02-15 18:37:13 -08:00
Kubernetes Prow Robot
72c3c7c924
Merge pull request #123282 from enj/enj/i/authn_config_algs 
Support all key algs with structured authn config
 2024-02-14 18:08:32 -08:00
Jordan Liggitt
5dc92ada06
Implement authz config file reloading 2024-02-14 18:09:15 -05:00
Jordan Liggitt
5f4cb8b09a
Move kube-apiserver authz validation functions 2024-02-14 10:00:11 -05:00
Monis Khan
b5e0068325
Support all key algs with structured authn config 
Signed-off-by: Monis Khan <mok@microsoft.com>
 2024-02-14 09:40:25 -05:00
Alexander Zielenski
8b14116509 refactor: move vap into parent policy folder 
also renames to remove stutter

comment
 2024-02-12 10:58:24 -08:00
Claudiu Belu
b8df7e7684 unittests: Fixes unit tests for Windows (part 10) 
Currently, there are some unit tests that are failing on
Windows due to various reasons:

- Different "File not found" error messages on Windows.
- Files need to be closed on Windows before removing them.
- The default RootHnsEndpointName (root-hnsendpoint-name) flag value is 'cbr0'
- On Windows, Unix Domain sockets are not checked in the same way in golang, which is why
  hostutils_windows.go checks for it differently. GetFileType will return an error in this
  case. We need to check for it, and see if it's actually a Unix Domain Socket.
 2024-01-22 13:43:42 +00:00
Mahe Tardy
73bec0f6d9 api: remove SecurityContextDeny admission plugin 2024-01-05 15:11:18 +00:00
Jordan Liggitt
1f40e0916e
Only default mode to AlwaysAllow when config file is unspecified 2023-11-08 11:24:28 -06:00
James Munnelly
76463e21d4 KEP-4193: bound service account token improvements 2023-10-30 21:15:10 +00:00
Kubernetes Prow Robot
b7e5cbf1cf
Merge pull request #121301 from sttts/sttts-validate-cloud-provider-2 
kubeapiserver/options: fix cloud provider validation
 2023-10-26 01:08:14 +02:00
Nabarun Pal
22e5a806a7
Add --authorization-config flag to apiserver 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
 2023-10-18 11:58:47 +05:30
Kubernetes Prow Robot
d22e315c4a
Merge pull request #120910 from palnabarun/3221/fix-kubeconfig-file-type-name 
staging/apiserver: correct KubeConfig type name in authorization types
 2023-10-17 18:50:33 +02:00
Dr. Stefan Schimanski
72e67e0ef0
kubeapiserver/options: fix cloud provider validation 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
 2023-10-17 17:50:25 +02:00
Nabarun Pal
2bf2c4f3a4
staging/apiserver: correct KubeConfigFile type in authorization types 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
 2023-10-17 20:01:27 +05:30
Kubernetes Prow Robot
91c172e670
Merge pull request #121108 from sttts/sttts-validate-cloud-provider 
kube-apiserver: move cloud provider validation into options
 2023-10-17 16:14:10 +02:00
Jefftree
b30c6bdff8 Fix v3 spec 2023-10-16 15:05:13 -04:00
Dr. Stefan Schimanski
0f989046d0
kube-apiserver: move cloud provider validation into options 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
 2023-10-10 22:43:23 +02:00
Nabarun Pal
3de0d9afbb
pkg/kubeapiserver: pass authorizer in top level while building from legacy options 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
 2023-10-04 14:17:16 +05:30
Kubernetes Prow Robot
26c3f66887
Merge pull request #120903 from dims/deprecate-cloud-provider-and-config-cli-params 
Deprecate cloud-provider/cloud-config in apiserver CLI
 2023-09-27 18:17:33 -07:00
Dr. Stefan Schimanski
6395049176
controlplane: make option structs uniformly optional 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
 2023-09-27 11:22:37 +02:00
Davanum Srinivas
4d2d9947bf
Deprecate cloud-provider/cloud-config in apiserver CLI 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2023-09-26 16:05:01 -04:00
Nabarun Pal
108d195595
use AuthorizationConfiguration in kube-apiserver for storing authorizer config 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
 2023-09-18 11:33:18 +05:30
Anish Ramasekar
9e1ff1e512
add loading config and wire feature flag 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2023-08-30 23:14:56 +00:00
Anish Ramasekar
1bad3cbbf5
wiring existing oidc flags with internal API struct 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2023-08-25 17:15:33 +00:00
Kubernetes Prow Robot
8d244d3e66
Merge pull request #116721 from enj/enj/i/bootstrap_authn_lister 
Wire bootstrap token authn secret lister only when it is enabled
 2023-04-11 18:19:30 -07:00
Kubernetes Prow Robot
61457b939d
Merge pull request #116648 from ncdc/admission-clients 
admission ApplyTo: take in clients
 2023-04-11 18:18:41 -07:00
Monis Khan
e9866d2794
Clear front proxy headers after authentication is complete 
This matches the logic we have for the Authorization header as well
as the impersonation headers.

Signed-off-by: Monis Khan <mok@microsoft.com>
 2023-03-21 10:51:22 -04:00
Monis Khan
94f2d35164
Wire bootstrap token authn secret lister only when it is enabled 
Signed-off-by: Monis Khan <mok@microsoft.com>
 2023-03-17 11:17:20 -04:00
Taahir Ahmed
6a75e7c40c ClusterTrustBundles: Define types 
This commit is the main API piece of KEP-3257 (ClusterTrustBundles).

This commit:

* Adds the certificates.k8s.io/v1alpha1 API group
* Adds the ClusterTrustBundle type.
* Registers the new type in kube-apiserver.
* Implements the type-specfic validation specified for
  ClusterTrustBundles:
  - spec.pemTrustAnchors must always be non-empty.
  - spec.signerName must be either empty or a valid signer name.
  - Changing spec.signerName is disallowed.
* Implements the "attest" admission check to restrict actions on
  ClusterTrustBundles that include a signer name.

Because it wasn't specified in the KEP, I chose to make attempts to
update the signer name be validation errors, rather than silently
ignored.

I have tested this out by launching these changes in kind and
manipulating ClusterTrustBundle objects in the resulting cluster using
kubectl.
 2023-03-15 20:10:18 -07:00
Andy Goldstein
364b66ddd6
admission ApplyTo: take in clients 
Change admission ApplyTo() to take in clients instead of a rest.Config.

Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
 2023-03-15 11:15:49 -04:00
Thomas Milox
3ad2ab18fa
pkg/kubeapiserver/options: Improving test coverage (#114234) 
* pkg/kubeapiserver/options: Improving test coverage

Signed-off-by: TommyStarK <thomasmilox@gmail.com>

* pkg/kubeapiserver/options: Improving test coverage

Add a snippet of the expected error string related to the aspect being tested

Signed-off-by: TommyStarK <thomasmilox@gmail.com>

Signed-off-by: TommyStarK <thomasmilox@gmail.com>
 2022-12-14 17:51:35 -08:00
Cici Huang
2973712486 Rename FG to ValidatingAdmissionPolicy 2022-11-10 03:37:35 +00:00
Cici Huang
40c21dafcd Rename admission cel package to validatingadmissionpolicy 2022-11-10 03:37:30 +00:00
Cici Huang
e7d83a1fb7 Integrate cel admission with API. 
Co-authored-by: Alexander Zielenski <zielenski@google.com>
Co-authored-by: Joe Betz <jpbetz@google.com>
 2022-11-07 21:38:55 +00:00
Shihang Zhang
569cd70a52 track legacy service account tokens 2022-10-24 09:37:53 -07:00
Kubernetes Prow Robot
85e7ddbcfb
Merge pull request #111313 from BinacsLee/binacs/use-len-in-options 
cleanup: use sets.Len() insead of len(sets.List())
 2022-10-04 07:34:16 -07:00
Kubernetes Prow Robot
3051cb2ba1
Merge pull request #108624 from ialidzhikov/cleanup/service-account-api-audiences 
apiserver: Remove the deprecated `--service-account-api-audiences` flag
 2022-08-02 09:15:44 -07:00
Davanum Srinivas
a9593d634c
Generate and format files 
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2022-07-26 13:14:05 -04:00
Kubernetes Prow Robot
37311a2eed
Merge pull request #103663 from bells17/fix-priority-plugin-comment 
Fix Priority plugin comment
 2022-07-25 07:40:35 -07:00
BinacsLee
80b43075c9 cleanup: use sets.Len() insead of len(sets.List()) 2022-07-21 20:13:30 +08:00
Jordan Liggitt
410ac59c0d Remove PodSecurityPolicy admission plugin 2022-05-04 16:00:56 -04:00
Jefftree
67d3dbfaae Separate OpenAPI V2 and V3 Config 2022-03-29 17:49:56 -07:00
ialidzhikov
92707cafbb apiserver: Remove the deprecated --service-account-api-audiences flag 
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
 2022-03-10 09:46:20 +02:00
bryfry
038ad9b3a5 correct references to service-account-signing-key-file flag 2022-01-30 04:24:25 +00:00
Shubham Kuchhal
ef2be5586e Add supported 'alg' header values. 2021-09-16 14:02:21 +05:30
Monis Khan
b5ef684d90
admission: run PodSecurity before PodSecurityPolicy 
This change fixes the order in which the PodSecurity and
PodSecurityPolicy admission plugins are run.  The old code intended
for PSA to run before PSP, but attempted to enforce that via
registration order (which is irrelevant).  Now PSA is correctly
executed before PSP to allow for audit and warning modes to be
exercised even in the presence of a deny PSP policy.

Signed-off-by: Monis Khan <mok@vmware.com>
 2021-09-01 11:39:58 -04:00
Antonio Ojea
0cd75e8fec run hack/update-netparse-cve.sh 2021-08-20 10:42:09 +02:00
Mengjiao Liu
7911a08fb3 Remove ServiceAccountIssuerDiscovery feature gate 2021-07-14 18:43:59 +08:00