Michael Taufen
ab1eb8ff24
Add comment in noderestriction on Node-bound-tokens
...
Explains why we don't explicitly prevent cross-node bindings in noderestriction (it's already implicitly enforced).
2023-11-06 18:04:16 +00:00
Taahir Ahmed
1ebe5774d0
kubelet: Support ClusterTrustBundlePEM projections
2023-11-03 11:40:48 -07:00
Patrick Ohly
2472291790
api: introduce separate VolumeResourceRequirements struct
...
PVC and containers shared the same ResourceRequirements struct to define their
API. When resource claims were added, that struct got extended, which
accidentally also changed the PVC API. To avoid such a mistake from happening
again, PVC now uses its own VolumeResourceRequirements struct.
The `Claims` field gets removed because risk of breaking someone is low:
theoretically, YAML files which have a claims field for volumes now
get rejected when validating against the OpenAPI. Such files
have never made sense and should be fixed.
Code that uses the struct definitions needs to be updated.
2023-08-21 15:31:28 +02:00
Kubernetes Prow Robot
f55f2785e2
Merge pull request #116254 from pohly/dra-node-authorizer
...
node authorizer: limit kubelet access to ResourceClaim objects
2023-07-18 13:44:04 -07:00
Hemant Kumar
e011187114
Update code to use new generic allocatedResourceStatus field
2023-07-17 15:30:35 -04:00
Patrick Ohly
4121c1fc79
auth: don't allow kubelet to modify ResourceClaimStatuses
...
The status determines which claims kubelet is allowed to access when claims get
created from a template. Therefore kubelet must not be allowed to modify that
part of the status, because otherwise it could add an entry and then gain
access to a claim it should have access to.
2023-07-13 20:42:21 +02:00
Tim Hockin
bc302fa414
Replace uses of ObjectReflectDiff with cmp.Diff
...
ObjectReflectDiff is already a shim over cmp.Diff, so no actual output
or behavior changes
2023-04-12 08:48:03 -07:00
TommyStarK
d570ab8bc5
plugin/pkg/admission: Replace deprecated pointer function
...
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
2023-01-04 14:12:32 +01:00
Hemant Kumar
9343cce20b
remove ExpandPersistentVolume feature gate
2022-03-24 10:02:47 -04:00
Hemant Kumar
4d956f053a
Fix bug with node restriction blocking pvc.status.resizestatus change
2022-01-21 10:03:26 -05:00
Davanum Srinivas
9405e9b55e
Check in OWNERS modified by update-yamlfmt.sh
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-12-09 21:31:26 -05:00
Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00
Michael Beaumont
a5a6762d33
Move pkg/kubelet/apis to k8s.io/kubelet/pkg/apis
2021-02-09 21:37:39 +01:00
ialidzhikov
bc432124a2
Remove CSINodeInfo feature gate
...
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
2020-12-10 09:58:22 +02:00
Mike Danese
84995167d6
hoist error message change in token registry to noderestriction
...
The token registry error message was changed in 5eefd7d012 to exclude some object details.
This error comes from noderestriction under some circumstances. Let's
make sure they match.
Change-Id: If9240f5c1a131d27dce389e2c6eca6c33d681f3b
2020-12-02 10:58:25 -08:00
Shihang Zhang
ff641f6eb2
mv TokenRequest and TokenRequestProjection to GA
2020-10-29 20:47:01 -07:00
Kubernetes Prow Robot
ccfdc09f35
Merge pull request #91683 from tedyu/mirror-pod-owner-ref
...
Mirror pod without OwnerReference should not be created
2020-09-25 11:02:48 -07:00
xufei 00416946
f787db2508
return err directly when nodename is not consistent in cert
2020-07-25 09:10:32 +08:00
Ted Yu
9f95fdd3cd
Mirror pod without OwnerReference should not be created
...
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
2020-06-21 08:00:17 -07:00
Jordan Liggitt
ba4d2aa076
Restrict node labels on Node create
2020-04-20 16:26:24 -04:00
Ted Yu
e0dbbf0a65
Visitors of Configmaps and Secrets should specify which containers to visit
...
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
2020-03-20 07:59:44 -07:00
Tim Allclair (St. Clair)
581d3e26c9
Restrict mirror pod owner references (#84657)
...
* Restrict mirror pod owners.
See http://git.k8s.io/enhancements/keps/sig-auth/20190916-noderestriction-pods.md
* Address feedback, refactor test
* Verify node owner UID
2019-11-14 20:52:16 -08:00
Kubernetes Prow Robot
94efa988f4
Merge pull request #84813 from deads2k/admission-feature-gates
...
remove global variable dependency from admission plugins
2019-11-12 10:23:14 -08:00
David Eads
83f6f2717e
remove global variable dep in admission
2019-11-12 10:55:14 -05:00
Kubernetes Prow Robot
9cf309ed59
Merge pull request #82049 from andrewsykim/ga-node-instance-type-label
...
Promote Node Instance Type Label to GA
2019-11-08 13:47:58 -08:00
Kubernetes Prow Robot
ae15368355
Merge pull request #84351 from wojtek-t/promote_node_lease_to_GA
...
Promote node lease to GA
2019-11-08 09:00:15 -08:00
Andrew Sy Kim
560b8efb79
noderestriction: update node restriction unit tests to use stable instance-type label
...
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
2019-11-08 11:17:58 -05:00
Andrew Sy Kim
4c194d52da
kubelet: set both deprecated Beta and GA labels for zone/region topology from the cloud provider
...
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
2019-11-07 21:22:04 -05:00
wojtekt
ffad401b4e
Promote NodeLease feature to GA
2019-11-05 09:01:12 +01:00
Michelle Au
603a2aa8a9
Add CSINode to storage/v1
2019-10-28 13:41:13 -07:00
Tim Allclair
ac2b300ed9
Update bazel
2019-10-23 16:43:03 -07:00
Tim Allclair
fea3111554
Forbid label updates by nodes through pod/status
2019-10-23 15:54:40 -07:00
Jordan Liggitt
92ea33efc5
Clean up TODOs
2019-10-03 09:23:10 -04:00
Di Xu
34cab8f80a
populate object name for admission attributes when CREATE
2019-08-22 11:46:12 +08:00
Jordan Liggitt
61774cd717
Plumb context to admission Admit/Validate
2019-08-20 11:11:00 -04:00
draveness
35bc5dc6b6
feat: cleanup feature gates for KubeletPluginsWatcher
2019-06-23 16:59:36 +08:00
Miguel Bernabeu
f47da8a75d
Fix golint violations in several plugins
2019-05-23 20:00:06 +02:00
Joe Betz
900d652a9a
Update tests for: Pass {Operation}Option to Webhooks
2019-05-14 10:49:43 -07:00
Andrew Kim
c919139245
update import of generic featuregate code from k8s.io/apiserver/pkg/util/feature -> k8s.io/component-base/featuregate
2019-05-08 10:01:50 -04:00
Antoine Pelisse
55f9eeed6c
Ignore changes to managed field in noderestriction
...
The validation is failing because the managedfields are changed when the
object is updated. We don't have a good way to verify that the changes
are only the ones that are supposed to happen, so we'll just ignore them
for now.
2019-03-06 13:48:38 -08:00
Xing Yang
85867e5625
Modify node admission and node authorizer
2019-03-04 16:42:12 -08:00
Mehdy Bohlool
d08bc3774d
Mechanical changes due to signature change for Admit and Validate functions
2019-02-16 13:28:47 -08:00
Kubernetes Prow Robot
b50c643be0
Merge pull request #73540 from rlenferink/patch-5
...
Updated OWNERS files to include link to docs
2019-02-08 09:05:56 -08:00
Davanum Srinivas
b975573385
move pkg/kubelet/apis/well_known_labels.go to staging/src/k8s.io/api/core/v1/
...
Co-Authored-By: Weibin Lin <linweibin1@huawei.com>
Change-Id: I163b2f2833e6b8767f72e2c815dcacd0f4e504ea
2019-02-05 13:39:07 -05:00
Roy Lenferink
b43c04452f
Updated OWNERS files to include link to docs
2019-02-04 22:33:12 +01:00
Jordan Liggitt
16e355791f
Improve node authorizer and noderestriction forbidden messages
2018-11-24 09:31:10 -05:00
Jordan Liggitt
9fb2dcad5e
Limit kubelets from updating their own labels
2018-11-13 23:48:47 -05:00
David Zhu
4621887037
Updated test files with new fields
2018-11-08 19:45:01 -08:00
Jordan Liggitt
4cbdc98df3
node-isolation approvers/reviewers
2018-11-06 00:57:39 -05:00
Cheng Xing
94d649b590
Rearranged feature flags
2018-09-07 17:45:27 -07:00