github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
121,390 Commits 1 Branch 31 Tags 1,019 MiB
fcd6c19c24
Commit Graph

259 Commits

Author SHA1 Message Date
Tim Hockin
10c32b3e2f
Get rid of most references to GOPATH 2024-02-29 22:06:51 -08:00
Jordan Liggitt
d5d3eddb95
Add allowed/denied metrics for authorizers 2024-02-16 08:20:59 -05:00
Jordan Liggitt
5dc92ada06
Implement authz config file reloading 2024-02-14 18:09:15 -05:00
carlory
57a5db8da3 remove feature-gate APISelfSubjectReview 2023-11-24 16:59:21 +08:00
Jordan Liggitt
b53134f129
Test anonymous and RBAC handling via config file 2023-11-08 14:36:05 -06:00
Jordan Liggitt
0112d91a05
Add multi-webhook integration test 2023-11-02 19:21:06 -04:00
James Munnelly
76463e21d4 KEP-4193: bound service account token improvements 2023-10-30 21:15:10 +00:00
Jordan Liggitt
a50d83c669
Add basic authz config integration test 2023-10-18 11:58:48 +05:30
Patrick Ohly
2472291790 api: introduce separate VolumeResourceRequirements struct 
PVC and containers shared the same ResourceRequirements struct to define their
API. When resource claims were added, that struct got extended, which
accidentally also changed the PVC API. To avoid such a mistake from happening
again, PVC now uses its own VolumeResourceRequirements struct.

The `Claims` field gets removed because risk of breaking someone is low:
theoretically, YAML files which have a claims field for volumes now
get rejected when validating against the OpenAPI. Such files
have never made sense and should be fixed.

Code that uses the struct definitions needs to be updated.
 2023-08-21 15:31:28 +02:00
Jordan Liggitt
39207dada2 Add integration test for node authorizer claim references 2023-07-13 20:42:21 +02:00
HirazawaUi
5289a7b029 fix fd leaks and failed file removing for test directory 2023-05-09 09:22:31 -05:00
Kante Yin
a7035f5459 Pass Context to StartTestServer 
Signed-off-by: Kante Yin <kerthcet@gmail.com>
 2023-05-04 10:25:09 +08:00
m.nabokikh
40de26dcff KEP-3325: Promote SelfSubjectReview to GA 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2023-05-02 14:50:40 +02:00
Patrick Ohly
a2fb32870f test/integration/auth: fix data race 
"username" gets read by one goroutine and written by another. Therefore it must
be protected by a mutex to avoid triggering the race detector.
 2023-04-05 16:11:38 +02:00
Maksim Nabokikh
c1431af4f8
KEP-3325: Promote SelfSubjectReview to Beta (#116274) 
* Promote SelfSubjectReview to Beta

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

* Fix whoami API

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

* Fixes according to code review

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

---------

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2023-03-08 15:42:33 -08:00
Max Goltzsche
df8fa2eab5
bump go-jose to v2.6.0 
Update go-jose from v2.2.2 to v2.6.0.
This is to make the kubernetes code compatible with newer go-jose versions that have a small breaking change (`jwt.NewNumericDate()` returns a pointer).

Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
 2023-03-02 02:53:17 +01:00
Alexander Zielenski
9ef1fc543f skip special features in TestPodSecurityGAOnly 
was causing some alpha/beta features to be disabled after running sometimes
 2023-02-28 13:21:35 -08:00
TommyStarK
9e885bce35 test/integration: Replace deprecated pointer function 
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
 2023-01-05 18:38:40 +01:00
Mengjiao Liu
a3d00c15b6 Remove ExpandPersistentVolumes feature gate 2022-12-15 11:43:50 +08:00
Mark Rossetti
498d065cc5
Promoting WindowsHostProcessContainers to stable 
Signed-off-by: Mark Rossetti <marosset@microsoft.com>
 2022-11-01 14:06:25 -07:00
Kubernetes Prow Robot
525280d285
Merge pull request #112643 from SergeyKanzhelev/removeDynamicKubeletConfig 
remove DynamicKubeletConfig feature gate from the code
 2022-10-12 01:33:00 -07:00
Wojciech Tyczyński
57c95fbfa1 Lock ServerSideApply feature to true 2022-09-27 13:48:28 +02:00
Sergey Kanzhelev
39e49a91d7 remove DynamicKubeletConfig feature gate from the code 2022-09-23 23:14:19 +00:00
Jordan Liggitt
e5c4c9b2c0
Make auth integation tests coexist with default API server config 2022-09-21 12:42:49 -04:00
m.nabokikh
00dfba473b Add auth API to get self subject attributes 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2022-09-14 18:00:26 +02:00
Wojciech Tyczyński
ab1038f0e0 Clean shutdown of auth integration tests 2022-07-19 11:34:02 +02:00
Wojciech Tyczyński
690d2f0101 Clean(er) shutdown of auth integration tests 2022-07-14 11:25:57 +02:00
Kubernetes Prow Robot
4b024fc4ee
Merge pull request #110459 from wangyysde/promote-pod-security-to-ga 
PodSecurity: promote config and feature gate to GA
 2022-06-15 14:41:22 -07:00
wangyysde
ab66a38194 PodSecurity: promote config and feature gate to GA 
Signed-off-by: wangyysde <net_use@bzhy.com>
 2022-06-15 09:29:47 +08:00
Wojciech Tyczyński
ed442cc3dd Clean(er) shutdown of auth integration tests 2022-06-14 13:55:31 +02:00
Wojciech Tyczyński
8ef7dd49ee Clean shutdown of auth integration tests 2022-06-10 19:46:50 +02:00
Wojciech Tyczyński
6f706775bc Clean shutdown of test apiserver 2022-05-26 10:42:48 +02:00
Wojciech Tyczyński
deef9e40de Simplify Create/Delete-TestingNamespace functions 2022-05-15 23:06:26 +02:00
Wojciech Tyczyński
04b77f02ee Minor cleanup to use t.Run() in test/integration 2022-05-02 21:13:32 +02:00
Hemant Kumar
9343cce20b remove ExpandPersistentVolume feature gate 2022-03-24 10:02:47 -04:00
Monis Khan
fef7d0ef1e
webhook: use rest.Config instead of kubeconfig file as input 
This change updates the generic webhook logic to use a rest.Config
as its input instead of a kubeconfig file.  This exposes all of the
rest.Config knobs to the caller instead of the more limited set
available through the kubeconfig format.  This is useful when this
code is being used as a library outside of core Kubernetes. For
example, a downstream consumer may want to override the webhook's
internals such as its TLS configuration.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-03-17 20:47:42 -04:00
Jordan Liggitt
92422a7305 set/validate object namespace before admission 2022-02-23 11:12:27 -05:00
Jordan Liggitt
19d71bb5d5 Validate and populate metadata fields in token request 2022-02-09 14:05:53 -05:00
ahrtr
fe95aa614c io/ioutil has already been deprecated in golang 1.16, so replace all ioutil with io and os 2022-02-03 05:32:12 +08:00
Jyoti Mahapatra
a1b52fb17a
extend sa token if audience is apiserver (#105954) 
Signed-off-by: Jyoti Mahapatra <jyotima@amazon.com>
 2022-01-31 16:01:52 -08:00
Jeffrey Ying
ecb9b620fe
Revert "Populate OpenAPI in all integration tests" 2022-01-26 13:30:03 -05:00
Jefftree
eb8f6fe0f9 Populate OpenAPI in all integration tests 2022-01-25 14:16:31 -08:00
Jordan Liggitt
57e0c5969b Fix integration test authenticators to include AllAuthenticated group 2022-01-19 13:21:05 -05:00
jlsong01
3006aa534b fix flake on TestQuotaLimitService 2022-01-19 21:58:57 +08:00
Jordan Liggitt
01fa142ef5 PodSecurity: promote to beta 2021-11-02 09:43:24 -04:00
Tim Allclair
6c273020d3 [PodSecurity] Avoid the LegcayRegistry for metrics serving 2021-11-01 14:23:00 -07:00
Tim Allclair
21692e1683 [PodSecurity] Add error & exemption metrics 2021-11-01 14:22:58 -07:00
Tim Allclair
e46928c0b1 [PodSecurity] Fix up metrics & add tests 
Update pod security metrics to match the spec in the KEP.
 2021-11-01 14:11:19 -07:00
Margo Crawford
d9ddfb26e1 Introduces Impersonate-Uid to client-go. 
* Updates ImpersonationConfig in rest/config.go to include UID
  attribute, and pass it through when copying the config
* Updates ImpersonationConfig in transport/config.go to include UID
  attribute
* In transport/round_tripper.go, Set the "Impersonate-Uid" header in
  requests based on the UID value in the config
* Update auth_test.go integration test to specify a UID through the new
  rest.ImpersonationConfig field rather than manually setting the
  Impersonate-Uid header

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-09-24 14:06:30 -07:00
Tim Allclair
32783f7568 PodSecurity: Initial webhook implementation 2021-07-09 17:04:29 -07:00