github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
92,976 Commits 1 Branch 31 Tags 1,019 MiB
ff33efc164
Commit Graph

3007 Commits

Author SHA1 Message Date
Jordan Liggitt
6d335372b2 Add configmap->node destination edges to the node authorizer index 2020-02-10 13:23:50 -05:00
Mike Danese
25651408ae generated: run refactor 2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30 generated: run refactor 2020-02-07 18:16:47 -08:00
Kubernetes Prow Robot
91738cb031
Merge pull request #87688 from mborsz/node2 
Add a fast path for adding new node in node_authorizer
 2020-02-07 05:57:03 -08:00
Tim Allclair
9d3670f358 Ensure testing credentials are labeled as such 2020-02-04 10:36:05 -08:00
Maciej Borsz
69df8a8230 Add a fast path for adding new node in node_autorizer. 
This seems to improve WriteIndexMaintenance benchmark:

Before:
BenchmarkWriteIndexMaintenance-12    	    1034	   1157922 ns/op	    1906 B/op	      41 allocs/op
After:
BenchmarkWriteIndexMaintenance-12    	    4891	    239821 ns/op	    1572 B/op	      37 allocs/op
 2020-02-04 11:32:06 +01:00
Kubernetes Prow Robot
1bb68a2cde
Merge pull request #87693 from liggitt/node-authz-index 
Fix node authorizer index recomputation
 2020-01-30 21:20:55 -08:00
Jordan Liggitt
d8c00b7f52 Fix node authorizer index recomputation 2020-01-30 13:29:57 -05:00
Mike Danese
968adfa993 cleanup req.Context() and ResponseWrapper 2020-01-29 08:50:45 -08:00
Mike Danese
d55d6175f8 refactor 2020-01-29 08:50:45 -08:00
Kubernetes Prow Robot
9633dd63b2
Merge pull request #87239 from lemonli/cleanup/node-authorizer 
clean up node_authorizer code: verb judgement
 2020-01-24 19:21:15 -08:00
Rob Scott
469de65c25
Enabling EndpointSlice feature gate by default 
This enables the EndpointSlice controller by default, but does not make
kube-proxy a consumer of the EndpointSlice API.
 2020-01-17 16:19:29 -08:00
Kobayashi Daisuke
0c3112fff3 fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy 2020-01-16 09:23:16 +09:00
lemonli
2498dbf636 clean node_authorizer code: verb judgement 2020-01-15 18:08:09 +08:00
Jordan Liggitt
39e373fc45 Do not require token secrets when using bound service account tokens 2020-01-09 13:20:45 -05:00
wojtekt
1657ef25eb Extend authorization benchmark 2019-12-12 16:20:38 +01:00
Kubernetes Prow Robot
14fe931e9f
Merge pull request #85375 from liggitt/delegated-list-watch 
Add single-item list/watch to delegated authentication reader role
 2019-11-15 20:49:41 -08:00
Kubernetes Prow Robot
5848ee4945
Merge pull request #85365 from robscott/endpointslice-default-off 
Disabling EndpointSlice feature gate by default
 2019-11-15 17:57:50 -08:00
Jordan Liggitt
ba93157fd2 Add single-item list/watch to delegated authentication reader role 2019-11-15 20:37:43 -05:00
Rob Scott
37aa219fff
Disabling EndpointSlice feature gate by default 
Given the significance this change would have we've decided to hold off
on enabling this by default until we can have better test coverage and
more real world usage of the feature.
 2019-11-15 14:54:35 -08:00
David Zhu
e64a4bc631 Update attachdetach-controller role to include permissions to get, list, and watch csinodes for CSIMigration 2019-11-15 11:22:35 -08:00
Roc Chan
c9cf3f5b72 Service Topology implementation 
* Implement Service Topology for ipvs and iptables proxier
* Add test files
* API validation
 2019-11-15 13:36:43 +08:00
Tim Allclair (St. Clair)
581d3e26c9 Restrict mirror pod owner references (#84657) 
* Restrict mirror pod owners.

See http://git.k8s.io/enhancements/keps/sig-auth/20190916-noderestriction-pods.md

* Address feedback, refactor test

* Verify node owner UID
 2019-11-14 20:52:16 -08:00
Rob Scott
a7e589a8c6
Promoting EndpointSlices to beta 2019-11-13 14:20:19 -08:00
Kubernetes Prow Robot
195664db0e
Merge pull request #85099 from liggitt/quota-config-v1 
Promote apiserver.config.k8s.io/v1, kind=ResourceQuotaConfiguration
 2019-11-13 13:02:52 -08:00
draveness
5cb92260a6 feat: graduate ResourceQuotaScopeSelectors to GA 2019-11-13 14:07:22 +08:00
Kubernetes Prow Robot
bb55aa7c54
Merge pull request #76310 from ravisantoshgudimetla/fix-priority-quota 
Relax namespace restriction for critical pods
 2019-11-12 19:00:11 -08:00
ravisantoshgudimetla
f2cbbe228f BUILD files 2019-11-12 17:22:14 -05:00
ravisantoshgudimetla
fe4cac73c8 Relax namespace restriction for critical pods 2019-11-12 17:22:09 -05:00
Kubernetes Prow Robot
c580a12c8e
Merge pull request #83568 from bertinatto/volume_limits_ga 
Promote volume limits to GA
 2019-11-12 11:50:22 -08:00
Kubernetes Prow Robot
94efa988f4
Merge pull request #84813 from deads2k/admission-feature-gates 
remove global variable dependency from admission plugins
 2019-11-12 10:23:14 -08:00
David Eads
83f6f2717e remove global variable dep in admission 2019-11-12 10:55:14 -05:00
Jordan Liggitt
7d3012f297 Promote resource quota admission configuration to v1 2019-11-12 09:03:55 -05:00
Fabio Bertinatto
affcd0128b Promote volume limits to GA 2019-11-12 09:43:53 +01:00
Kubernetes Prow Robot
9cf309ed59
Merge pull request #82049 from andrewsykim/ga-node-instance-type-label 
Promote Node Instance Type Label to GA
 2019-11-08 13:47:58 -08:00
David Eads
675c2fb924 add featuregate inspection as admission plugin initializer 2019-11-08 13:07:40 -05:00
Kubernetes Prow Robot
ae15368355
Merge pull request #84351 from wojtek-t/promote_node_lease_to_GA 
Promote node lease to GA
 2019-11-08 09:00:15 -08:00
Andrew Sy Kim
560b8efb79 noderestriction: update node restriction unit tests to use stable instance-type label 
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
 2019-11-08 11:17:58 -05:00
Andrew Sy Kim
349749644f test/e2e: check both beta and zone label for getting cluster zone 
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
 2019-11-07 21:22:05 -05:00
Andrew Sy Kim
4c194d52da kubelet: set both deprecated Beta and GA labels for zone/region topology from the cloud provider 
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
 2019-11-07 21:22:04 -05:00
Wei Huang
019d7497a5
bazel files 2019-11-05 20:57:21 -08:00
Wei Huang
dd74205bcf
Move out const strings in pkg/scheduler/api/well_known_labels.go 2019-11-05 20:56:21 -08:00
wojtekt
ffad401b4e Promote NodeLease feature to GA 2019-11-05 09:01:12 +01:00
Kubernetes Prow Robot
1d1385af91
Merge pull request #83474 from msau42/topology-ga 
CSI Topology ga
 2019-11-04 15:28:27 -08:00
Kubernetes Prow Robot
0c88c4893f
Merge pull request #84275 from liggitt/beta-gate-runtimeclass-informers 
Feature-gate RuntimeClass informer starts
 2019-10-28 17:48:42 -07:00
Michelle Au
603a2aa8a9 Add CSINode to storage/v1 2019-10-28 13:41:13 -07:00
wojtekt
fafbad45aa Update bootstrappolicy RBAC rules for migration to lease API 2019-10-28 09:09:03 +01:00
Kubernetes Prow Robot
a3560d3ad9
Merge pull request #84282 from yutedz/rm-csi-rbac-roles 
Remove deprecated CSI RBAC roles
 2019-10-24 22:56:14 -07:00
Kubernetes Prow Robot
06252a4630
Merge pull request #84260 from tallclair/status-restrict 
Forbid label updates by nodes through pod/status
 2019-10-24 16:56:43 -07:00
Ted Yu
13596e5249 Remove obsolete CSI RBAC roles 2019-10-24 05:33:02 -07:00
Kubernetes Prow Robot
2c4cba8aa0
Merge pull request #82365 from jkaniuk/pod-gc 
Pod GC controller - use node lister
 2019-10-24 03:13:06 -07:00
Jordan Liggitt
20b2439457 Feature-gate RuntimeClass informer starts 2019-10-24 01:18:07 -04:00
Tim Allclair
ac2b300ed9 Update bazel 2019-10-23 16:43:03 -07:00
Tim Allclair
fea3111554 Forbid label updates by nodes through pod/status 2019-10-23 15:54:40 -07:00
yue9944882
09cf42d67c switch system priority class to versioned (v1) api 
move all the helpers to scheduling v1 helpers

less explicit conversion
 2019-10-24 00:51:57 +08:00
Jacek Kaniuk
e6e026f1ad Allow pod-garbage-collector to get nodes 2019-10-23 16:54:38 +02:00
draveness
1163a1d51e feat: update taint nodes by condition to GA 2019-10-19 09:17:41 +08:00
Kubernetes Prow Robot
4f1c5b8cac
Merge pull request #81940 from carlory/fix-appserver 
fix static check failures
 2019-10-10 12:07:21 -07:00
carlory
f6bb24129e fix static check failures 2019-10-10 22:59:09 +08:00
Jordan Liggitt
92ea33efc5 Clean up TODOs 2019-10-03 09:23:10 -04:00
Mahendra Kariya
3698100224 Fix golint errors in pkg/apis/core (#82919) 
* Fix lint errors related to receiver name

Ref #68026

* Fix lint errors related to comments

Ref #68026

* Fix package name in comments

Ref #68026

* Rename Cpu to CPU

Ref #68026

* Fix lint errors related to naming convention

Ref #68026

* Remove deprecated field

DoNotUse_ExternalID has been deprecated and is not in use anymore.
It has been removed to fix lint errors related to underscores in field
names.

Ref #68026, #61966

* Include pkg/apis/core in golint check

Ref #68026

* Rename var to fix lint errors

Ref #68026

* Revert "Remove deprecated field"

This reverts commit 75e9bfc168077fcb9346e334b59d60a2c997735b.

Ref #82919

* Remove math from godoc

Ref #82919, #68026

* Remove underscore from var name

Ref #68026

* Rename var in staging core api type

Ref #68026
 2019-09-25 11:06:51 -07:00
Kubernetes Prow Robot
327f53ba57
Merge pull request #83064 from liggitt/propagate-context 
Propagate context to remote authorize/authenticate webhook calls
 2019-09-25 09:32:01 -07:00
Jordan Liggitt
b78edd86b8 Plumb context to webhook calls 2019-09-24 21:59:59 -04:00
Jordan Liggitt
4c686ddc1c Propagate context to ExponentialBackoff 2019-09-24 21:59:59 -04:00
Jordan Liggitt
92eb072989 Propagate context to Authorize() calls 2019-09-24 11:14:54 -04:00
Kubernetes Prow Robot
ac8ac0fc17
Merge pull request #82830 from jsafrane/pv-admission-fix 
Do not query the cloud if dynamic PV has all the labels
 2019-09-20 12:27:38 -07:00
Kubernetes Prow Robot
c7619bd770
Merge pull request #80824 from damemi/preemption-e2e-to-integration 
Move PodPriorityResolution e2e to integration
 2019-09-20 12:27:25 -07:00
Mike Dame
ca18b48151 Move PodPriorityResolution e2e to integration 2019-09-19 20:25:03 -04:00
Jan Safranek
a160bf8a59 Do not query the cloud if PV has all the labels 
This saves one cloud API call.
 2019-09-18 14:56:28 +02:00
Marcin Owsiany
2a75058943
Fix a couple of typos 2019-09-18 09:45:10 +02:00
Yassine TIJANI
18b185b5e8 adding yastij as a reviewer for the runtimeclass admission controller 
Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
 2019-09-10 20:34:28 +02:00
Kubernetes Prow Robot
0ff92e36f2
Merge pull request #82153 from robscott/endpointslice-rbac 
Adding EndpointSlice RBAC for node-proxier/kube-proxy
 2019-08-30 13:05:14 -07:00
Kubernetes Prow Robot
7acb066dbc
Merge pull request #81969 from logicalhan/livez 
add `/livez` endpoint for liveness probing on the kube-apiserver
 2019-08-29 19:56:31 -07:00
Rob Scott
1f5070e81c
Adding EndpointSlice RBAC for node-proxier/kube-proxy 2019-08-29 16:55:18 -07:00
Han Kang
aa1b2d6d35 add /livez as a liveness endpoint for kube-apiserver 
go fmt

make func private

refactor config_test

Two primary refactorings:

1. config test checkPath method is now each a distinct test
run (which makes it easier to see what is actually failing)

2. TestNewWithDelegate's root path check now parses the json output and
does a comparison against a list of expected paths (no more whitespace
and ordering issues when updating this test, yay).

go fmt

modify and simplify existing integration test for readyz/livez

simplify integration test

set default rbac policy rules for livez

rename a few functions and the entrypoint command line argument (and etcetera)

simplify interface for installing readyz and livez and make auto-register completion a bootstrapped check

untangle some of the nested functions, restructure the code
 2019-08-29 14:13:19 -07:00
Rob Scott
75f6c24923
Adding EndpointSlice controller 2019-08-28 21:13:27 -07:00
Tim Allclair
2e08288144 Remove conflict logic from PodTolerationRestriction 2019-08-26 15:31:15 -07:00
Kubernetes Prow Robot
ce8cccb966
Merge pull request #81072 from draveness/feature/runtime-class-scheduling-admission-plugin 
[RuntimeClassScheduling] Update runtime class admission plugin - Part2
 2019-08-23 22:26:37 -07:00
Kubernetes Prow Robot
6b47754740
Merge pull request #81627 from tallclair/copy 
Delete duplicate resource.Quantity.Copy()
 2019-08-22 11:13:13 -07:00
Di Xu
34cab8f80a populate object name for admission attributes when CREATE 2019-08-22 11:46:12 +08:00
draveness
5732c6370a feat: update runtime class admission plugin 2019-08-22 09:06:58 +08:00
Jordan Liggitt
61774cd717 Plumb context to admission Admit/Validate 2019-08-20 11:11:00 -04:00
Tim Allclair
49f50484b8 Delete duplicate resource.Quantity.Copy() 2019-08-19 17:23:14 -07:00
Kubernetes Prow Robot
a6aea3fcd8
Merge pull request #81265 from jfbai/replace-status-too-many-request 
Replace self defined const StatusTooManyRequests with http.StatusTooM…
 2019-08-19 15:09:31 -07:00
Kubernetes Prow Robot
273e9262bb
Merge pull request #80342 from draveness/feature/remove-critical-pod-annotation 
feat: cleanup pod critical pod annotations feature
 2019-08-15 07:20:34 -07:00
Jianfei Bai
07077a8aa5 Replace self defined const StatusTooManyRequests with http.StatusTooManyRequests. 2019-08-12 20:52:12 +08:00
draveness
495faa22db feat: cleanup pod critical pod annotations feature 2019-08-09 08:41:23 +08:00
Jordan Liggitt
8b155e82d8 Use the escalate verb for clusterroleaggregator rather than cluster-admin permissions 2019-08-08 17:59:12 -04:00
Kirill Shirinkin
5e9da75df2 Allow aggregate-to-view roles to get jobs status (#77866) 
* Allow aggregate-to-edit roles to get jobs status

Right now users/accounts with role `admin` or `edit` can create, update and delete jobs, but are not allowed to pull the status of a job that they create.  This change extends `aggregate-to-edit` rules to include `jobs/status`.

* Move jobs/status to aggregate-to-view rules

* Add aggregate-to-view policy to view PVCs status

* Update fixtures to include new read permissions

* Add more status subresources

* Update cluster-roles.yaml

* Re-order deployment permissions

* Run go fmt

* Add more permissions

* Fix tests

* Re-order permissions in test data

* Automatically update yamls
 2019-07-26 11:59:22 -07:00
Kubernetes Prow Robot
ab3bf7237d
Merge pull request #79565 from tedyu/runtime-cls 
Return the error from validateOverhead in RuntimeClass#Validate
 2019-07-19 12:37:24 -07:00
draveness
d83526d253 Revert "feat: cleanup pod critical pod annotations feature" 
This reverts commit b6d41ee5cc.
 2019-07-18 13:31:12 +08:00
Kubernetes Prow Robot
642a06e552
Merge pull request #79554 from draveness/feature/remove-critical-pod-annotation 
feat: cleanup pod critical pod annotations feature
 2019-07-11 22:03:04 -07:00
Kubernetes Prow Robot
2659b3755a
Merge pull request #80030 from yastij/bootstrap-policy 
add rbac for events.k8s.io apiGroup to system:kube-scheduler
 2019-07-11 11:25:20 -07:00
Yassine TIJANI
a024d48eba add rbac for events.k8s.io apiGroup to system:kube-scheduler 
Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
 2019-07-11 16:10:32 +02:00
Kubernetes Prow Robot
d11eb67c02
Merge pull request #79621 from egernst/admission-fixups 
RuntimeClass-admission: fixup comment, simplify nested ifs
 2019-07-11 05:36:55 -07:00
Jordan Liggitt
2899abb65c Populate API version in synthetic authorization requests 2019-07-10 21:29:25 -04:00
draveness
b6d41ee5cc feat: cleanup pod critical pod annotations feature 2019-07-11 08:54:19 +08:00
Ted Yu
059243fbd2 Return the error from validateOverhead in RuntimeClass#Validate 2019-07-10 17:32:53 -07:00
Eric Ernst
d409619284 RuntimeClass-admission: fixup comment, simplify nested ifs 
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
 2019-07-02 10:49:49 -07:00
Kubernetes Prow Robot
64a2be8e44
Merge pull request #79387 from tedyu/cont-helper-early 
Restore early return for podSpecHasContainer
 2019-07-01 15:09:45 -07:00