github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-31 15:25:57 +00:00
Code Issues Projects Releases Wiki Activity
115,151 Commits 42 Branches 7,905 Tags 1.3 GiB
master
Commit Graph

662 Commits

Author SHA1 Message Date
k8s-merge-robot
015389eba1 Merge pull request #13672 from jayunit100/apiserver-cert-doc 
Auto commit by PR queue bot
 2015-09-08 11:42:28 -07:00
Ryan Fowler
d22a29cf66 Block apiserver startup on certificate 
With some regularity, if the root certificate file needs to be generated
the apiserver could come up on the non-secure port before the cert
was generated.

`hack/local-up-cluster.sh` requires that apiserver.crt exists
before the replication controller starts. Otherwise service accounts
and secrets don't work.

This change just takes the certificate handling code out of the `go`.
 2015-09-08 11:35:32 -05:00
jay vyas
4283201aea [minor] cert file cmd line string fix 2015-09-08 09:50:15 -04:00
Ruddarraju, Uday Kumar Raju
f8d6f13f7c Union of authorizers 2015-09-04 11:04:50 -07:00
derekwaynecarr
ab1f4c5c2c Fix typo in api server flag 2015-09-04 11:38:36 -04:00
Avesh Agarwal
f0d0e2a089 Remove unused api-rate and api-burst params. 2015-09-03 17:57:35 -04:00
Timothy St. Clair
2145371c45 Plumb through configuration option to disable watch cache 
because we are seeing anomolies on our cluster.
 2015-08-28 12:36:40 -05:00
Yu-Ju Hong
3bc2157889 Merge pull request #13100 from pweil-/cap-priv-sources 
use privileged source object
 2015-08-25 16:10:50 -07:00
Yifan Gu
aca6368e3c plugin/oidc: add minor documentation details. 2015-08-24 15:25:26 -07:00
Paul Weil
709e654686 use privileged source object 2015-08-24 16:53:43 -04:00
Yifan Gu
6376e41850 plugin/pkg/auth: add OpenID Connect token authenticator. 
Also add related new flags to apiserver:
"--oidc-issuer-url", "--oidc-client-id", "--oidc-ca-file", "--oidc-username-claim",
to enable OpenID Connect authentication.
 2015-08-21 15:27:08 -07:00
Saad Ali
c1a2c6dee7 Merge pull request #10713 from thockin/no-localhost-endpoints 
Check loopback and link-local multicast endpoints
 2015-08-19 12:48:33 -07:00
gmarek
3c907b33e1 Remove external function setting Kubelet flags 2015-08-19 13:20:41 +02:00
Tim Hockin
86f4535871 Check loopback and link-local multicast endpoints 
Previously we just disallowed link-local (unicast).  This disallows loopback
and link-local multicast.
 2015-08-18 21:50:27 -07:00
Kris Rousey
ae6c64d9bb Moving everyone to unversioned client 2015-08-18 10:23:03 -07:00
Bin Wang
0547c52c2c Enforce specified service-cluster-ip-range is not too large 2015-08-18 10:35:21 +08:00
Eric Paris
347c7b5b82 Mark some flags as deprecated so thus don't show up in help 2015-08-14 19:28:03 -04:00
Ruddarraju, Uday Kumar Raju
937db3f70d Keystone authentication plugin 2015-08-13 09:46:30 -07:00
Eric Paris
1333fad22a Remove BindClientConfigFlags entirely 
They are unused.
 2015-08-11 16:26:24 -04:00
Alex Robinson
11fcd3bb39 Merge pull request #12478 from eparis/use-pflag-network 
Use pflags for net.IP and net.IPNet instead of custom flag types
 2015-08-10 11:55:54 -07:00
Eric Paris
f3282ff4d2 Use pflag IPNet instead of our own helpers 
Since pflag can handle net.IPNet arguements use that code. This means
that our code no longer has casts back and forth and just natively uses
net.IPNet.
 2015-08-10 10:15:08 -04:00
Eric Paris
fe6b633e2a Convert for util.IP to just use a net.IP 
pflag can handle IP addresses so use the pflag code instead of doing it
ourselves. This means our code just uses net.IP and we don't have all of
the useless casting back and forth!
 2015-08-10 10:15:05 -04:00
Veres Lajos
9f77e49109 typofix - https://github.com/vlajos/misspell_fixer 2015-08-08 22:31:48 +01:00
Eric Paris
7cbb52ce04 Use the pflag StringSlice instead of implementing it ourselves 
Saves code and makes our code easier to read because we just use normal
[]string instead of custom type.
 2015-08-06 19:16:13 -04:00
Mike Danese
17defc7383 run gofmt on everything we touched 2015-08-05 17:52:56 -07:00
Mike Danese
8e33cbfa28 rewrite go imports 2015-08-05 17:30:03 -07:00
Muhammed Uluyol
58a875ac2c Add (stopgap) support for an experimental API prefix. 2015-07-30 18:14:29 -07:00
Wojciech Tyczynski
99d6b0e9f4 Rename storage interfaces 2015-07-30 10:34:57 +02:00
Wojciech Tyczynski
d17985f1ad Move StorageInterface to pkg/storage. 2015-07-30 09:32:04 +02:00
Brendan Burns
99b02bfe73 Add optional throttling to the proxy/exec/attach methods 2015-07-29 13:51:20 -07:00
Marek Grabowski
7cc1855c27 Merge pull request #11806 from wojtek-t/private_etcd_helper 
Make EtcdHelper private - expose only StorageInterface
 2015-07-27 11:21:28 +02:00
Marek Grabowski
00cd52dd68 Merge pull request #10656 from krousey/timeouts 
Adding proper timeouts.
 2015-07-27 10:56:58 +02:00
Wojciech Tyczynski
9d943df397 Private EtcdHelper 2015-07-27 09:20:13 +02:00
Mike Danese
859f440f74 Merge pull request #11666 from wojtek-t/refactor_etcd_helper 
Extract EtcdHelper interface
 2015-07-24 11:07:46 -07:00
Mike Danese
ae1c8e55ef Merge pull request #11737 from thockin/cleanup-remove-v1beta3 
Remove v1beta3
 2015-07-24 10:25:56 -07:00
Wojciech Tyczynski
fdb3f45077 Extract EtcdHelper interface 2015-07-24 09:28:02 +02:00
Vish Kannan
2a5a6b99cb Merge pull request #10635 from smarterclayton/cloud_provider_should_err 
Cloud provider should return an error
 2015-07-23 17:50:45 -07:00
Tim Hockin
1c3233a1d4 Remove v1beta3 2015-07-23 17:21:27 -07:00
Wojciech Tyczynski
ee92aa3897 Prepare for extracting EtcdHelper interface 2015-07-23 09:37:39 +02:00
Kris Rousey
1d033b9912 Adding proper timeouts. 2015-07-10 14:42:59 -07:00
nikhiljindal
c465a50891 Stop exposing v1beta3 by default 2015-07-08 15:27:41 -07:00
Eric Paris
cde68d294b Do not create subject alt dns names for kubelet self signed certs 
PR #10643 Started adding the dns names for the kubernetes master to self
sign certs which were created. The kubelet uses this same code, and thus
the kubelet cert started saying it was valid for these name as well.
While hardless, the kubelet cert shouldn't claim to be these things. So
make the caller explicitly list both their ip and dns subject alt names.
 2015-07-04 23:01:01 -04:00
Eric Paris
7a29af4d2c Add Subject Alt Names to self signed apiserver certs 
A cert from GCE shows:
- IP Address:23.236.49.122
- IP Address:10.0.0.1
- DNS:kubernetes,
- DNS:kubernetes.default
- DNS:kubernetes.default.svc
- DNS:kubernetes.default.svc.cluster.local
- DNS:e2e-test-zml-master

A similarly configured self signed cert shows:
- IP Address:23.236.49.122
- IP Address:10.0.0.1
- DNS:kubernetes
- DNS:kubernetes.default
- DNS:kubernetes.default.svc

So we are missing the fqdn kubernetes.default.svc.cluster.local. The
apiserver does not even know the fqdn! it's defined entirely by the
kubelet! We also do not have the cluster name certificate. This may be
--cluster-name= argument to the apiserver but will take a bit more
research.
 2015-07-01 17:05:17 -04:00
Clayton Coleman
d8bb4552de Cloud provider should return an error 
Not fatal - makes cloud provider useful in methods that
can return error.
 2015-07-01 14:41:49 -04:00
Aaron Levy
e991a1543f Use blank default for old-etcd-prefix 2015-06-26 18:19:40 -07:00
Jordan Liggitt
64d61185eb Re-enable ECDSA private server key use 2015-06-16 23:03:29 -04:00
Mike Danese
677855f1a9 fix longRunningRequestRE to something that doesn'tt push -f orig match pretty much all requests. 2015-06-16 13:48:10 -07:00
Justin Santa Barbara
6f3879e3bb Actually pass down ServiceNodePortRange so it is used 
Also fix default range to match what we've documented (off-by-one)

Fix #9318
 2015-06-08 18:03:42 -04:00
krousey
5aa0219ada Merge pull request #9292 from cjcullen/test_pull_8946 
Add an ssh tunnel option to the /proxy endpoint
 2015-06-08 14:30:12 -07:00
CJ Cullen
cb317604ab Some refactoring. Only selectively use ssh proxy. 
Add NetworkName to gce.Config.
Add locking to uses of master.tunnels.
 2015-06-05 14:55:16 -07:00
Brendan Burns
5115fd5703 Add key generation. 2015-06-05 14:55:15 -07:00
Brendan Burns
30a89968a4 Initial proxy tunnelling. 2015-06-05 14:54:20 -07:00
Prashanth Balasubramanian
50eb9ad598 Use https only for the kubelet port 2015-06-05 14:06:38 -07:00
Chao Xu
ef61b031f5 make v1 enabled by default 2015-06-04 11:37:44 -07:00
Daniel Smith
1690617ee6 remove ro service 2015-06-03 16:45:54 -07:00
Prashanth Balasubramanian
0162529ea5 Default minRequestTimeout to 1800s 2015-06-03 08:47:45 -07:00
Prashanth Balasubramanian
448867073d Pipe minRequestTimeout as an arg to the apiserver 2015-06-03 08:44:14 -07:00
CJ Cullen
934c553c04 Clarify description/usage of --advertise-address, Master.PublicAddress 2015-06-02 15:23:32 -07:00
CJ Cullen
085a48a70e Add an advertise-address flag. This allows the address that the apiserver binds 
to (possibly 0.0.0.0) to be different than the address on which members of the cluster
can reach the apiserver (possibly not a local interface).
 2015-06-02 14:33:15 -07:00
Eric Tune
3db1f69eea Merge pull request #8764 from eparis/sd_notify 
API server explicitly notify systemd of successful startup
 2015-06-01 10:28:49 -07:00
Kris
f4e2c738f6 Delete deprecated API versions 
pkg/service:

There were a couple of references here just as a reminder to change the
behavior of findPort. As of v1beta3, TargetPort was always defaulted, so
we could remove findDefaultPort and related tests.

pkg/apiserver:

The tests were using versioned API codecs for some of their encoding
tests. Necessary API types had to be written and registered with the
fake versioned codecs.

pkg/kubectl:

Some tests were converted to current versions where it made sense.
 2015-05-29 17:17:35 -07:00
Tim Hockin
3005471100 Add new apiserver flags for clusterIP (nee portal) 
Leave old flags but marked as deprecated
 2015-05-28 16:10:44 -07:00
Tim Hockin
4318ca5a8b Rename 'portal IP' to 'cluster IP' most everywhere 
This covers obvious transforms, but not --portal_net, $PORTAL_NET and
similar.
 2015-05-28 16:10:44 -07:00
Eric Paris
9d304774d4 report glog error if unable to tell systemd things worked 2015-05-28 16:01:27 -04:00
Eric Paris
28ac1b3395 API server explicitly notify systemd of successful startup 
Use the systemd $NOTIFY_SOCKET convention for kube-apiserver
startup. This allows it to be part of dependency trees and for
consumers to wait until it is listening on its ports.

The $NOTIFY_SOCKET protocol is described here:

http://www.freedesktop.org/software/systemd/man/sd_notify.html

Currently this is limited to the kube-apiserver process. Other
kube processes are internal kubernetes moving points. The API
server is the entry point relied on by callers.

100% stolen from Stef Walter from:
https://github.com/GoogleCloudPlatform/kubernetes/pull/8316
 2015-05-28 15:59:26 -04:00
Justin Santa Barbara
3bb2fe2425 Create port allocator, based on IP allocator mechanism 
Including some refactoring of IP allocator
 2015-05-22 19:14:28 -04:00
Prashanth Balasubramanian
8a5445d3db Randomize apiserver watch timeouts 2015-05-21 20:52:33 -07:00
Jordan Liggitt
d90e7409e4 Prevent auth recursion for service account tokens 2015-05-16 23:39:07 -04:00
nikhiljindal
fa9f864782 Adding a script to update etcd objects 2015-05-15 16:20:35 -07:00
Nikhil Jindal
d75bd8bf2a Merge pull request #7101 from liggitt/service_account 
ServiceAccounts
 2015-05-12 10:23:41 -07:00
Brendan Burns
d8f48290e9 Add a flag to disable legacy APIs 2015-05-11 16:09:25 -07:00
Jordan Liggitt
db1f0dc906 JWT token generation/verification 2015-05-11 17:18:06 -04:00
Clayton Coleman
e200d5a317 Make PortalIP alloc HA 
* Add an allocator which saves state in etcd
* Perform PortalIP allocation check on startup and periodically afterwards

Also expose methods in master for downstream components to handle IP allocation
/ master registration themselves.
 2015-05-08 13:34:16 -04:00
Karl Beecher
0473f652fd Add startup code to apiserver to migrate etcd keys 
Refs: #3476
 2015-05-05 12:28:14 +02:00
Eric Paris
6b3a6e6b98 Make copyright ownership statement generic 
Instead of saying "Google Inc." (which is not always correct) say "The
Kubernetes Authors", which is generic.
 2015-05-01 17:49:56 -04:00
Brian Grant
a4316aa638 Merge pull request #7454 from nikhiljindal/v1 
Cloning v1beta3 as v1 and exposing it in the apiserver
 2015-04-28 18:06:57 -07:00
nikhiljindal
c4d7e19c8c Cloning v1beta3 as v1 and exposing it in the apiserver 2015-04-28 16:06:03 -07:00
Brendan Burns
c9f4d8e57e Merge pull request #7425 from roberthbailey/basic-auth-headers 
Set the 'WWW-Authenticate' header on 401 responses when basic auth is enabled
 2015-04-28 11:10:05 -07:00
Daniel Smith
19ae113fe0 Merge pull request #7353 from wojtek-t/too_many_dials 
Increase maxIdleConnection limit when creating etcd client in apiserver.
 2015-04-28 11:03:12 -07:00
Robert Bailey
4304b1d24a Set the 'WWW-Authenticate' header on 401 responses when basic 
auth is enabled. This is required for basic auth to work with
web browsers.
 2015-04-28 11:00:05 -07:00
Robert Bailey
6d85dcb4a0 Add support for HTTP basic auth to the kube-apiserver. 2015-04-28 10:33:51 -07:00
Wojciech Tyczynski
07400f9d2b Increase maxIdleConnection limit in etcd client. 2015-04-28 09:50:56 +02:00
Tim Hockin
a3d45fada8 Change flags to use dashes in help 2015-04-27 15:11:03 -07:00
Karl Beecher
a7623ca6cc Adds ability to define a prefix for etcd paths 
The API server can be supplied (via a command line flag) with a custom
prefix that is prepended to etcd resources paths.

Refs: #3476
 2015-04-24 12:12:39 +02:00
Kenjiro Nakayama
c7d3a72c6a Fix gofmt complaint 2015-04-21 09:36:41 +09:00
Kenjiro Nakayama
5e2e59e728 Add more help description to cert_dir flag 2015-04-20 00:35:56 +09:00
Kenjiro Nakayama
51d0443dde Add cert_dir option to kube-apiserver 2015-04-19 17:40:08 +09:00
Alex Robinson
2b14fc1d14 Remove the cloud provider field from the services REST handler and the master 
now that load balancers are handled by the ServiceController.
 2015-04-14 18:56:47 +00:00
Timothy St. Clair
2b60111fca Performance change to option enable client.QPS, client.Burst 
and change default on max_requests_inflight.
 2015-04-10 07:53:54 -05:00
Timothy St. Clair
9177baa64c Enable profiling by default re: #6623 2015-04-09 10:52:37 -05:00
Tim Hockin
f2c8decffe Clarify network-related flags in the master 
Rename and rejigger flags to make it more obvious what is happening.  Change
the default listen from ChooseHostInterface() to 0.0.0.0.
 2015-04-07 15:55:51 -07:00
Eric Tune
e49424785e Merge pull request #6380 from roberthbailey/kubelet-ssl 
Configure the kubelet to use HTTPS (take 2)
 2015-04-03 13:43:00 -07:00
Quinton Hoole
4a2000c4aa Merge pull request #6207 from brendandburns/server 
Add a limit to the number of in-flight requests that a server processes.
 2015-04-02 15:46:54 -07:00
Robert Bailey
f15e34a1bf Revert "Merge pull request #6309 from GoogleCloudPlatform/revert-6243-kubelet-ssl" 
This reverts commit 96a0a0d618, reversing
changes made to 2af9b54147.
 2015-04-02 10:44:37 -07:00
Brendan Burns
f327e97661 Add a limit to the number of in-flight requests that a server processes. 2015-04-01 15:06:15 -07:00
Robert Bailey
22d9c67cb7 Merge pull request #6190 from liggitt/client_cert_auth 
Add client cert authentication
 2015-04-01 14:11:29 -07:00
Robert Bailey
32a1c052dc Revert "Configure the kubelet to use HTTPS" 2015-04-01 13:59:31 -07:00
Jordan Liggitt
c797a91e36 Add client cert authentication 2015-04-01 13:42:26 -04:00
Robert Bailey
58bc792e68 Configure the master to connect to the kubelet using HTTPS. 2015-04-01 09:09:29 -07:00
nikhiljindal
478b7d5edf Repurposing enableV1beta3 to disableV1beta3 in master config to enable v1beta3 by default 2015-03-30 11:50:10 -07:00
Brian Grant
984bc8d5f6 Merge pull request #5635 from ravigadde/master 
Add timeout to kubelet client
 2015-03-26 14:55:24 -07:00
Brendan Burns
7c684e4331 Pipe through the ability to set the external hostname for swagger URLs. 2015-03-25 21:08:05 -07:00
Victor Marmol
cf7e2756b5 Add HostNetworkSources capability to limit use of HostNetwork. 2015-03-25 11:23:06 -07:00
Filip Grzadkowski
74da3b14b0 Delete pod_cache and rely on updating pod status by kublet. 2015-03-25 15:08:09 +01:00
Ravi Gadde
5871e53060 Add timeout to kubelet client 2015-03-20 18:46:45 -07:00
nikhiljindal
7e36bbab3c Updating integration tests to test both API versions - v1beta1 and 3 2015-03-18 15:24:11 -07:00
Timothy St. Clair
7eebf674d4 Update to option enable profiling on the master daemon processes. 
--profiling=true , default is false
 2015-03-13 10:45:01 -05:00
saadali
7e258b85bd Reduce TTL for events in etcd from 48hrs to 1hr 2015-03-11 12:41:45 -07:00
Filip Grzadkowski
86b1c90097 Add flag to control probing pods statuses from kubelets. 2015-03-02 16:06:14 +01:00
Satnam Singh
19b927ea57 Name a cluster and use it to make forwarding rules for GCE 2015-02-23 17:04:33 -08:00
Tim Hockin
cb09571768 keep hyperkube noise in one place 2015-02-20 08:49:12 -08:00
Tim Hockin
899d30f16a move pkg/master/server to cmd/kube-apiserver/app 2015-02-20 08:49:12 -08:00