Commit Graph

1266 Commits

Author SHA1 Message Date
Stephen Augustus
481cf6fbe7
generated: Run hack/update-gofmt.sh
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2021-08-24 15:47:49 -04:00
Antonio Ojea
0cd75e8fec run hack/update-netparse-cve.sh 2021-08-20 10:42:09 +02:00
Kubernetes Prow Robot
3c72622a1f
Merge pull request #104229 from astraw99/fix_trivial_code
Fix single pointer variable parenthesis
2021-08-12 21:16:31 -07:00
astraw99
ff7307bf9c fix single pointer variable 2021-08-11 10:40:10 +08:00
Jordan Liggitt
39a1293cbc Drop beta REST APIs removed in 1.22 2021-08-09 11:10:16 -04:00
David Ashpole
9dd59017c4 add tracing to webhook requests 2021-07-09 06:30:05 -07:00
Kubernetes Prow Robot
694d6cd2b9
Merge pull request #103216 from dashpole/etcd_client_tracing
Add distributed tracing to the etcd client
2021-07-08 14:01:52 -07:00
maruiyan
da4aaf81cd Error should be checked first, then go to other steps. 2021-06-30 11:00:55 +08:00
David Ashpole
71f810bb71 Add distributed tracing to the etcd client 2021-06-26 09:19:39 -07:00
David Ashpole
79550ed40c Add distributed tracing to the apiserver using OpenTelemetry 2021-06-25 05:20:27 -07:00
Mike Spreitzer
0762f492c5 Add config checking for inflight limits
When API Priority and Fairness is enabled, the inflight limits must
add up to something positive.
This rejects the configuration that prompted
https://github.com/kubernetes/kubernetes/issues/102885

Update help for max inflight flags
2021-06-23 14:06:50 -04:00
Jordan Liggitt
2979c3325e Switch to go.etcd.io/etcd/client/v3 2021-06-15 09:53:06 -04:00
Mengjiao Liu
170c93bf05 JSON log format registration for kube-apiserver 2021-06-10 07:20:43 +08:00
Kubernetes Prow Robot
57fbeb8030
Merge pull request #101993 from wongma7/waitforetcd
Remove etcd connection apiserver preflight check
2021-06-08 12:26:20 -07:00
David Eads
84590fe27c remove --ssh- options, deprecated 13 releases, that only work on GCE 2021-06-03 13:54:35 -04:00
Danil-Grigorev
5d57b3794c Add DisableCloudProviders FG
FeatureGate acts as a secondary switch to disable cloud-controller loops
in KCM, Kubelet and KAPI.

Provide comprehensive logging information to users, so they will be
guided in adoption of out-of-tree cloud provider implementation.
2021-05-21 16:09:44 +02:00
Matthew Wong
c201a78dff Remove etcd connection apiserver preflight check 2021-05-19 13:46:20 -07:00
Kubernetes Prow Robot
8365e2384c
Merge pull request #101187 from GreenApple10/feature/import_cleanup
remove duplicate packet import
2021-04-30 12:06:25 -07:00
Kubernetes Prow Robot
fbc93bd34c
Merge pull request #101403 from wangyx1992/redundant-silce-nilcheck
cleanup: omit redundant nil check around loop in apiserver
2021-04-27 12:31:38 -07:00
Kubernetes Prow Robot
e640a01219
Merge pull request #101068 from BinacsLee/binacs-apiserver-remove-useless-code-logic
code cleanup: apiserver remove useless code logic
2021-04-26 00:03:01 -07:00
wangyx1992
b9ea207ff7 cleanup: omit redundant nil check around loop in apiserver
Signed-off-by: wangyx1992 <wang.yixiang@zte.com.cn>
2021-04-23 11:38:28 +08:00
BinacsLee
75dde4dce4 code cleanup: Abstract repetitive codes in cmd as a function 2021-04-22 23:35:04 +08:00
Shihang Zhang
925900317e allow multiple of --service-account-issuer 2021-04-19 09:54:11 -07:00
Kubernetes Prow Robot
cbe41b4e76
Merge pull request #101178 from dcwbq/delete_kubeletHTTPS_flag
Remove kube-apiserver `--kubelet-https` flag
2021-04-16 10:02:42 -07:00
c00522440
a1335cba68 del duplicate import 2021-04-16 16:57:57 +08:00
dcwbq
5d186d0d0c This flag will be removed in 1.22
Signed-off-by: dcwbq <biqiang.wu@daocloud.io>
2021-04-16 11:20:52 +08:00
Monis Khan
91241eac9b
Prune stale entries from OWNERS files
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-13 20:54:50 -04:00
BinacsLee
802a50e4e9 code cleanup: apiserver remove useless code logic 2021-04-13 21:33:41 +08:00
Kubernetes Prow Robot
dc54027341
Merge pull request #100208 from songxiao-wang87/mytest
spelling mistake
2021-04-11 03:05:59 -07:00
Kubernetes Prow Robot
5c5aa98215
Merge pull request #99578 from pandaamanda/remove_duplicate_apiserverServiceRange_validation
remove duplicated validation for service-cluster-ip-range
2021-04-09 01:18:48 -07:00
Kubernetes Prow Robot
26fba1403b
Merge pull request #99528 from pandaamanda/apiserver_validation_code_optimization
fix log message and optimize log format check logic
2021-04-08 14:28:34 -07:00
Kubernetes Prow Robot
b11d0fbdd5
Merge pull request #100171 from chenyw1990/fixGlobalFlagChange
add normalize function to global FlagSet
2021-03-23 22:08:04 -07:00
xiongzhongliang
e6d6409cf8 remove duplicated validation for service-cluster-ip-range 2021-03-19 11:17:07 +08:00
Kevin Delgado
66d2f4359e Add ability to skip OpenAPI handler installation 2021-03-18 22:41:42 +00:00
chenyw1990
e2020f62ac add normalize function to global FlagSet 2021-03-18 09:23:52 +08:00
songxiao-wang87
d78f3cd47b spelling mistake
Signed-off-by: songxiao-wang87 <461870555@qq.com>
2021-03-13 04:56:39 -05:00
Kubernetes Prow Robot
08b11727f5
Merge pull request #99951 from deads2k/fix-decodableversions
provide directly decodable versions for storageversion API
2021-03-09 16:08:40 -08:00
Morten Torkildsen
21fba79d45 Promote PDBs to GA 2021-03-09 10:29:11 -05:00
David Eads
fa03dee68c provide directly decodable versions for storageversion API 2021-03-09 08:36:32 -05:00
chenyw1990
edff740386 fix json log format panic, change the flag names in flagIsSet 2021-03-09 14:14:25 +08:00
Kubernetes Prow Robot
b139db1539
Merge pull request #99573 from pandaamanda/apiserver_identity_validate
cleanup: wrap the apiserver identity validation
2021-03-08 19:23:19 -08:00
Swetha Repakula
108fd44f7c Graduate EndpointSlice feature gate to GA 2021-03-06 15:58:47 -08:00
Swetha Repakula
a9891b4b9b Graduate EndpointSlice API to GA
* Removes discovery v1alpha1 API
  * Replaces per Endpoint Topology with a read only DeprecatedTopology
  in GA API
  * Adds per Endpoint Zone field in GA API
2021-03-05 12:02:41 -08:00
xiongzhongliang
c7bf5506ee cleanup: wrap the apiserver identity validation 2021-03-06 00:57:02 +08:00
xiongzhongliang
4a24a08f93 Optimize some codes 2021-03-05 18:23:39 +08:00
David Eads
a473ef6c0a use direct etcd creation to verify migrated v1beta1 admissionwebhooks 2021-03-03 17:33:27 -05:00
Jordan Liggitt
4515889574 Prefer v1 storage versions 2021-03-02 12:06:13 -05:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
xiongzhongliang
00bfd28fbd fix some hardcoding
fix some hardcoding
2021-02-20 01:27:54 +08:00
Nikhita Raghunath
6cef3a4e33 *: remove nikhiljindal from OWNERS 2021-02-16 10:59:26 +05:30
Khaled (Kal) Henidak
3e56ddae67 upgrade IPv6DualStack feature to beta and turn on by default 2021-02-10 23:14:05 +00:00
Haowei Cai
dc047b183b storage version integration test: check the test server's health before running
we disabled the /healthz check because our test blocks one post-start
hook from finishing. Instead we should check all the other /healthz/...
endpoints before running the tests
2021-02-02 18:31:53 -08:00
Kubernetes Prow Robot
f81220975e
Merge pull request #98257 from lingsamuel/etcd-lease-max-count
lease manager limit max objects attached to a lease
2021-02-01 14:52:27 -08:00
Michael Taufen
6aa80d9172 Graduate ServiceAccountIssuerDiscovery to GA
Waiting on KEP updates first:
https://github.com/kubernetes/enhancements/pull/2363
2021-02-01 11:44:23 -08:00
Ling Samuel
c8db72c38c
api-server add --lease-max-object-count
Signed-off-by: Ling Samuel <lingsamuelgrace@gmail.com>
2021-02-01 18:20:59 +08:00
Kubernetes Prow Robot
1f5c1b6d91
Merge pull request #96722 from adtac/apfvalidation
APF: make command-line args validation error more descriptive
2021-01-11 18:38:37 -08:00
Ling Samuel
7e9fe39cd7
apiserver add metric etcd_lease_object_counts
Signed-off-by: Ling Samuel <lingsamuelgrace@gmail.com>
2021-01-11 21:22:07 +08:00
Antonio Ojea
2e4aed2d4a bind-address flag usage 2020-12-11 18:47:24 +01:00
Ling Samuel
c99567005d
apiserver add --lease-reuse-duration-seconds to config lease reuse duration
Signed-off-by: Ling Samuel <lingsamuelgrace@gmail.com>
2020-12-04 19:19:49 +08:00
Adhityaa Chandrasekar
39fb8ced93 APF: make command-line args validation error more descriptive
Signed-off-by: Adhityaa Chandrasekar <adtac@google.com>
2020-11-19 20:37:06 +00:00
yue9944882
849be447f5 APF: graduate API and types to beta
Signed-off-by: Adhityaa Chandrasekar <adtac@google.com>
2020-11-13 23:20:39 +00:00
Sergey Kanzhelev
06da0e5e74 GA of RuntimeClass feature gate and API 2020-11-11 19:22:32 +00:00
Haowei Cai
1c2d446648 require APIServerIdentity to be enabled to run StorageVersionAPI
without APIServerIdentity enabled, stale apiserver leases won't be GC'ed
and the same for stale storage version entries. In that case the storage
migrator won't operate correctly without manual intervention.
2020-11-08 19:06:30 -08:00
Haowei Cai
b5b93004b5 generated 2020-11-08 18:53:40 -08:00
Chao Xu
fa1805cc5c Add an integration test.
To make sure that the storage version filter can block certain requests until
the storage version updates are completed, and that the apiserver works
properly after the storage version updates are done.
2020-11-08 18:53:40 -08:00
Chao Xu
7218978716 Add a generic filter that blocks certain write requests before
StorageVersions are updated during apiserver bootstrap.

Also add a poststarthook to the aggregator which updates the
StorageVersions via the storageversion.Manager
2020-11-08 18:53:40 -08:00
Kubernetes Prow Robot
281866b35c
Merge pull request #95533 from roycaihw/apiserver-lease-controller
Add kube-apiserver lease controller
2020-11-06 18:09:37 -08:00
Haowei Cai
3761a00e5b add kube-apiserver-lease-controller poststart hook 2020-11-06 13:33:08 -08:00
Kubernetes Prow Robot
8d6829fe1e
Merge pull request #95896 from zshihang/flag
make flags of TokenRequest required
2020-11-05 18:36:50 -08:00
Shihang Zhang
a5021a4ddf make flags of TokenRequest required 2020-11-05 10:40:56 -08:00
Shihang Zhang
4c593b268a default service-account-extend-token-expiration to true 2020-11-05 09:07:01 -08:00
Kubernetes Prow Robot
e0a51c9e6b
Merge pull request #93244 from Sh4d1/etcd_health_timeout
Allow configuration of etcd healthcheck timeout
2020-11-05 01:06:53 -08:00
Kubernetes Prow Robot
d16112f76c
Merge pull request #96052 from wojtek-t/fix_watchcache_size
Disable watchcache for events
2020-11-02 07:30:53 -08:00
Abu Kashem
53a1307f68
make backoff parameters configurable for webhook
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.
2020-11-01 10:18:25 -05:00
wojtekt
5a8f94cb30 Disable watchcache for events 2020-10-31 19:51:33 +01:00
Shihang Zhang
ff641f6eb2 mv TokenRequest and TokenRequestProjection to GA 2020-10-29 20:47:01 -07:00
Kubernetes Prow Robot
1968e96165
Merge pull request #95856 from knight42/refactor/disable-apiserver-insecure-port
refactor(apiserver): disable insecure port
2020-10-29 10:47:58 -07:00
knight42
cfc2b330a7
refactor(apiserver): ignore the insecure flags
Leave the insecure flags intact but stop serving on insecure port.
2020-10-29 23:20:17 +08:00
Kubernetes Prow Robot
8422116039
Merge pull request #95630 from masap/unit_test1
test: Add service cluster IP range unit test
2020-10-27 14:25:57 -07:00
Kubernetes Prow Robot
3d6026499b
Merge pull request #95235 from andrewsykim/controlplane-egress-selector
apiserver: support 'controlplane' as an egress selector type
2020-10-26 14:45:59 -07:00
Khaled Henidak (Kal)
6675eba3ef
dual stack services (#91824)
* api: structure change

* api: defaulting, conversion, and validation

* [FIX] validation: auto remove second ip/family when service changes to SingleStack

* [FIX] api: defaulting, conversion, and validation

* api-server: clusterIPs alloc, printers, storage and strategy

* [FIX] clusterIPs default on read

* alloc: auto remove second ip/family when service changes to SingleStack

* api-server: repair loop handling for clusterIPs

* api-server: force kubernetes default service into single stack

* api-server: tie dualstack feature flag with endpoint feature flag

* controller-manager: feature flag, endpoint, and endpointSlice controllers handling multi family service

* [FIX] controller-manager: feature flag, endpoint, and endpointSlicecontrollers handling multi family service

* kube-proxy: feature-flag, utils, proxier, and meta proxier

* [FIX] kubeproxy: call both proxier at the same time

* kubenet: remove forced pod IP sorting

* kubectl: modify describe to include ClusterIPs, IPFamilies, and IPFamilyPolicy

* e2e: fix tests that depends on IPFamily field AND add dual stack tests

* e2e: fix expected error message for ClusterIP immutability

* add integration tests for dualstack

the third phase of dual stack is a very complex change in the API,
basically it introduces Dual Stack services. Main changes are:

- It pluralizes the Service IPFamily field to IPFamilies,
and removes the singular field.
- It introduces a new field IPFamilyPolicyType that can take
3 values to express the "dual-stack(mad)ness" of the cluster:
SingleStack, PreferDualStack and RequireDualStack
- It pluralizes ClusterIP to ClusterIPs.

The goal is to add coverage to the services API operations,
taking into account the 6 different modes a cluster can have:

- single stack: IP4 or IPv6 (as of today)
- dual stack: IPv4 only, IPv6 only, IPv4 - IPv6, IPv6 - IPv4

* [FIX] add integration tests for dualstack

* generated data

* generated files

Co-authored-by: Antonio Ojea <aojea@redhat.com>
2020-10-26 13:15:59 -07:00
Andrew Sy Kim
a0aebf96ec apiserver: support egress selection name 'controlplane' and deprecate 'master'
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-10-26 10:24:16 -04:00
Masashi Honma
b7630e4168 test: Add service cluster IP range unit test
This PR adds trailing unit tests to check the service cluster IP range and
improves the code coverage of k8s.io/kubernetes/cmd/kube-apiserver/app from
5.7% to 6.2%.

1) Dual stack IPv4/IPv6
2) Invalid IPv4, IPv6 mask
3) missing IPv4, IPv6 mask
4) invalid IP address format

The tests 2, 3, 4 are suggsted by Antonio Ojea.
2020-10-22 11:42:21 +09:00
Patrik Cyvoct
2e430ba622
Allow configuration of etcd healthcheck timeout
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-10-07 19:13:19 +02:00
Daniel Smith
13b6a929bc It's an 'Instance' of apiserver 2020-09-24 16:14:29 -04:00
David Eads
c7911a384c remove pod presets 2020-09-14 09:24:40 -04:00
Chao Xu
86dd4ce3b5 Let kube-apiserver host the storage version API
Co-authored-by: Haowei Cai <haoweic@google.com>
2020-09-08 19:14:36 -07:00
Daniel Smith
a86afc12df update scripts 2020-09-02 10:49:40 -07:00
Daniel Smith
15e0e3e90e rename 2020-09-02 10:48:26 -07:00
Daniel Smith
75f835aa08 move port definitions to a common location 2020-09-02 10:48:25 -07:00
Jordan Liggitt
81144d6c9a Deprioritize extensions/v1beta1 in discovery 2020-08-28 10:58:32 -04:00
Nikhita Raghunath
550ad25c0f apiserver: remove inactive members from OWNERS
As a part of cleaning up inactive members (who haven't been active since
beginning of 2019) from OWNERS files, this commit removes euank and
CaoShuFeng from the list of reviewers.
2020-08-10 15:07:34 +05:30
Kubernetes Prow Robot
54e2070722
Merge pull request #93410 from nikhita/apimachinery-triage-labels
Don't apply triage/needs-information on apimachinery and instrumentation PRs
2020-07-24 19:08:16 -07:00
Nikhita Raghunath
c00dae0607 Revert "Merge pull request #93156 from logicalhan/triage-api-machinery"
This reverts commit 32438cf269, reversing
changes made to bb6a6aa391.
2020-07-24 13:01:02 +05:30
Jordan Liggitt
22c9236741 Allow integration test servers extra time to start 2020-07-23 17:46:59 -04:00
Han Kang
9129dbc98b automatically assign triage labels to api-machinery tagged PRs
Change-Id: Ifcc8a85d190d6370423af27f6e6c4c90b8472981
2020-07-16 13:13:59 -07:00
Kubernetes Prow Robot
429f968988
Merge pull request #92791 from p0lyn0mial/aggregator-dynamic-cert-reload
adds dynamic certificate reloading for kube aggregator
2020-07-10 15:42:10 -07:00
Kubernetes Prow Robot
2d327ac455
Merge pull request #91539 from andrewsykim/fix-cloud-provider-deprecation
only log cloud provider deprecation warning for in-tree components
2020-07-10 00:59:48 -07:00
Alena Varkockova
25f0ebc827 adds dynamic certificate reloading for kube aggregator
Co-authored-by: Lukasz Szaszkiewicz <lukasz.szaszkiewicz@gmail.com>
Co-authored-by: David Eads <deads@redhat.com>
2020-07-08 11:24:21 +02:00
Kubernetes Prow Robot
8ec5747fe5
Merge pull request #91501 from tahsinrahman/add-apiserver-logging-flag
Add `--logging-format` flag for kube-apiserver
2020-07-03 12:24:47 -07:00
Chelsey Chen
75612c1746 Promote new Event API to v1 2020-07-01 10:50:28 -04:00
Kubernetes Prow Robot
7151131d79
Merge pull request #73032 from liggitt/kubectl-warning
surface server-side warnings in client-go / kubectl
2020-06-12 17:09:56 -07:00
Jordan Liggitt
df6608dc99 Generated files 2020-06-11 16:04:19 -04:00
Jordan Liggitt
0d674c4edb cmd: silence warnings in kube-controller-manager/kube-apiserver, dedupe/color warnings in kubectl 2020-06-11 16:04:19 -04:00
Kubernetes Prow Robot
9ccf6f7de7
Merge pull request #91818 from wojtek-t/remove_cachesize
Remove heuristic watchcache sizes
2020-06-10 22:43:24 -07:00
wojtekt
5ceb53987b Remove heuristic watchcache sizes 2020-06-08 13:32:52 +02:00
Jordan Liggitt
e0f5cca410 Copy CSR v1beta1 to v1
* Remove prerelease tags
* Update copyright, package, imports to v1
* Remove signerName, usages, and condition status defaulting
2020-06-05 00:47:24 -04:00
Kubernetes Prow Robot
7bd4c53b27
Merge pull request #91630 from liggitt/kube-apiserver-kubelet-https
Mark --kubelet-https deprecated, unconditionally use https for apiserver->kubelet connections
2020-06-02 02:02:14 -07:00
Jordan Liggitt
2e8461a5bc Mark --kubelet-https deprecated, unconditionally use https for apiserver->kubelet connections 2020-06-01 20:54:49 -04:00
Kubernetes Prow Robot
774c9a6db6
Merge pull request #91349 from neolit123/1.19-fail-on-unrecognized-args
cmd/*: fail on unrecognized flags/arguments for component CLI
2020-05-30 00:27:53 -07:00
Kubernetes Prow Robot
d1586ea3f9
Merge pull request #91502 from deads2k/dyn-audit-removal-00
remove --feature-gates=DynamicAuditing
2020-05-29 11:56:20 -07:00
Monis Khan
fc4f91f10b cmd/*: fail on unrecognized flags/arguments for component CLI
In case a malformed flag is passed to k8s components
such as "–foo", where "–" is not an ASCII dash character,
the components currently silently ignore the flag
and treat it as a positional argument.

Make k8s components/commands exit with an error if a positional argument
that is not empty is found. Include a custom error message for all
components except kubeadm, as cobra.NoArgs is used in a lot of
places already (can be fixed in a followup).

The kubelet already handles this properly - e.g.:
'unknown command: "–foo"'

This change affects:
- cloud-controller-manager
- kube-apiserver
- kube-controller-manager
- kube-proxy
- kubeadm {alpha|config|token|version}
- kubemark

Signed-off-by: Monis Khan <mok@vmware.com>
Signed-off-by: Lubomir I. Ivanov <lubomirivanov@vmware.com>
2020-05-28 22:06:01 +03:00
Andrew Sy Kim
ed3feac74d only log cloud provider deprecation warning for in-tree components
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-05-28 11:55:56 -04:00
tahsinrahman
201f869c66 Add --logging-format flag for kube-apiserver 2020-05-28 11:39:04 +08:00
David Eads
e857adbdfd remove-api 2020-05-27 16:58:05 -04:00
David Eads
ed4e6f1026 remove dynamic audit 2020-05-27 15:18:53 -04:00
Johannes M. Scheuermann
bd42094d90 Update kube-apiserver flag comments 2020-05-25 15:43:56 +02:00
Jiajie Yang
ebbd455b24 Restrict service account token metrics to kube-apiserver only. 2020-05-21 15:34:57 -07:00
Kubernetes Prow Robot
7dafbe3ff3
Merge pull request #90391 from johscheuer/improve-error-message-svc-cidr
Improve the error message for the service cidr check
2020-05-18 11:05:37 -07:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Mike Danese
bd290e924f fix some fixture path calculations
Current calculations assume that -trimpath is not passed to go tool
compile, which is not the case for test binaries built with bazel. This
causes issues for integration tests right now but is generally not
correct.

The approach taken here is a bit of a hack but it works on the
assumption that if and only if trimpath is passed, we are running under
bazel. I didn't see a good spot for pkgPath(), so I just copied it
around.
2020-05-12 15:34:55 -07:00
Johannes M. Scheuermann
4c5b46d2ae Move validation in own function with tests 2020-05-08 08:52:34 +02:00
Tomas Nozicka
b22a170d46 Fix client-ca dynamic reload in apiserver 2020-04-29 16:03:09 +02:00
Johannes M. Scheuermann
889648d6e5 Improve the error message for the service cidr check 2020-04-24 07:46:31 +02:00
Kubernetes Prow Robot
15ed3b36d1
Merge pull request #90235 from cici37/addflag
Remove CCM dependency pkg/util/flag
2020-04-22 19:22:14 -07:00
Kubernetes Prow Robot
43cd2ff239
Merge pull request #89549 from happinesstaker/sa-rotate
Monitoring safe rollout of time-bound service account token.
2020-04-22 17:01:58 -07:00
Kubernetes Prow Robot
791b4bbeea
Merge pull request #85266 from serathius/refactor-show-hidden-metric
Refactor show-hidden-metric-for-version flag
2020-04-22 17:01:44 -07:00
Jiajie Yang
ae0e52d28c Monitoring safe rollout of time-bound service account token. 2020-04-22 11:59:16 -07:00
cici37
15c844031f Remove CCM dependency pkg/util/flag 2020-04-22 10:06:11 -07:00
Kubernetes Prow Robot
8b0a7dea1d
Merge pull request #90297 from deads2k/silence-usage
stop printing usage help when the server commands exit
2020-04-20 14:05:49 -07:00
David Eads
871d6dd8bb stop printing usage help when the server commands exit 2020-04-20 08:29:52 -04:00
needkane
97d6f2cfd3 (return []error{} -> return nil) and (update annotation) 2020-04-14 00:05:35 -04:00
Kubernetes Prow Robot
d58224e4bc
Merge pull request #89929 from deads2k/flag-check
add flag check to ensure that flowcontrol API is present
2020-04-08 22:13:43 -07:00
Kubernetes Prow Robot
9d74a1e3db
Merge pull request #89724 from zhouya0/add_missing_build_info_metric
Add missing kube build version info metrics
2020-04-08 20:11:44 -07:00
Marek Siarkowicz
24321b2d4e Refactor show-hidden-metric-for-version flag 2020-04-08 22:42:14 +02:00
David Eads
45c2f4534c add flag check to ensure that flowcontrol API is present 2020-04-07 15:08:50 -04:00
zhouya0
4d3d722ebc Add missing kube build info metric 2020-04-01 17:04:45 +08:00
Kubernetes Prow Robot
0804667ff1
Merge pull request #89151 from jingyih/add_metric_etcd_db_size
apiserver: add a metric exposing etcd database size
2020-03-31 12:37:00 -07:00
jingyih
922ec728de Add a metric exposing etcd database size 2020-03-31 09:02:38 -07:00
Davanum Srinivas
1d057da2f7
Move k8s.io/apiserver/pkg/util/term to k8s.io/component-base/term
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-03-19 07:18:09 -04:00
Monis Khan
df292749c9
Remove support for basic authentication
This change removes support for basic authn in v1.19 via the
--basic-auth-file flag.  This functionality was deprecated in v1.16
in response to ATR-K8S-002: Non-constant time password comparison.

Similar functionality is available via the --token-auth-file flag
for development purposes.

Signed-off-by: Monis Khan <mok@vmware.com>
2020-03-11 20:55:47 -04:00
Kubernetes Prow Robot
268d0a1d3a
Merge pull request #85870 from Jefftree/authn-netproxy
Use Network Proxy with Authentication & Authorizer Webhooks
2020-02-28 18:44:39 -08:00
Jefftree
1b38199ea8 pass Dialer instead of egressselector to webhooks 2020-02-27 17:47:23 -08:00
Jefftree
d318e52ffe authentication webhook via network proxy 2020-02-27 17:47:23 -08:00
Jonathan Tomer
711c1e1720 Rename --enable-inflight-quota-handler to --enable-priority-and-fairness.
The old flag name doesn't make sense with the renamed API Priority and
Fairness feature, and it's still safe to change the flag since it hasn't done
anything useful in a released k8s version yet.
2020-02-27 14:04:37 -08:00
Kubernetes Prow Robot
79b674d827
Merge pull request #84381 from Sh4d1/egress_selector_proxy_v2
Use network proxy for proxy subresources
2020-02-20 04:29:03 -08:00
Kubernetes Prow Robot
77e8c75f32
Merge pull request #87754 from MikeSpreitzer/apf-filter5
Add twice refactored filter and config consumer for API Priority and Fairness
2020-02-13 16:54:46 -08:00
Patrik Cyvoct
6729bfd648
use network proxy for proxy subresources
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-02-13 14:42:34 +01:00
Charles Eckman
5a176ac772 Provide OIDC discovery endpoints
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.

Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
  the API server's external address and port.

- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).

- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the from the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.

Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00