Commit Graph

488 Commits

Author SHA1 Message Date
Monis Khan
e9866d2794
Clear front proxy headers after authentication is complete
This matches the logic we have for the Authorization header as well
as the impersonation headers.

Signed-off-by: Monis Khan <mok@microsoft.com>
2023-03-21 10:51:22 -04:00
Taahir Ahmed
6a75e7c40c ClusterTrustBundles: Define types
This commit is the main API piece of KEP-3257 (ClusterTrustBundles).

This commit:

* Adds the certificates.k8s.io/v1alpha1 API group
* Adds the ClusterTrustBundle type.
* Registers the new type in kube-apiserver.
* Implements the type-specfic validation specified for
  ClusterTrustBundles:
  - spec.pemTrustAnchors must always be non-empty.
  - spec.signerName must be either empty or a valid signer name.
  - Changing spec.signerName is disallowed.
* Implements the "attest" admission check to restrict actions on
  ClusterTrustBundles that include a signer name.

Because it wasn't specified in the KEP, I chose to make attempts to
update the signer name be validation errors, rather than silently
ignored.

I have tested this out by launching these changes in kind and
manipulating ClusterTrustBundle objects in the resulting cluster using
kubectl.
2023-03-15 20:10:18 -07:00
Antonio Ojea
d9cc625538 add apis to apiserver storage
Change-Id: Iea1263ad612c13b93baf8a07641265bf56f08728
2023-03-14 22:58:11 +00:00
Jiahui Feng
501976cc34 fix broken tests after dependency injection. 2023-03-13 14:40:47 -07:00
Jiahui Feng
feb18b3f5f implmementing type checking
with multi-type support.
2023-03-07 15:49:19 -08:00
Stanislav Laznicka
4ae4266c91
authenticator config: use static CA reader for OIDC CA 2023-02-14 13:43:58 +01:00
Kubernetes Prow Robot
4b2b4e19cc
Merge pull request #114523 from zshihang/token
graduate LegacyServiceAccountTokenTracking to beta
2023-01-18 07:12:33 -08:00
Paco Xu
25686a2c77 remove psp in extensions api/apis 2023-01-06 17:07:02 +08:00
Shihang Zhang
0852a49020 graduate LegacyServiceAccountTokenTracking to beta 2022-12-16 10:34:17 -08:00
TommyStarK
bd6a86471b kubeapiserver/admission: Improving test coverage
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
2022-12-15 19:01:52 +01:00
Thomas Milox
3ad2ab18fa
pkg/kubeapiserver/options: Improving test coverage (#114234)
* pkg/kubeapiserver/options: Improving test coverage

Signed-off-by: TommyStarK <thomasmilox@gmail.com>

* pkg/kubeapiserver/options: Improving test coverage

Add a snippet of the expected error string related to the aspect being tested

Signed-off-by: TommyStarK <thomasmilox@gmail.com>

Signed-off-by: TommyStarK <thomasmilox@gmail.com>
2022-12-14 17:51:35 -08:00
Cici Huang
2973712486 Rename FG to ValidatingAdmissionPolicy 2022-11-10 03:37:35 +00:00
Cici Huang
40c21dafcd Rename admission cel package to validatingadmissionpolicy 2022-11-10 03:37:30 +00:00
Cici Huang
e7d83a1fb7 Integrate cel admission with API.
Co-authored-by: Alexander Zielenski <zielenski@google.com>
Co-authored-by: Joe Betz <jpbetz@google.com>
2022-11-07 21:38:55 +00:00
Cici Huang
c8a089de46 Update admission initializers.
Moved RestMapper and add DynamicClient
2022-11-07 21:24:46 +00:00
Cici Huang
0486e06261 Adding new api version of admissionregistration.k8s.io v1alpha1 for CEL in Admission Control 2022-11-07 20:51:51 +00:00
Shihang Zhang
569cd70a52 track legacy service account tokens 2022-10-24 09:37:53 -07:00
Mohammad Zuber Khan
f86acbad68
add superuser fallback to authorizer (#111558)
* add superuser fallback to authorizer

* change the order of authorizers

* change the order of authorizers

* remove the duplicate superuser authorizer

* add integration test for superuser permissions
2022-10-18 18:57:00 -07:00
Monis Khan
f507bc2553
Load encryption config once
This change updates the API server code to load the encryption
config once at start up instead of multiple times.  Previously the
code would set up the storage transformers and the etcd healthz
checks in separate parse steps.  This is problematic for KMS v2 key
ID based staleness checks which need to be able to assert that the
API server has a single view into the KMS plugin's current key ID.

Signed-off-by: Monis Khan <mok@microsoft.com>
2022-10-13 10:52:29 -04:00
Kubernetes Prow Robot
85e7ddbcfb
Merge pull request #111313 from BinacsLee/binacs/use-len-in-options
cleanup: use sets.Len() insead of len(sets.List())
2022-10-04 07:34:16 -07:00
Monis Khan
4e68e9b5ad
kms: fix go routine leak in gRPC connection
Signed-off-by: Monis Khan <mok@microsoft.com>
2022-09-08 11:46:57 -04:00
Kubernetes Prow Robot
759785ea14
Merge pull request #109090 from sarveshr7/multicidr-rangeallocator
Enhance NodeIPAM to support multiple ClusterCIDRs
2022-08-07 15:40:18 -07:00
Sarvesh Rangnekar
7093b10416 Introduce networking/v1alpha1 api, ClusterCIDR type
Introduce networking/v1alpha1 api group.

Add `ClusterCIDR` type to networking/v1alpha1 api group, this type
will enable the NodeIPAM controller to support multiple ClusterCIDRs.
2022-08-05 00:54:00 +00:00
Kubernetes Prow Robot
d40bc18461
Merge pull request #105126 from sallyom/tracing-kubelet
kubelet tracing instrumentation
2022-08-02 11:38:06 -07:00
Kubernetes Prow Robot
3051cb2ba1
Merge pull request #108624 from ialidzhikov/cleanup/service-account-api-audiences
apiserver: Remove the deprecated `--service-account-api-audiences` flag
2022-08-02 09:15:44 -07:00
Sally O'Malley
47e7d8034f
kubelet tracing
Signed-off-by: Sally O'Malley <somalley@redhat.com>
Co-authored-by: David Ashpole <dashpole@google.com>
2022-08-01 12:55:02 -04:00
Davanum Srinivas
a9593d634c
Generate and format files
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-07-26 13:14:05 -04:00
Kubernetes Prow Robot
37311a2eed
Merge pull request #103663 from bells17/fix-priority-plugin-comment
Fix Priority plugin comment
2022-07-25 07:40:35 -07:00
BinacsLee
80b43075c9 cleanup: use sets.Len() insead of len(sets.List()) 2022-07-21 20:13:30 +08:00
Patrick Ohly
2e8fa3ee6b CSIStorageCapacity: use v1 as storage version
This can be done because downgrades are only supported down to 1.24 and that
release supports v1.
2022-07-08 10:06:06 +02:00
Jordan Liggitt
410ac59c0d Remove PodSecurityPolicy admission plugin 2022-05-04 16:00:56 -04:00
James Laverack
7d57d5c70d Revert "Introduce APIs to support multiple ClusterCIDRs (#108290)"
This reverts commit b9792a9dae.
2022-04-13 13:58:19 +01:00
Sarvesh Rangnekar
b9792a9dae
Introduce APIs to support multiple ClusterCIDRs (#108290)
* Introduce networking/v1alpha1 api, ClusterCIDRConfig type

Introduce networking/v1alpha1 api group.

Add `ClusterCIDRConfig` type to networking/v1alpha1 api group, this type
will enable the NodeIPAM controller to support multiple ClusterCIDRs.

* Change ClusterCIDRConfig.NodeSelector type in api

* Fix review comments for API

* Update ClusterCIDRConfig API Spec

Introduce PerNodeHostBits field, remove PerNodeMaskSize
2022-03-30 19:39:00 -07:00
Jefftree
67d3dbfaae Separate OpenAPI V2 and V3 Config 2022-03-29 17:49:56 -07:00
Kubernetes Prow Robot
24a71990e0
Merge pull request #108445 from pohly/storage-capacity-ga
storage capacity GA
2022-03-23 08:06:21 -07:00
Monis Khan
fef7d0ef1e
webhook: use rest.Config instead of kubeconfig file as input
This change updates the generic webhook logic to use a rest.Config
as its input instead of a kubeconfig file.  This exposes all of the
rest.Config knobs to the caller instead of the more limited set
available through the kubeconfig format.  This is useful when this
code is being used as a library outside of core Kubernetes. For
example, a downstream consumer may want to override the webhook's
internals such as its TLS configuration.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-17 20:47:42 -04:00
Patrick Ohly
921edae2b4 storage capacity: v1 API 2022-03-14 20:05:45 +01:00
ialidzhikov
92707cafbb apiserver: Remove the deprecated --service-account-api-audiences flag
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
2022-03-10 09:46:20 +02:00
bryfry
038ad9b3a5 correct references to service-account-signing-key-file flag 2022-01-30 04:24:25 +00:00
Davanum Srinivas
9405e9b55e
Check in OWNERS modified by update-yamlfmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-12-09 21:31:26 -05:00
Shubham Kuchhal
ef2be5586e Add supported 'alg' header values. 2021-09-16 14:02:21 +05:30
Monis Khan
b5ef684d90
admission: run PodSecurity before PodSecurityPolicy
This change fixes the order in which the PodSecurity and
PodSecurityPolicy admission plugins are run.  The old code intended
for PSA to run before PSP, but attempted to enforce that via
registration order (which is irrelevant).  Now PSA is correctly
executed before PSP to allow for audit and warning modes to be
exercised even in the presence of a deny PSP policy.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-01 11:39:58 -04:00
Antonio Ojea
0cd75e8fec run hack/update-netparse-cve.sh 2021-08-20 10:42:09 +02:00
Mengjiao Liu
7911a08fb3 Remove ServiceAccountIssuerDiscovery feature gate 2021-07-14 18:43:59 +08:00
bells17
62c444b484 Fix Priority plugin comment 2021-07-13 20:37:05 +09:00
David Ashpole
9dd59017c4 add tracing to webhook requests 2021-07-09 06:30:05 -07:00
Jordan Liggitt
f39bddd767 PodSecurity: kube-apiserver: admission wiring 2021-06-28 17:45:35 -04:00
Mengjiao Liu
c694b9f761 CronJob: switch storage version to batch/v1 in 1.22 2021-05-27 18:07:16 +08:00
Gautier Delorme
34b0fcef5f remove go-openapi/spec
Signed-off-by: Gautier Delorme <gautier.delorme@gmail.com>
2021-04-21 11:31:49 +02:00
Shihang Zhang
925900317e allow multiple of --service-account-issuer 2021-04-19 09:54:11 -07:00