Monis Khan
e9866d2794
Clear front proxy headers after authentication is complete
This matches the logic we have for the Authorization header as well
as the impersonation headers.
Signed-off-by: Monis Khan <mok@microsoft.com>
2023-03-21 10:51:22 -04:00
Taahir Ahmed
6a75e7c40c
ClusterTrustBundles: Define types
This commit is the main API piece of KEP-3257 (ClusterTrustBundles).
This commit:
* Adds the certificates.k8s.io/v1alpha1 API group
* Adds the ClusterTrustBundle type.
* Registers the new type in kube-apiserver.
* Implements the type-specific validation specified for
ClusterTrustBundles:
- spec.pemTrustAnchors must always be non-empty.
- spec.signerName must be either empty or a valid signer name.
- Changing spec.signerName is disallowed.
* Implements the "attest" admission check to restrict actions on
ClusterTrustBundles that include a signer name.
Because it wasn't specified in the KEP, I chose to make attempts to
update the signer name be validation errors, rather than silently
ignored.
I have tested this out by launching these changes in kind and
manipulating ClusterTrustBundle objects in the resulting cluster using
kubectl.
2023-03-15 20:10:18 -07:00
Thomas Milox
3ad2ab18fa
pkg/kubeapiserver/options: Improving test coverage ( #114234 )
* pkg/kubeapiserver/options: Improving test coverage
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
* pkg/kubeapiserver/options: Improving test coverage
Add a snippet of the expected error string related to the aspect being tested
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
Signed-off-by: TommyStarK <thomasmilox@gmail.com>
2022-12-14 17:51:35 -08:00
Cici Huang
2973712486
Rename FG to ValidatingAdmissionPolicy
2022-11-10 03:37:35 +00:00
Cici Huang
40c21dafcd
Rename admission cel package to validatingadmissionpolicy
2022-11-10 03:37:30 +00:00
Cici Huang
e7d83a1fb7
Integrate cel admission with API.
Co-authored-by: Alexander Zielenski <zielenski@google.com>
Co-authored-by: Joe Betz <jpbetz@google.com>
2022-11-07 21:38:55 +00:00
Shihang Zhang
569cd70a52
track legacy service account tokens
2022-10-24 09:37:53 -07:00
Kubernetes Prow Robot
85e7ddbcfb
Merge pull request #111313 from BinacsLee/binacs/use-len-in-options
cleanup: use sets.Len() instead of len(sets.List())
2022-10-04 07:34:16 -07:00
Kubernetes Prow Robot
3051cb2ba1
Merge pull request #108624 from ialidzhikov/cleanup/service-account-api-audiences
apiserver: Remove the deprecated `--service-account-api-audiences` flag
2022-08-02 09:15:44 -07:00
Davanum Srinivas
a9593d634c
Generate and format files
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-07-26 13:14:05 -04:00
Kubernetes Prow Robot
37311a2eed
Merge pull request #103663 from bells17/fix-priority-plugin-comment
Fix Priority plugin comment
2022-07-25 07:40:35 -07:00
BinacsLee
80b43075c9
cleanup: use sets.Len() instead of len(sets.List())
2022-07-21 20:13:30 +08:00
Jordan Liggitt
410ac59c0d
Remove PodSecurityPolicy admission plugin
2022-05-04 16:00:56 -04:00
Jefftree
67d3dbfaae
Separate OpenAPI V2 and V3 Config
2022-03-29 17:49:56 -07:00
ialidzhikov
92707cafbb
apiserver: Remove the deprecated --service-account-api-audiences flag
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
2022-03-10 09:46:20 +02:00
bryfry
038ad9b3a5
correct references to service-account-signing-key-file flag
2022-01-30 04:24:25 +00:00
Shubham Kuchhal
ef2be5586e
Add supported 'alg' header values.
2021-09-16 14:02:21 +05:30
Monis Khan
b5ef684d90
admission: run PodSecurity before PodSecurityPolicy
This change fixes the order in which the PodSecurity and
PodSecurityPolicy admission plugins are run. The old code intended
for PSA to run before PSP, but attempted to enforce that via
registration order (which is irrelevant). Now PSA is correctly
executed before PSP to allow for audit and warning modes to be
exercised even in the presence of a deny PSP policy.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-01 11:39:58 -04:00
Antonio Ojea
0cd75e8fec
run hack/update-netparse-cve.sh
2021-08-20 10:42:09 +02:00
Mengjiao Liu
7911a08fb3
Remove ServiceAccountIssuerDiscovery feature gate
2021-07-14 18:43:59 +08:00
bells17
62c444b484
Fix Priority plugin comment
2021-07-13 20:37:05 +09:00
Jordan Liggitt
f39bddd767
PodSecurity: kube-apiserver: admission wiring
2021-06-28 17:45:35 -04:00
Shihang Zhang
925900317e
allow multiple of --service-account-issuer
2021-04-19 09:54:11 -07:00
Kubernetes Prow Robot
42a4953c6e
Merge pull request #100186 from yangjunmyfm192085/run-test28
test: fix the error case of TestAuthenticationValidate
2021-04-08 20:28:34 -07:00
Kubernetes Prow Robot
26fba1403b
Merge pull request #99528 from pandaamanda/apiserver_validation_code_optimization
fix log message and optimize log format check logic
2021-04-08 14:28:34 -07:00
JunYang
4e72e41387
test: fix the error of TestAuthenticationValidate
Signed-off-by: JunYang <yang.jun22@zte.com.cn>
2021-03-12 23:10:21 +08:00
xiongzhongliang
4a24a08f93
Optimize some codes
2021-03-05 18:23:39 +08:00
Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00
Shihang Zhang
cbf6e38bbd
move RootCAConfigMap to ga
2021-02-22 15:59:27 -08:00
Kubernetes Prow Robot
1119a505ac
Merge pull request #98669 from liggitt/denyexec
Remove deprecated DenyEscalatingExec / DenyExecOnPrivileged admission
2021-02-02 06:52:28 -08:00
Jordan Liggitt
3579f88e4d
Remove deprecated DenyEscalatingExec / DenyExecOnPrivileged admission
2021-02-01 16:55:22 -05:00
Michael Taufen
6aa80d9172
Graduate ServiceAccountIssuerDiscovery to GA
Waiting on KEP updates first:
https://github.com/kubernetes/enhancements/pull/2363
2021-02-01 11:44:23 -08:00
Tim Hockin
a8299079a5
Add denyserviceexternalips admission
2020-12-29 10:00:11 -08:00
Tim Hockin
02b77861ec
Move defaultingressclass admission to net subdir
2020-12-28 09:58:30 -08:00
KeZhang
3562806d2d
cleanup unused code for kubeapiserver
2020-12-09 09:29:34 +08:00
Sergey Kanzhelev
06da0e5e74
GA of RuntimeClass feature gate and API
2020-11-11 19:22:32 +00:00
Kubernetes Prow Robot
8d6829fe1e
Merge pull request #95896 from zshihang/flag
make flags of TokenRequest required
2020-11-05 18:36:50 -08:00
Shihang Zhang
a5021a4ddf
make flags of TokenRequest required
2020-11-05 10:40:56 -08:00
Shihang Zhang
4c593b268a
default service-account-extend-token-expiration to true
2020-11-05 09:07:01 -08:00
Shihang Zhang
d40f0c43c4
separate RootCAConfigMap from BoundServiceAccountTokenVolume
2020-11-04 17:10:39 -08:00
Abu Kashem
53a1307f68
make backoff parameters configurable for webhook
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.
2020-11-01 10:18:25 -05:00
Shihang Zhang
ff641f6eb2
mv TokenRequest and TokenRequestProjection to GA
2020-10-29 20:47:01 -07:00
Andrew Sy Kim
a0aebf96ec
apiserver: support egress selection name 'controlplane' and deprecate 'master'
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-10-26 10:24:16 -04:00
Kubernetes Prow Robot
e7b9453972
Merge pull request #93537 from timuthy/enhancement.move-resourcequota
Move ResourceQuota admission to k8s.io/apiserver lib
2020-09-15 12:26:58 -07:00
David Eads
c0c033b12f
generated
2020-09-14 09:24:41 -04:00
David Eads
c7911a384c
remove pod presets
2020-09-14 09:24:40 -04:00
Tim Usner
70d440bc7e
Move ResourceQuota admission to k8s.io/apiserver
2020-09-04 14:53:52 +02:00
yiduyangyi
e6c4633232
fix golint failures in pkg/kubeapiserver/options, fix some incorrect replace of receiver name
2020-07-23 19:02:07 +08:00
yiduyangyi
0520d75838
fix golint failures in pkg/kubeapiserver/options, rename receiver name of BuiltInAuthorizationOptions to o
2020-07-23 18:52:15 +08:00
yiduyangyi
e441c07fe2
fix golint failures in pkg/kubeapiserver/options, use API Server in comments instead of APIServer
2020-07-23 18:41:37 +08:00