Commit Graph

141 Commits

Author SHA1 Message Date
wangyysde
ab66a38194 PodSecurity: promote config and feature gate to GA
Signed-off-by: wangyysde <net_use@bzhy.com>
2022-06-15 09:29:47 +08:00
Jordan Liggitt
410ac59c0d Remove PodSecurityPolicy admission plugin 2022-05-04 16:00:56 -04:00
Tim Allclair
bdebc62d49 Don't add audit annotations directly to the audit event 2022-03-28 17:03:53 -07:00
Davanum Srinivas
9405e9b55e
Check in OWNERS modified by update-yamlfmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-12-09 21:31:26 -05:00
Jordan Liggitt
1bff65e6f8 PodSecurity: benchmark large numbers of owned pods 2021-11-02 08:43:27 -04:00
Tim Allclair
6c273020d3 [PodSecurity] Avoid the LegacyRegistry for metrics serving 2021-11-01 14:23:00 -07:00
Tim Allclair
e46928c0b1 [PodSecurity] Fix up metrics & add tests
Update pod security metrics to match the spec in the KEP.
2021-11-01 14:11:19 -07:00
Kubernetes Prow Robot
c592bd40f2
Merge pull request #105609 from pohly/generic-ephemeral-volume-ga
generic ephemeral volume GA
2021-10-28 17:36:50 -07:00
Alkaid
ae9ca48f01
[PodSecurity] Implement metricRecorder for admission (#104217)
* init

Signed-off-by: jyz0309 <45495947@qq.com>

go fmt

Signed-off-by: jyz0309 <45495947@qq.com>

remove useless code

Signed-off-by: jyz0309 <45495947@qq.com>

add metrics.Attributes interface

Signed-off-by: jyz0309 <45495947@qq.com>

address comment

Signed-off-by: jyz0309 <45495947@qq.com>

go fmt code

Signed-off-by: jyz0309 <45495947@qq.com>

resolve import cycle

Signed-off-by: jyz0309 <45495947@qq.com>

fix comment

Signed-off-by: jyz0309 <45495947@qq.com>

fix lints

Signed-off-by: jyz0309 <45495947@qq.com>

fix build error

Signed-off-by: jyz0309 <45495947@qq.com>

fix test

Signed-off-by: jyz0309 <45495947@qq.com>

try

Signed-off-by: jyz0309 <45495947@qq.com>

* try to compare version

Signed-off-by: jyz0309 <45495947@qq.com>

fix conflict

Signed-off-by: jyz0309 <45495947@qq.com>

remove unused change

Signed-off-by: jyz0309 <45495947@qq.com>

* address comment

Signed-off-by: jyz0309 <45495947@qq.com>

* fix import error

Signed-off-by: jyz0309 <45495947@qq.com>

fix import

Signed-off-by: jyz0309 <45495947@qq.com>

address comment

Signed-off-by: jyz0309 <45495947@qq.com>

address comment

Signed-off-by: jyz0309 <45495947@qq.com>

* address comment

Signed-off-by: jyz0309 <45495947@qq.com>

* format code

Signed-off-by: jyz0309 <45495947@qq.com>

* remove exempt and error record

Signed-off-by: jyz0309 <45495947@qq.com>

* ignore pod

Signed-off-by: jyz0309 <45495947@qq.com>

* add decision default value

Signed-off-by: jyz0309 <45495947@qq.com>

* address comment

Signed-off-by: jyz0309 <45495947@qq.com>

* remove useless import

Signed-off-by: jyz0309 <45495947@qq.com>

* remove policy valid check

Signed-off-by: jyz0309 <45495947@qq.com>

use init to register metric

Signed-off-by: jyz0309 <45495947@qq.com>

fix test

Signed-off-by: jyz0309 <45495947@qq.com>

remove check

Signed-off-by: jyz0309 <45495947@qq.com>

remove blank line

Signed-off-by: jyz0309 <45495947@qq.com>

add allowedImports

Signed-off-by: jyz0309 <45495947@qq.com>

Add mock recorder

Signed-off-by: jyz0309 <45495947@qq.com>

format code

Signed-off-by: jyz0309 <45495947@qq.com>

separate record into 3 functions

Signed-off-by: jyz0309 <45495947@qq.com>

* fix comment

Signed-off-by: jyz0309 <45495947@qq.com>
2021-10-20 20:02:08 -07:00
Patrick Ohly
a8c930ef46 generic ephemeral volume: graduation to GA
The feature gate gets locked to "true", with the goal to remove it in two
releases.

All code now can assume that the feature is enabled. Tests for "feature
disabled" are no longer needed and get removed.

Some code wasn't using the new helper functions yet. That gets changed while
touching those lines.
2021-10-11 20:54:20 +02:00
Jordan Liggitt
77d65dca44 PodSecurity: add namespace update verify benchmark 2021-10-04 12:26:30 -04:00
Jordan Liggitt
13e0887c4c PodSecurity: add admission benchmark
go test ./plugin/pkg/admission/security/podsecurity -bench /pod -benchmem
goos: darwin
goarch: amd64
pkg: k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity
cpu: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
BenchmarkVerifyPod/enforce-implicit_pod-12         	  702789	      1585 ns/op	    2120 B/op	      12 allocs/op
BenchmarkVerifyPod/enforce-privileged_pod-12       	  737588	      1607 ns/op	    2120 B/op	      12 allocs/op
BenchmarkVerifyPod/enforce-baseline_pod-12         	  409818	      2974 ns/op	    3368 B/op	      17 allocs/op
BenchmarkVerifyPod/enforce-restricted_pod-12       	  370262	      3385 ns/op	    3368 B/op	      17 allocs/op
BenchmarkVerifyPod/warn-baseline_pod-12            	  391808	      3101 ns/op	    3368 B/op	      17 allocs/op
BenchmarkVerifyPod/warn-restricted_pod-12          	  349411	      3452 ns/op	    3368 B/op	      17 allocs/op
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12         	  208221	      5735 ns/op	    5864 B/op	      27 allocs/op
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12      	  249662	      4849 ns/op	    4616 B/op	      22 allocs/op
PASS
ok  	k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity	10.707s
2021-09-21 16:20:11 -04:00
Jordan Liggitt
1dfacd3c70 PodSecurity: use code/reason/details from admission library 2021-07-07 16:25:16 -04:00
Tim Allclair
cf6ba6096f Move pod-security-admission to an external Attributes interface 2021-07-06 15:15:15 -07:00
Jordan Liggitt
f39bddd767 PodSecurity: kube-apiserver: admission wiring 2021-06-28 17:45:35 -04:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
cici37
95acec5a3b Move client_builder to k8s.io/controller-manager 2020-10-19 14:48:22 -07:00
Patrick Ohly
c05c8e915b GenericEphemeralVolume: feature gate, API, documentation
As explained in
https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1698-generic-ephemeral-volumes,
CSI inline volumes are not suitable for more "normal" kinds of storage
systems. For those a new approach is needed: "generic ephemeral inline
volumes".
2020-07-09 11:02:59 +02:00
Jordan Liggitt
0e062981d1 Detect PSP enablement more accurately 2020-06-03 13:14:19 -04:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Andrew Sy Kim
2e56866c97 move apparmor annotation constants to k8s.io/api/core/v1
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-04-06 10:22:04 -04:00
Jordan Liggitt
92ea33efc5 Clean up TODOs 2019-10-03 09:23:10 -04:00
Jordan Liggitt
92eb072989 Propagate context to Authorize() calls 2019-09-24 11:14:54 -04:00
Jordan Liggitt
61774cd717 Plumb context to admission Admit/Validate 2019-08-20 11:11:00 -04:00
Jordan Liggitt
2899abb65c Populate API version in synthetic authorization requests 2019-07-10 21:29:25 -04:00
Kubernetes Prow Robot
b8eecd671d
Merge pull request #69941 from miguelbernadi/fix-golint-issues-68026
Fix golint issues in plugin/pkg/admission
2019-05-30 08:38:26 -07:00
Vladimir Vivien
8e0cf65310 Enforce pod security policy for CSI inline 2019-05-29 15:38:21 -04:00
Joe Betz
cc2e3616f0 Add WithReinvocationTesting utility for ensuring that admission plugin reinvocation is idempotent 2019-05-28 15:10:22 -07:00
Miguel Bernabeu
f47da8a75d Fix golint violations in several plugins 2019-05-23 20:00:06 +02:00
Joe Betz
900d652a9a Update tests for: Pass {Operation}Option to Webhooks 2019-05-14 10:49:43 -07:00
Kubernetes Prow Robot
ccc90b2ba6
Merge pull request #75680 from tallclair/psp-refactor
Clean up some PodSecurityPolicy code
2019-03-26 21:59:01 -07:00
Tim Allclair
e5d2cad7b9 Refactor PSP provider 2019-03-25 11:46:36 -07:00
SataQiu
f8c4aba0cb fix some golint failures for plugin/pkg/admission/... 2019-02-26 17:12:40 +08:00
Mehdy Bohlool
d08bc3774d Mechanical changes due to signature change for Admit and Validate functions 2019-02-16 13:28:47 -08:00
Roy Lenferink
b43c04452f Updated OWNERS files to include link to docs 2019-02-04 22:33:12 +01:00
Davanum Srinivas
954996e231
Move from glog to klog
- Move from the old github.com/golang/glog to k8s.io/klog
- klog has explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
  * github.com/kubernetes/repo-infra
  * k8s.io/gengo/
  * k8s.io/kube-openapi/
  * github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods

Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
2018-11-10 07:50:31 -05:00
Jordan Liggitt
35178d352d auth policy subproject approvers/reviewers 2018-11-06 00:57:39 -05:00
yue9944882
e2c61169b1 externalize psp admission controller 2018-10-24 00:22:07 +08:00
Slava Semushin
14c969b604 Remove myself from OWNERS files. 2018-10-16 22:47:44 +01:00
Mayank Kumar
bc3e3afc46 api changes for psp runasgroup policy 2018-10-09 17:32:09 -07:00
jennybuckley
adafb1365e Support dry run in admission plugins 2018-08-06 10:37:44 -07:00
stewart-yu
f1343af5d7 auto-generated file 2018-07-28 07:54:17 +08:00
stewart-yu
55251c716a update the import file for move util/pointer to k8s.io/utils 2018-07-27 19:47:02 +08:00
Tim Allclair
5ace0f03d8 Cleanup & fix PodSecurityPolicy field path usage 2018-07-18 17:47:32 -07:00
Jeff Grafton
23ceebac22 Run hack/update-bazel.sh 2018-06-22 16:22:57 -07:00
Jan Chaloupka
3cc15363bc Run make update 2018-06-06 00:12:40 +02:00
Jan Chaloupka
ab616a88b9 Promote sysctl annotations to API fields 2018-06-05 23:17:00 +02:00
Cao Shufeng
241422879d Log policy name from pod security policy 2018-06-04 19:24:25 +08:00
Slava Semushin
f49a0fbd5f Replace UserIDRange/GroupIDRange by IDRange in internal type to reduce difference with external type.
We had IDRange in both types prior to the 9440a68744 commit that split it
into UserIDRange/GroupIDRange. Later, in the c91a12d205 commit we had to
revert these changes because they broke backward compatibility, but the
UserIDRange/GroupIDRange struct was left in the internal type.

This commit removes these leftovers and reduces the differences
between internal and external types.
2018-05-04 18:31:42 +02:00