Jordan Liggitt
1bff65e6f8
PodSecurity: benchmark large numbers of owned pods
2021-11-02 08:43:27 -04:00
Tim Allclair
6c273020d3
[PodSecurity] Avoid the LegacyRegistry for metrics serving
2021-11-01 14:23:00 -07:00
Tim Allclair
e46928c0b1
[PodSecurity] Fix up metrics & add tests
...
Update pod security metrics to match the spec in the KEP.
2021-11-01 14:11:19 -07:00
Kubernetes Prow Robot
c592bd40f2
Merge pull request #105609 from pohly/generic-ephemeral-volume-ga
...
generic ephemeral volume GA
2021-10-28 17:36:50 -07:00
Alkaid
ae9ca48f01
[PodSecurity] Implement metricRecorder for admission (#104217)
...
* init
Signed-off-by: jyz0309 <45495947@qq.com>
go fmt
Signed-off-by: jyz0309 <45495947@qq.com>
remove useless code
Signed-off-by: jyz0309 <45495947@qq.com>
add metrics.Attributes interface
Signed-off-by: jyz0309 <45495947@qq.com>
address comment
Signed-off-by: jyz0309 <45495947@qq.com>
go fmt code
Signed-off-by: jyz0309 <45495947@qq.com>
resolve import cycle
Signed-off-by: jyz0309 <45495947@qq.com>
fix comment
Signed-off-by: jyz0309 <45495947@qq.com>
fix lints
Signed-off-by: jyz0309 <45495947@qq.com>
fix build error
Signed-off-by: jyz0309 <45495947@qq.com>
fix test
Signed-off-by: jyz0309 <45495947@qq.com>
try
Signed-off-by: jyz0309 <45495947@qq.com>
* try to compare version
Signed-off-by: jyz0309 <45495947@qq.com>
fix conflict
Signed-off-by: jyz0309 <45495947@qq.com>
remove unused change
Signed-off-by: jyz0309 <45495947@qq.com>
* address comment
Signed-off-by: jyz0309 <45495947@qq.com>
* fix import error
Signed-off-by: jyz0309 <45495947@qq.com>
fix import
Signed-off-by: jyz0309 <45495947@qq.com>
address comment
Signed-off-by: jyz0309 <45495947@qq.com>
address comment
Signed-off-by: jyz0309 <45495947@qq.com>
* address comment
Signed-off-by: jyz0309 <45495947@qq.com>
* format code
Signed-off-by: jyz0309 <45495947@qq.com>
* remove exempt and error record
Signed-off-by: jyz0309 <45495947@qq.com>
* ignore pod
Signed-off-by: jyz0309 <45495947@qq.com>
* add decision default value
Signed-off-by: jyz0309 <45495947@qq.com>
* address comment
Signed-off-by: jyz0309 <45495947@qq.com>
* remove useless import
Signed-off-by: jyz0309 <45495947@qq.com>
* remove policy valid check
Signed-off-by: jyz0309 <45495947@qq.com>
use init to register metric
Signed-off-by: jyz0309 <45495947@qq.com>
fix test
Signed-off-by: jyz0309 <45495947@qq.com>
remove check
Signed-off-by: jyz0309 <45495947@qq.com>
remove blank line
Signed-off-by: jyz0309 <45495947@qq.com>
add allowedImports
Signed-off-by: jyz0309 <45495947@qq.com>
Add mock recorder
Signed-off-by: jyz0309 <45495947@qq.com>
format code
Signed-off-by: jyz0309 <45495947@qq.com>
separate record into 3 functions
Signed-off-by: jyz0309 <45495947@qq.com>
* fix comment
Signed-off-by: jyz0309 <45495947@qq.com>
2021-10-20 20:02:08 -07:00
Patrick Ohly
a8c930ef46
generic ephemeral volume: graduation to GA
...
The feature gate gets locked to "true", with the goal to remove it in two
releases.
All code now can assume that the feature is enabled. Tests for "feature
disabled" are no longer needed and get removed.
Some code wasn't using the new helper functions yet. That gets changed while
touching those lines.
2021-10-11 20:54:20 +02:00
Patrick Ohly
466dcdfcf6
auth: use generic ephemeral volume helper functions
...
The name concatenation and ownership check were originally considered small
enough to not warrant dedicated functions, but the intent of the code is more
readable with them.
2021-10-11 17:33:57 +02:00
Sahil Vazirani
3988405c8d
GA TTLAfterFinish
2021-10-07 16:58:50 -07:00
Jordan Liggitt
77d65dca44
PodSecurity: add namespace update verify benchmark
2021-10-04 12:26:30 -04:00
Jordan Liggitt
13e0887c4c
PodSecurity: add admission benchmark
...
go test ./plugin/pkg/admission/security/podsecurity -bench /pod -benchmem
goos: darwin
goarch: amd64
pkg: k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity
cpu: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
BenchmarkVerifyPod/enforce-implicit_pod-12 702789 1585 ns/op 2120 B/op 12 allocs/op
BenchmarkVerifyPod/enforce-privileged_pod-12 737588 1607 ns/op 2120 B/op 12 allocs/op
BenchmarkVerifyPod/enforce-baseline_pod-12 409818 2974 ns/op 3368 B/op 17 allocs/op
BenchmarkVerifyPod/enforce-restricted_pod-12 370262 3385 ns/op 3368 B/op 17 allocs/op
BenchmarkVerifyPod/warn-baseline_pod-12 391808 3101 ns/op 3368 B/op 17 allocs/op
BenchmarkVerifyPod/warn-restricted_pod-12 349411 3452 ns/op 3368 B/op 17 allocs/op
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 208221 5735 ns/op 5864 B/op 27 allocs/op
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 249662 4849 ns/op 4616 B/op 22 allocs/op
PASS
ok k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity 10.707s
2021-09-21 16:20:11 -04:00
Kubernetes Prow Robot
353f0a5eab
Merge pull request #105095 from wojtek-t/migrate_clock_3
...
Unify towards k8s.io/utils/clock - part 3
2021-09-20 12:46:45 -07:00
wojtekt
d9b08c611d
Migrate to k8s.io/utils/clock
2021-09-17 15:19:08 +02:00
Madhav Jivrajani
b05b9ecbef
replace package realClock impl. with clock.RealClock
...
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
2021-09-14 20:56:57 +05:30
Kubernetes Prow Robot
1a845ccd07
Merge pull request #103603 from mengjiao-liu/update-ingress-to-v1
...
Promote `ingressclass.kubernetes.io/is-default-class` annotation to networking/v1
2021-08-24 20:24:39 -07:00
Stephen Augustus
481cf6fbe7
generated: Run hack/update-gofmt.sh
...
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2021-08-24 15:47:49 -04:00
Jordan Liggitt
47859b7781
Ensure serviceaccount admission produces v1 Pod matching defaults after round-trip
2021-08-23 11:32:10 -04:00
Jordan Liggitt
ccbdf041a2
Fix slice type comparison bug
2021-08-18 11:30:34 -04:00
Damien Grisonnet
f794c8bcd4
plugin: add bootstrap policy for external metrics
...
Since external metrics were added, we weren't running the HPA with
metrics REST clients by default, so we had no bootstrap policy to enable
the HPA controller to talk to the external metrics API.
This change adds permissions for the HPA controller to list and get
external.metrics.k8s.io by default as already done for the
custom.metrics.k8s.io API.
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
2021-08-09 17:33:34 +02:00
Kubernetes Prow Robot
e847b849c4
Merge pull request #103704 from robscott/endpoints-write-remove
...
Remove Endpoints write access from aggregated edit role
2021-07-19 20:57:31 -07:00
Kubernetes Prow Robot
7fd021ba6a
Merge pull request #103703 from robscott/endpointslice-role-revert
...
Revert granting EndpointSlice write access to edit role
2021-07-15 08:20:46 -07:00
Davanum Srinivas
26cc8e40a8
fix deadcode issues
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-14 08:41:21 -04:00
Rob Scott
416efdab26
Remove Endpoints write access from aggregated edit role
2021-07-13 22:17:12 -07:00
Rob Scott
6c61ee51b9
Revert granting EndpointSlice write access to edit role
...
This reverts part of the change introduced by #101203.
2021-07-13 22:13:07 -07:00
Mengjiao Liu
792665e1ea
Promote ingressclass.kubernetes.io/is-default-class annotation to networking/v1
2021-07-09 15:48:13 +08:00
Aldo Culquicondor
2dd2622188
Track Job Pods completion in status
...
Through Job.status.uncountedPodUIDs and a Pod finalizer
An annotation marks if a job should be tracked with new behavior
A separate work queue is used to remove finalizers from orphan pods.
Change-Id: I1862e930257a9d1f7f1b2b0a526ed15bc8c248ad
2021-07-08 17:48:05 +00:00
Davanum Srinivas
79d0c6cdc1
switch from golang-lru to the one in k8s.io/utils
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-07 22:31:37 -04:00
Jordan Liggitt
1dfacd3c70
PodSecurity: use code/reason/details from admission library
2021-07-07 16:25:16 -04:00
Tim Allclair
cf6ba6096f
Move pod-security-admission to an external Attributes interface
2021-07-06 15:15:15 -07:00
Jordan Liggitt
f39bddd767
PodSecurity: kube-apiserver: admission wiring
2021-06-28 17:45:35 -04:00
Tomas Coufal
44cb4a63f6
Allow write on events to edit role
...
Signed-off-by: Tomas Coufal <tcoufal@redhat.com>
2021-06-14 23:13:29 +02:00
Shihang Zhang
88b31814f4
BoundServiceAccountTokenVolume ga
2021-05-13 20:45:47 -07:00
Kubernetes Prow Robot
6ede5ca95f
Merge pull request #101186 from jsafrane/fix-ephemeral-rbac
...
Fix RBAC of generic ephemeral volumes controller
2021-04-20 09:06:45 -07:00
Mike Tougeron
896bb932ef
Add endpointslices to default edit & view RBAC policies
2021-04-16 13:43:32 -07:00
Jan Safranek
cfbe5f1891
Fix RBAC of generic ephemeral volumes controller
...
The controller must be able to "update" finalizers of all pods to make
OwnerReferencesPermissionEnforcement admission plugin happy.
2021-04-16 11:01:54 +02:00
Kubernetes Prow Robot
d51f15ed0d
Merge pull request #100885 from enj/enj/i/auth_owners
...
Update sig-auth OWNERS
2021-04-12 22:18:49 -07:00
Monis Khan
bca4993004
Update auth OWNERS files to only use aliases
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-07 10:46:03 -04:00
Niekvdplas
fec272a7b2
Fixed several spelling mistakes
2021-03-30 23:02:09 +02:00
Patrick Ohly
c4311ae754
generic ephemeral volumes: refresh rbac testdata
...
This is the result of
UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true go test k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy
Apparently enabling the GenericEphemeralVolume feature by default
affects this test. The policy that it now tests against is indeed
the one needed for the controller.
2021-03-09 08:24:52 +01:00
Patrick Ohly
85bfd26c17
CSIStorageCapacity: update rbac test data
...
This is the result of
UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true go test k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy
after enabling the CSIStorageCapacity feature. This enables
additional RBAC entries for reading CSIDriver and
CSIStorageCapacity.
2021-03-08 20:52:50 +01:00
Swetha Repakula
108fd44f7c
Graduate EndpointSlice feature gate to GA
2021-03-06 15:58:47 -08:00
Abdullah Gharaibeh
3c5f018f8e
Add CrossNamespacePodAffinity quota scope and PodAffinityTerm.NamespaceSelector APIs, and CrossNamespacePodAffinity quota scope implementation.
2021-03-03 22:52:43 -05:00
Kubernetes Prow Robot
5498ee641b
Merge pull request #99561 from BenTheElder/remove-bazel
...
Remove Bazel
2021-03-01 09:55:27 -08:00
Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00
Jordan Liggitt
ec4d1b3821
Skip visiting empty secret and configmap names
2021-02-27 15:54:38 -05:00
Kubernetes Prow Robot
267e47f548
Merge pull request #99130 from ayberk/ebs_ga_labels
...
Use GA topology labels for EBS
2021-02-23 23:48:49 -08:00
Shihang Zhang
cbf6e38bbd
move RootCAConfigMap to ga
2021-02-22 15:59:27 -08:00
Kubernetes Prow Robot
031f2afbba
Merge pull request #98931 from michaelbeaumont/kubelet_well_known
...
Move pkg/kubelet/apis to k8s.io/kubelet/pkg/apis
2021-02-20 11:55:41 -08:00
Ayberk Yilmaz
339b8b450f
Use GA topology labels for EBS
2021-02-18 00:34:56 +00:00
Kubernetes Prow Robot
60a0740c95
Merge pull request #98678 from ahg-g/ahg-ttl-beta
...
Graduate TTLAfterFinished to beta
2021-02-09 15:10:59 -08:00
Michael Beaumont
a5a6762d33
Move pkg/kubelet/apis to k8s.io/kubelet/pkg/apis
2021-02-09 21:37:39 +01:00
Abdullah Gharaibeh
880bbdad23
Graduate TTLAfterFinished to beta
2021-02-07 17:23:14 -05:00
Kubernetes Prow Robot
34f138ff83
Merge pull request #97823 from Jiawei0227/translation-lib
...
Preparation for Topology migration to GA for CSI migration
2021-02-02 08:48:28 -08:00
Kubernetes Prow Robot
1119a505ac
Merge pull request #98669 from liggitt/denyexec
...
Remove deprecated DenyEscalatingExec / DenyExecOnPrivileged admission
2021-02-02 06:52:28 -08:00
Jordan Liggitt
3579f88e4d
Remove deprecated DenyEscalatingExec / DenyExecOnPrivileged admission
2021-02-01 16:55:22 -05:00
Michael Taufen
6aa80d9172
Graduate ServiceAccountIssuerDiscovery to GA
...
Waiting on KEP updates first:
https://github.com/kubernetes/enhancements/pull/2363
2021-02-01 11:44:23 -08:00
Kubernetes Prow Robot
3667e0e9f7
Merge pull request #98147 from deads2k/system-masters-delete
...
add check to gc_admission to allow super users to skip RESTMapping
2021-01-28 17:52:02 -08:00
Kubernetes Prow Robot
24f13032b3
Merge pull request #97395 from thockin/externalips-admission
...
Add denyserviceexternalips admission (KEP 2200)
2021-01-28 12:33:11 -08:00
David Eads
ff6684d90f
add check to gc_admission to allow super users to skip RESTMapping
2021-01-27 16:53:33 -05:00
Jiawei Wang
67fed317a1
Prepare for Topology migration to GA from CSI migration
...
This also includes a change on CSI migration TranslateCSIToInTree
where we remove the CSI topology and add Kubernetes Topology to
the NodeAffinity
2021-01-20 10:49:58 -08:00
Kubernetes Prow Robot
1f0ef8e679
Merge pull request #97293 from roycaihw/storage-version/gc-rbac
...
add rbac rule for storage version garbage collector
2021-01-11 08:39:07 -08:00
Haowei Cai
83b30bc92f
generated
2021-01-08 11:39:41 -08:00
Haowei Cai
be172d6900
add rbac role for storage version GC
2021-01-08 11:39:08 -08:00
Tim Hockin
a8299079a5
Add denyserviceexternalips admission
2020-12-29 10:00:11 -08:00
Tim Hockin
02b77861ec
Move defaultingressclass admission to net subdir
2020-12-28 09:58:30 -08:00
ialidzhikov
bc432124a2
Remove CSINodeInfo feature gate
...
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
2020-12-10 09:58:22 +02:00
Kubernetes Prow Robot
96efb71094
Merge pull request #97020 from mikedanese/errfix
...
hoist error message change in token registry to noderestriction
2020-12-08 21:06:42 -08:00
Mike Danese
84995167d6
hoist error message change in token registry to noderestriction
...
The token registry error message was changed in
5eefd7d012
to exclude some object details.
This error comes from noderestriction under some circumstances. Let's
make sure they match.
Change-Id: If9240f5c1a131d27dce389e2c6eca6c33d681f3b
2020-12-02 10:58:25 -08:00
pacoxu
dd3179ee93
AlwaysPullImages: ignore updates that don't change the images referenced by the pod spec
...
Signed-off-by: pacoxu <paco.xu@daocloud.io>
2020-12-01 06:59:57 +08:00
Sergey Kanzhelev
06da0e5e74
GA of RuntimeClass feature gate and API
2020-11-11 19:22:32 +00:00
Maciej Borsz
4d81f7e129
Improve observability of node authorizer:
...
* Adding some metrics to the graph
* Adding log message when node authorizer has synced
Change-Id: I3447d6bc389a0b82ded1db2a7a4ae41d79486c2b
2020-11-10 08:40:46 +01:00
Tim Hockin
819ff9b087
Use topology labels instead of old beta names (#96033)
...
* Rename const for topology.../zone
* Rename const for topology.../region
* Rename const for failure-domain.../zone
* Rename const for failure-domain.../region
* Restore old names for compat
2020-11-05 20:26:50 -08:00
Shihang Zhang
d40f0c43c4
separate RootCAConfigMap from BoundServiceAccountTokenVolume
2020-11-04 17:10:39 -08:00
Jan Chaloupka
a5920f7edb
Move helpers from pkg/registry/rbac/reconciliation and pkg/registry/rbac/validation under k8s.io/component-helpers
2020-11-02 17:51:16 +01:00
Abu Kashem
53a1307f68
make backoff parameters configurable for webhook
...
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.
2020-11-01 10:18:25 -05:00
Shihang Zhang
ff641f6eb2
mv TokenRequest and TokenRequestProjection to GA
2020-10-29 20:47:01 -07:00
cici37
95acec5a3b
Move client_builder to k8s.io/controller-manager
2020-10-19 14:48:22 -07:00
shuang zhang
f0ea54070b
Replace AreLabelsInWhiteList with isSubset
2020-10-05 22:07:47 +08:00
Kubernetes Prow Robot
ccfdc09f35
Merge pull request #91683 from tedyu/mirror-pod-owner-ref
...
Mirror pod without OwnerReference should not be created
2020-09-25 11:02:48 -07:00
Kubernetes Prow Robot
e7b9453972
Merge pull request #93537 from timuthy/enhancement.move-resourcequota
...
Move ResourceQuota admission to k8s.io/apiserver lib
2020-09-15 12:26:58 -07:00
David Eads
c0c033b12f
generated
2020-09-14 09:24:41 -04:00
David Eads
c7911a384c
remove pod presets
2020-09-14 09:24:40 -04:00
Michael Taufen
4f850f97de
Graduate ServiceAccountIssuerDiscovery to beta
2020-09-11 12:01:47 -07:00
Tim Usner
70d440bc7e
Move ResourceQuota admission to k8s.io/apiserver
2020-09-04 14:53:52 +02:00
Kubernetes Prow Robot
bb9ae50888
Merge pull request #93389 from fisherxu/return-err
...
Return err directly when nodename in node object is not consistent with in cert
2020-08-28 06:37:12 -07:00
Kubernetes Prow Robot
a9d1482710
Merge pull request #93311 from logicalhan/monitoring-role
...
Add bootstrap policy for monitoring endpoints
2020-08-28 06:36:52 -07:00
Davanum Srinivas
3421199494
Sign up dims for additional review roles
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-08-08 19:08:38 -04:00
David Eads
7c25f39eb8
add permissions required by endpoints controller for blockOwnerDeletion
2020-07-28 13:13:38 -04:00
xufei 00416946
f787db2508
return err directly when nodename is not consistent in cert
2020-07-25 09:10:32 +08:00
Han Kang
f57611970c
add bootstrap policy for monitoring roles
...
(we enable metrics and pprof by default, but that doesn't mean
we should have full cluster-admin access to use those endpoints)
Change-Id: I20cf1a0c817ffe3b7fb8e5d3967f804dc063ab03
remove pprof but add read access to detailed health checks
Change-Id: I96c0997be2a538aa8c689dea25026bba638d6e7d
add base health check endpoints and remove the todo for flowcontrol, as there is an existing ticket
Change-Id: I8a7d6debeaf91e06d8ace3cb2bd04d71ef3e68a9
drop blank line
Change-Id: I691e72e9dee3cf7276c725a12207d64db88f4651
2020-07-24 09:21:55 -07:00
Kubernetes Prow Robot
0cb7e320a5
Merge pull request #92784 from pohly/generic-ephemeral-inline-volumes
...
generic ephemeral inline volumes
2020-07-10 15:41:46 -07:00
Kubernetes Prow Robot
4efed03276
Merge pull request #91637 from robscott/endpointslice-mirroring
...
Adding new EndpointSlice Mirroring Controller
2020-07-10 10:19:48 -07:00
Patrick Ohly
ff3e5e06a7
GenericEphemeralVolume: initial implementation
...
The implementation consists of
- identifying all places where VolumeSource.PersistentVolumeClaim has
a special meaning and then ensuring that the same code path is taken
for an ephemeral volume, with the ownership check
- adding a controller that produces the PVCs for each embedded
VolumeSource.EphemeralVolume
- relaxing the PVC protection controller such that it removes
the finalizer already before the pod is deleted (only
if the GenericEphemeralVolume feature is enabled): this is
needed to break a cycle where foreground deletion of the pod
blocks on removing the PVC, which waits for deletion of the pod
The controller was derived from the endpointslices controller.
2020-07-09 23:29:24 +02:00
Patrick Ohly
c05c8e915b
GenericEphemeralVolume: feature gate, API, documentation
...
As explained in
https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1698-generic-ephemeral-volumes,
CSI inline volumes are not suitable for more "normal" kinds of storage
systems. For those a new approach is needed: "generic ephemeral inline
volumes".
2020-07-09 11:02:59 +02:00
Kubernetes Prow Robot
94a08e159a
Merge pull request #92387 from pohly/csi-storage-capacity
...
CSI storage capacity check
2020-07-09 00:04:59 -07:00
Rob Scott
e701cb0205
Enabling the EndpointSliceMirroring controller, adding related config
2020-07-06 12:43:34 -07:00
Patrick Ohly
0efbbe8555
CSIStorageCapacity: check for sufficient storage in volume binder
...
This uses the information provided by a CSI driver deployment for
checking whether a node has access to enough storage to create the
currently unbound volumes, if the CSI driver opts into that checking
with CSIDriver.Spec.VolumeCapacity != false.
This resolves a TODO from commit 95b530366a.
2020-07-06 19:20:10 +02:00
Paulo Gomes
8976e3620f
Add seccomp enforcement and validation based on new GA fields
...
Adds seccomp validation.
This ensures that field and annotation values must match when present.
Co-authored-by: Sascha Grunert <sgrunert@suse.com>
2020-07-06 09:13:25 +01:00
Alex Wang
209117413f
Promote NonPreempt feature gate to beta (#91899)
...
* update nonpreempt featuregate to beta
* update
2020-06-30 00:02:56 -07:00
Kubernetes Prow Robot
71c352dee3
Merge pull request #87582 from mrueg/ptr
...
PodTolerationRestriction: Mention Whitelist Scope in Error
2020-06-29 13:07:59 -07:00
Shihang Zhang
613a712717
default to add projected fstype in psp when boundedserviceaccounttoken is enabled
2020-06-24 09:09:27 -07:00
Ted Yu
9f95fdd3cd
Mirror pod without OwnerReference should not be created
...
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
2020-06-21 08:00:17 -07:00
Christopher M. Luciano
92506a98fc
ingress: Update IngressClass feature and admission controller for v1
...
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-06-17 12:11:31 -04:00
Kubernetes Prow Robot
11fe6e815f
Merge pull request #91713 from liggitt/csr-v1-manager
...
CSR v1 - switch controllers
2020-06-09 14:49:30 -07:00
Andrew Keesler
a1de5a86ff
Migrate a single node_authorizer.go klog.Infof call to klog.InfoS (#91591)
...
* Migrate a single node_authorizer.go klog.Infof call to klog.InfoS
We are starting with the log lines that show up most often.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
* Remove quotes from error for readability
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
* node_authorizer.go: use %s for node names for log uniformity
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
* node_authorizer.go: single-quote node name for readability++
This is good because:
1) the node name is clear in the log line
2) the node names shows up the same in {un-,}structured logs
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-06-09 14:49:01 -07:00
Jordan Liggitt
db4ca87d9d
Switch CSR approver/signer/cleaner controllers to v1
2020-06-05 18:45:34 -04:00
Jordan Liggitt
0e062981d1
Detect PSP enablement more accurately
2020-06-03 13:14:19 -04:00
Jordan Liggitt
7049149181
Generated files
2020-05-28 16:53:23 -04:00
Jordan Liggitt
377adfa2b7
Make signer admission plugin check on condition update
2020-05-28 12:20:40 -04:00
Kubernetes Prow Robot
9f5d9a9bef
Merge pull request #91315 from jherrera123/master
...
Fix runtime admission flaky test due to race condition
2020-05-22 10:45:11 -07:00
Jesus Herrera
a5800ab4cb
Fix linter and bazel errors
2020-05-21 23:06:56 -04:00
Jesus Herrera
6b8e2cc24e
Fix runtime admission flaky test due to race condition
2020-05-20 20:29:51 -04:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Jordan Liggitt
fd78947489
Indicate node authorizer does not support rule resolution
2020-05-12 20:34:13 -04:00
Jiajie Yang
ae0e52d28c
Monitoring safe rollout of time-bound service account token.
2020-04-22 11:59:16 -07:00
Jordan Liggitt
ba4d2aa076
Restrict node labels on Node create
2020-04-20 16:26:24 -04:00
Kubernetes Prow Robot
8a4bf39884
Merge pull request #82814 from porridge/patch-1
...
Fix a couple of typos
2020-04-14 06:20:13 -07:00
Kubernetes Prow Robot
6239abe698
Merge pull request #89225 from andrewsykim/apparmor-api
...
move apparmor annotation constants to k8s.io/api/core/v1
2020-04-12 19:11:50 -07:00
Gaurav Sofat
ac0ce7338e
Reflect DecisionNoOpinion in RBAC authorizer logs (#89608)
...
* Reflect DecisionNoOpinion in RBAC authorizer logs
* Modify RBAC authorizer log message
2020-04-08 13:37:44 -07:00
Andrew Sy Kim
2e56866c97
move apparmor annotation constants to k8s.io/api/core/v1
...
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-04-06 10:22:04 -04:00
Kubernetes Prow Robot
561e86e241
Merge pull request #89696 from flant/service-account-volume-name-with-dot
...
Fix service account names with a dot
2020-04-01 19:26:25 -07:00
Maru Newby
76207fe3d2
Fix permissions for endpointslice controller
...
The controller needs to be able to set a service's finalizers to be
able to create an EndpointSlice resource that is owned by the service
and sets blockOwnerDeletion=true in its ownerRef.
2020-04-01 10:32:11 -07:00
m.nabokikh
ea32811cbd
Fix service account names with a dot
...
This fix provides the ability to mount service account tokens to pods. The core problem is the volumeName option can't contain any dots.
2020-03-31 21:42:04 +04:00
Shihang Zhang
b56da85a77
sync api/v1/pod/util with api/pod/util and remove DefaultContainers
2020-03-24 16:42:32 -07:00
Kubernetes Prow Robot
0549d0e7db
Merge pull request #88943 from tedyu/visitor-container-type
...
Visitors of Configmaps and Secrets should specify which containers to visit
2020-03-20 09:20:36 -07:00
Ted Yu
e0dbbf0a65
Visitors of Configmaps and Secrets should specify which containers to visit
...
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
2020-03-20 07:59:44 -07:00
Kubernetes Prow Robot
50d574bf7f
Merge pull request #88344 from enj/enj/i/sa_oidc_all_authenticated
...
Allow system:serviceaccounts to read the SA discovery endpoints
2020-03-17 16:20:47 -07:00
Monis Khan
a38071cc81
Allow system:serviceaccounts to read the SA discovery endpoints
...
This change allows all service accounts to read the service account
issuer discovery endpoints.
This guarantees that in-cluster services can rely on this info being
available to them.
Signed-off-by: Monis Khan <mok@vmware.com>
2020-03-09 13:40:46 -04:00
Christian Huffman
c6fd25d100
Updated CSIDriver references
2020-03-06 08:21:26 -05:00
Rob Scott
132d2afca0
Adding IngressClass to networking/v1beta1
...
Co-authored-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-03-01 18:17:09 -08:00
Kubernetes Prow Robot
03b7f272c8
Merge pull request #88246 from munnerz/csr-signername-controllers
...
Update CSR controllers & kubelet to respect signerName field
2020-02-28 23:38:39 -08:00
Jefftree
d318e52ffe
authentication webhook via network proxy
2020-02-27 17:47:23 -08:00
Jordan Liggitt
57ea7a11a6
Remove global variable dependency from runtimeclass admission
2020-02-27 15:23:52 -05:00
James Munnelly
d7e10f9869
Add Certificate signerName admission plugins
2020-02-27 15:50:14 +00:00
Kubernetes Prow Robot
8ca96f3e07
Merge pull request #80724 from cceckman/provider-info-e2e
...
Provide OIDC discovery for service account token issuer
2020-02-13 01:38:35 -08:00
Kubernetes Prow Robot
d5ea2f15b5
Merge pull request #87234 from KobayashiD27/fix-golint
...
fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy
2020-02-12 02:23:05 -08:00
Manuel Rüger
eb6c716927
PodTolerationRestriction: Mention Whitelist Scope in Error
...
Currently it's not clear if the issue came from the namespace whitelist
or if the namespace whitelist was not applied at all (i.e. via a misspelled
annotation). This makes the error more explicit if the pod tolerations
caused a conflict with the cluster-level or namespace-level whitelist.
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
2020-02-12 11:06:59 +01:00
Charles Eckman
5a176ac772
Provide OIDC discovery endpoints
...
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
Jordan Liggitt
8a3f587b04
Add fast path to node authorizer for node/edge removal
2020-02-10 13:51:33 -05:00
Jordan Liggitt
3e0c0792d7
Switch node authorizer index to refcounts
2020-02-10 13:24:13 -05:00
Jordan Liggitt
6d335372b2
Add configmap->node destination edges to the node authorizer index
2020-02-10 13:23:50 -05:00
Mike Danese
25651408ae
generated: run refactor
2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00
Kubernetes Prow Robot
91738cb031
Merge pull request #87688 from mborsz/node2
...
Add a fast path for adding new node in node_authorizer
2020-02-07 05:57:03 -08:00
Tim Allclair
9d3670f358
Ensure testing credentials are labeled as such
2020-02-04 10:36:05 -08:00
Maciej Borsz
69df8a8230
Add a fast path for adding new node in node_authorizer.
...
This seems to improve WriteIndexMaintenance benchmark:
Before:
BenchmarkWriteIndexMaintenance-12 1034 1157922 ns/op 1906 B/op 41 allocs/op
After:
BenchmarkWriteIndexMaintenance-12 4891 239821 ns/op 1572 B/op 37 allocs/op
2020-02-04 11:32:06 +01:00
Kubernetes Prow Robot
1bb68a2cde
Merge pull request #87693 from liggitt/node-authz-index
...
Fix node authorizer index recomputation
2020-01-30 21:20:55 -08:00
Jordan Liggitt
d8c00b7f52
Fix node authorizer index recomputation
2020-01-30 13:29:57 -05:00
Mike Danese
968adfa993
cleanup req.Context() and ResponseWrapper
2020-01-29 08:50:45 -08:00
Mike Danese
d55d6175f8
refactor
2020-01-29 08:50:45 -08:00