github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-19 09:52:49 +00:00
Code Issues Projects Releases Wiki Activity
115,151 Commits 42 Branches 7,874 Tags 1.3 GiB
master
Commit Graph

3197 Commits

Author SHA1 Message Date
Ted Yu
9f95fdd3cd Mirror pod without OwnerReference should not be created 
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
 2020-06-21 08:00:17 -07:00
Christopher M. Luciano
92506a98fc
ingress: Update IngressClass feature and admission controller for v1 
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
 2020-06-17 12:11:31 -04:00
Kubernetes Prow Robot
11fe6e815f
Merge pull request #91713 from liggitt/csr-v1-manager 
CSR v1 - switch controllers
 2020-06-09 14:49:30 -07:00
Andrew Keesler
a1de5a86ff
Migrate a single node_authorizer.go klog.Infof call to klog.InfoS (#91591) 
* Migrate a single node_authorizer.go klog.Infof call to klog.InfoS

We are starting with the log lines that show up most often.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

* Remove quotes from error for readability

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

* node_authorizer.go: use %s for node names for log uniformity

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

* node_authorizer.go: single-quote node name for readability++

This is good because:
1) the node name is clear in the log line
2) the node names shows up the same in {un-,}structured logs

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-06-09 14:49:01 -07:00
Jordan Liggitt
db4ca87d9d Switch CSR approver/signer/cleaner controllers to v1 2020-06-05 18:45:34 -04:00
Jordan Liggitt
0e062981d1 Detect PSP enablement more accurately 2020-06-03 13:14:19 -04:00
Jordan Liggitt
7049149181 Generated files 2020-05-28 16:53:23 -04:00
Jordan Liggitt
377adfa2b7 Make signer admission plugin check on condition update 2020-05-28 12:20:40 -04:00
Kubernetes Prow Robot
9f5d9a9bef
Merge pull request #91315 from jherrera123/master 
Fix runtime admission flaky test due to race condition
 2020-05-22 10:45:11 -07:00
Jesus Herrera
a5800ab4cb Fix linter and bazel errors 2020-05-21 23:06:56 -04:00
Jesus Herrera
6b8e2cc24e Fix runtime admission flaky test due to race condition 2020-05-20 20:29:51 -04:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-05-16 07:54:27 -04:00
Jordan Liggitt
fd78947489 Indicate node authorizer does not support rule resolution 2020-05-12 20:34:13 -04:00
Jiajie Yang
ae0e52d28c Monitoring safe rollout of time-bound service account token. 2020-04-22 11:59:16 -07:00
Jordan Liggitt
ba4d2aa076 Restrict node labels on Node create 2020-04-20 16:26:24 -04:00
Kubernetes Prow Robot
8a4bf39884
Merge pull request #82814 from porridge/patch-1 
Fix a couple of typos
 2020-04-14 06:20:13 -07:00
Kubernetes Prow Robot
6239abe698
Merge pull request #89225 from andrewsykim/apparmor-api 
move apparmor annotation constants to k8s.io/api/core/v1
 2020-04-12 19:11:50 -07:00
Gaurav Sofat
ac0ce7338e
Reflect DecisionNoOpinion in RBAC authorizer logs (#89608) 
* Reflect DecisionNoOpinion in RBAC authorizer logs

* Modify RBAC authorizer log message
 2020-04-08 13:37:44 -07:00
Andrew Sy Kim
2e56866c97 move apparmor annotation constants to k8s.io/api/core/v1 
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
 2020-04-06 10:22:04 -04:00
Kubernetes Prow Robot
561e86e241
Merge pull request #89696 from flant/service-account-volume-name-with-dot 
Fix service account names with a dot
 2020-04-01 19:26:25 -07:00
Maru Newby
76207fe3d2 Fix permissions for endpointslice controller 
The controller needs to be able to set a service's finalizers to be
able to create an EndpointSlice resource that is owned by the service
and sets blockOwnerDeletion=true in its ownerRef.
 2020-04-01 10:32:11 -07:00
m.nabokikh
ea32811cbd Fix service account names with a dot 
This fix provides the ability to mount service account tokens to pods. The core problem is the volumeName option can't contain any dots.
 2020-03-31 21:42:04 +04:00
Shihang Zhang
b56da85a77 sync api/v1/pod/util with api/pod/util and remove DefaultContainers 2020-03-24 16:42:32 -07:00
Kubernetes Prow Robot
0549d0e7db
Merge pull request #88943 from tedyu/visitor-container-type 
Visitors of Configmaps and Secrets should specify which containers to visit
 2020-03-20 09:20:36 -07:00
Ted Yu
e0dbbf0a65 Visitors of Configmaps and Secrets should specify which containers to visit 
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
 2020-03-20 07:59:44 -07:00
Kubernetes Prow Robot
50d574bf7f
Merge pull request #88344 from enj/enj/i/sa_oidc_all_authenticated 
Allow system:serviceaccounts to read the SA discovery endpoints
 2020-03-17 16:20:47 -07:00
Monis Khan
a38071cc81
Allow system:serviceaccounts to read the SA discovery endpoints 
This change allows all service accounts to read the service account
issuer discovery endpoints.

This guarantees that in-cluster services can rely on this info being
available to them.

Signed-off-by: Monis Khan <mok@vmware.com>
 2020-03-09 13:40:46 -04:00
Christian Huffman
c6fd25d100 Updated CSIDriver references 2020-03-06 08:21:26 -05:00
Rob Scott
132d2afca0
Adding IngressClass to networking/v1beta1 
Co-authored-by: Christopher M. Luciano <cmluciano@us.ibm.com>
 2020-03-01 18:17:09 -08:00
Kubernetes Prow Robot
03b7f272c8
Merge pull request #88246 from munnerz/csr-signername-controllers 
Update CSR controllers & kubelet to respect signerName field
 2020-02-28 23:38:39 -08:00
Jefftree
d318e52ffe authentication webhook via network proxy 2020-02-27 17:47:23 -08:00
Jordan Liggitt
57ea7a11a6 Remove global variable dependency from runtimeclass admission 2020-02-27 15:23:52 -05:00
James Munnelly
d7e10f9869 Add Certificate signerName admission plugins 2020-02-27 15:50:14 +00:00
Kubernetes Prow Robot
8ca96f3e07
Merge pull request #80724 from cceckman/provider-info-e2e 
Provide OIDC discovery for service account token issuer
 2020-02-13 01:38:35 -08:00
Kubernetes Prow Robot
d5ea2f15b5
Merge pull request #87234 from KobayashiD27/fix-golint 
fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy
 2020-02-12 02:23:05 -08:00
Manuel Rüger
eb6c716927 PodTolerationRestriction: Mention Whitelist Scope in Error 
Currently it's not clear if the issue came from the namespace whitelist
of if the namespace whitelist was not applied at all (i.e. via a misspelled
annotation). This makes the error more explicit if the pod tolerations
caused a conflict with cluster-level or namespace-level whitelist.

Signed-off-by: Manuel Rüger <manuel@rueg.eu>
 2020-02-12 11:06:59 +01:00
Charles Eckman
5a176ac772 Provide OIDC discovery endpoints 
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.

Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
  the API server's external address and port.

- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).

- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the from the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.

Co-authored-by: Michael Taufen <mtaufen@google.com>
 2020-02-11 16:23:31 -08:00
Jordan Liggitt
8a3f587b04 Add fast path to node authorizer for node/edge removal 2020-02-10 13:51:33 -05:00
Jordan Liggitt
3e0c0792d7 Switch node authorizer index to refcounts 2020-02-10 13:24:13 -05:00
Jordan Liggitt
6d335372b2 Add configmap->node destination edges to the node authorizer index 2020-02-10 13:23:50 -05:00
Mike Danese
25651408ae generated: run refactor 2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30 generated: run refactor 2020-02-07 18:16:47 -08:00
Kubernetes Prow Robot
91738cb031
Merge pull request #87688 from mborsz/node2 
Add a fast path for adding new node in node_authorizer
 2020-02-07 05:57:03 -08:00
Tim Allclair
9d3670f358 Ensure testing credentials are labeled as such 2020-02-04 10:36:05 -08:00
Maciej Borsz
69df8a8230 Add a fast path for adding new node in node_autorizer. 
This seems to improve WriteIndexMaintenance benchmark:

Before:
BenchmarkWriteIndexMaintenance-12    	    1034	   1157922 ns/op	    1906 B/op	      41 allocs/op
After:
BenchmarkWriteIndexMaintenance-12    	    4891	    239821 ns/op	    1572 B/op	      37 allocs/op
 2020-02-04 11:32:06 +01:00
Kubernetes Prow Robot
1bb68a2cde
Merge pull request #87693 from liggitt/node-authz-index 
Fix node authorizer index recomputation
 2020-01-30 21:20:55 -08:00
Jordan Liggitt
d8c00b7f52 Fix node authorizer index recomputation 2020-01-30 13:29:57 -05:00
Mike Danese
968adfa993 cleanup req.Context() and ResponseWrapper 2020-01-29 08:50:45 -08:00
Mike Danese
d55d6175f8 refactor 2020-01-29 08:50:45 -08:00
Kubernetes Prow Robot
9633dd63b2
Merge pull request #87239 from lemonli/cleanup/node-authorizer 
clean up node_authorizer code: verb judgement
 2020-01-24 19:21:15 -08:00
Rob Scott
469de65c25
Enabling EndpointSlice feature gate by default 
This enables the EndpointSlice controller by default, but does not make
kube-proxy a consumer of the EndpointSlice API.
 2020-01-17 16:19:29 -08:00
Kobayashi Daisuke
0c3112fff3 fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy 2020-01-16 09:23:16 +09:00
lemonli
2498dbf636 clean node_authorizer code: verb judgement 2020-01-15 18:08:09 +08:00
Jordan Liggitt
39e373fc45 Do not require token secrets when using bound service account tokens 2020-01-09 13:20:45 -05:00
wojtekt
1657ef25eb Extend authorization benchmark 2019-12-12 16:20:38 +01:00
Kubernetes Prow Robot
14fe931e9f
Merge pull request #85375 from liggitt/delegated-list-watch 
Add single-item list/watch to delegated authentication reader role
 2019-11-15 20:49:41 -08:00
Kubernetes Prow Robot
5848ee4945
Merge pull request #85365 from robscott/endpointslice-default-off 
Disabling EndpointSlice feature gate by default
 2019-11-15 17:57:50 -08:00
Jordan Liggitt
ba93157fd2 Add single-item list/watch to delegated authentication reader role 2019-11-15 20:37:43 -05:00
Rob Scott
37aa219fff
Disabling EndpointSlice feature gate by default 
Given the significance this change would have we've decided to hold off
on enabling this by default until we can have better test coverage and
more real world usage of the feature.
 2019-11-15 14:54:35 -08:00
David Zhu
e64a4bc631 Update attachdetach-controller role to include permissions to get, list, and watch csinodes for CSIMigration 2019-11-15 11:22:35 -08:00
Roc Chan
c9cf3f5b72 Service Topology implementation 
* Implement Service Topology for ipvs and iptables proxier
* Add test files
* API validation
 2019-11-15 13:36:43 +08:00
Tim Allclair (St. Clair)
581d3e26c9 Restrict mirror pod owner references (#84657) 
* Restrict mirror pod owners.

See http://git.k8s.io/enhancements/keps/sig-auth/20190916-noderestriction-pods.md

* Address feedback, refactor test

* Verify node owner UID
 2019-11-14 20:52:16 -08:00
Rob Scott
a7e589a8c6
Promoting EndpointSlices to beta 2019-11-13 14:20:19 -08:00
Kubernetes Prow Robot
195664db0e
Merge pull request #85099 from liggitt/quota-config-v1 
Promote apiserver.config.k8s.io/v1, kind=ResourceQuotaConfiguration
 2019-11-13 13:02:52 -08:00
draveness
5cb92260a6 feat: graduate ResourceQuotaScopeSelectors to GA 2019-11-13 14:07:22 +08:00
Kubernetes Prow Robot
bb55aa7c54
Merge pull request #76310 from ravisantoshgudimetla/fix-priority-quota 
Relax namespace restriction for critical pods
 2019-11-12 19:00:11 -08:00
ravisantoshgudimetla
f2cbbe228f BUILD files 2019-11-12 17:22:14 -05:00
ravisantoshgudimetla
fe4cac73c8 Relax namespace restriction for critical pods 2019-11-12 17:22:09 -05:00
Kubernetes Prow Robot
c580a12c8e
Merge pull request #83568 from bertinatto/volume_limits_ga 
Promote volume limits to GA
 2019-11-12 11:50:22 -08:00
Kubernetes Prow Robot
94efa988f4
Merge pull request #84813 from deads2k/admission-feature-gates 
remove global variable dependency from admission plugins
 2019-11-12 10:23:14 -08:00
David Eads
83f6f2717e remove global variable dep in admission 2019-11-12 10:55:14 -05:00
Jordan Liggitt
7d3012f297 Promote resource quota admission configuration to v1 2019-11-12 09:03:55 -05:00
Fabio Bertinatto
affcd0128b Promote volume limits to GA 2019-11-12 09:43:53 +01:00
Kubernetes Prow Robot
9cf309ed59
Merge pull request #82049 from andrewsykim/ga-node-instance-type-label 
Promote Node Instance Type Label to GA
 2019-11-08 13:47:58 -08:00
David Eads
675c2fb924 add featuregate inspection as admission plugin initializer 2019-11-08 13:07:40 -05:00
Kubernetes Prow Robot
ae15368355
Merge pull request #84351 from wojtek-t/promote_node_lease_to_GA 
Promote node lease to GA
 2019-11-08 09:00:15 -08:00
Andrew Sy Kim
560b8efb79 noderestriction: update node restriction unit tests to use stable instance-type label 
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
 2019-11-08 11:17:58 -05:00
Andrew Sy Kim
349749644f test/e2e: check both beta and zone label for getting cluster zone 
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
 2019-11-07 21:22:05 -05:00
Andrew Sy Kim
4c194d52da kubelet: set both deprecated Beta and GA labels for zone/region topology from the cloud provider 
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
 2019-11-07 21:22:04 -05:00
Wei Huang
019d7497a5
bazel files 2019-11-05 20:57:21 -08:00
Wei Huang
dd74205bcf
Move out const strings in pkg/scheduler/api/well_known_labels.go 2019-11-05 20:56:21 -08:00
wojtekt
ffad401b4e Promote NodeLease feature to GA 2019-11-05 09:01:12 +01:00
Kubernetes Prow Robot
1d1385af91
Merge pull request #83474 from msau42/topology-ga 
CSI Topology ga
 2019-11-04 15:28:27 -08:00
Kubernetes Prow Robot
0c88c4893f
Merge pull request #84275 from liggitt/beta-gate-runtimeclass-informers 
Feature-gate RuntimeClass informer starts
 2019-10-28 17:48:42 -07:00
Michelle Au
603a2aa8a9 Add CSINode to storage/v1 2019-10-28 13:41:13 -07:00
wojtekt
fafbad45aa Update bootstrappolicy RBAC rules for migration to lease API 2019-10-28 09:09:03 +01:00
Kubernetes Prow Robot
a3560d3ad9
Merge pull request #84282 from yutedz/rm-csi-rbac-roles 
Remove deprecated CSI RBAC roles
 2019-10-24 22:56:14 -07:00
Kubernetes Prow Robot
06252a4630
Merge pull request #84260 from tallclair/status-restrict 
Forbid label updates by nodes through pod/status
 2019-10-24 16:56:43 -07:00
Ted Yu
13596e5249 Remove obsolete CSI RBAC roles 2019-10-24 05:33:02 -07:00
Kubernetes Prow Robot
2c4cba8aa0
Merge pull request #82365 from jkaniuk/pod-gc 
Pod GC controller - use node lister
 2019-10-24 03:13:06 -07:00
Jordan Liggitt
20b2439457 Feature-gate RuntimeClass informer starts 2019-10-24 01:18:07 -04:00
Tim Allclair
ac2b300ed9 Update bazel 2019-10-23 16:43:03 -07:00
Tim Allclair
fea3111554 Forbid label updates by nodes through pod/status 2019-10-23 15:54:40 -07:00
yue9944882
09cf42d67c switch system priority class to versioned (v1) api 
move all the helpers to scheduling v1 helpers

less explicit conversion
 2019-10-24 00:51:57 +08:00
Jacek Kaniuk
e6e026f1ad Allow pod-garbage-collector to get nodes 2019-10-23 16:54:38 +02:00
draveness
1163a1d51e feat: update taint nodes by condition to GA 2019-10-19 09:17:41 +08:00
Kubernetes Prow Robot
4f1c5b8cac
Merge pull request #81940 from carlory/fix-appserver 
fix static check failures
 2019-10-10 12:07:21 -07:00
carlory
f6bb24129e fix static check failures 2019-10-10 22:59:09 +08:00
Jordan Liggitt
92ea33efc5 Clean up TODOs 2019-10-03 09:23:10 -04:00
Mahendra Kariya
3698100224 Fix golint errors in pkg/apis/core (#82919) 
* Fix lint errors related to receiver name

Ref #68026

* Fix lint errors related to comments

Ref #68026

* Fix package name in comments

Ref #68026

* Rename Cpu to CPU

Ref #68026

* Fix lint errors related to naming convention

Ref #68026

* Remove deprecated field

DoNotUse_ExternalID has been deprecated and is not in use anymore.
It has been removed to fix lint errors related to underscores in field
names.

Ref #68026, #61966

* Include pkg/apis/core in golint check

Ref #68026

* Rename var to fix lint errors

Ref #68026

* Revert "Remove deprecated field"

This reverts commit 75e9bfc168077fcb9346e334b59d60a2c997735b.

Ref #82919

* Remove math from godoc

Ref #82919, #68026

* Remove underscore from var name

Ref #68026

* Rename var in staging core api type

Ref #68026
 2019-09-25 11:06:51 -07:00
Kubernetes Prow Robot
327f53ba57
Merge pull request #83064 from liggitt/propagate-context 
Propagate context to remote authorize/authenticate webhook calls
 2019-09-25 09:32:01 -07:00
Jordan Liggitt
b78edd86b8 Plumb context to webhook calls 2019-09-24 21:59:59 -04:00
Jordan Liggitt
4c686ddc1c Propagate context to ExponentialBackoff 2019-09-24 21:59:59 -04:00
Jordan Liggitt
92eb072989 Propagate context to Authorize() calls 2019-09-24 11:14:54 -04:00
Kubernetes Prow Robot
ac8ac0fc17
Merge pull request #82830 from jsafrane/pv-admission-fix 
Do not query the cloud if dynamic PV has all the labels
 2019-09-20 12:27:38 -07:00
Kubernetes Prow Robot
c7619bd770
Merge pull request #80824 from damemi/preemption-e2e-to-integration 
Move PodPriorityResolution e2e to integration
 2019-09-20 12:27:25 -07:00
Mike Dame
ca18b48151 Move PodPriorityResolution e2e to integration 2019-09-19 20:25:03 -04:00
Jan Safranek
a160bf8a59 Do not query the cloud if PV has all the labels 
This saves one cloud API call.
 2019-09-18 14:56:28 +02:00
Marcin Owsiany
2a75058943
Fix a couple of typos 2019-09-18 09:45:10 +02:00
Yassine TIJANI
18b185b5e8 adding yastij as a reviewer for the runtimeclass admission controller 
Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
 2019-09-10 20:34:28 +02:00
Kubernetes Prow Robot
0ff92e36f2
Merge pull request #82153 from robscott/endpointslice-rbac 
Adding EndpointSlice RBAC for node-proxier/kube-proxy
 2019-08-30 13:05:14 -07:00
Kubernetes Prow Robot
7acb066dbc
Merge pull request #81969 from logicalhan/livez 
add `/livez` endpoint for liveness probing on the kube-apiserver
 2019-08-29 19:56:31 -07:00
Rob Scott
1f5070e81c
Adding EndpointSlice RBAC for node-proxier/kube-proxy 2019-08-29 16:55:18 -07:00
Han Kang
aa1b2d6d35 add /livez as a liveness endpoint for kube-apiserver 
go fmt

make func private

refactor config_test

Two primary refactorings:

1. config test checkPath method is now each a distinct test
run (which makes it easier to see what is actually failing)

2. TestNewWithDelegate's root path check now parses the json output and
does a comparison against a list of expected paths (no more whitespace
and ordering issues when updating this test, yay).

go fmt

modify and simplify existing integration test for readyz/livez

simplify integration test

set default rbac policy rules for livez

rename a few functions and the entrypoint command line argument (and etcetera)

simplify interface for installing readyz and livez and make auto-register completion a bootstrapped check

untangle some of the nested functions, restructure the code
 2019-08-29 14:13:19 -07:00
Rob Scott
75f6c24923
Adding EndpointSlice controller 2019-08-28 21:13:27 -07:00
Tim Allclair
2e08288144 Remove conflict logic from PodTolerationRestriction 2019-08-26 15:31:15 -07:00
Kubernetes Prow Robot
ce8cccb966
Merge pull request #81072 from draveness/feature/runtime-class-scheduling-admission-plugin 
[RuntimeClassScheduling] Update runtime class admission plugin - Part2
 2019-08-23 22:26:37 -07:00
Kubernetes Prow Robot
6b47754740
Merge pull request #81627 from tallclair/copy 
Delete duplicate resource.Quantity.Copy()
 2019-08-22 11:13:13 -07:00
Di Xu
34cab8f80a populate object name for admission attributes when CREATE 2019-08-22 11:46:12 +08:00
draveness
5732c6370a feat: update runtime class admission plugin 2019-08-22 09:06:58 +08:00
Jordan Liggitt
61774cd717 Plumb context to admission Admit/Validate 2019-08-20 11:11:00 -04:00
Tim Allclair
49f50484b8 Delete duplicate resource.Quantity.Copy() 2019-08-19 17:23:14 -07:00
Kubernetes Prow Robot
a6aea3fcd8
Merge pull request #81265 from jfbai/replace-status-too-many-request 
Replace self defined const StatusTooManyRequests with http.StatusTooM…
 2019-08-19 15:09:31 -07:00
Kubernetes Prow Robot
273e9262bb
Merge pull request #80342 from draveness/feature/remove-critical-pod-annotation 
feat: cleanup pod critical pod annotations feature
 2019-08-15 07:20:34 -07:00
Jianfei Bai
07077a8aa5 Replace self defined const StatusTooManyRequests with http.StatusTooManyRequests. 2019-08-12 20:52:12 +08:00
draveness
495faa22db feat: cleanup pod critical pod annotations feature 2019-08-09 08:41:23 +08:00
Jordan Liggitt
8b155e82d8 Use the escalate verb for clusterroleaggregator rather than cluster-admin permissions 2019-08-08 17:59:12 -04:00
Kirill Shirinkin
5e9da75df2 Allow aggregate-to-view roles to get jobs status (#77866) 
* Allow aggregate-to-edit roles to get jobs status

Right now users/accounts with role `admin` or `edit` can create, update and delete jobs, but are not allowed to pull the status of a job that they create.  This change extends `aggregate-to-edit` rules to include `jobs/status`.

* Move jobs/status to aggregate-to-view rules

* Add aggregate-to-view policy to view PVCs status

* Update fixtures to include new read permissions

* Add more status subresources

* Update cluster-roles.yaml

* Re-order deployment permissions

* Run go fmt

* Add more permissions

* Fix tests

* Re-order permissions in test data

* Automatically update yamls
 2019-07-26 11:59:22 -07:00
Kubernetes Prow Robot
ab3bf7237d
Merge pull request #79565 from tedyu/runtime-cls 
Return the error from validateOverhead in RuntimeClass#Validate
 2019-07-19 12:37:24 -07:00
draveness
d83526d253 Revert "feat: cleanup pod critical pod annotations feature" 
This reverts commit b6d41ee5cc.
 2019-07-18 13:31:12 +08:00
Kubernetes Prow Robot
642a06e552
Merge pull request #79554 from draveness/feature/remove-critical-pod-annotation 
feat: cleanup pod critical pod annotations feature
 2019-07-11 22:03:04 -07:00
Kubernetes Prow Robot
2659b3755a
Merge pull request #80030 from yastij/bootstrap-policy 
add rbac for events.k8s.io apiGroup to system:kube-scheduler
 2019-07-11 11:25:20 -07:00
Yassine TIJANI
a024d48eba add rbac for events.k8s.io apiGroup to system:kube-scheduler 
Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
 2019-07-11 16:10:32 +02:00
Kubernetes Prow Robot
d11eb67c02
Merge pull request #79621 from egernst/admission-fixups 
RuntimeClass-admission: fixup comment, simplify nested ifs
 2019-07-11 05:36:55 -07:00
Jordan Liggitt
2899abb65c Populate API version in synthetic authorization requests 2019-07-10 21:29:25 -04:00
draveness
b6d41ee5cc feat: cleanup pod critical pod annotations feature 2019-07-11 08:54:19 +08:00
Ted Yu
059243fbd2 Return the error from validateOverhead in RuntimeClass#Validate 2019-07-10 17:32:53 -07:00
Eric Ernst
d409619284 RuntimeClass-admission: fixup comment, simplify nested ifs 
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
 2019-07-02 10:49:49 -07:00
Kubernetes Prow Robot
64a2be8e44
Merge pull request #79387 from tedyu/cont-helper-early 
Restore early return for podSpecHasContainer
 2019-07-01 15:09:45 -07:00
Kubernetes Prow Robot
6a2d0f67d1
Merge pull request #79527 from wojtek-t/cleanup_etcd_dir_1 
Cleanup etcd code
 2019-06-29 07:37:22 -07:00
wojtekt
cba13eb9ad Autogenerate code 2019-06-29 15:26:09 +02:00
Kubernetes Prow Robot
e4f1588352
Merge pull request #78484 from egernst/runtimeclass-admission 
Runtimeclass admission
 2019-06-28 23:35:24 -07:00
wojtekt
fd819f8fdc Move APIObjectVersioner 2019-06-28 21:16:49 +02:00
Eric Ernst
824a9e592a runtimeclass-admissioN: add owners file 
add initial owners file for RuntimeClass admission controller

Signed-off-by: Eric Ernst <eric.ernst@intel.com>
 2019-06-27 15:59:59 -07:00
Ted Yu
cf7c164ae3 Restore early return for podSpecHasContainer 2019-06-26 14:17:13 +08:00
Kubernetes Prow Robot
07ee0c3e8b
Merge pull request #79378 from verb/alwayspull-aggregate-errs 
Return all errors in alwayspullimages admission plugin validation
 2019-06-25 17:01:41 -07:00
Kubernetes Prow Robot
22fb6fd174
Merge pull request #77595 from bertinatto/volume_limits 
Volume Scheduling Limits
 2019-06-25 17:01:16 -07:00
Lee Verberne
d88c928733 Generated build file for alwayspullimages 2019-06-25 18:45:30 +00:00
Lee Verberne
bd5f4117e5 Return all errors in alwayspullimages.Validate() 2019-06-25 18:11:51 +00:00
Kubernetes Prow Robot
1215aa73d2
Merge pull request #79176 from verb/debug-iterate-containers 
Add helpers for iterating containers in a pod
 2019-06-25 09:32:52 -07:00
Fabio Bertinatto
00b0ab86af Update scheduler to use volume limits from CSINode 2019-06-25 16:30:54 +02:00
Kubernetes Prow Robot
ad095324bf
Merge pull request #79309 from draveness/feature/cleanup-CSIPersistentVolume-feature-gates 
feat: cleanup feature gates for CSIPersistentVolume
 2019-06-25 01:15:03 -07:00
draveness
8e9472ba79 feat: cleanup feature gates for CSIPersistentVolume 2019-06-25 09:00:12 +08:00
Kubernetes Prow Robot
6f0f62b2c4
Merge pull request #77211 from dixudx/bootstrap_token_refactor 
Bootstrap token refactor
 2019-06-24 13:36:36 -07:00
Kubernetes Prow Robot
2109c1a7a3
Merge pull request #79310 from draveness/feature/cleanup-KubeletPluginsWatcher-feature-gates 
feat: cleanup feature gates for KubeletPluginsWatcher
 2019-06-23 23:04:09 -07:00
draveness
35bc5dc6b6 feat: cleanup feature gates for KubeletPluginsWatcher 2019-06-23 16:59:36 +08:00
draveness
ca6003bc75 feat: cleanup PodPriority features gate 2019-06-23 11:57:24 +08:00
Lee Verberne
a0b57ad3db Update BUILD files for container helper 2019-06-21 08:32:04 +00:00
Lee Verberne
ee821e2a04 Create helpers for iterating containers in a pod 2019-06-21 08:32:04 +00:00
Di Xu
5056161d4d auto-generated 2019-06-20 17:06:26 +08:00
Di Xu
af9ae4c11a refactor bootstrap token utils 2019-06-20 15:43:44 +08:00
Eric Ernst
e8608300c2 autogenerated code update based in new plugin 
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
 2019-06-19 17:20:11 -07:00
Eric Ernst
247dab3578 introduce RuntimeClass admission controller 
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
 2019-06-19 17:20:11 -07:00
Han Kang
54dcf5c9c4 add readyz endpoint for kube-apiserver readiness checks 
add startup sequence duration and readyz endpoint

add rbac bootstrapping policy for readyz

add integration test around grace period and readyz

rename startup sequence duration flag

copy health checks to fields

rename health-check installed boolean, refactor clock injection logic

cleanup clock injection code

remove todo about poststarthook url registration from healthz
 2019-06-17 11:16:13 -07:00
wangqingcan
52f3380ef3 change preempting to PreemptionPolicy 2019-05-31 12:42:05 +08:00
wangqingcan
5c9438c691 non-preempting-priorityclass 
Co-authored-by: Vallery Lancey <vallery@zeitgeistlabs.io>
Co-authored-by: Tan shanshan <tan.shanshan@zte.com.cn>
 2019-05-31 12:37:07 +08:00
Kubernetes Prow Robot
b8eecd671d
Merge pull request #69941 from miguelbernadi/fix-golint-issues-68026 
Fix golint issues in plugin/pkg/admission
 2019-05-30 08:38:26 -07:00
Vladimir Vivien
8e0cf65310 Enforce pod security policy for CSI inline 2019-05-29 15:38:21 -04:00
Joe Betz
cc2e3616f0 Add WithReinvocationTesting utility for ensuring that admission plugin reinvocation is idempotent 2019-05-28 15:10:22 -07:00
Joe Betz
9b504c474c Fix podpreset merging of envFrom to be idempontent 2019-05-28 11:16:56 -07:00
Morten Torkildsen
f1883c9e8c Support scale subresource for PDBs (#76294) 
* Support scale subresource for PDBs

* Check group in finder functions

* Small fixes and more tests
 2019-05-23 22:24:17 -07:00
Miguel Bernabeu
f47da8a75d Fix golint violations in several plugins 2019-05-23 20:00:06 +02:00
Kubernetes Prow Robot
d5876954e1
Merge pull request #76178 from humblec/endpoint 
Create endpoint/service early to avoid unwanted create/delete volume transaction.
 2019-05-22 09:58:09 -07:00
Zihong Zheng
bff5f08e19 Allow service controller role to patch service status 
Co-authored-by: Josh Horwitz <horwitzja@gmail.com>
 2019-05-16 17:30:43 -07:00
Joe Betz
900d652a9a Update tests for: Pass {Operation}Option to Webhooks 2019-05-14 10:49:43 -07:00
Kubernetes Prow Robot
09c4e10333
Merge pull request #74021 from andrewsykim/move-features-component-base 
Move feature gate package from k8s.io/apiserver to k8s.io/component-base
 2019-05-08 13:06:34 -07:00
Daniel (Shijun) Qian
5268f69405 fix duplicated imports of k8s code (#77484) 
* fix duplicated imports of api/core/v1

* fix duplicated imports of client-go/kubernetes

* fix duplicated imports of rest code

* change import name to more reasonable
 2019-05-08 10:12:47 -07:00
Andrew Kim
c919139245 update import of generic featuregate code from k8s.io/apiserver/pkg/util/feature -> k8s.io/component-base/featuregate 2019-05-08 10:01:50 -04:00
Jordan Liggitt
58f2cdccf7 Add quota admission test for decreasing usage without covering quota 2019-05-02 10:29:08 -04:00
Mansi Agarwal
4466f97d0e Accept admission request if resource is being deleted 2019-04-30 10:59:27 -07:00
Jordan Liggitt
4e6a8fbd15 Short-circuit quota admission rejection on zero-delta updates 2019-04-26 17:30:20 -07:00
Humble Chirammal
7544b53693 Create endpoint/service early to avoid unwanted create/delete volume transaction. 
At times, for some reason endpoint/service creation can fail in a setup. As we
currently create endpoint/service after volume creation, later we need rollback
of this volume transaction if endpoint/service creation failed. Considering
endpoint/service creation is light weight, this patch promote endpoint/service
creation to an early stage.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
 2019-04-10 19:06:27 +05:30
Bobby (Babak) Salamat
16a7cbd320 generated files 2019-04-05 14:30:52 -07:00
Bobby (Babak) Salamat
8574e3e3f4 Use Scheduling V1 API instead of Scheduling v1beta1 2019-04-05 14:21:45 -07:00
Kubernetes Prow Robot
16db83b257
Merge pull request #75985 from ravisantoshgudimetla/fix-pod-toleration 
Fix besteffort pods for conflicting tolerations
 2019-04-05 07:43:20 -07:00
ravisantoshgudimetla
82ffd14c0d Fix besteffort pods for conflicting tolerations 
Signed-off-by: ravisantoshgudimetla <ravisantoshgudimetla@gmail.com>
 2019-04-02 10:37:27 -04:00
Guoliang Wang
128fd8843d Move cloud-specific roles out of RBAC bootstrap 2019-04-02 19:17:53 +08:00
Kubernetes Prow Robot
484043a6d1
Merge pull request #75627 from ialidzhikov/fix-lint-error 
Fix lint issues
 2019-03-29 14:48:59 -07:00
Kubernetes Prow Robot
a8cbb22506
Merge pull request #74747 from liggitt/quota-deadlock 
quota controller fixes
 2019-03-27 09:04:48 -07:00
Kubernetes Prow Robot
ccc90b2ba6
Merge pull request #75680 from tallclair/psp-refactor 
Clean up some PodSecurityPolicy code
 2019-03-26 21:59:01 -07:00
Jordan Liggitt
bef996d0a4 Only reject quota admission if status is missing relevant usage 2019-03-26 23:15:40 -04:00
Kubernetes Prow Robot
531dbd409f
Merge pull request #75445 from shinytang6/enhance/fmt 
Replace all time.Now().Sub with time.Since
 2019-03-26 13:55:17 -07:00
Tim Allclair
e5d2cad7b9 Refactor PSP provider 2019-03-25 11:46:36 -07:00
WanLinghao
244b244f9d Migrate the controller to use TokenRequest and rotate token periodically 2019-03-25 14:54:22 +08:00
ialidzhikov
8272fc54cb Fix lint issues 
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
 2019-03-23 14:46:18 +02:00
shinytang6
5c9f4d9dc6 replace time.Now().Sub with time.Since 2019-03-21 18:02:55 +08:00
Tim Allclair
0604256d6c Update tests for RuntimeClass beta 2019-03-08 13:21:52 -08:00
David Zhu
41b3579345 Address review comments 2019-03-07 17:17:09 -08:00
David Zhu
7d2f4e97b8 Add ADC Fallback if Node doesn't have driver installed 2019-03-07 14:47:38 -08:00
Antoine Pelisse
55f9eeed6c Ignore changes to managed field in noderestriction 
The validation is failing because the managedfields are changed when the
object is updated. We don't have a good way to verify that the changes
are only the ones that are supposed to happen, so we'll just ignore them
for now.
 2019-03-06 13:48:38 -08:00
Kubernetes Prow Robot
890b5c1d9a
Merge pull request #74582 from SataQiu/fix-golint-2019022602 
fix some golint failures for plugin/pkg/admission/...
 2019-03-05 06:50:46 -08:00
Kubernetes Prow Robot
6c31101257
Merge pull request #74283 from xing-yang/csi_crd_controller 
CSINodeInfo and CSIDriver Controller Changes
 2019-03-05 04:44:42 -08:00
Kubernetes Prow Robot
02bd34e7b0
Merge pull request #74531 from liggitt/ingress-rbac 
Update RBAC roles for networking.k8s.io ingresses
 2019-03-05 00:48:01 -08:00
Xing Yang
85867e5625 Modify node admission and node authorizer 2019-03-04 16:42:12 -08:00
Kubernetes Prow Robot
f16035600a
Merge pull request #73807 from dekkagaijin/discovery-hardening 
harden the default RBAC discovery clusterrolebindings
 2019-03-01 21:49:30 -08:00
Jake Sanders
9c7d31928d harden the default RBAC discovery clusterrolebindings 2019-03-01 18:45:05 -08:00
Kubernetes Prow Robot
55a65763c0
Merge pull request #71479 from soggiest/podpreset-initcontainers 
PodPreset: Add same functionality for init containers as standard containers
 2019-02-28 20:35:45 -08:00
Andrew Kim
01933b02a3 replace usage of v1beta1 VolumeAttachments with v1 2019-02-27 15:42:12 -05:00
Jordan Liggitt
d1e865ee34 Update client callers to use explicit versions 2019-02-26 08:36:30 -05:00
SataQiu
f8c4aba0cb fix some golint failures for plugin/pkg/admission/... 2019-02-26 17:12:40 +08:00
Jordan Liggitt
85165b40fa Update RBAC roles for networking.k8s.io ingresses 2019-02-25 11:40:44 -05:00
danielqsj
3c9ba7f298 fix typo 2019-02-22 22:38:48 +08:00
danielqsj
5733241f7a fix shellcheck in plugin/pkg/admission/imagepolicy/gencerts.sh 2019-02-22 15:10:06 +08:00
Kubernetes Prow Robot
0ffd59e403
Merge pull request #74154 from mbohlool/gimli 
Use Request Object interfaces instead of static scheme that is more appropriate for CRDs
 2019-02-19 07:21:53 -08:00
Mehdy Bohlool
cebb4ee2ac Remove the propagated scheme from the Admission chain 2019-02-16 13:28:47 -08:00
Mehdy Bohlool
d08bc3774d Mechanical changes due to signature change for Admit and Validate functions 2019-02-16 13:28:47 -08:00
Subramanian Neelakantan
ba9a9cf7c3 Applies zone labels to newly created vsphere volumes 2019-02-15 15:06:01 +05:30
Kubernetes Prow Robot
808f2cf0ef
Merge pull request #72525 from justinsb/owners_should_not_be_executable 
Remove executable file permission from OWNERS files
 2019-02-14 23:55:45 -08:00
Andrew Kim
ca6a051b00 remove cloud provider dependencies to pkg/volume 
Co-authored-by: Weibin Lin <linweibin1@huawei.com>
 2019-02-09 01:16:55 -05:00
Kubernetes Prow Robot
834c9a5e3d
Merge pull request #72491 from liggitt/delegated-auth-permissions 
Ensure controller manager and scheduler can perform delegated auth checks
 2019-02-08 11:53:52 -08:00
Kubernetes Prow Robot
b50c643be0
Merge pull request #73540 from rlenferink/patch-5 
Updated OWNERS files to include link to docs
 2019-02-08 09:05:56 -08:00
Jordan Liggitt
4212a9a05a Ensure controller manager and scheduler can perform delegated auth checks 2019-02-08 11:15:52 -05:00
Davanum Srinivas
b975573385
move pkg/kubelet/apis/well_known_labels.go to staging/src/k8s.io/api/core/v1/ 
Co-Authored-By: Weibin Lin <linweibin1@huawei.com>

Change-Id: I163b2f2833e6b8767f72e2c815dcacd0f4e504ea
 2019-02-05 13:39:07 -05:00
Roy Lenferink
b43c04452f Updated OWNERS files to include link to docs 2019-02-04 22:33:12 +01:00
Kubernetes Prow Robot
d654b49c0e
Merge pull request #73097 from bsalamat/fix_taint_nodes 
Add NotReady taint to new nodes during admission
 2019-01-24 23:46:23 -08:00
Kubernetes Prow Robot
5fc286fb3c
Merge pull request #73102 from andrewsykim/add-openstack-pvl-admission 
Add Cinder to PersistentVolumeLabel Admission Controller
 2019-01-24 14:55:12 -08:00
Kubernetes Prow Robot
e28c757e87
Merge pull request #72972 from liggitt/remove-alpha-initializers 
Remove use of alpha initializers
 2019-01-24 14:54:52 -08:00
Andrew Kim
467a3e5f20 add andrewsykim, dims and msau42 as PVL admission OWNERS 2019-01-24 13:32:01 -05:00
Bobby (Babak) Salamat
763cb708d1 Autogenerated files 2019-01-24 10:31:23 -08:00
Bobby (Babak) Salamat
c2a4d2cbdf Add a default admission controller to taint new nodes on creation. 2019-01-24 10:31:23 -08:00
andrewsykim
32b6225c72 refactor PVL unit tests to use test tables & add test cases for remaining cloud providers 2019-01-24 13:29:56 -05:00
andrewsykim
22fce22a7e add support for Cinder volumes in PersistentVolumeLabel admission controller 2019-01-24 13:29:56 -05:00
andrewsykim
1a316015e3 refactor persistent volume labeler admission controller to use cloudprovider.PVLabler 2019-01-24 13:29:56 -05:00
Kubernetes Prow Robot
4cd759dbe0
Merge pull request #73001 from shivnagarajan/remove_deprecated_taints 
remove remaining deprecated taints from 1.9
 2019-01-24 05:18:57 -08:00
Jordan Liggitt
1a15d80967 generated 2019-01-23 16:34:44 -05:00
Jordan Liggitt
17aa60686e Deprecate and remove use of alpha metadata.initializers field, remove IncludeUninitialized options 2019-01-23 16:34:43 -05:00
Jordan Liggitt
52519ecb1c remove deprecated openapi paths in favor of /openapi/v2 2019-01-21 16:33:41 -05:00
Shiv Nagarajan
36ee154243 remove deprecated taints from 1.9 2019-01-16 21:20:57 -05:00
Jordan Liggitt
9229399bd6 Remove build/verify scripts for swagger 1.2 API docs, API server swagger ui / swagger 1.2 config 2019-01-15 13:33:06 -05:00
Justin SB
dd19b923b7
Remove executable file permission from OWNERS files 2019-01-11 16:42:59 -08:00
Kubernetes Prow Robot
33a9c6e892
Merge pull request #72737 from liggitt/deprecate-deny-exec-admission 
Deprecate DenyEscalatingExec and DenyExecOnPrivileged admission plugins
 2019-01-11 03:30:48 -08:00
Jordan Liggitt
61be3683f3 Deprecate DenyEscalatingExec and DenyExecOnPrivileged admission plugins 2019-01-10 11:57:12 -05:00
Kubernetes Prow Robot
cc67ccfd7f
Merge pull request #71731 from cheftako/leaseMetric 
Add gauge metric for master of leader election.
 2019-01-08 08:57:53 -08:00
Jordan Liggitt
73dcfe12da Stop checking VolumeScheduling feature gate 2018-12-27 17:45:45 -05:00
Walter Fender
f192657380 Add gauge metric for master of leader election. 
Fixes #71730
0 indicates standby, 1 indicates master, label indicates which lease.
Tweaked name and documentation
Factored in Mike Danese feedback.
Removed dependency on prometheus from client-go using adapter.
Centralized adapter import.
Fixed godeps
Fixed boilerplate.
Put in fixes for caesarxuchao
 2018-12-27 09:40:33 -08:00
Jordan Liggitt
0ff455e340 generated files 2018-12-19 11:19:12 -05:00
Jordan Liggitt
fd9e9b01b1 Remove uses of extensions/v1beta1 clients 2018-12-19 11:18:53 -05:00
wojtekt
546ece7b2c Promote NodeLease to Beta and enable by default 2018-12-17 10:19:22 +01:00
k8s-ci-robot
5289fab2f6
Merge pull request #71396 from liggitt/forbidden-messages 
Improve node authorizer and noderestriction forbidden messages
 2018-11-30 00:04:46 -08:00