github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-21 10:51:29 +00:00
Code Issues Projects Releases Wiki Activity
115,151 Commits 42 Branches 7,874 Tags 1.3 GiB
master
Commit Graph

3197 Commits

Author SHA1 Message Date
Kubernetes Prow Robot
9633dd63b2
Merge pull request #87239 from lemonli/cleanup/node-authorizer 
clean up node_authorizer code: verb judgement
 2020-01-24 19:21:15 -08:00
Rob Scott
469de65c25
Enabling EndpointSlice feature gate by default 
This enables the EndpointSlice controller by default, but does not make
kube-proxy a consumer of the EndpointSlice API.
 2020-01-17 16:19:29 -08:00
Kobayashi Daisuke
0c3112fff3 fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy 2020-01-16 09:23:16 +09:00
lemonli
2498dbf636 clean node_authorizer code: verb judgement 2020-01-15 18:08:09 +08:00
Jordan Liggitt
39e373fc45 Do not require token secrets when using bound service account tokens 2020-01-09 13:20:45 -05:00
wojtekt
1657ef25eb Extend authorization benchmark 2019-12-12 16:20:38 +01:00
Kubernetes Prow Robot
14fe931e9f
Merge pull request #85375 from liggitt/delegated-list-watch 
Add single-item list/watch to delegated authentication reader role
 2019-11-15 20:49:41 -08:00
Kubernetes Prow Robot
5848ee4945
Merge pull request #85365 from robscott/endpointslice-default-off 
Disabling EndpointSlice feature gate by default
 2019-11-15 17:57:50 -08:00
Jordan Liggitt
ba93157fd2 Add single-item list/watch to delegated authentication reader role 2019-11-15 20:37:43 -05:00
Rob Scott
37aa219fff
Disabling EndpointSlice feature gate by default 
Given the significance this change would have we've decided to hold off
on enabling this by default until we can have better test coverage and
more real world usage of the feature.
 2019-11-15 14:54:35 -08:00
David Zhu
e64a4bc631 Update attachdetach-controller role to include permissions to get, list, and watch csinodes for CSIMigration 2019-11-15 11:22:35 -08:00
Roc Chan
c9cf3f5b72 Service Topology implementation 
* Implement Service Topology for ipvs and iptables proxier
* Add test files
* API validation
 2019-11-15 13:36:43 +08:00
Tim Allclair (St. Clair)
581d3e26c9 Restrict mirror pod owner references (#84657) 
* Restrict mirror pod owners.

See http://git.k8s.io/enhancements/keps/sig-auth/20190916-noderestriction-pods.md

* Address feedback, refactor test

* Verify node owner UID
 2019-11-14 20:52:16 -08:00
Rob Scott
a7e589a8c6
Promoting EndpointSlices to beta 2019-11-13 14:20:19 -08:00
Kubernetes Prow Robot
195664db0e
Merge pull request #85099 from liggitt/quota-config-v1 
Promote apiserver.config.k8s.io/v1, kind=ResourceQuotaConfiguration
 2019-11-13 13:02:52 -08:00
draveness
5cb92260a6 feat: graduate ResourceQuotaScopeSelectors to GA 2019-11-13 14:07:22 +08:00
Kubernetes Prow Robot
bb55aa7c54
Merge pull request #76310 from ravisantoshgudimetla/fix-priority-quota 
Relax namespace restriction for critical pods
 2019-11-12 19:00:11 -08:00
ravisantoshgudimetla
f2cbbe228f BUILD files 2019-11-12 17:22:14 -05:00
ravisantoshgudimetla
fe4cac73c8 Relax namespace restriction for critical pods 2019-11-12 17:22:09 -05:00
Kubernetes Prow Robot
c580a12c8e
Merge pull request #83568 from bertinatto/volume_limits_ga 
Promote volume limits to GA
 2019-11-12 11:50:22 -08:00
Kubernetes Prow Robot
94efa988f4
Merge pull request #84813 from deads2k/admission-feature-gates 
remove global variable dependency from admission plugins
 2019-11-12 10:23:14 -08:00
David Eads
83f6f2717e remove global variable dep in admission 2019-11-12 10:55:14 -05:00
Jordan Liggitt
7d3012f297 Promote resource quota admission configuration to v1 2019-11-12 09:03:55 -05:00
Fabio Bertinatto
affcd0128b Promote volume limits to GA 2019-11-12 09:43:53 +01:00
Kubernetes Prow Robot
9cf309ed59
Merge pull request #82049 from andrewsykim/ga-node-instance-type-label 
Promote Node Instance Type Label to GA
 2019-11-08 13:47:58 -08:00
David Eads
675c2fb924 add featuregate inspection as admission plugin initializer 2019-11-08 13:07:40 -05:00
Kubernetes Prow Robot
ae15368355
Merge pull request #84351 from wojtek-t/promote_node_lease_to_GA 
Promote node lease to GA
 2019-11-08 09:00:15 -08:00
Andrew Sy Kim
560b8efb79 noderestriction: update node restriction unit tests to use stable instance-type label 
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
 2019-11-08 11:17:58 -05:00
Andrew Sy Kim
349749644f test/e2e: check both beta and zone label for getting cluster zone 
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
 2019-11-07 21:22:05 -05:00
Andrew Sy Kim
4c194d52da kubelet: set both deprecated Beta and GA labels for zone/region topology from the cloud provider 
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
 2019-11-07 21:22:04 -05:00
Wei Huang
019d7497a5
bazel files 2019-11-05 20:57:21 -08:00
Wei Huang
dd74205bcf
Move out const strings in pkg/scheduler/api/well_known_labels.go 2019-11-05 20:56:21 -08:00
wojtekt
ffad401b4e Promote NodeLease feature to GA 2019-11-05 09:01:12 +01:00
Kubernetes Prow Robot
1d1385af91
Merge pull request #83474 from msau42/topology-ga 
CSI Topology ga
 2019-11-04 15:28:27 -08:00
Kubernetes Prow Robot
0c88c4893f
Merge pull request #84275 from liggitt/beta-gate-runtimeclass-informers 
Feature-gate RuntimeClass informer starts
 2019-10-28 17:48:42 -07:00
Michelle Au
603a2aa8a9 Add CSINode to storage/v1 2019-10-28 13:41:13 -07:00
wojtekt
fafbad45aa Update bootstrappolicy RBAC rules for migration to lease API 2019-10-28 09:09:03 +01:00
Kubernetes Prow Robot
a3560d3ad9
Merge pull request #84282 from yutedz/rm-csi-rbac-roles 
Remove deprecated CSI RBAC roles
 2019-10-24 22:56:14 -07:00
Kubernetes Prow Robot
06252a4630
Merge pull request #84260 from tallclair/status-restrict 
Forbid label updates by nodes through pod/status
 2019-10-24 16:56:43 -07:00
Ted Yu
13596e5249 Remove obsolete CSI RBAC roles 2019-10-24 05:33:02 -07:00
Kubernetes Prow Robot
2c4cba8aa0
Merge pull request #82365 from jkaniuk/pod-gc 
Pod GC controller - use node lister
 2019-10-24 03:13:06 -07:00
Jordan Liggitt
20b2439457 Feature-gate RuntimeClass informer starts 2019-10-24 01:18:07 -04:00
Tim Allclair
ac2b300ed9 Update bazel 2019-10-23 16:43:03 -07:00
Tim Allclair
fea3111554 Forbid label updates by nodes through pod/status 2019-10-23 15:54:40 -07:00
yue9944882
09cf42d67c switch system priority class to versioned (v1) api 
move all the helpers to scheduling v1 helpers

less explicit conversion
 2019-10-24 00:51:57 +08:00
Jacek Kaniuk
e6e026f1ad Allow pod-garbage-collector to get nodes 2019-10-23 16:54:38 +02:00
draveness
1163a1d51e feat: update taint nodes by condition to GA 2019-10-19 09:17:41 +08:00
Kubernetes Prow Robot
4f1c5b8cac
Merge pull request #81940 from carlory/fix-appserver 
fix static check failures
 2019-10-10 12:07:21 -07:00
carlory
f6bb24129e fix static check failures 2019-10-10 22:59:09 +08:00
Jordan Liggitt
92ea33efc5 Clean up TODOs 2019-10-03 09:23:10 -04:00
Mahendra Kariya
3698100224 Fix golint errors in pkg/apis/core (#82919) 
* Fix lint errors related to receiver name

Ref #68026

* Fix lint errors related to comments

Ref #68026

* Fix package name in comments

Ref #68026

* Rename Cpu to CPU

Ref #68026

* Fix lint errors related to naming convention

Ref #68026

* Remove deprecated field

DoNotUse_ExternalID has been deprecated and is not in use anymore.
It has been removed to fix lint errors related to underscores in field
names.

Ref #68026, #61966

* Include pkg/apis/core in golint check

Ref #68026

* Rename var to fix lint errors

Ref #68026

* Revert "Remove deprecated field"

This reverts commit 75e9bfc168077fcb9346e334b59d60a2c997735b.

Ref #82919

* Remove math from godoc

Ref #82919, #68026

* Remove underscore from var name

Ref #68026

* Rename var in staging core api type

Ref #68026
 2019-09-25 11:06:51 -07:00
Kubernetes Prow Robot
327f53ba57
Merge pull request #83064 from liggitt/propagate-context 
Propagate context to remote authorize/authenticate webhook calls
 2019-09-25 09:32:01 -07:00
Jordan Liggitt
b78edd86b8 Plumb context to webhook calls 2019-09-24 21:59:59 -04:00
Jordan Liggitt
4c686ddc1c Propagate context to ExponentialBackoff 2019-09-24 21:59:59 -04:00
Jordan Liggitt
92eb072989 Propagate context to Authorize() calls 2019-09-24 11:14:54 -04:00
Kubernetes Prow Robot
ac8ac0fc17
Merge pull request #82830 from jsafrane/pv-admission-fix 
Do not query the cloud if dynamic PV has all the labels
 2019-09-20 12:27:38 -07:00
Kubernetes Prow Robot
c7619bd770
Merge pull request #80824 from damemi/preemption-e2e-to-integration 
Move PodPriorityResolution e2e to integration
 2019-09-20 12:27:25 -07:00
Mike Dame
ca18b48151 Move PodPriorityResolution e2e to integration 2019-09-19 20:25:03 -04:00
Jan Safranek
a160bf8a59 Do not query the cloud if PV has all the labels 
This saves one cloud API call.
 2019-09-18 14:56:28 +02:00
Marcin Owsiany
2a75058943
Fix a couple of typos 2019-09-18 09:45:10 +02:00
Yassine TIJANI
18b185b5e8 adding yastij as a reviewer for the runtimeclass admission controller 
Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
 2019-09-10 20:34:28 +02:00
Kubernetes Prow Robot
0ff92e36f2
Merge pull request #82153 from robscott/endpointslice-rbac 
Adding EndpointSlice RBAC for node-proxier/kube-proxy
 2019-08-30 13:05:14 -07:00
Kubernetes Prow Robot
7acb066dbc
Merge pull request #81969 from logicalhan/livez 
add `/livez` endpoint for liveness probing on the kube-apiserver
 2019-08-29 19:56:31 -07:00
Rob Scott
1f5070e81c
Adding EndpointSlice RBAC for node-proxier/kube-proxy 2019-08-29 16:55:18 -07:00
Han Kang
aa1b2d6d35 add /livez as a liveness endpoint for kube-apiserver 
go fmt

make func private

refactor config_test

Two primary refactorings:

1. config test checkPath method is now each a distinct test
run (which makes it easier to see what is actually failing)

2. TestNewWithDelegate's root path check now parses the json output and
does a comparison against a list of expected paths (no more whitespace
and ordering issues when updating this test, yay).

go fmt

modify and simplify existing integration test for readyz/livez

simplify integration test

set default rbac policy rules for livez

rename a few functions and the entrypoint command line argument (and etcetera)

simplify interface for installing readyz and livez and make auto-register completion a bootstrapped check

untangle some of the nested functions, restructure the code
 2019-08-29 14:13:19 -07:00
Rob Scott
75f6c24923
Adding EndpointSlice controller 2019-08-28 21:13:27 -07:00
Tim Allclair
2e08288144 Remove conflict logic from PodTolerationRestriction 2019-08-26 15:31:15 -07:00
Kubernetes Prow Robot
ce8cccb966
Merge pull request #81072 from draveness/feature/runtime-class-scheduling-admission-plugin 
[RuntimeClassScheduling] Update runtime class admission plugin - Part2
 2019-08-23 22:26:37 -07:00
Kubernetes Prow Robot
6b47754740
Merge pull request #81627 from tallclair/copy 
Delete duplicate resource.Quantity.Copy()
 2019-08-22 11:13:13 -07:00
Di Xu
34cab8f80a populate object name for admission attributes when CREATE 2019-08-22 11:46:12 +08:00
draveness
5732c6370a feat: update runtime class admission plugin 2019-08-22 09:06:58 +08:00
Jordan Liggitt
61774cd717 Plumb context to admission Admit/Validate 2019-08-20 11:11:00 -04:00
Tim Allclair
49f50484b8 Delete duplicate resource.Quantity.Copy() 2019-08-19 17:23:14 -07:00
Kubernetes Prow Robot
a6aea3fcd8
Merge pull request #81265 from jfbai/replace-status-too-many-request 
Replace self defined const StatusTooManyRequests with http.StatusTooM…
 2019-08-19 15:09:31 -07:00
Kubernetes Prow Robot
273e9262bb
Merge pull request #80342 from draveness/feature/remove-critical-pod-annotation 
feat: cleanup pod critical pod annotations feature
 2019-08-15 07:20:34 -07:00
Jianfei Bai
07077a8aa5 Replace self defined const StatusTooManyRequests with http.StatusTooManyRequests. 2019-08-12 20:52:12 +08:00
draveness
495faa22db feat: cleanup pod critical pod annotations feature 2019-08-09 08:41:23 +08:00
Jordan Liggitt
8b155e82d8 Use the escalate verb for clusterroleaggregator rather than cluster-admin permissions 2019-08-08 17:59:12 -04:00
Kirill Shirinkin
5e9da75df2 Allow aggregate-to-view roles to get jobs status (#77866) 
* Allow aggregate-to-edit roles to get jobs status

Right now users/accounts with role `admin` or `edit` can create, update and delete jobs, but are not allowed to pull the status of a job that they create.  This change extends `aggregate-to-edit` rules to include `jobs/status`.

* Move jobs/status to aggregate-to-view rules

* Add aggregate-to-view policy to view PVCs status

* Update fixtures to include new read permissions

* Add more status subresources

* Update cluster-roles.yaml

* Re-order deployment permissions

* Run go fmt

* Add more permissions

* Fix tests

* Re-order permissions in test data

* Automatically update yamls
 2019-07-26 11:59:22 -07:00
Kubernetes Prow Robot
ab3bf7237d
Merge pull request #79565 from tedyu/runtime-cls 
Return the error from validateOverhead in RuntimeClass#Validate
 2019-07-19 12:37:24 -07:00
draveness
d83526d253 Revert "feat: cleanup pod critical pod annotations feature" 
This reverts commit b6d41ee5cc.
 2019-07-18 13:31:12 +08:00
Kubernetes Prow Robot
642a06e552
Merge pull request #79554 from draveness/feature/remove-critical-pod-annotation 
feat: cleanup pod critical pod annotations feature
 2019-07-11 22:03:04 -07:00
Kubernetes Prow Robot
2659b3755a
Merge pull request #80030 from yastij/bootstrap-policy 
add rbac for events.k8s.io apiGroup to system:kube-scheduler
 2019-07-11 11:25:20 -07:00
Yassine TIJANI
a024d48eba add rbac for events.k8s.io apiGroup to system:kube-scheduler 
Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
 2019-07-11 16:10:32 +02:00
Kubernetes Prow Robot
d11eb67c02
Merge pull request #79621 from egernst/admission-fixups 
RuntimeClass-admission: fixup comment, simplify nested ifs
 2019-07-11 05:36:55 -07:00
Jordan Liggitt
2899abb65c Populate API version in synthetic authorization requests 2019-07-10 21:29:25 -04:00
draveness
b6d41ee5cc feat: cleanup pod critical pod annotations feature 2019-07-11 08:54:19 +08:00
Ted Yu
059243fbd2 Return the error from validateOverhead in RuntimeClass#Validate 2019-07-10 17:32:53 -07:00
Eric Ernst
d409619284 RuntimeClass-admission: fixup comment, simplify nested ifs 
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
 2019-07-02 10:49:49 -07:00
Kubernetes Prow Robot
64a2be8e44
Merge pull request #79387 from tedyu/cont-helper-early 
Restore early return for podSpecHasContainer
 2019-07-01 15:09:45 -07:00
Kubernetes Prow Robot
6a2d0f67d1
Merge pull request #79527 from wojtek-t/cleanup_etcd_dir_1 
Cleanup etcd code
 2019-06-29 07:37:22 -07:00
wojtekt
cba13eb9ad Autogenerate code 2019-06-29 15:26:09 +02:00
Kubernetes Prow Robot
e4f1588352
Merge pull request #78484 from egernst/runtimeclass-admission 
Runtimeclass admission
 2019-06-28 23:35:24 -07:00
wojtekt
fd819f8fdc Move APIObjectVersioner 2019-06-28 21:16:49 +02:00
Eric Ernst
824a9e592a runtimeclass-admissioN: add owners file 
add initial owners file for RuntimeClass admission controller

Signed-off-by: Eric Ernst <eric.ernst@intel.com>
 2019-06-27 15:59:59 -07:00
Ted Yu
cf7c164ae3 Restore early return for podSpecHasContainer 2019-06-26 14:17:13 +08:00
Kubernetes Prow Robot
07ee0c3e8b
Merge pull request #79378 from verb/alwayspull-aggregate-errs 
Return all errors in alwayspullimages admission plugin validation
 2019-06-25 17:01:41 -07:00
Kubernetes Prow Robot
22fb6fd174
Merge pull request #77595 from bertinatto/volume_limits 
Volume Scheduling Limits
 2019-06-25 17:01:16 -07:00
Lee Verberne
d88c928733 Generated build file for alwayspullimages 2019-06-25 18:45:30 +00:00
Lee Verberne
bd5f4117e5 Return all errors in alwayspullimages.Validate() 2019-06-25 18:11:51 +00:00
Kubernetes Prow Robot
1215aa73d2
Merge pull request #79176 from verb/debug-iterate-containers 
Add helpers for iterating containers in a pod
 2019-06-25 09:32:52 -07:00
Fabio Bertinatto
00b0ab86af Update scheduler to use volume limits from CSINode 2019-06-25 16:30:54 +02:00
Kubernetes Prow Robot
ad095324bf
Merge pull request #79309 from draveness/feature/cleanup-CSIPersistentVolume-feature-gates 
feat: cleanup feature gates for CSIPersistentVolume
 2019-06-25 01:15:03 -07:00
draveness
8e9472ba79 feat: cleanup feature gates for CSIPersistentVolume 2019-06-25 09:00:12 +08:00
Kubernetes Prow Robot
6f0f62b2c4
Merge pull request #77211 from dixudx/bootstrap_token_refactor 
Bootstrap token refactor
 2019-06-24 13:36:36 -07:00
Kubernetes Prow Robot
2109c1a7a3
Merge pull request #79310 from draveness/feature/cleanup-KubeletPluginsWatcher-feature-gates 
feat: cleanup feature gates for KubeletPluginsWatcher
 2019-06-23 23:04:09 -07:00
draveness
35bc5dc6b6 feat: cleanup feature gates for KubeletPluginsWatcher 2019-06-23 16:59:36 +08:00
draveness
ca6003bc75 feat: cleanup PodPriority features gate 2019-06-23 11:57:24 +08:00
Lee Verberne
a0b57ad3db Update BUILD files for container helper 2019-06-21 08:32:04 +00:00
Lee Verberne
ee821e2a04 Create helpers for iterating containers in a pod 2019-06-21 08:32:04 +00:00
Di Xu
5056161d4d auto-generated 2019-06-20 17:06:26 +08:00
Di Xu
af9ae4c11a refactor bootstrap token utils 2019-06-20 15:43:44 +08:00
Eric Ernst
e8608300c2 autogenerated code update based in new plugin 
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
 2019-06-19 17:20:11 -07:00
Eric Ernst
247dab3578 introduce RuntimeClass admission controller 
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
 2019-06-19 17:20:11 -07:00
Han Kang
54dcf5c9c4 add readyz endpoint for kube-apiserver readiness checks 
add startup sequence duration and readyz endpoint

add rbac bootstrapping policy for readyz

add integration test around grace period and readyz

rename startup sequence duration flag

copy health checks to fields

rename health-check installed boolean, refactor clock injection logic

cleanup clock injection code

remove todo about poststarthook url registration from healthz
 2019-06-17 11:16:13 -07:00
wangqingcan
52f3380ef3 change preempting to PreemptionPolicy 2019-05-31 12:42:05 +08:00
wangqingcan
5c9438c691 non-preempting-priorityclass 
Co-authored-by: Vallery Lancey <vallery@zeitgeistlabs.io>
Co-authored-by: Tan shanshan <tan.shanshan@zte.com.cn>
 2019-05-31 12:37:07 +08:00
Kubernetes Prow Robot
b8eecd671d
Merge pull request #69941 from miguelbernadi/fix-golint-issues-68026 
Fix golint issues in plugin/pkg/admission
 2019-05-30 08:38:26 -07:00
Vladimir Vivien
8e0cf65310 Enforce pod security policy for CSI inline 2019-05-29 15:38:21 -04:00
Joe Betz
cc2e3616f0 Add WithReinvocationTesting utility for ensuring that admission plugin reinvocation is idempotent 2019-05-28 15:10:22 -07:00
Joe Betz
9b504c474c Fix podpreset merging of envFrom to be idempontent 2019-05-28 11:16:56 -07:00
Morten Torkildsen
f1883c9e8c Support scale subresource for PDBs (#76294) 
* Support scale subresource for PDBs

* Check group in finder functions

* Small fixes and more tests
 2019-05-23 22:24:17 -07:00
Miguel Bernabeu
f47da8a75d Fix golint violations in several plugins 2019-05-23 20:00:06 +02:00
Kubernetes Prow Robot
d5876954e1
Merge pull request #76178 from humblec/endpoint 
Create endpoint/service early to avoid unwanted create/delete volume transaction.
 2019-05-22 09:58:09 -07:00
Zihong Zheng
bff5f08e19 Allow service controller role to patch service status 
Co-authored-by: Josh Horwitz <horwitzja@gmail.com>
 2019-05-16 17:30:43 -07:00
Joe Betz
900d652a9a Update tests for: Pass {Operation}Option to Webhooks 2019-05-14 10:49:43 -07:00
Kubernetes Prow Robot
09c4e10333
Merge pull request #74021 from andrewsykim/move-features-component-base 
Move feature gate package from k8s.io/apiserver to k8s.io/component-base
 2019-05-08 13:06:34 -07:00
Daniel (Shijun) Qian
5268f69405 fix duplicated imports of k8s code (#77484) 
* fix duplicated imports of api/core/v1

* fix duplicated imports of client-go/kubernetes

* fix duplicated imports of rest code

* change import name to more reasonable
 2019-05-08 10:12:47 -07:00
Andrew Kim
c919139245 update import of generic featuregate code from k8s.io/apiserver/pkg/util/feature -> k8s.io/component-base/featuregate 2019-05-08 10:01:50 -04:00
Jordan Liggitt
58f2cdccf7 Add quota admission test for decreasing usage without covering quota 2019-05-02 10:29:08 -04:00
Mansi Agarwal
4466f97d0e Accept admission request if resource is being deleted 2019-04-30 10:59:27 -07:00
Jordan Liggitt
4e6a8fbd15 Short-circuit quota admission rejection on zero-delta updates 2019-04-26 17:30:20 -07:00
Humble Chirammal
7544b53693 Create endpoint/service early to avoid unwanted create/delete volume transaction. 
At times, for some reason endpoint/service creation can fail in a setup. As we
currently create endpoint/service after volume creation, later we need rollback
of this volume transaction if endpoint/service creation failed. Considering
endpoint/service creation is light weight, this patch promote endpoint/service
creation to an early stage.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
 2019-04-10 19:06:27 +05:30
Bobby (Babak) Salamat
16a7cbd320 generated files 2019-04-05 14:30:52 -07:00
Bobby (Babak) Salamat
8574e3e3f4 Use Scheduling V1 API instead of Scheduling v1beta1 2019-04-05 14:21:45 -07:00
Kubernetes Prow Robot
16db83b257
Merge pull request #75985 from ravisantoshgudimetla/fix-pod-toleration 
Fix besteffort pods for conflicting tolerations
 2019-04-05 07:43:20 -07:00
ravisantoshgudimetla
82ffd14c0d Fix besteffort pods for conflicting tolerations 
Signed-off-by: ravisantoshgudimetla <ravisantoshgudimetla@gmail.com>
 2019-04-02 10:37:27 -04:00
Guoliang Wang
128fd8843d Move cloud-specific roles out of RBAC bootstrap 2019-04-02 19:17:53 +08:00
Kubernetes Prow Robot
484043a6d1
Merge pull request #75627 from ialidzhikov/fix-lint-error 
Fix lint issues
 2019-03-29 14:48:59 -07:00
Kubernetes Prow Robot
a8cbb22506
Merge pull request #74747 from liggitt/quota-deadlock 
quota controller fixes
 2019-03-27 09:04:48 -07:00
Kubernetes Prow Robot
ccc90b2ba6
Merge pull request #75680 from tallclair/psp-refactor 
Clean up some PodSecurityPolicy code
 2019-03-26 21:59:01 -07:00
Jordan Liggitt
bef996d0a4 Only reject quota admission if status is missing relevant usage 2019-03-26 23:15:40 -04:00
Kubernetes Prow Robot
531dbd409f
Merge pull request #75445 from shinytang6/enhance/fmt 
Replace all time.Now().Sub with time.Since
 2019-03-26 13:55:17 -07:00
Tim Allclair
e5d2cad7b9 Refactor PSP provider 2019-03-25 11:46:36 -07:00
WanLinghao
244b244f9d Migrate the controller to use TokenRequest and rotate token periodically 2019-03-25 14:54:22 +08:00
ialidzhikov
8272fc54cb Fix lint issues 
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
 2019-03-23 14:46:18 +02:00
shinytang6
5c9f4d9dc6 replace time.Now().Sub with time.Since 2019-03-21 18:02:55 +08:00
Tim Allclair
0604256d6c Update tests for RuntimeClass beta 2019-03-08 13:21:52 -08:00
David Zhu
41b3579345 Address review comments 2019-03-07 17:17:09 -08:00
David Zhu
7d2f4e97b8 Add ADC Fallback if Node doesn't have driver installed 2019-03-07 14:47:38 -08:00
Antoine Pelisse
55f9eeed6c Ignore changes to managed field in noderestriction 
The validation is failing because the managedfields are changed when the
object is updated. We don't have a good way to verify that the changes
are only the ones that are supposed to happen, so we'll just ignore them
for now.
 2019-03-06 13:48:38 -08:00
Kubernetes Prow Robot
890b5c1d9a
Merge pull request #74582 from SataQiu/fix-golint-2019022602 
fix some golint failures for plugin/pkg/admission/...
 2019-03-05 06:50:46 -08:00
Kubernetes Prow Robot
6c31101257
Merge pull request #74283 from xing-yang/csi_crd_controller 
CSINodeInfo and CSIDriver Controller Changes
 2019-03-05 04:44:42 -08:00
Kubernetes Prow Robot
02bd34e7b0
Merge pull request #74531 from liggitt/ingress-rbac 
Update RBAC roles for networking.k8s.io ingresses
 2019-03-05 00:48:01 -08:00
Xing Yang
85867e5625 Modify node admission and node authorizer 2019-03-04 16:42:12 -08:00
Kubernetes Prow Robot
f16035600a
Merge pull request #73807 from dekkagaijin/discovery-hardening 
harden the default RBAC discovery clusterrolebindings
 2019-03-01 21:49:30 -08:00
Jake Sanders
9c7d31928d harden the default RBAC discovery clusterrolebindings 2019-03-01 18:45:05 -08:00
Kubernetes Prow Robot
55a65763c0
Merge pull request #71479 from soggiest/podpreset-initcontainers 
PodPreset: Add same functionality for init containers as standard containers
 2019-02-28 20:35:45 -08:00
Andrew Kim
01933b02a3 replace usage of v1beta1 VolumeAttachments with v1 2019-02-27 15:42:12 -05:00
Jordan Liggitt
d1e865ee34 Update client callers to use explicit versions 2019-02-26 08:36:30 -05:00
SataQiu
f8c4aba0cb fix some golint failures for plugin/pkg/admission/... 2019-02-26 17:12:40 +08:00
Jordan Liggitt
85165b40fa Update RBAC roles for networking.k8s.io ingresses 2019-02-25 11:40:44 -05:00
danielqsj
3c9ba7f298 fix typo 2019-02-22 22:38:48 +08:00
danielqsj
5733241f7a fix shellcheck in plugin/pkg/admission/imagepolicy/gencerts.sh 2019-02-22 15:10:06 +08:00
Kubernetes Prow Robot
0ffd59e403
Merge pull request #74154 from mbohlool/gimli 
Use Request Object interfaces instead of static scheme that is more appropriate for CRDs
 2019-02-19 07:21:53 -08:00
Mehdy Bohlool
cebb4ee2ac Remove the propagated scheme from the Admission chain 2019-02-16 13:28:47 -08:00
Mehdy Bohlool
d08bc3774d Mechanical changes due to signature change for Admit and Validate functions 2019-02-16 13:28:47 -08:00
Subramanian Neelakantan
ba9a9cf7c3 Applies zone labels to newly created vsphere volumes 2019-02-15 15:06:01 +05:30
Kubernetes Prow Robot
808f2cf0ef
Merge pull request #72525 from justinsb/owners_should_not_be_executable 
Remove executable file permission from OWNERS files
 2019-02-14 23:55:45 -08:00
Andrew Kim
ca6a051b00 remove cloud provider dependencies to pkg/volume 
Co-authored-by: Weibin Lin <linweibin1@huawei.com>
 2019-02-09 01:16:55 -05:00
Kubernetes Prow Robot
834c9a5e3d
Merge pull request #72491 from liggitt/delegated-auth-permissions 
Ensure controller manager and scheduler can perform delegated auth checks
 2019-02-08 11:53:52 -08:00
Kubernetes Prow Robot
b50c643be0
Merge pull request #73540 from rlenferink/patch-5 
Updated OWNERS files to include link to docs
 2019-02-08 09:05:56 -08:00
Jordan Liggitt
4212a9a05a Ensure controller manager and scheduler can perform delegated auth checks 2019-02-08 11:15:52 -05:00
Davanum Srinivas
b975573385
move pkg/kubelet/apis/well_known_labels.go to staging/src/k8s.io/api/core/v1/ 
Co-Authored-By: Weibin Lin <linweibin1@huawei.com>

Change-Id: I163b2f2833e6b8767f72e2c815dcacd0f4e504ea
 2019-02-05 13:39:07 -05:00
Roy Lenferink
b43c04452f Updated OWNERS files to include link to docs 2019-02-04 22:33:12 +01:00
Kubernetes Prow Robot
d654b49c0e
Merge pull request #73097 from bsalamat/fix_taint_nodes 
Add NotReady taint to new nodes during admission
 2019-01-24 23:46:23 -08:00
Kubernetes Prow Robot
5fc286fb3c
Merge pull request #73102 from andrewsykim/add-openstack-pvl-admission 
Add Cinder to PersistentVolumeLabel Admission Controller
 2019-01-24 14:55:12 -08:00
Kubernetes Prow Robot
e28c757e87
Merge pull request #72972 from liggitt/remove-alpha-initializers 
Remove use of alpha initializers
 2019-01-24 14:54:52 -08:00
Andrew Kim
467a3e5f20 add andrewsykim, dims and msau42 as PVL admission OWNERS 2019-01-24 13:32:01 -05:00
Bobby (Babak) Salamat
763cb708d1 Autogenerated files 2019-01-24 10:31:23 -08:00
Bobby (Babak) Salamat
c2a4d2cbdf Add a default admission controller to taint new nodes on creation. 2019-01-24 10:31:23 -08:00
andrewsykim
32b6225c72 refactor PVL unit tests to use test tables & add test cases for remaining cloud providers 2019-01-24 13:29:56 -05:00
andrewsykim
22fce22a7e add support for Cinder volumes in PersistentVolumeLabel admission controller 2019-01-24 13:29:56 -05:00
andrewsykim
1a316015e3 refactor persistent volume labeler admission controller to use cloudprovider.PVLabler 2019-01-24 13:29:56 -05:00
Kubernetes Prow Robot
4cd759dbe0
Merge pull request #73001 from shivnagarajan/remove_deprecated_taints 
remove remaining deprecated taints from 1.9
 2019-01-24 05:18:57 -08:00
Jordan Liggitt
1a15d80967 generated 2019-01-23 16:34:44 -05:00
Jordan Liggitt
17aa60686e Deprecate and remove use of alpha metadata.initializers field, remove IncludeUninitialized options 2019-01-23 16:34:43 -05:00
Jordan Liggitt
52519ecb1c remove deprecated openapi paths in favor of /openapi/v2 2019-01-21 16:33:41 -05:00
Shiv Nagarajan
36ee154243 remove deprecated taints from 1.9 2019-01-16 21:20:57 -05:00
Jordan Liggitt
9229399bd6 Remove build/verify scripts for swagger 1.2 API docs, API server swagger ui / swagger 1.2 config 2019-01-15 13:33:06 -05:00
Justin SB
dd19b923b7
Remove executable file permission from OWNERS files 2019-01-11 16:42:59 -08:00
Kubernetes Prow Robot
33a9c6e892
Merge pull request #72737 from liggitt/deprecate-deny-exec-admission 
Deprecate DenyEscalatingExec and DenyExecOnPrivileged admission plugins
 2019-01-11 03:30:48 -08:00
Jordan Liggitt
61be3683f3 Deprecate DenyEscalatingExec and DenyExecOnPrivileged admission plugins 2019-01-10 11:57:12 -05:00
Kubernetes Prow Robot
cc67ccfd7f
Merge pull request #71731 from cheftako/leaseMetric 
Add gauge metric for master of leader election.
 2019-01-08 08:57:53 -08:00
Jordan Liggitt
73dcfe12da Stop checking VolumeScheduling feature gate 2018-12-27 17:45:45 -05:00
Walter Fender
f192657380 Add gauge metric for master of leader election. 
Fixes #71730
0 indicates standby, 1 indicates master, label indicates which lease.
Tweaked name and documentation
Factored in Mike Danese feedback.
Removed dependency on prometheus from client-go using adapter.
Centralized adapter import.
Fixed godeps
Fixed boilerplate.
Put in fixes for caesarxuchao
 2018-12-27 09:40:33 -08:00
Jordan Liggitt
0ff455e340 generated files 2018-12-19 11:19:12 -05:00
Jordan Liggitt
fd9e9b01b1 Remove uses of extensions/v1beta1 clients 2018-12-19 11:18:53 -05:00
wojtekt
546ece7b2c Promote NodeLease to Beta and enable by default 2018-12-17 10:19:22 +01:00
k8s-ci-robot
5289fab2f6
Merge pull request #71396 from liggitt/forbidden-messages 
Improve node authorizer and noderestriction forbidden messages
 2018-11-30 00:04:46 -08:00
k8s-ci-robot
79e5cb2cb7
Merge pull request #71302 from liggitt/verify-unit-test-feature-gates 
Split mutable and read-only access to feature gates, limit tests to readonly access
 2018-11-29 21:45:12 -08:00
soggiest
1ec6672580 Added similar functionality for init containers as standard containers in PodPreset admission controller 2018-11-27 14:31:32 -08:00
WanLinghao
0bab5ee5ad Currently the root-ca-cert-publisher was shadowed by BoundServiceAccountTokenVolume feature gate. 
But its corresponding bootstrap RBAC policy was shadowed by TokenRequest feature gate.
This patch fix it.
 2018-11-27 11:44:35 +08:00
Jordan Liggitt
16e355791f Improve node authorizer and noderestriction forbidden messages 2018-11-24 09:31:10 -05:00
Jordan Liggitt
2498ca7606 drop VerifyFeatureGatesUnchanged 2018-11-21 11:51:33 -05:00
k8s-ci-robot
ca696fef26
Merge pull request #69848 from mikedanese/projadmission 
migrate service account volume to a projected volume when BoundServiceAccountTokenVolumes are enabled
 2018-11-16 22:46:23 -08:00
Mike Danese
1244ee6651 migrate service account volume to a projected volume 
When BoundServiceAccountTokenVolume feature is enabled.
 2018-11-16 19:32:44 +00:00
Jordan Liggitt
733dd9dfd7 Add tests to ensure feature gate changes don't escape kubelet/scheduler packages 2018-11-16 10:52:53 -05:00
Jordan Liggitt
de8bf9b63d fix scheduler and kubelet unit tests leaking feature flag changes 2018-11-16 10:52:53 -05:00
Jordan Liggitt
248d661327 Add tests to ensure storage feature gate changes don't escape packages 2018-11-16 10:52:53 -05:00
Jordan Liggitt
358c092abe fix storage unit tests leaking feature flag changes 2018-11-16 10:52:52 -05:00
Michelle Au
fd64c08240 Fix storage feature gate test setting 2018-11-16 10:49:40 -05:00
k8s-ci-robot
1a54fd4319
Merge pull request #71021 from liggitt/node-self-deletion 
Remove self-deletion permissions from kubelets
 2018-11-16 01:53:31 -08:00
Jordan Liggitt
8d7cc39031 Remove self-deletion permissions from kubelets 2018-11-14 00:42:06 -05:00
Jordan Liggitt
9fb2dcad5e Limit kubelets from updating their own labels 2018-11-13 23:48:47 -05:00
k8s-ci-robot
94c5953904
Merge pull request #70699 from liggitt/controllerrevisions 
Include read access to controllerrevisions for admin/edit/view roles
 2018-11-11 21:17:39 -08:00
Davanum Srinivas
954996e231
Move from glog to klog 
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
  * github.com/kubernetes/repo-infra
  * k8s.io/gengo/
  * k8s.io/kube-openapi/
  * github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods

Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
 2018-11-10 07:50:31 -05:00
k8s-ci-robot
e133ab274d
Merge pull request #70515 from davidz627/feature/csiNodeInfo 
Add explicit "Installed" field to CSINodeInfo and change update semantics
 2018-11-09 06:42:09 -08:00
David Zhu
4621887037 Updated test files with new fields 2018-11-08 19:45:01 -08:00
k8s-ci-robot
f212b9db23
Merge pull request #70598 from dims/switch-from-sigs.k8s.io/yaml-to-ghodss/yaml 
Switch to sigs.k8s.io/yaml from ghodss/yaml
 2018-11-08 10:57:36 -08:00
k8s-ci-robot
3f5db92840
Merge pull request #68812 from WanLinghao/token_projection_ca_secret_create 
Create Ca-certificate configmap  used by token projected volume
 2018-11-08 10:57:25 -08:00
WanLinghao
efac533f92 To inject ca.crt into container when projected volume was specified, configmap should be created in each namespace. 
This patch add a controller called "root-ca-cert-publisher" to complete above job as well as some bootstrap rbac policies.
 2018-11-08 11:33:47 +08:00
Davanum Srinivas
43f523d405
Switch to sigs.k8s.io/yaml from ghodss/yaml 
Change-Id: Ic72b5131bf441d159012d67a6a3d87088d0e6d31
 2018-11-07 13:17:32 -05:00
k8s-ci-robot
7e097cf243
Merge pull request #70355 from yue9944882/flake/fixes-improper-test-gc-admission 
Fixes unnecessary legacy scheme dry import for gc admission test regression
 2018-11-07 09:06:08 -08:00
Jordan Liggitt
001627000f Include read access to controllerrevisions for admin/edit/view roles 2018-11-06 10:23:39 -05:00
Jordan Liggitt
360a890c58 serviceaccount subproject approvers/reviewers 2018-11-06 00:57:39 -05:00
Jordan Liggitt
35178d352d auth policy subproject approvers/reviewers 2018-11-06 00:57:39 -05:00
Jordan Liggitt
4cbdc98df3 node-isolation approvers/reviewers 2018-11-06 00:57:39 -05:00
Jordan Liggitt
9ae79f9653 authorizers subproject approvers/reviewers 2018-11-06 00:57:38 -05:00
Jordan Liggitt
4fa2a0cc8a authenticators subproject approvers/reviewers 2018-11-06 00:57:38 -05:00
zuoxiu.jm
965448ff83 fixes unnecessary dry import for test regression 2018-11-03 11:41:59 +08:00
k8s-ci-robot
4351cea80c
Merge pull request #70046 from cheftako/lintCleanGce 
Fixed lint errors for pkg/cloudprovider/providers/gce.
 2018-11-01 13:44:06 -07:00
k8s-ci-robot
bf5c862889
Merge pull request #70389 from caesarxuchao/gc-admission-cluster-scoped-owner 
make gc admission set attribute namespace correctly for owners
 2018-10-31 14:48:07 -07:00
Chao Xu
db3c84a97c make gc admission set attribute namespace correctly for owners 2018-10-29 15:00:11 -07:00
walter
735ad9ed63 Fixed lint errors for pkg/cloudprovider/providers/gce. 
Fixed minor issues.
Cleaned up from merge errors.
 2018-10-29 11:52:24 -07:00
Samuel Davidson
3558f83957 Revert "Improve multi-authorizer errors" 
This reverts commit 1c012f1c49.
 2018-10-29 11:05:45 -07:00
Kim Min
79599ac419 Prune internal clientset/informer from kubeapiserver admission initializer (#70167) 
* externalize pv resize admission controller

* externalize podtolerationrestriction admission controller

* externalize podnodeselector admission controller

* remove internal clientset/informer from kubeapiserver admission initializer

* minor change: fixes scheduler integration test compiliation
 2018-10-24 14:47:16 -07:00
zuoxiu.jm
e3b61ea9cf switch informer in token authn 2018-10-24 15:46:55 +08:00
k8s-ci-robot
753dfbe8fd
Merge pull request #69685 from yue9944882/externalize-psp-admission-controller 
Externalize PSP admission controller
 2018-10-23 12:29:38 -07:00
yue9944882
e2c61169b1 externalize psp admission controller 2018-10-24 00:22:07 +08:00
Mike Danese
e5227216c0 rebase authenticators onto new interface. 2018-10-22 10:16:59 -07:00
Slava Semushin
14c969b604 Remove myself from OWNERS files. 2018-10-16 22:47:44 +01:00
k8s-ci-robot
a1d1385f40
Merge pull request #66854 from k82cn/k8s_66853 
Set PriorityClassName when there's a default PirorityClass.
 2018-10-13 01:33:02 -07:00
tanshanshan
b7c7966b9f Move pkg/scheduler/algorithm/well_known_labels.go out 2018-10-13 09:10:00 +08:00
k8s-ci-robot
53e85280f4
Merge pull request #69714 from ericchiang/owners 
Remove ericchiang from OWNERS files
 2018-10-12 16:01:52 -07:00
k8s-ci-robot
e23a3af013
Merge pull request #67802 from krmayankk/dockershimtests 
Implement RunAsGroup Strategy in PSP
 2018-10-12 11:19:39 -07:00
k8s-ci-robot
b3033a7278
Merge pull request #67934 from tanshanshan/typo828 
fix spelling mistakes
 2018-10-11 18:26:24 -07:00
Eric Chiang
766f5875bf Remove ericchiang from OWNERS files 
Kept myself in the OpenID Connect ones for now.
 2018-10-11 18:11:15 -07:00
Mayank Kumar
bc3e3afc46 api changes for psp runasgroup policy 2018-10-09 17:32:09 -07:00
k8s-ci-robot
0f17e9ade6
Merge pull request #69386 from cblecker/go-1.11 
Update to go1.11.1
 2018-10-05 17:35:51 -07:00
Christoph Blecker
563734faf7
fix vet error in plugin/pkg/admission/storage/persistentvolume/label/admission.go 
plugin/pkg/admission/storage/persistentvolume/label/admission.go:173: Verbose.Info call has possible formatting directive %v
 2018-10-05 15:54:23 -07:00
Christoph Blecker
97b2992dc1
Update gofmt for go1.11 2018-10-05 12:59:38 -07:00
Walter Fender
f3f46d5f5a Moving the cloudprovider interface to staging. 
Individual implementations are not yet being moved.
Fixed all dependencies which call the interface.
Fixed golint exceptions to reflect the move.
Added project info as per @dims and
https://github.com/kubernetes/kubernetes-template-project.
Added dims to the security contacts.
Fixed minor issues.
Added missing template files.
Copied ControllerClientBuilder interface to cp.
This allows us to break the only dependency on K8s/K8s.
Added TODO to ControllerClientBuilder.
Fixed GoDeps.
Factored in feedback from JustinSB.
 2018-10-04 14:41:20 -07:00
k8s-ci-robot
f14271b27d
Merge pull request #69133 from yue9944882/refactor/externalize-namespace-admission-controller 
Externalize namespace admission controller
 2018-10-03 04:43:49 -07:00
k8s-ci-robot
c179a9c9df
Merge pull request #67356 from yliaog/master 
Moved staging/src/k8s.io/client-go/tools/bootstrap to staging/src/k8s…
 2018-10-02 20:35:51 -07:00
k8s-ci-robot
7bcdd8b55c
Merge pull request #62673 from jennybuckley/no-limitrange-on-pod-updates 
Do not run limitrange admission plugin on pod update requests
 2018-10-02 12:13:34 -07:00
Yu Liao
fc21115c3f Moved staging/src/k8s.io/client-go/tools/bootstrap to staging/src/k8s.io/cluster-bootstrap 2018-10-02 09:46:13 -07:00
k8s-ci-robot
8e6172dec2
Merge pull request #69062 from dghubble/add-configmap-get 
Add configmap get to system:kube-controller-manager
 2018-09-27 07:18:50 -07:00
Da K. Ma
083b92acf3 Set PriorityClassName when there's a default PirorityClass. 
Signed-off-by: Da K. Ma <klaus1982.cn@gmail.com>
 2018-09-27 15:26:13 +08:00
zuoxiu.jm
a097e23efc namespace exists externalization 2018-09-27 13:24:15 +08:00
zuoxiu.jm
be7194e166 namespace autoprovision externalization 2018-09-27 12:11:02 +08:00
Dalton Hubble
dfc3c83e64 Add configmap get to system:kube-controller-manager 
* v1.12.x kube-controller-manager tries to get the
extension-apiserver-authentication ConfigMap by default
 2018-09-26 22:03:27 +02:00
k8s-ci-robot
07e81cb8ff
Merge pull request #67831 from xmudrii/extern-exec 
admission/exec: externalize exec admission controller
 2018-09-26 09:55:05 -07:00
k8s-ci-robot
2042125a51
Merge pull request #67810 from yue9944882/refactor/externalize-podpreset 
Propagate externalization to podpreset admission controller
 2018-09-26 08:44:17 -07:00
k8s-ci-robot
055a816b2f
Merge pull request #67696 from yue9944882/chore/cleanup-limit-ranger-admission 
Propagate externalization to limitranger admission controller
 2018-09-26 07:24:11 -07:00
k8s-ci-robot
a67689dfca
Merge pull request #68245 from jingyih/remove_tagName_in_goDoc 
*: Remove comment tags in GoDoc
 2018-09-25 06:13:23 -07:00
k8s-ci-robot
0805860dba
Merge pull request #67870 from yue9944882/refactor/externalize-resource-quota-admission-controller 
Externalize resource quota admission controller & controller reconciliation
 2018-09-25 02:41:40 -07:00
k8s-ci-robot
38d2f05d52
Merge pull request #67842 from xmudrii/extern-priority 
admission/priority: externalize priority admission controller
 2018-09-25 01:27:31 -07:00
jennybuckley
3f1b0cc511 Don't run limitranger admission plugin on pod update requests 2018-09-18 14:49:45 -07:00
Jingyi Hu
61117761cd *: Remove comment tags in GoDoc 
Adding blank line between comment tag and package name in doc.go. So
that the comment tags such as '+k8s:deepcopy-gen=package' do not show up
in GoDoc.
 2018-09-13 20:27:32 -07:00
Cheng Xing
4ca39ef0ed Consolidated CSIDriver logic under CSIDriverRegistry flag 2018-09-10 13:34:40 -07:00
Cheng Xing
94d649b590 Rearranged feature flags 2018-09-07 17:45:27 -07:00
Cheng Xing
becc6a9c19 Implemented logic in kubelet for registering node info, including wiring to CSINodeInfo; added unit tests for node updates; updated RBAC, NodeAuthorizer, NodeRestriction. 2018-09-06 19:16:51 -07:00
Jan Safranek
dc6be0cbf1 Add new RBAC rules for CSIDriver 
Nodes need to watch CSIDrivers to know if they should send pod information
in NodePublish.
 2018-09-05 21:01:32 -04:00
Kubernetes Submit Queue
19c2538798
Merge pull request #67955 from jsafrane/csi-skip-attach-saad 
Automatic merge from submit-queue (batch tested with PRs 68161, 68023, 67909, 67955, 67731). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

CSI: skip attach for non-attachable drivers

**What this PR does / why we need it**:
This is implementation of https://github.com/kubernetes/community/pull/2523. CSI volumes that don't need attach/detach now don't need external attacher running.

WIP:
 * contains #67803 to get CSIDriver API. Ignore the first commit.
 * ~~missing e2e test~~

/sig storage

cc: @saad-ali @vladimirvivien @verult @msau42 @gnufied @davidz627 

**Release note**:
```release-note
CSI volume plugin does not need external attacher for non-attachable CSI volumes.
```
 2018-09-05 14:51:51 -07:00
Kubernetes Submit Queue
d7c849969d
Merge pull request #68134 from yue9944882/chore/add-yue9944882-reviewer 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

Add yue9944882 as subproject reviewer (core admission/apiserver)

extend reviewer bandwidth 😃am a super careful reviewer

i had contributed series of refactors for core admission controllers and apiserver launch flow. 

/assign @deads2k 

**Release note**:

```release-note
NONE
```
 2018-09-05 10:55:18 -07:00
Jan Safranek
4e7eca7b31 Add new RBAC rules for CSIDriver 
A/D controller and nodes need to watch CSIDrivers to know if they should send pod information
in NodePublish.
 2018-09-05 10:15:43 -04:00
Janet Kuo
5186807587 Add TTL GC controller 2018-09-04 13:11:18 -07:00
Tim Allclair
0c59d4db32 Add RuntimeClass read permission for nodes 2018-08-31 18:22:13 -07:00
Marko Mudrinić
21d2377821
admission/priority: externalize priority admission controller 2018-08-31 15:33:37 +02:00
yue9944882
099f9a8ba2 add reviewer 2018-08-31 20:29:09 +08:00
Kubernetes Submit Queue
c081c024c7
Merge pull request #67349 from mikedanese/trbeta 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

promote TokenRequest and projection to beta in 1.12

```release-note
TokenRequest and TokenRequestProjection are now beta features. To enable these feature, the API server needs to be started with the following flags:
* --service-account-issuer
* --service-account-signing-key-file
* --service-account-api-audiences
```
 2018-08-30 20:09:42 -07:00
lichuqiang
4c43d626f2 related test update 2018-08-29 10:30:16 +08:00
lichuqiang
b4a57f6855 combine feature gate VolumeScheduling and DynamicProvisioningScheduling into one 2018-08-29 10:30:08 +08:00
tanshanshan
a83c4dbd19 fix spelling mistakes 2018-08-28 17:12:36 +08:00
Kubernetes Submit Queue
583dd0ff6b
Merge pull request #64597 from wteiken/add_review_annotations2 
Automatic merge from submit-queue (batch tested with PRs 64597, 67854, 67734, 67917, 67688). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Allow ImageReview backend to add audit annotations.

**What this PR does / why we need it**: 
This can be used to create annotations that will allow auditing of the created 
pods.

The change also introduces "fail open" audit annotations in addition to the
previously existing pod annotation for fail open.  The pod annotations for 
fail open will be deprecated soon.


**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:
```release-note
Allow ImageReview backend to return annotations to be added to the created pod.
```
 2018-08-27 22:18:06 -07:00
yue9944882
48dd084a79 externalize fields for quota private schema 2018-08-27 21:47:28 +08:00
yue9944882
b86e8f7631 externalize quota admission controller 2018-08-27 21:47:10 +08:00
Marko Mudrinić
b622acf8ec
admission/exec: externalize exec admission controller 2018-08-27 11:37:15 +02:00
Michael Taufen
1b7d06e025 Kubelet creates and manages node leases 
This extends the Kubelet to create and periodically update leases in a
new kube-node-lease namespace. Based on [KEP-0009](https://github.com/kubernetes/community/blob/master/keps/sig-node/0009-node-heartbeat.md),
these leases can be used as a node health signal, and will allow us to
reduce the load caused by over-frequent node status reporting.

- add NodeLease feature gate
- add kube-node-lease system namespace for node leases
- add Kubelet option for lease duration
- add Kubelet-internal lease controller to create and update lease
- add e2e test for NodeLease feature
- modify node authorizer and node restriction admission controller
to allow Kubelets access to corresponding leases
 2018-08-26 16:03:36 -07:00
yue9944882
1b3571b425 externalize podpreset 2018-08-24 17:25:02 +08:00
yue9944882
61ba80cbac externalize limitrange 2018-08-24 13:13:19 +08:00
Wilfried Teiken
73c522f79c Allow ImageReview backend to add audit annotations. 
This can be used to create annotations that will allow auditing of the created
pods.

The change also introduces "fail open" audit annotations in addition to the
previously existing pod annotation for fail open.  The pod annotations for
fail open will be deprecated soon.
 2018-08-23 22:53:06 -04:00
Kubernetes Submit Queue
687553a47a
Merge pull request #67576 from yue9944882/externalize-secret-serviceaccount-informer 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Externalize serviceaacount admission controller

ref: #66680

this pull externalizes serviceaccount admission controller in which secret & serviceaccount informers will be completely replaced.

/sig api-machinery

**Release note**:

```release-note
NONE
```
 2018-08-22 19:19:07 -07:00
yue9944882
8dd3919d12 externalize storageclass 2018-08-22 21:04:28 +08:00
yue9944882
17306b540b externalize serviceaacount admission controller 
remove unused internal serviceaccount util
 2018-08-22 11:41:54 +08:00
yue9944882
f624a4efb8 externalize node admission 
fixes internal pod annotation reference

completely strip internal informers from authz initialization
 2018-08-21 23:33:03 +08:00
yue9944882
e7d0983707 externalize pv informer in node authorizer 2018-08-17 11:14:43 +08:00
yue9944882
3e205cadcc externalize storage object in use protection 
prune listers from admission controller
 2018-08-17 11:14:39 +08:00
yue9944882
715f04b2ed should cast va instead of pv 2018-08-16 11:15:08 +08:00