Shihang Zhang
925900317e
allow multiple of --service-account-issuer
2021-04-19 09:54:11 -07:00
Jordan Liggitt
33ad842480
allow evictions subresource to accept policy/v1 and policy/v1beta1
2021-04-13 21:22:25 -04:00
drfish
aa0b284ca1
Make integration tests not depend on e2e tests
2021-03-25 23:02:52 +08:00
Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00
Shihang Zhang
1095778dcc
remove secret-based sa token client builder
2021-02-21 22:00:40 -08:00
Michael Taufen
6aa80d9172
Graduate ServiceAccountIssuerDiscovery to GA
...
Waiting on KEP updates first:
https://github.com/kubernetes/enhancements/pull/2363
2021-02-01 11:44:23 -08:00
ialidzhikov
bc432124a2
Remove CSINodeInfo feature gate
...
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
2020-12-10 09:58:22 +02:00
Abu Kashem
53a1307f68
make backoff parameters configurable for webhook
...
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.
2020-11-01 10:18:25 -05:00
Shihang Zhang
ff641f6eb2
mv TokenRequest and TokenRequestProjection to GA
2020-10-29 20:47:01 -07:00
Kubernetes Prow Robot
ccfdc09f35
Merge pull request #91683 from tedyu/mirror-pod-owner-ref
...
Mirror pod without OwnerReference should not be created
2020-09-25 11:02:48 -07:00
Daniel Smith
a86afc12df
update scripts
2020-09-02 10:49:40 -07:00
Daniel Smith
15e0e3e90e
rename
2020-09-02 10:48:26 -07:00
Ted Yu
9f95fdd3cd
Mirror pod without OwnerReference should not be created
...
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
2020-06-21 08:00:17 -07:00
Kevin
bd961781d7
prevent update handler being called on disallowed CreateOnUpdate
2020-06-12 13:04:17 +00:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Jiajie Yang
ae0e52d28c
Monitoring safe rollout of time-bound service account token.
2020-04-22 11:59:16 -07:00
Jordan Liggitt
d8abacba40
client-go: update expansions callers
2020-03-06 16:50:41 -05:00
Mike Danese
c58e69ec79
automated refactor
2020-03-05 14:59:46 -08:00
Jefftree
1b38199ea8
pass Dialer instead of egressselector to webhooks
2020-02-27 17:47:23 -08:00
Jefftree
d318e52ffe
authentication webhook via network proxy
2020-02-27 17:47:23 -08:00
Charles Eckman
5a176ac772
Provide OIDC discovery endpoints
...
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
  the API server's external address and port.
- The metadata server is configured with the validating key set rather
  than the signing key set. This allows for key rotation because tokens
  can still be validated by the keys exposed in the JWKs URL, even if the
  signing key has been rotated (note this may still be a short window if
  tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
  fetch the issuer metadata via HTTPS; the trust of the issuer metadata
  comes from the server presenting a TLS certificate with a trust chain
  back to the relying party's root(s) of trust. For tests, we use
  a local issuer (https://kubernetes.default.svc) for the certificate
  so that workloads within the cluster can authenticate it when fetching
  OIDC metadata. An API server cannot validly claim https://kubernetes.io,
  but within the cluster, it is the authority for kubernetes.default.svc,
  according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
Mike Danese
25651408ae
generated: run refactor
2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00
Tim Allclair
9d3670f358
Ensure testing credentials are labeled as such
2020-02-04 10:36:05 -08:00
Mike Danese
d55d6175f8
refactor
2020-01-29 08:50:45 -08:00
tanjunchen
264a1cf5f6
staticcheck:test/integration/auth/
2020-01-07 15:23:19 +08:00
danielqsj
6596a14d39
add missing alias of api errors under test
2019-12-26 17:29:38 +08:00
Jordan Liggitt
5d5b444c4d
Remove use of testapi codecs, selflink, resourcepath functions
2019-12-13 11:56:29 -05:00
tanjunchen
d2d68026fc
Fix golint issues in test/e2e/lifecycle/
2019-12-03 17:14:38 +08:00
Mike Danese
d16dde36a3
inline GC in expiring cache
...
This allows us to drop the background goroutine with negligible
difference in performance.
2019-11-15 17:50:31 -08:00
Mike Danese
3f194d5b41
migrate token cache to cache.Expiring
2019-11-14 13:50:15 -08:00
Jordan Liggitt
5ef4fe959a
Switch kubelet/aggregated API servers to use v1 tokenreviews
2019-11-11 17:19:10 -05:00
wojtekt
ffad401b4e
Promote NodeLease feature to GA
2019-11-05 09:01:12 +01:00
Michelle Au
2d467ed9d8
Update tests to use v1.CSINode
2019-10-28 13:41:13 -07:00
Jordan Liggitt
92eb072989
Propagate context to Authorize() calls
2019-09-24 11:14:54 -04:00
Ted Yu
87b2a3129b
Propagate error from NewREST
2019-08-12 13:55:35 -07:00
Bin Lu
5504d845ff
Bug fix: failed to run integration test by using bazel
...
Signed-off-by: Bin Lu <bin.lu@arm.com>
2019-05-17 11:19:55 +08:00
Kubernetes Prow Robot
09c4e10333
Merge pull request #74021 from andrewsykim/move-features-component-base
...
Move feature gate package from k8s.io/apiserver to k8s.io/component-base
2019-05-08 13:06:34 -07:00
Daniel (Shijun) Qian
5268f69405
fix duplicated imports of k8s code (#77484)
...
* fix duplicated imports of api/core/v1
* fix duplicated imports of client-go/kubernetes
* fix duplicated imports of rest code
* change import name to more reasonable
2019-05-08 10:12:47 -07:00
Andrew Kim
c919139245
update import of generic featuregate code from k8s.io/apiserver/pkg/util/feature -> k8s.io/component-base/featuregate
2019-05-08 10:01:50 -04:00
Baasbank
d97b7f20f8
fixes golint errors in pkg/printers/storage
...
fixes golint errors in pkg/printers
fixes golint errors for pkg/printers/internalversion
implements recommended changes
2019-05-01 17:02:55 +01:00
yue9944882
8f601d3413
prune internal client references from test/*
2019-04-09 21:43:55 +08:00
Michelle Au
d2aa8178f2
Remove alpha CRD install
2019-04-02 10:59:11 -07:00
WanLinghao
244b244f9d
Migrate the controller to use TokenRequest and rotate token periodically
2019-03-25 14:54:22 +08:00
Antoine Pelisse
eb904d8fa8
Add "fieldManager" to flag to PATCH/CREATE/UPDATE
...
And add a corresponding flag in kubectl (for apply), even though the
value is defaulted in kubectl with "kubectl".
The flag is required for Apply patch-type, and optional for other PATCH,
CREATE and UPDATE (in which case we fallback on the user-agent).
2019-03-08 16:03:03 -08:00
Michelle Au
08330c37ca
lock csi and plugin watcher GA feature gates
2019-03-05 09:59:05 -08:00
Xing Yang
d69e0ff3f0
Enable CSI test suite and fix test failures
2019-03-04 16:42:13 -08:00
Kubernetes Prow Robot
f16035600a
Merge pull request #73807 from dekkagaijin/discovery-hardening
...
harden the default RBAC discovery clusterrolebindings
2019-03-01 21:49:30 -08:00
Jake Sanders
9c7d31928d
harden the default RBAC discovery clusterrolebindings
2019-03-01 18:45:05 -08:00