github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-11-22 03:10:26 +00:00
Code Issues Projects Releases Wiki Activity
50,248 Commits 42 Branches 8,286 Tags
49b51c2de8f94e4554524f757a63a5ca183bae04
Commit Graph

306 Commits

Author SHA1 Message Date
Kubernetes Submit Queue
6cd0592a46 Merge pull request #39963 from deads2k/rbac-39-permissions 
Automatic merge from submit-queue

add patch RS to deployment controller

Found in http://gcsweb.k8s.io/gcs/kubernetes-jenkins/logs/ci-kubernetes-e2e-gci-gce/2841/artifacts/bootstrap-e2e-master/, `RBAC DENY: user "system:serviceaccount:kube-system:deployment-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "patch" on "replicasets.extensions/" in namespace "e2e-tests-deployment-3rj5g"
`

@kubernetes/sig-auth-misc
 2017-01-16 12:15:16 -08:00
Kubernetes Submit Queue
8ab0519160 Merge pull request #39961 from liggitt/patch-permissions 
Automatic merge from submit-queue

Give replicaset controller patch permission on pods

Needed for AdoptPod/ReleasePod

Fixes denials seen in autoscaling test log:
`RBAC DENY: user "system:serviceaccount:kube-system:replicaset-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "patch" on "pods./"`
 2017-01-16 11:23:40 -08:00
deads2k
56c0ae6456 add patch RS to deployment controller 2017-01-16 12:44:25 -05:00
Jordan Liggitt
4eee0b2b41 Give replicaset controller patch permission on pods 
Needed for AdoptPod/ReleasePod
 2017-01-16 12:32:37 -05:00
Kubernetes Submit Queue
8fa23586cf Merge pull request #39918 from liggitt/e2e-examples-permissions 
Automatic merge from submit-queue

Fix examples e2e permission check

Ref #39382
Follow-up from #39896

Permission check should be done within the e2e test namespace, not cluster-wide

Also improved RBAC audit logging to make the scope of the permission check clearer
 2017-01-16 06:30:29 -08:00
Kubernetes Submit Queue
eb9f953496 Merge pull request #39876 from deads2k/generic-20-deps-03 
Automatic merge from submit-queue

move more things to apiserver

```
pkg/genericapiserver/api/handlers/negotiation/ -> apiserver/pkg/handlers/negotiation
pkg/genericapiserver/api/metrics -> apiserver/pkg/metrics
pkg/genericapiserver/api/request -> apiserver/pkg/request
pkg/util/wsstream -> apiserver/pkg/util/wsstream
plugin/pkg/auth/authenticator/request/headerrequest -> apiserver/pkg/authentication/request/headerrequest
plugin/pkg/webhook -> apiserver/pkg/webhook
```

and mechanicals.

`k8s.io/kubernetes/pkg/genericapiserver/routes/data/swagger` needs to be sorted out.
 2017-01-16 04:14:37 -08:00
Jordan Liggitt
7f81e2e4ac Improve RBAC denial audit logging 2017-01-14 17:31:58 -05:00
Kubernetes Submit Queue
f21a0f03c3 Merge pull request #39905 from mikedanese/cert-rbac 
Automatic merge from submit-queue

add rbac role for certificate-controller

@liggitt @jcbsmpsn @pipejakob
 2017-01-14 07:46:11 -08:00
Mike Danese
f3e97d522d add rbac role for certificate-controller 2017-01-13 17:40:24 -08:00
deads2k
31b6ba4e94 mechanicals 2017-01-13 16:33:09 -05:00
deads2k
81b073a5f5 move no k8s.io/kubernetes deps to apiserver 2017-01-13 16:26:58 -05:00
deads2k
633e9d98fc use apimachinery packages instead of client-go packages 2017-01-13 14:04:54 -05:00
deads2k
f1176d9c5c mechanical repercussions 2017-01-13 08:27:14 -05:00
Kubernetes Submit Queue
8d4cc53175 Merge pull request #39483 from deads2k/generic-15-deps-02-for-real 
Automatic merge from submit-queue

move no k8s.io/kubernetes dep packages for genericapiserver

Move the next set of no-dep packages for genericapiserver.  Feel the ratchet click!

```
k8s.io/kubernetes/pkg/auth/authenticator/bearertoken -> k8s.io/apiserver/pkg/authentication/request/bearertoken
k8s.io/kubernetes/pkg/auth/authorizer/union -> k8s.io/apiserver/pkg/authorization/union
k8s.io/kubernetes/pkg/auth/group -> k8s.io/apiserver/pkg/authentication/group
k8s.io/kubernetes/pkg/httplog -> k8s.io/apiserver/pkg/httplog
k8s.io/kubernetes/pkg/ssh -> k8s.io/apiserver/pkg/ssh
k8s.io/kubernetes/pkg/storage/etcd/metrics -> k8s.io/apiserver/pkg/storage/etcd/metrics
k8s.io/kubernetes/pkg/util/cache -> k8s.io/apiserver/pkg/util/cache
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/anonymous -> k8s.io/apiserver/pkg/authentication/request/anonymous
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union -> k8s.io/apiserver/pkg/authentication/request/union
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/x509 -> k8s.io/apiserver/pkg/authentication/request/x509
k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/tokenfile -> k8s.io/apiserver/pkg/authentication/token/tokenfile
```

@sttts
 2017-01-11 15:16:13 -08:00
deads2k
c4fae4e690 mechanical repercussions 2017-01-11 15:20:36 -05:00
deads2k
5280c8d3ac moves of genericapiserver packages without dependencies 2017-01-11 15:06:38 -05:00
Dr. Stefan Schimanski
4a1d507756 Update bazel 2017-01-11 18:53:24 +01:00
Dr. Stefan Schimanski
cf60bec396 Split out server side code from pkg/apis/rbac/validation 2017-01-11 18:31:58 +01:00
deads2k
6a4d5cd7cc start the apimachinery repo 2017-01-11 09:09:48 -05:00
Kubernetes Submit Queue
959687543a Merge pull request #39651 from liggitt/passwordfile-groups 
Automatic merge from submit-queue (batch tested with PRs 39694, 39383, 39651, 39691, 39497)

Add support for groups to passwordfile

As we move deployment methods to using RBAC, it is useful to be able to place the admin user in the bootstrap kubeconfig files in a superuser group. The tokencsv file supports specifying group membership, but the basicauth file does not. This adds it for parity.

I plan to update the generated password file to put the admin user in a group (similar to the way https://github.com/kubernetes/kubernetes/pull/39537 puts that user in a group in the token file)

```release-note
--basic-auth-file supports optionally specifying groups in the fourth column of the file
```
 2017-01-10 21:25:15 -08:00
Kubernetes Submit Queue
49a0cf7f68 Merge pull request #39641 from liggitt/node-controller-status 
Automatic merge from submit-queue (batch tested with PRs 38212, 38792, 39641, 36390, 39005)

Allow node-controller to update node status

ref: #39639 

* adds required permissions to node-controller
 * fixes typo in role name for pod-garbage-collector role
* adds event watching permissions to persistent volume controller
* adds event permissions to node proxier
 2017-01-10 19:48:12 -08:00
Kubernetes Submit Queue
609e3e3890 Merge pull request #39619 from deads2k/fed-20-rename 
Automatic merge from submit-queue (batch tested with PRs 34488, 39511, 39619, 38342, 39491)

rename kubernetes-discovery to kube-aggregator

Rename `kubernetes-discovery` to `kube-aggregator`.  Move and bulk rename.

@kubernetes/sig-api-machinery-misc
 2017-01-10 16:07:14 -08:00
deads2k
453651cbfc rename kubernetes-discovery to kube-aggregator 2017-01-10 12:27:42 -05:00
Jordan Liggitt
caca81b1b5 Add support for groups to passwordfile 2017-01-10 00:04:26 -05:00
Jordan Liggitt
c6550af702 Allow proxier to write events 2017-01-09 23:36:09 -05:00
Jordan Liggitt
6d3b06125e Allow the persistent volume binder to watch events 2017-01-09 23:36:09 -05:00
Jordan Liggitt
c59c11eb0d fix role for pod-garbage-collector 2017-01-09 23:36:09 -05:00
Jordan Liggitt
bda95a59ad Allow node-controller to update node status 2017-01-09 23:36:09 -05:00
deads2k
1df5b658f2 switch webhook to clientgo 2017-01-09 16:53:24 -05:00
Anirudh
a8a65022b4 Update fixtures 2017-01-06 13:36:34 -08:00
Anirudh
2146f2f221 Allow disruption controller to read statefulsets 2017-01-06 13:03:44 -08:00
Jeff Grafton
20d221f75c Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
deads2k
4d7fcae85a mechanicals 2017-01-05 11:14:27 -05:00
deads2k
1ebe759743 selectively move to client-go packages 2017-01-04 17:49:24 -05:00
deads2k
ca58ec0237 mechanical changes for move 2017-01-04 10:27:05 -05:00
Kubernetes Submit Queue
38d57e5a71 Merge pull request #39355 from kargakis/update-rc-manager 
Automatic merge from submit-queue

Share rc cache from the rc manager

@kubernetes/sig-apps-misc @hodovska
 2017-01-04 05:18:29 -08:00
Kubernetes Submit Queue
016133cf7d Merge pull request #36087 from ericchiang/plugin-auth-oidc-verify-email 
Automatic merge from submit-queue

oidc auth-n plugin: enforce email_verified claim

This change causes the OpenID Connect authenticator to start
enforcing the 'email_verified' claim.

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

If the OIDC authenticator uses the 'email' claim as a user's username
and the 'email_verified' is not set to `true`, reject that authentication attempt.

cc @erictune @kubernetes/sig-auth @mlbiam

```release-note
When using OIDC authentication and specifying --oidc-username-claim=email, an `"email_verified":true` claim must be returned from the identity provider.
```
 2017-01-04 00:50:31 -08:00
Kubernetes Submit Queue
2bad7e6be1 Merge pull request #39219 from liggitt/swagger-discovery 
Automatic merge from submit-queue

Include swaggerapi urls in system:discovery role

Used by client side API validation and for client schema generation
 2017-01-04 00:09:41 -08:00
xilabao
9b38eaf98e omit the reason if we don't have an error when using rbac 2017-01-04 11:41:43 +08:00
Michail Kargakis
e5b586b5b0 Share rc cache from the rc manager 2017-01-03 16:59:09 +01:00
Mike Danese
161c391f44 autogenerated 2016-12-29 13:04:10 -08:00
Jordan Liggitt
a209040ac8 Include swaggerapi urls in system:discovery role 2016-12-24 12:36:38 -05:00
xilabao
2a77353164 extend err info when authorize failed 2016-12-22 14:47:56 +08:00
deads2k
17f600d671 rbac deny output for e2e tests 2016-12-21 13:51:50 -05:00
deads2k
8f1677b7c8 add service status detection to kubernetes-discovery 2016-12-19 14:56:20 -05:00
Maciej Szulik
9f064c57ce Remove extensions/v1beta1 Job 2016-12-17 00:07:24 +01:00
Mike Danese
8fdec87d19 bazel: fix some unit tests 2016-12-15 18:36:22 -08:00
deads2k
6ab6975983 update for controller RBAC roles 2016-12-15 09:18:48 -05:00
Chao Xu
03d8820edc rename /release_1_5 to /clientset 2016-12-14 12:39:48 -08:00
Mike Danese
c87de85347 autoupdate BUILD files 2016-12-12 13:30:07 -08:00