github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-12-03 12:40:47 +00:00
Code Issues Projects Releases Wiki Activity
52,608 Commits 42 Branches 8,286 Tags
4a57d68da02705deedcd85608da92b51a004eed1
Commit Graph

211 Commits

Author SHA1 Message Date
Kubernetes Submit Queue
fc8e029f8f Merge pull request #40034 from liggitt/node-bootstrapper-role 
Automatic merge from submit-queue

Add node TLS bootstrapping role

Adds a role describing permissions needed to complete the kubelet client bootstrap flow. Needed by kubeadm in https://github.com/kubernetes/kubernetes/pull/39846#discussion_r96491471
 2017-01-17 12:44:24 -08:00
Steven E. Harris
0016f7f2fc Include "ingresses" in RBAC bootstrap roles 
The bootstrap RBAC roles "admin", "edit", and "view" should all be
able to apply their respective access verbs to the "ingresses"
resource in order to facilitate both publishing Ingress resources (for
service administrators) and consuming them (for ingress controllers).
 2017-01-17 15:37:19 -05:00
Jordan Liggitt
d11f5a0a20 Add node TLS bootstrapping role 2017-01-17 14:31:34 -05:00
deads2k
b2586830c3 add heapster role 2017-01-17 11:27:57 -05:00
Kubernetes Submit Queue
6cd0592a46 Merge pull request #39963 from deads2k/rbac-39-permissions 
Automatic merge from submit-queue

add patch RS to deployment controller

Found in http://gcsweb.k8s.io/gcs/kubernetes-jenkins/logs/ci-kubernetes-e2e-gci-gce/2841/artifacts/bootstrap-e2e-master/, `RBAC DENY: user "system:serviceaccount:kube-system:deployment-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "patch" on "replicasets.extensions/" in namespace "e2e-tests-deployment-3rj5g"
`

@kubernetes/sig-auth-misc
 2017-01-16 12:15:16 -08:00
Kubernetes Submit Queue
8ab0519160 Merge pull request #39961 from liggitt/patch-permissions 
Automatic merge from submit-queue

Give replicaset controller patch permission on pods

Needed for AdoptPod/ReleasePod

Fixes denials seen in autoscaling test log:
`RBAC DENY: user "system:serviceaccount:kube-system:replicaset-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "patch" on "pods./"`
 2017-01-16 11:23:40 -08:00
deads2k
56c0ae6456 add patch RS to deployment controller 2017-01-16 12:44:25 -05:00
Jordan Liggitt
4eee0b2b41 Give replicaset controller patch permission on pods 
Needed for AdoptPod/ReleasePod
 2017-01-16 12:32:37 -05:00
Kubernetes Submit Queue
8fa23586cf Merge pull request #39918 from liggitt/e2e-examples-permissions 
Automatic merge from submit-queue

Fix examples e2e permission check

Ref #39382
Follow-up from #39896

Permission check should be done within the e2e test namespace, not cluster-wide

Also improved RBAC audit logging to make the scope of the permission check clearer
 2017-01-16 06:30:29 -08:00
Kubernetes Submit Queue
eb9f953496 Merge pull request #39876 from deads2k/generic-20-deps-03 
Automatic merge from submit-queue

move more things to apiserver

```
pkg/genericapiserver/api/handlers/negotiation/ -> apiserver/pkg/handlers/negotiation
pkg/genericapiserver/api/metrics -> apiserver/pkg/metrics
pkg/genericapiserver/api/request -> apiserver/pkg/request
pkg/util/wsstream -> apiserver/pkg/util/wsstream
plugin/pkg/auth/authenticator/request/headerrequest -> apiserver/pkg/authentication/request/headerrequest
plugin/pkg/webhook -> apiserver/pkg/webhook
```

and mechanicals.

`k8s.io/kubernetes/pkg/genericapiserver/routes/data/swagger` needs to be sorted out.
 2017-01-16 04:14:37 -08:00
Jordan Liggitt
7f81e2e4ac Improve RBAC denial audit logging 2017-01-14 17:31:58 -05:00
Kubernetes Submit Queue
f21a0f03c3 Merge pull request #39905 from mikedanese/cert-rbac 
Automatic merge from submit-queue

add rbac role for certificate-controller

@liggitt @jcbsmpsn @pipejakob
 2017-01-14 07:46:11 -08:00
Mike Danese
f3e97d522d add rbac role for certificate-controller 2017-01-13 17:40:24 -08:00
deads2k
31b6ba4e94 mechanicals 2017-01-13 16:33:09 -05:00
deads2k
633e9d98fc use apimachinery packages instead of client-go packages 2017-01-13 14:04:54 -05:00
deads2k
f1176d9c5c mechanical repercussions 2017-01-13 08:27:14 -05:00
Kubernetes Submit Queue
8d4cc53175 Merge pull request #39483 from deads2k/generic-15-deps-02-for-real 
Automatic merge from submit-queue

move no k8s.io/kubernetes dep packages for genericapiserver

Move the next set of no-dep packages for genericapiserver.  Feel the ratchet click!

```
k8s.io/kubernetes/pkg/auth/authenticator/bearertoken -> k8s.io/apiserver/pkg/authentication/request/bearertoken
k8s.io/kubernetes/pkg/auth/authorizer/union -> k8s.io/apiserver/pkg/authorization/union
k8s.io/kubernetes/pkg/auth/group -> k8s.io/apiserver/pkg/authentication/group
k8s.io/kubernetes/pkg/httplog -> k8s.io/apiserver/pkg/httplog
k8s.io/kubernetes/pkg/ssh -> k8s.io/apiserver/pkg/ssh
k8s.io/kubernetes/pkg/storage/etcd/metrics -> k8s.io/apiserver/pkg/storage/etcd/metrics
k8s.io/kubernetes/pkg/util/cache -> k8s.io/apiserver/pkg/util/cache
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/anonymous -> k8s.io/apiserver/pkg/authentication/request/anonymous
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union -> k8s.io/apiserver/pkg/authentication/request/union
k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/x509 -> k8s.io/apiserver/pkg/authentication/request/x509
k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/tokenfile -> k8s.io/apiserver/pkg/authentication/token/tokenfile
```

@sttts
 2017-01-11 15:16:13 -08:00
deads2k
c4fae4e690 mechanical repercussions 2017-01-11 15:20:36 -05:00
Dr. Stefan Schimanski
4a1d507756 Update bazel 2017-01-11 18:53:24 +01:00
Dr. Stefan Schimanski
cf60bec396 Split out server side code from pkg/apis/rbac/validation 2017-01-11 18:31:58 +01:00
deads2k
6a4d5cd7cc start the apimachinery repo 2017-01-11 09:09:48 -05:00
Kubernetes Submit Queue
49a0cf7f68 Merge pull request #39641 from liggitt/node-controller-status 
Automatic merge from submit-queue (batch tested with PRs 38212, 38792, 39641, 36390, 39005)

Allow node-controller to update node status

ref: #39639 

* adds required permissions to node-controller
 * fixes typo in role name for pod-garbage-collector role
* adds event watching permissions to persistent volume controller
* adds event permissions to node proxier
 2017-01-10 19:48:12 -08:00
Kubernetes Submit Queue
609e3e3890 Merge pull request #39619 from deads2k/fed-20-rename 
Automatic merge from submit-queue (batch tested with PRs 34488, 39511, 39619, 38342, 39491)

rename kubernetes-discovery to kube-aggregator

Rename `kubernetes-discovery` to `kube-aggregator`.  Move and bulk rename.

@kubernetes/sig-api-machinery-misc
 2017-01-10 16:07:14 -08:00
deads2k
453651cbfc rename kubernetes-discovery to kube-aggregator 2017-01-10 12:27:42 -05:00
Jordan Liggitt
c6550af702 Allow proxier to write events 2017-01-09 23:36:09 -05:00
Jordan Liggitt
6d3b06125e Allow the persistent volume binder to watch events 2017-01-09 23:36:09 -05:00
Jordan Liggitt
c59c11eb0d fix role for pod-garbage-collector 2017-01-09 23:36:09 -05:00
Jordan Liggitt
bda95a59ad Allow node-controller to update node status 2017-01-09 23:36:09 -05:00
deads2k
1df5b658f2 switch webhook to clientgo 2017-01-09 16:53:24 -05:00
Anirudh
a8a65022b4 Update fixtures 2017-01-06 13:36:34 -08:00
Anirudh
2146f2f221 Allow disruption controller to read statefulsets 2017-01-06 13:03:44 -08:00
Jeff Grafton
20d221f75c Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
deads2k
4d7fcae85a mechanicals 2017-01-05 11:14:27 -05:00
deads2k
ca58ec0237 mechanical changes for move 2017-01-04 10:27:05 -05:00
Kubernetes Submit Queue
38d57e5a71 Merge pull request #39355 from kargakis/update-rc-manager 
Automatic merge from submit-queue

Share rc cache from the rc manager

@kubernetes/sig-apps-misc @hodovska
 2017-01-04 05:18:29 -08:00
Kubernetes Submit Queue
2bad7e6be1 Merge pull request #39219 from liggitt/swagger-discovery 
Automatic merge from submit-queue

Include swaggerapi urls in system:discovery role

Used by client side API validation and for client schema generation
 2017-01-04 00:09:41 -08:00
xilabao
9b38eaf98e omit the reason if we don't have an error when using rbac 2017-01-04 11:41:43 +08:00
Michail Kargakis
e5b586b5b0 Share rc cache from the rc manager 2017-01-03 16:59:09 +01:00
Mike Danese
161c391f44 autogenerated 2016-12-29 13:04:10 -08:00
Jordan Liggitt
a209040ac8 Include swaggerapi urls in system:discovery role 2016-12-24 12:36:38 -05:00
xilabao
2a77353164 extend err info when authorize failed 2016-12-22 14:47:56 +08:00
deads2k
17f600d671 rbac deny output for e2e tests 2016-12-21 13:51:50 -05:00
deads2k
8f1677b7c8 add service status detection to kubernetes-discovery 2016-12-19 14:56:20 -05:00
Maciej Szulik
9f064c57ce Remove extensions/v1beta1 Job 2016-12-17 00:07:24 +01:00
Mike Danese
8fdec87d19 bazel: fix some unit tests 2016-12-15 18:36:22 -08:00
deads2k
6ab6975983 update for controller RBAC roles 2016-12-15 09:18:48 -05:00
Chao Xu
03d8820edc rename /release_1_5 to /clientset 2016-12-14 12:39:48 -08:00
Mike Danese
c87de85347 autoupdate BUILD files 2016-12-12 13:30:07 -08:00
deads2k
4aeb3f3ffe update pod RBAC roles to work against head 2016-12-12 08:55:47 -05:00
xilabao
1d475edd1c add default label <kubernetes.io/bootstrapping=rbac-defaults> to rbac bootstrap policy 2016-12-07 09:08:34 +08:00