Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						8ca96f3e07 
					 
					
						
						
							
							Merge pull request  #80724  from cceckman/provider-info-e2e  
						
						
						
						
						Provide OIDC discovery for service account token issuer 
						
						
					 
					
						2020-02-13 01:38:35 -08:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						d5ea2f15b5 
					 
					
						
						
							
							Merge pull request  #87234  from KobayashiD27/fix-golint  
						
						
						
						
						fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy 
						
						
					 
					
						2020-02-12 02:23:05 -08:00 
						 
				 
			
				
					
						
							
							
								Charles Eckman 
							
						 
					 
					
						
						
							
						
						5a176ac772 
					 
					
						
						
							
							Provide OIDC discovery endpoints  
						
						
						
						
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.

Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
  the API server's external address and port.
- The metadata server is configured with the validating key set rather
  than the signing key set. This allows for key rotation because tokens
  can still be validated by the keys exposed in the JWKs URL, even if the
  signing key has been rotated (note this may still be a short window if
  tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
  fetch the issuer metadata via HTTPS; the trust of the issuer metadata
  comes from the server presenting a TLS certificate with a trust chain
  back to the relying party's root(s) of trust. For tests, we use
  a local issuer (https://kubernetes.default.svc) for the certificate
  so that workloads within the cluster can authenticate it when fetching
  OIDC metadata. An API server cannot validly claim https://kubernetes.io,
  but within the cluster, it is the authority for kubernetes.default.svc,
  according to the in-cluster config.

Co-authored-by: Michael Taufen <mtaufen@google.com>
						
						
					 
					
						2020-02-11 16:23:31 -08:00 
						 
				 
			
				
					
						
							
							
								Jordan Liggitt 
							
						 
					 
					
						
						
							
						
						8a3f587b04 
					 
					
						
						
							
							Add fast path to node authorizer for node/edge removal  
						
						
						
						
					 
					
						2020-02-10 13:51:33 -05:00 
						 
				 
			
				
					
						
							
							
								Jordan Liggitt 
							
						 
					 
					
						
						
							
						
						3e0c0792d7 
					 
					
						
						
							
							Switch node authorizer index to refcounts  
						
						
						
						
					 
					
						2020-02-10 13:24:13 -05:00 
						 
				 
			
				
					
						
							
							
								Jordan Liggitt 
							
						 
					 
					
						
						
							
						
						6d335372b2 
					 
					
						
						
							
							Add configmap->node destination edges to the node authorizer index  
						
						
						
						
					 
					
						2020-02-10 13:23:50 -05:00 
						 
				 
			
				
					
						
							
							
								Mike Danese 
							
						 
					 
					
						
						
							
						
						25651408ae 
					 
					
						
						
							
							generated: run refactor  
						
						
						
						
					 
					
						2020-02-08 12:30:21 -05:00 
						 
				 
			
				
					
						
							
							
								Mike Danese 
							
						 
					 
					
						
						
							
						
						3aa59f7f30 
					 
					
						
						
							
							generated: run refactor  
						
						
						
						
					 
					
						2020-02-07 18:16:47 -08:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						91738cb031 
					 
					
						
						
							
							Merge pull request  #87688  from mborsz/node2  
						
						
						
						
						Add a fast path for adding new node in node_authorizer 
						
						
					 
					
						2020-02-07 05:57:03 -08:00 
						 
				 
			
				
					
						
							
							
								Tim Allclair 
							
						 
					 
					
						
						
							
						
						9d3670f358 
					 
					
						
						
							
							Ensure testing credentials are labeled as such  
						
						
						
						
					 
					
						2020-02-04 10:36:05 -08:00 
						 
				 
			
				
					
						
							
							
								Maciej Borsz 
							
						 
					 
					
						
						
							
						
						69df8a8230 
					 
					
						
						
							
							Add a fast path for adding new node in node_authorizer.
						
						
						
						
						This seems to improve WriteIndexMaintenance benchmark:
Before:
BenchmarkWriteIndexMaintenance-12    	    1034	   1157922 ns/op	    1906 B/op	      41 allocs/op
After:
BenchmarkWriteIndexMaintenance-12    	    4891	    239821 ns/op	    1572 B/op	      37 allocs/op 
						
						
					 
					
						2020-02-04 11:32:06 +01:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						1bb68a2cde 
					 
					
						
						
							
							Merge pull request  #87693  from liggitt/node-authz-index  
						
						
						
						
						Fix node authorizer index recomputation 
						
						
					 
					
						2020-01-30 21:20:55 -08:00 
						 
				 
			
				
					
						
							
							
								Jordan Liggitt 
							
						 
					 
					
						
						
							
						
						d8c00b7f52 
					 
					
						
						
							
							Fix node authorizer index recomputation  
						
						
						
						
					 
					
						2020-01-30 13:29:57 -05:00 
						 
				 
			
				
					
						
							
							
								Mike Danese 
							
						 
					 
					
						
						
							
						
						968adfa993 
					 
					
						
						
							
							cleanup req.Context() and ResponseWrapper  
						
						
						
						
					 
					
						2020-01-29 08:50:45 -08:00 
						 
				 
			
				
					
						
							
							
								Mike Danese 
							
						 
					 
					
						
						
							
						
						d55d6175f8 
					 
					
						
						
							
							refactor  
						
						
						
						
					 
					
						2020-01-29 08:50:45 -08:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						9633dd63b2 
					 
					
						
						
							
							Merge pull request  #87239  from lemonli/cleanup/node-authorizer  
						
						
						
						
						clean up node_authorizer code: verb judgement 
						
						
					 
					
						2020-01-24 19:21:15 -08:00 
						 
				 
			
				
					
						
							
							
								Rob Scott 
							
						 
					 
					
						
						
							
						
						469de65c25 
					 
					
						
						
							
							Enabling EndpointSlice feature gate by default  
						
						
						
						
						This enables the EndpointSlice controller by default, but does not make
kube-proxy a consumer of the EndpointSlice API. 
						
						
					 
					
						2020-01-17 16:19:29 -08:00 
						 
				 
			
				
					
						
							
							
								Kobayashi Daisuke 
							
						 
					 
					
						
						
							
						
						0c3112fff3 
					 
					
						
						
							
							fix golint error in plugin/pkg/auth/authorizer/rbac/bootstrappolicy  
						
						
						
						
					 
					
						2020-01-16 09:23:16 +09:00 
						 
				 
			
				
					
						
							
							
								lemonli 
							
						 
					 
					
						
						
							
						
						2498dbf636 
					 
					
						
						
							
							clean node_authorizer code: verb judgement  
						
						
						
						
					 
					
						2020-01-15 18:08:09 +08:00 
						 
				 
			
				
					
						
							
							
								Jordan Liggitt 
							
						 
					 
					
						
						
							
						
						39e373fc45 
					 
					
						
						
							
							Do not require token secrets when using bound service account tokens  
						
						
						
						
					 
					
						2020-01-09 13:20:45 -05:00 
						 
				 
			
				
					
						
							
							
								wojtekt 
							
						 
					 
					
						
						
							
						
						1657ef25eb 
					 
					
						
						
							
							Extend authorization benchmark  
						
						
						
						
					 
					
						2019-12-12 16:20:38 +01:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						14fe931e9f 
					 
					
						
						
							
							Merge pull request  #85375  from liggitt/delegated-list-watch  
						
						
						
						
						Add single-item list/watch to delegated authentication reader role 
						
						
					 
					
						2019-11-15 20:49:41 -08:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						5848ee4945 
					 
					
						
						
							
							Merge pull request  #85365  from robscott/endpointslice-default-off  
						
						
						
						
						Disabling EndpointSlice feature gate by default 
						
						
					 
					
						2019-11-15 17:57:50 -08:00 
						 
				 
			
				
					
						
							
							
								Jordan Liggitt 
							
						 
					 
					
						
						
							
						
						ba93157fd2 
					 
					
						
						
							
							Add single-item list/watch to delegated authentication reader role  
						
						
						
						
					 
					
						2019-11-15 20:37:43 -05:00 
						 
				 
			
				
					
						
							
							
								Rob Scott 
							
						 
					 
					
						
						
							
						
						37aa219fff 
					 
					
						
						
							
							Disabling EndpointSlice feature gate by default  
						
						
						
						
Given the significance this change would have, we've decided to hold off
on enabling this by default until we can have better test coverage and
more real-world usage of the feature.
						
						
					 
					
						2019-11-15 14:54:35 -08:00 
						 
				 
			
				
					
						
							
							
								David Zhu 
							
						 
					 
					
						
						
							
						
						e64a4bc631 
					 
					
						
						
							
							Update attachdetach-controller role to include permissions to get, list, and watch csinodes for CSIMigration  
						
						
						
						
					 
					
						2019-11-15 11:22:35 -08:00 
						 
				 
			
				
					
						
							
							
								Roc Chan 
							
						 
					 
					
						
						
							
						
						c9cf3f5b72 
					 
					
						
						
							
							Service Topology implementation  
						
						
						
						
						* Implement Service Topology for ipvs and iptables proxier
* Add test files
* API validation 
						
						
					 
					
						2019-11-15 13:36:43 +08:00 
						 
				 
			
				
					
						
							
							
								Tim Allclair (St. Clair) 
							
						 
					 
					
						
						
							
						
						581d3e26c9 
					 
					
						
						
							
							Restrict mirror pod owner references (#84657)
						
						
						
						
* Restrict mirror pod owners.
  See http://git.k8s.io/enhancements/keps/sig-auth/20190916-noderestriction-pods.md
* Address feedback, refactor test
* Verify node owner UID
						
						
					 
					
						2019-11-14 20:52:16 -08:00 
						 
				 
			
				
					
						
							
							
								Rob Scott 
							
						 
					 
					
						
						
							
						
						a7e589a8c6 
					 
					
						
						
							
							Promoting EndpointSlices to beta  
						
						
						
						
					 
					
						2019-11-13 14:20:19 -08:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						195664db0e 
					 
					
						
						
							
							Merge pull request  #85099  from liggitt/quota-config-v1  
						
						
						
						
						Promote apiserver.config.k8s.io/v1, kind=ResourceQuotaConfiguration 
						
						
					 
					
						2019-11-13 13:02:52 -08:00 
						 
				 
			
				
					
						
							
							
								draveness 
							
						 
					 
					
						
						
							
						
						5cb92260a6 
					 
					
						
						
							
							feat: graduate ResourceQuotaScopeSelectors to GA  
						
						
						
						
					 
					
						2019-11-13 14:07:22 +08:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						bb55aa7c54 
					 
					
						
						
							
							Merge pull request  #76310  from ravisantoshgudimetla/fix-priority-quota  
						
						
						
						
						Relax namespace restriction for critical pods 
						
						
					 
					
						2019-11-12 19:00:11 -08:00 
						 
				 
			
				
					
						
							
							
								ravisantoshgudimetla 
							
						 
					 
					
						
						
							
						
						f2cbbe228f 
					 
					
						
						
							
							BUILD files  
						
						
						
						
					 
					
						2019-11-12 17:22:14 -05:00 
						 
				 
			
				
					
						
							
							
								ravisantoshgudimetla 
							
						 
					 
					
						
						
							
						
						fe4cac73c8 
					 
					
						
						
							
							Relax namespace restriction for critical pods  
						
						
						
						
					 
					
						2019-11-12 17:22:09 -05:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						c580a12c8e 
					 
					
						
						
							
							Merge pull request  #83568  from bertinatto/volume_limits_ga  
						
						
						
						
						Promote volume limits to GA 
						
						
					 
					
						2019-11-12 11:50:22 -08:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						94efa988f4 
					 
					
						
						
							
							Merge pull request  #84813  from deads2k/admission-feature-gates  
						
						
						
						
						remove global variable dependency from admission plugins 
						
						
					 
					
						2019-11-12 10:23:14 -08:00 
						 
				 
			
				
					
						
							
							
								David Eads 
							
						 
					 
					
						
						
							
						
						83f6f2717e 
					 
					
						
						
							
							remove global variable dep in admission  
						
						
						
						
					 
					
						2019-11-12 10:55:14 -05:00 
						 
				 
			
				
					
						
							
							
								Jordan Liggitt 
							
						 
					 
					
						
						
							
						
						7d3012f297 
					 
					
						
						
							
							Promote resource quota admission configuration to v1  
						
						
						
						
					 
					
						2019-11-12 09:03:55 -05:00 
						 
				 
			
				
					
						
							
							
								Fabio Bertinatto 
							
						 
					 
					
						
						
							
						
						affcd0128b 
					 
					
						
						
							
							Promote volume limits to GA  
						
						
						
						
					 
					
						2019-11-12 09:43:53 +01:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						9cf309ed59 
					 
					
						
						
							
							Merge pull request  #82049  from andrewsykim/ga-node-instance-type-label  
						
						
						
						
						Promote Node Instance Type Label to GA 
						
						
					 
					
						2019-11-08 13:47:58 -08:00 
						 
				 
			
				
					
						
							
							
								David Eads 
							
						 
					 
					
						
						
							
						
						675c2fb924 
					 
					
						
						
							
							add featuregate inspection as admission plugin initializer  
						
						
						
						
					 
					
						2019-11-08 13:07:40 -05:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						ae15368355 
					 
					
						
						
							
							Merge pull request  #84351  from wojtek-t/promote_node_lease_to_GA  
						
						
						
						
						Promote node lease to GA 
						
						
					 
					
						2019-11-08 09:00:15 -08:00 
						 
				 
			
				
					
						
							
							
								Andrew Sy Kim 
							
						 
					 
					
						
						
							
						
						560b8efb79 
					 
					
						
						
							
							noderestriction: update node restriction unit tests to use stable instance-type label  
						
						
						
						
						Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
						
						
					 
					
						2019-11-08 11:17:58 -05:00 
						 
				 
			
				
					
						
							
							
								Andrew Sy Kim 
							
						 
					 
					
						
						
							
						
						349749644f 
					 
					
						
						
							
							test/e2e: check both beta and zone label for getting cluster zone  
						
						
						
						
						Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
						
						
					 
					
						2019-11-07 21:22:05 -05:00 
						 
				 
			
				
					
						
							
							
								Andrew Sy Kim 
							
						 
					 
					
						
						
							
						
						4c194d52da 
					 
					
						
						
							
							kubelet: set both deprecated Beta and GA labels for zone/region topology from the cloud provider  
						
						
						
						
						Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
						
						
					 
					
						2019-11-07 21:22:04 -05:00 
						 
				 
			
				
					
						
							
							
								Wei Huang 
							
						 
					 
					
						
						
							
						
						019d7497a5 
					 
					
						
						
							
							bazel files  
						
						
						
						
					 
					
						2019-11-05 20:57:21 -08:00 
						 
				 
			
				
					
						
							
							
								Wei Huang 
							
						 
					 
					
						
						
							
						
						dd74205bcf 
					 
					
						
						
							
							Move out const strings in pkg/scheduler/api/well_known_labels.go  
						
						
						
						
					 
					
						2019-11-05 20:56:21 -08:00 
						 
				 
			
				
					
						
							
							
								wojtekt 
							
						 
					 
					
						
						
							
						
						ffad401b4e 
					 
					
						
						
							
							Promote NodeLease feature to GA  
						
						
						
						
					 
					
						2019-11-05 09:01:12 +01:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						1d1385af91 
					 
					
						
						
							
							Merge pull request  #83474  from msau42/topology-ga  
						
						
						
						
						CSI Topology ga 
						
						
					 
					
						2019-11-04 15:28:27 -08:00 
						 
				 
			
				
					
						
							
							
								Kubernetes Prow Robot 
							
						 
					 
					
						
						
							
						
						0c88c4893f 
					 
					
						
						
							
							Merge pull request  #84275  from liggitt/beta-gate-runtimeclass-informers  
						
						
						
						
						Feature-gate RuntimeClass informer starts 
						
						
					 
					
						2019-10-28 17:48:42 -07:00