Commit Graph

102192 Commits

Author SHA1 Message Date
Madhav Jivrajani
f0ffba75ad Add baseline check for procMount type
- Will not allow if a container (init or not) sets the proc mount type to anything other than `Default`
- Include fixture for proc mount baseline generation and the consequent generated test data

Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
2021-07-01 20:02:36 +05:30
Kubernetes Prow Robot
1861e4756d
Merge pull request #103396 from praveenghuge/master-to-main-cleanup
k8s.io master to main cleanup
2021-07-01 04:45:54 -07:00
Kubernetes Prow Robot
3f4c39bbd7
Merge pull request #103063 from neolit123/1.22-add-patches-to-v1beta3
kubeadm: add support for patches in v1beta3; deprecate --experimental-patches
2021-07-01 02:25:54 -07:00
Sergey Kanzhelev
210c610d66 make sure to split NPD hashes by architecture when upgrading to 0.8.9 2021-07-01 08:12:35 +00:00
Kubernetes Prow Robot
a0c83ba938
Merge pull request #103385 from ravisantoshgudimetla/fix-ubernetes-tests-2
[storage] [test] Ensure proper resource creation
2021-07-01 00:06:06 -07:00
Kubernetes Prow Robot
dbfea1e2aa
Merge pull request #103365 from liggitt/podsecurity-feature-test
PodSecurity: make failure integration tests feature-aware
2021-07-01 00:05:54 -07:00
Kubernetes Prow Robot
c14017b270
Merge pull request #103176 from CaoDonghui123/updatemod
Update golang.org/x/net
2021-06-30 22:17:54 -07:00
Praveen Ghuge
db3534dd64 master to main cleanup 2021-06-30 21:56:29 -07:00
Kubernetes Prow Robot
5c23b61247
Merge pull request #103327 from SataQiu/fix-write-config-to
kube-scheduler: ensure the default config output of --write-to-config is usable
2021-06-30 21:00:06 -07:00
Kubernetes Prow Robot
ea0098b811
Merge pull request #103219 from mgutierrez98/refactor-wait_go
Renamed variable within wait_test containing master to control plane
2021-06-30 20:59:54 -07:00
wangyysde
e2e1c94f06 use native error instead of github.com/pkg/errors
Signed-off-by: wangyysde <net_use@bzhy.com>
2021-07-01 10:54:09 +08:00
Kubernetes Prow Robot
4748bb04b6
Merge pull request #102508 from kolyshkin/runc-1.0
Update runc to 1.0.0
2021-06-30 19:35:55 -07:00
pacoxu
2cab85a403 Mark net.ipv4.ip_unprivileged_port_start as a safe sysctl
Signed-off-by: pacoxu <paco.xu@daocloud.io>
2021-07-01 10:31:21 +08:00
Jordan Liggitt
ba6b4c5a18 PodSecurity: test GA-only cases and alpha/beta fields separately 2021-06-30 22:08:11 -04:00
Jordan Liggitt
e87016cf94 PodSecurity: add ability to skip failure cases if relevant features are disabled 2021-06-30 22:05:00 -04:00
Yecheng Fu
b522e95aae Prioritizing nodes based on volume capacity: API changes 2021-07-01 10:00:59 +08:00
Swetha Repakula
03b7a699c2 Kubeproxy uses V1 EndpointSlice 2021-06-30 18:41:57 -07:00
Kubernetes Prow Robot
c206af0367
Merge pull request #103380 from vinayakankugoyal/bug
Fix incorrect user and group for kube-scheduler when it is running as non-root.
2021-06-30 17:21:53 -07:00
Kir Kolyshkin
ab5b77944e kubelet/cm: don't set Devices
Since runc 1.0.0 it is now sufficient to have SkipDevices: true.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-30 16:17:35 -07:00
Kir Kolyshkin
4e7cf5413d vendor: bump runc to 1.0.0 pre
This is to check if runc 1.0.0 (to be released shortly) works with k8s.

The commands used were (roughly):

	hack/pin-dependency.sh github.com/opencontainers/runc v1.0.0
	hack/lint-dependencies.sh
	# Follow its recommendations.
	hack/pin-dependency.sh github.com/cilium/ebpf v0.6.1
	hack/pin-dependency.sh github.com/opencontainers/selinux v1.8.2
	hack/pin-dependency.sh github.com/sirupsen/logrus v1.8.1
	# Recheck.
	hack/lint-dependencies.sh
	GO111MODULE=on go mod edit -dropreplace github.com/willf/bitset
	hack/update-vendor.sh
	# Recheck.
	hack/lint-dependencies.sh
	hack/update-internal-modules.sh
	# Recheck.
	hack/lint-dependencies.sh

[v2: rebased, updated runc 3a0234e1fe2e82 -> 2f8e8e9d977500]
[v3: testing master + runc pr 3019]
[v4: updated to 93a01cd4d0b7a0f08a]
[v5: updated to f093cca13d3cf8a484]
[v6: rebased]
[v7: updated to runc v1.0.0]
[v8: rebased]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-30 16:16:32 -07:00
Kubernetes Prow Robot
642f42d62b
Merge pull request #103364 from aramase/check-privileged
[PodSecurity] Add privileged containers baseline check
2021-06-30 16:11:48 -07:00
Kubernetes Prow Robot
385402d506
Merge pull request #103082 from chrishenzie/read-write-once-pod-access-mode-scheduler
Enforce ReadWriteOncePod during scheduling
2021-06-30 16:11:36 -07:00
ravisantoshgudimetla
67bc23411b [storage] [test] Ensure proper resource creation
Ensure resources are created in zone with schedulable
nodes. For example, if we have 4 zones with 3 zones
having worker nodes and 1 zone having master nodes (unschedulable
for workloads), we should not create resources like PV, PVC or
pods in that zone.
2021-06-30 18:01:57 -04:00
Kubernetes Prow Robot
0dad7d1c47
Merge pull request #103318 from jpbetz/fix-102749
Bump SMD to v4.1.2 to pick up #102749 fix
2021-06-30 14:03:03 -07:00
Anish Ramasekar
5bd3334ad6
[PodSecurity] Add privileged containers baseline check
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2021-06-30 16:39:28 -04:00
Joe Betz
b790cf388c Bump SMD to v4.1.2 to pick up #102749 fix 2021-06-30 12:06:35 -07:00
Kubernetes Prow Robot
9c360b6185
Merge pull request #103361 from m14815/commit-21.6.2
Error string should not be capitalized or end with punctuation.
2021-06-30 11:50:17 -07:00
Kubernetes Prow Robot
60ea3b6d52
Merge pull request #103325 from njuptlzf/psp-sysctls
[PodSecurity] Implement sysctls check
2021-06-30 11:50:07 -07:00
Kubernetes Prow Robot
0ccdc4afc3
Merge pull request #103315 from sejr/test-psp-hostPath
[Pod Security] HostPath baseline check
2021-06-30 11:49:54 -07:00
Kubernetes Prow Robot
4dc82f94ed
Merge pull request #103314 from PushkarJ/psp-hostports
[PodSecurity] Implement host ports check
2021-06-30 11:49:41 -07:00
Kubernetes Prow Robot
a6ef76157b
Merge pull request #102623 from vazmin/bug-cli-string-slice-flag
fix bug where string slice flag is not assigned
2021-06-30 11:49:28 -07:00
Kubernetes Prow Robot
f962166f30
Merge pull request #100339 from p0lyn0mial/upstream-delegated-authz-metrics
adds metrics for delegated authz
2021-06-30 11:49:16 -07:00
Kubernetes Prow Robot
98d20f552b
Merge pull request #99378 from mattcary/api
StatefulSet PersistentVolumeClaimDeletePolicy
2021-06-30 11:49:03 -07:00
Vinayak Goyal
1c39cf2365 Fix incorrect user and group for kube-scheduler when it is running as non-root. 2021-06-30 11:28:15 -07:00
Chris Henzie
7ad44d04fc Enforce ReadWriteOncePod access mode during scheduling
Check the PVC ref count on the node info cache to determine if a pod's
PVCs are in use. If they are and it is using ReadWriteOncePod, fail the
request.
2021-06-30 10:40:14 -07:00
Kubernetes Prow Robot
044fd6fdf6
Merge pull request #99829 from palnabarun/migrate-to-go-embed
Replace go-bindata with //go:embed
2021-06-30 10:37:03 -07:00
Pushkar Joglekar
d57e143277 [PodSecurity] Implement host ports check
Applies to baseline policy. Since host ports is
a niche feature, usage of any host ports is
forbidden for either app container or init container

Refactored two fixtures into one for non-host ports in app container and init container

Fixes based on PR feedback
- remove no-op if check,
- use correct Int32 list for hostPort
- remove ensureHostPorts func

Removed redundant fixtures as per PR feedback

Removed minimal valid pod

Updates after gofmt
2021-06-30 09:26:22 -07:00
Kubernetes Prow Robot
1534e0c7ec
Merge pull request #103350 from tech-geek29/fix-mac-local-cluster
Update local-cluster-up.sh to auto-detect darwin and skip kubelet and kube-proxy
2021-06-30 09:11:04 -07:00
maruiyan
9c150b0f22 Error string should not be capitalized or end with punctuation. 2021-06-30 23:23:30 +08:00
Rishabh Jain
584eb5e947 Update local-cluster-up.sh to auto-detect darwin and skip kubelet and kube-proxy 2021-06-30 20:30:03 +05:30
njuptlzf
1ac0e018d5 [PodSecurity] Implement sysctls check 2021-06-30 21:53:20 +08:00
Kubernetes Prow Robot
b3cc522b53
Merge pull request #103281 from makusu2/patch-1
Fix grammar
2021-06-30 05:41:03 -07:00
Kubernetes Prow Robot
d787eaa4d5
Merge pull request #103332 from mcshooter/updateNPDVersion
Update NPD release version and include windows defender config
2021-06-30 01:19:02 -07:00
Lukasz Szaszkiewicz
4a2aef00d6 adds metrics for authorization webhook 2021-06-30 09:26:25 +02:00
SataQiu
6c86c34457 kube-scheduler: ensure the default config output of --write-to-config is usable 2021-06-30 13:26:27 +08:00
Kubernetes Prow Robot
696d0f5772
Merge pull request #103316 from sejr/podsecurity-baseline-hostNamespace
[Pod Security]: HostNamespace baseline check
2021-06-29 21:19:03 -07:00
Samuel Roth
1441a33030 hostPath baseline check for Pod Security Standards
graduate IngressClassNamespacedParams to beta

add fuzzer patch to fix tests

Destroy the created runtimeclass resources at the end of the test case.

addressing comments

don't ensure security context
2021-06-30 00:19:01 -04:00
Dave Chen
1fa673c15c Extend the NodeResourcesBalancedAllocation plugin to cover more resources
Signed-off-by: Dave Chen <dave.chen@arm.com>
2021-06-30 11:15:12 +08:00
Samuel Roth
71cb2d71a8 podsecurity: add baseline hostNamespace check
less repetitive detail

don't ensure security context

minor doc fix

fixing keys
2021-06-29 23:11:32 -04:00
maruiyan
da4aaf81cd Error should be checked first, then go to other steps. 2021-06-30 11:00:55 +08:00