Kubernetes Prow Robot
e456fbfaa6
Merge pull request #127545 from mjudeikis/mjudeikis/sa.flow.fix
...
Fix npe in serviceAccount flow
2024-09-23 08:00:06 +01:00
Mangirdas Judeikis
4783af9a49
fix npe when running in limited config in generic-control-plane mode
2024-09-22 19:06:45 +03:00
Mangirdas Judeikis
cf6d113f24
fix npe in serviceAccount flow
2024-09-22 16:04:48 +03:00
Kubernetes Prow Robot
f2700895a4
Merge pull request #127422 from srivastav-abhishek/go-vet-fix
...
Go vet fixes for gotip
2024-09-20 14:37:58 +01:00
Abhishek Kr Srivastav
95860cff1c
Fix Go vet errors for master golang
...
Co-authored-by: Rajalakshmi-Girish <rajalakshmi.girish1@ibm.com>
Co-authored-by: Abhishek Kr Srivastav <Abhishek.kr.srivastav@ibm.com>
2024-09-20 12:36:38 +05:30
Mangirdas Judeikis
4e4eb8c5c9
wire in ctx to rbac plugins
2024-09-17 20:04:02 +03:00
Stanislav Láznička
7fabd06c2b
requestheaders: add a "requestheader-uid-headers" flag and wire it up
2024-09-05 14:28:31 +02:00
Kubernetes Prow Robot
5891e72703
Merge pull request #126411 from hoskeri/fix-authnz-configfile-usage-formatting
...
Fix formatting of the authnz config usage.
2024-08-13 21:03:52 -07:00
Kubernetes Prow Robot
bbd1dd8c6f
Merge pull request #126342 from aramase/aramase/c/auth_rm_unused_function
...
cleanup unused fn IsValidServiceAccountKeyFile in authenticator config
2024-08-13 21:03:38 -07:00
Abhijit Hoskeri
c383823228
Fix formatting of the authnz config usage.
...
- Reword to be less verbose, more in line with the
writing style in other flags.
- Add spaces after the end of sentences.
2024-07-27 14:26:46 -07:00
Anish Ramasekar
71d7e29954
cleanup unused fn IsValidServiceAccountKeyFile in authenticator config
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-07-24 14:35:21 -07:00
Jefftree
e3e56eb1e2
CLE storage and type registration changes
2024-07-24 14:38:11 +00:00
Kubernetes Prow Robot
c2fdeca4ab
Merge pull request #126145 from carlory/kep-3751-api
...
[KEP-3751] Promote VolumeAttributesClass to beta
2024-07-23 13:31:05 -07:00
Kubernetes Prow Robot
e83fca8dd9
Merge pull request #124530 from sttts/sttts-controlplane-plumbing-split
...
Step 12 - Add generic controlplane example
2024-07-23 12:21:02 -07:00
carlory
0260c7d023
Promote VolumeAttributesClass to beta
2024-07-23 13:58:14 +08:00
Dr. Stefan Schimanski
b6aebb0e4b
options/authentication: fix serviceaccount TokenGetter with ServiceAccountTokenNodeBindingValidation
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-07-22 18:21:26 +02:00
Dr. Stefan Schimanski
dc0bcd62e3
options/authentication: revert extra serviceaccount TokenGetter function silently enabling serviceaccounts
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-07-22 18:21:26 +02:00
Patrick Ohly
b51d68bb87
DRA: bump API v1alpha2 -> v1alpha3
...
This is in preparation for revamping the resource.k8s.io completely. Because
there will be no support for transitioning from v1alpha2 to v1alpha3, the
roundtrip test data for that API in 1.29 and 1.30 gets removed.
Repeating the version in the import name of the API packages is not really
required. It was done for a while to support simpler grepping for usage of
alpha APIs, but there are better ways for that now. So during this transition,
"resourceapi" gets used instead of "resourcev1alpha3" and the version gets
dropped from informer and lister imports. The advantage is that the next bump
to v1beta1 will affect fewer source code lines.
Only source code where the version really matters (like API registration)
retains the versioned import.
2024-07-21 17:28:13 +02:00
Kubernetes Prow Robot
0c8b3e5f30
Merge pull request #125986 from vinayakankugoyal/typo
...
Fix typo in error message for anonymous field in AuthenticationConfig…
2024-07-09 20:45:05 -07:00
Vinayak Goyal
27e8923c70
Fix typo in error message for anonymous field in AuthenticationConfiguration.
2024-07-09 21:04:28 +00:00
Kubernetes Prow Robot
51bf5df54a
Merge pull request #125836 from mjudeikis/mjudeikis/auth.token.getter
...
Extend service accounts with optional tokenGetter provider
2024-07-09 00:30:34 -07:00
Mangirdas Judeikis
a72266ff9d
Add test for WithTokenGetter
2024-07-02 17:26:53 +03:00
Mangirdas Judeikis
a15b22cd98
wire in optional tokenGetter provider
2024-07-01 18:09:46 +03:00
Antonio Ojea
29f33bc21d
enable networking v1beta1 features on apiserver storage
2024-06-28 13:16:33 +00:00
Kubernetes Prow Robot
522e2e5066
Merge pull request #124917 from vinayakankugoyal/kep4633
...
KEP-4633: Only allow anonymous auth for configured endpoints.
2024-06-27 20:39:51 -07:00
Vinayak Goyal
5e6a4937f5
KEP-4633: Allow health-only anonymous auth mode.
...
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
2024-06-28 00:30:05 +00:00
Kubernetes Prow Robot
ef1d28aa52
Merge pull request #125177 from liggitt/dynamic-public-key
...
Move public key serviceaccount getter to interface, filter by key id
2024-06-27 11:57:06 -07:00
Siyuan Zhang
403301bfdf
apiserver: Add API emulation versioning.
...
Co-authored-by: Siyuan Zhang <sizhang@google.com>
Co-authored-by: Joe Betz <jpbetz@google.com>
Co-authored-by: Alex Zielenski <zielenski@google.com>
Signed-off-by: Siyuan Zhang <sizhang@google.com>
2024-06-25 22:12:11 +00:00
Jordan Liggitt
3e037070bb
Move public key getter to interface
2024-06-25 18:10:08 -04:00
Jordan Liggitt
c50f68d6ee
Fix structured authorization webhook timeout wiring
2024-06-19 15:36:36 -04:00
Alexander Zielenski
cd41a7d8e1
store validatingadmissionpolicy and bindings at v1
2024-05-29 13:14:51 -07:00
John McGrath
e72788d58e
Revert "DisableServiceLinks admission controller"
2024-05-20 12:20:46 -05:00
Mangirdas Judeikis
b14936f679
move to generics for sets in kubeapiserver
2024-05-12 11:49:42 +03:00
Jan Safranek
e7a6ed2e3d
Remove PersistentVolumeLabel admission plugin
...
Remove useless admission plugin.
* It has been deprecated for years.
* All in-tree cloud providers were removed, so the admission plugin does not have
any way to get PV labels.
* There is a replacement in https://github.com/kubernetes-sigs/cloud-pv-admission-labeler
2024-05-09 11:10:14 +02:00
Dr. Stefan Schimanski
acbb89d9b9
kube-apiserver: split admission initializers into generic and non-generic
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-04-29 23:28:42 +02:00
Marek Siarkowicz
3ee8178768
Cleanup defer from SetFeatureGateDuringTest function call
2024-04-24 20:25:29 +02:00
Kubernetes Prow Robot
6faeecc87d
Merge pull request #122631 from jmcgrath207/disable-service-links
...
DisableServiceLinks admission controller
2024-04-18 00:00:28 -07:00
Kubernetes Prow Robot
8f80e01467
Merge pull request #123719 from enj/enj/f/authn_config_beta
...
Mark StructuredAuthenticationConfiguration feature gate as beta
2024-03-09 17:09:56 -08:00
Anish Ramasekar
62ac88b9ea
Add metrics for authentication config reload
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-03-09 14:40:22 -08:00
Monis Khan
b4935d910d
Add dynamic reload support for authentication configuration
...
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-09 14:29:33 -05:00
Nilekh Chaudhari
91a7708cdc
feat: implements Storage Version Migration API in-tree
...
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
2024-03-08 04:18:56 +00:00
Patrick Ohly
0b6a0d686a
dra api: rename NodeResourceSlice -> ResourceSlice
...
While currently those objects only get published by the kubelet for node-local
resources, this could change once we also support network-attached
resources. Dropping the "Node" prefix enables such a future extension.
The NodeName in ResourceSlice and StructuredResourceHandle then becomes
optional. The kubelet still needs to provide one and it must match its own node
name, otherwise it doesn't have permission to access ResourceSlice objects.
2024-03-07 22:22:55 +01:00
Patrick Ohly
2e34e187c9
node authorizer: lock down access for NodeResourceSlice
...
The kubelet running on one node should not be allowed to access
NodeResourceSlice objects belonging to some other node, as defined by the
NodeResourceSlice.NodeName field.
2024-03-07 16:15:52 +01:00
Kubernetes Prow Robot
05cb0a55c8
Merge pull request #123696 from aramase/aramase/f/kep_3331_v1beta1_api
...
Duplicate v1alpha1 AuthenticationConfiguration to v1beta1
2024-03-06 15:35:28 -08:00
John Mcgrath
edb0287cb1
DisableServiceLinks admission controller
2024-03-06 00:39:23 -06:00
cici37
de506ce7ac
Promote ValidatingAdmissionPolicy to GA.
2024-03-05 16:00:21 -08:00
Jiahui Feng
6b03166bed
update to inject only the list of excluded resources.
2024-03-05 11:11:10 -08:00
Anish Ramasekar
b502aa6f31
Duplicate v1alpha1 AuthenticationConfiguration to v1beta1
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-03-05 09:10:34 -08:00
Monis Khan
bc7aa13bf7
Mark StructuredAuthenticationConfiguration feature gate as beta
...
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-05 11:34:30 -05:00
Kubernetes Prow Robot
26600b17ab
Merge pull request #123561 from enj/enj/i/validate_jwt_sa_iss
...
Prevent conflicts between service account and jwt issuers
2024-03-04 20:07:24 -08:00