Commit Graph

329 Commits

Author SHA1 Message Date
Antonio Ojea
adbf3b5aa5 Add granular authorization for DRA ResourceClaim status updates
This commit introduces the DRAResourceClaimGranularStatusAuthorization
feature gate (Beta in 1.36) to enforce fine-grained authorization checks
on ResourceClaim status updates.

Previously, 'update' permission on 'resourceclaims/status' allowed modifying
the entire status. To enforce the principle of least privilege for DRA
drivers and the scheduler, this change introduces synthetic subresources and
verb prefixes:

- 'resourceclaims/binding': Required to update 'status.allocation' and
  'status.reservedFor'.
- 'resourceclaims/driver': Required to update 'status.devices'. Evaluated
  on a per-driver basis using 'associated-node:<verb>' (for node-local
  ServiceAccounts) or 'arbitrary-node:<verb>' (for cluster-wide controllers).
2026-03-26 13:22:09 +00:00
Kubernetes Prow Robot
5edaecfa53 Merge pull request #137609 from enj/enj/f/constrained_impersonation_beta
KEP-5284: promote constrained impersonation to beta
2026-03-17 06:35:36 +05:30
Peter Hunt
539352eddd feature: promote ProcMountType to GA
Signed-off-by: Peter Hunt <pehunt@redhat.com>
2026-03-13 12:27:16 -04:00
Kubernetes Prow Robot
f7f694e5e0 Merge pull request #136792 from rata/userns-goes-ga
feature: Migrate UserNamespacesSupport to GA
2026-03-12 21:57:36 +05:30
Rodrigo Campos
f25830be53 test/e2e*: Remove references to UserNamespacesSupport feature gate
It's GA now.

Signed-off-by: Rodrigo Campos <rodrigo@amutable.com>
2026-03-12 15:20:09 +01:00
Monis Khan
5c61dc4974 KEP-5284: promote constrained impersonation to beta
Signed-off-by: Monis Khan <mok@microsoft.com>
2026-03-10 12:28:44 -04:00
Monis Khan
8a154c3d39 KEP-5284: add impersonation latency tracking
This change allows slow impersonation requests to be tracked via the
apiserver.latency.k8s.io/impersonation audit event annotation.

Updated tests to assert that the audit event log:

- Contains the new latency annotation
- Contains the impersonationConstraint field
- Failed impersonation attempts are observable by the response status

Signed-off-by: Monis Khan <mok@microsoft.com>
2026-03-09 19:58:31 -04:00
Monis Khan
ba2a68e1db KEP-5284: add constrained impersonation metrics
See https://kep.k8s.io/5284 for details.

apiserver_impersonation_attempts_total{mode, decision}
apiserver_impersonation_attempts_duration_seconds{mode, decision}
apiserver_impersonation_authorization_attempts_total{mode, decision}
apiserver_impersonation_authorization_attempts_duration_seconds{mode, decision}

Signed-off-by: Monis Khan <mok@microsoft.com>
2026-03-05 15:26:45 -05:00
Monis Khan
2a3f66d3f6 KEP-5284: Implement Constrained Impersonation
Signed-off-by: Jian Qiu <jqiu@redhat.com>
Signed-off-by: Monis Khan <mok@microsoft.com>

Co-authored-by: Jian Qiu <jqiu@redhat.com>
Co-authored-by: Monis Khan <mok@microsoft.com>
2025-11-04 16:30:49 -05:00
Siyuan Zhang
70ac573619 adopt consistent way to set feature gate based on emulation version for kcm and scheduler test server.
Signed-off-by: Siyuan Zhang <sizhang@google.com>
2025-10-22 13:20:30 -05:00
Kubernetes Prow Robot
f7fb7cd86b Merge pull request #134588 from liggitt/fixes-only-no-go-bump
go 1.25.2/1.24.8 related fixes
2025-10-14 07:45:36 -07:00
Jordan Liggitt
3c2c64a7f6 Add integration test for invalid SAN certificate handling 2025-10-13 20:22:05 -04:00
Tim Allclair
4986abe0b8 Automated refactoring to use SetFeatureGatesDuringTest 2025-10-01 21:10:53 -07:00
Patrick Ohly
5c4f81743c DRA: use v1 API
As before when adding v1beta2, DRA drivers built using the
k8s.io/dynamic-resource-allocation helper packages remain compatible with all
Kubernetes release >= 1.32. The helper code picks whatever API version is
enabled from v1beta1/v1beta2/v1.

However, the control plane now depends on v1, so a cluster configuration where
only v1beta1 or v1beta2 are enabled without the v1 won't work.
2025-07-24 08:33:45 +02:00
Simran Kaur
c7d6c09683 List available endpoints for kube-apiserver (#132581)
Fix tests and formatting

Use ListedPaths for finding useful endpoints

Fix maps import

Update dependencies

Fix lint

Add option to pass listedpaths

Remove apiserver component check

Install statuz in genericapiserver

Register zpagesfeatures

Fix import order

Avoid adding non-debugging endpoints

Fix tests

Fix tests

fix tests

Sort paths

Sort in-place

Copy paths before sorting

Fix string initialization

Move sorting to later stage

Fix imports
2025-07-23 21:44:27 -07:00
Anish Ramasekar
21e2fcea9e Add automatic_reload_last_config_info metric for auth configs
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2025-07-17 17:47:51 -05:00
Kubernetes Prow Robot
3430e34d88 Merge pull request #132656 from liggitt/selector-authz
KEP-4601: Graduate selector authorization to stable
2025-07-14 16:42:38 -07:00
Jordan Liggitt
a04e7cf5eb KEP-4601: Graduate selector authorization to stable 2025-07-14 16:19:52 -04:00
Anish Ramasekar
45dfb46448 Add TokenRequestServiceAccountUIDValidation feature gate with UID validation
This change introduces the TokenRequestServiceAccountUIDValidation feature
gate and implements feature-gated service account UID validation for the
TokenRequest API. When enabled, the API validates that the service account
UID in token requests matches the actual service account UID, preventing
token requests for recreated service accounts with the same name but
different UIDs.

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2025-07-10 23:20:23 -05:00
PatrickLaabs
1802c55652 chore: depr. pointer pkg replacement for test integration 2025-07-06 22:02:04 +02:00
Jordan Liggitt
6bb6c99342 Drop null creationTimestamp from test fixtures 2025-05-02 15:38:40 -04:00
Anish Ramasekar
3f5d30543d Add integration tests for using SAR with node audience restriction
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2025-03-07 16:25:18 -06:00
Jefftree
92cc680c8a Fix SelfSubjectReview test to decouple beta and GA types from the same apiserver 2025-02-20 19:32:16 +00:00
Anish Ramasekar
62809dd0de node audience restriction: use csi translator to convert intree inline_vol/pv to csi
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2025-02-06 13:17:16 -06:00
Davanum Srinivas
c9e81cd84c Switch to gopkg.in/go-jose/go-jose.v2 @ v2.6.3
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2025-01-21 09:21:27 -05:00
Jordan Liggitt
59850b5823 Promote ServiceAccountTokenNodeBinding to GA 2025-01-14 09:48:35 -05:00
Kubernetes Prow Robot
41ea061d2b Merge pull request #128705 from aramase/aramase/c/node_int_test_todo_cleanup
cleanup todo comment in node restriction integration tests
2024-12-18 00:40:52 +01:00
Jordan Liggitt
161a817812 Clean up v1alpha1 serving for authorization API 2024-12-13 08:37:57 -05:00
Monis Khan
779d76176a Update tests to handle RemoteRequestHeaderUID
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-12-04 16:04:36 -05:00
Anish Ramasekar
50ed36229c cleanup todo comment in node restriction integration tests
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-11-08 10:10:59 -08:00
Richa Banker
8bf6eecedf add statusz implementation and enablement in apiserver 2024-11-07 12:37:38 -08:00
Harshal Neelkamal
6fdacf0411 Add plugin and key-cache for ExternalJWTSigner integration 2024-11-07 03:16:23 +00:00
Anish Ramasekar
e93d5d5425 Enforce sa token node audience restriction when ServiceAccountNodeAudienceRestriction=true
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-11-06 09:51:40 -08:00
Patrick Ohly
33ea278c51 DRA: use v1beta1 API
No code is left which depends on the v1alpha3, except of course the code
implementing that version.
2024-11-06 13:03:19 +01:00
Rita Zhang
e7cdc59555 deprecate EnforceMountableSecretsAnnotation in 1.32
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
2024-11-04 13:13:32 -08:00
Kubernetes Prow Robot
79cca2786e Merge pull request #128172 from liggitt/3221-ga
KEP-3221: Promote StructuredAuthorizationConfiguration to GA
2024-10-18 20:21:09 +01:00
Jordan Liggitt
ad808e609a KEP-3221: Promote StructuredAuthorizationConfiguration to GA 2024-10-17 21:53:45 -04:00
Jordan Liggitt
0771f601e1 KEP-4193: Promote ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo, ServiceAccountTokenNodeBindingValidation to stable 2024-10-17 21:25:09 -04:00
Robbie Cronin
cdbfbde4aa Add ut coverage for capabilities.Setup (#125395)
* Add ut coverage for capabilities.Setup

* Update pkg/capabilities/capabilities_test.go

Co-authored-by: Ed Bartosh <eduard.bartosh@intel.com>

* Add ut coverage for capabilities.Setup

Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>

---------

Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
Co-authored-by: Ed Bartosh <eduard.bartosh@intel.com>
2024-10-17 18:23:03 +01:00
Kubernetes Prow Robot
6f1583990a Merge pull request #124792 from mjudeikis/mjudeikis/ctx.wiring
Wire in ctx into rbac plugins
2024-09-18 08:26:44 +01:00
Aaron Prindle
701e6c7ab1 chore: bump DefaultKubeBinaryVersion to 1.32, make 1.32 CEL changes, fix int tests to handle 1 version off API deprecation, and fix prerelease-lifecycle-gen for # of APIs 2024-09-17 19:32:14 +00:00
Mangirdas Judeikis
4e4eb8c5c9 wire in ctx to rbac plugins 2024-09-17 20:04:02 +03:00
Stanislav Láznička
3a4d9eccf4 integration: add a test for KAS remote UID headers 2024-09-05 14:34:15 +02:00
Kubernetes Prow Robot
bbd83d8644 Merge pull request #125634 from ahmedtd/x509credentialID
Define credential IDs for X.509 certificates
2024-08-28 16:02:56 +01:00
Taahir Ahmed
2ad2bd8907 Define credential IDs for X.509 certificates
This commit expands the existing credential ID concept to cover X.509
certificates.  We use the certificate's signature as the credential ID,
since this safe and unique.
2024-08-06 11:33:01 -07:00
Kubernetes Prow Robot
7590cb7adf Merge pull request #125257 from vinayakankugoyal/armor
KEP-24: Update AppArmor feature gates to GA stage.
2024-07-23 09:20:52 -07:00
Patrick Ohly
91d7882e86 DRA: new API for 1.31
This is a complete revamp of the original API. Some of the key
differences:
- refocused on structured parameters and allocating devices
- support for constraints across devices
- support for allocating "all" or a fixed amount
  of similar devices in a single request
- no class for ResourceClaims, instead individual
  device requests are associated with a mandatory
  DeviceClass

For the sake of simplicity, optional basic types (ints, strings) where the null
value is the default are represented as values in the API types. This makes Go
code simpler because it doesn't have to check for nil (consumers) and values
can be set directly (producers). The effect is that in protobuf, these fields
always get encoded because `opt` only has an effect for pointers.

The roundtrip test data for v1.29.0 and v1.30.0 changes because of the new
"request" field. This is considered acceptable because the entire `claims`
field in the pod spec is still alpha.

The implementation is complete enough to bring up the apiserver.
Adapting other components follows.
2024-07-22 18:09:34 +02:00
Patrick Ohly
b51d68bb87 DRA: bump API v1alpha2 -> v1alpha3
This is in preparation for revamping the resource.k8s.io completely. Because
there will be no support for transitioning from v1alpha2 to v1alpha3, the
roundtrip test data for that API in 1.29 and 1.30 gets removed.

Repeating the version in the import name of the API packages is not really
required. It was done for a while to support simpler grepping for usage of
alpha APIs, but there are better ways for that now. So during this transition,
"resourceapi" gets used instead of "resourcev1alpha3" and the version gets
dropped from informer and lister imports. The advantage is that the next bump
to v1beta1 will affect fewer source code lines.

Only source code where the version really matters (like API registration)
retains the versioned import.
2024-07-21 17:28:13 +02:00
Jordan Liggitt
5f22dd7c1a Add integration test exercising webhook selector authz 2024-07-19 15:06:52 -04:00
Patrick Ohly
8d814298bb kubelet: grant permission for DeleteCollection
2e34e187c9 enabled kubelet to do List and Watch
requests with the caveat that kubelet should better use a field selector (which
it does). The same is now also needed for DeleteCollection because kubelet will
use that to clean up in one operation instead of using multiple.
2024-07-18 09:09:19 +02:00