Production-Grade Container Scheduling and Management
Monis Khan 9b23f22472
Make oidc authenticator audience agnostic
This change removes the audience logic from the oidc authenticator
and collapses it onto the same logic used by other audience unaware
authenticators.

oidc is audience unaware in the sense that it does not know or
understand the API server's audience.  As before, the authenticator
will continue to check that the token audience matches the
configured client ID.

The reasoning for this simplification is:

1. The previous code tries to make the client ID on the oidc token
a valid audience.  But by not returning any audience, the token is
not valid when used via token review on a server that is configured
to honor audiences (the token works against the Kube API because the
audience check is skipped).

2. It is unclear what functionality would be gained by allowing
token review to check the client ID as a valid audience.  It could
serve as a proxy to know that the token was honored by the oidc
authenticator, but that does not seem like a valid use case.

3. It has never been possible to use the client ID as an audience
with token review as it would have always failed the audience
intersection check.  Thus this change is backwards compatible.

It is strange that the oidc authenticator would be considered
audience unaware when oidc tokens have an audience claim, but from
the perspective of the Kube API (and for backwards compatibility),
these tokens are only valid for the API server's audience.

This change seems to be the least magical and most consistent way to
honor backwards compatibility and to allow oidc tokens to be used
via token review when audience support is enabled.

Signed-off-by: Monis Khan <mok@vmware.com>
2020-02-04 13:24:49 -08:00
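A constructed Go model of the audience intersection the commit message reasons about, added here as an illustration and not code from the Kubernetes repository; the function names, the nil-versus-empty convention and the audience values are assumptions chosen to show why a response carrying no audiences fails token review on an audience-honoring server, while an audience-unaware (nil) response is treated as valid for the API server's own audience.

```go
package main

import "errors"

// Audiences is a list of audience strings (a constructed model, not the k8s type).
// Convention used below: a nil Audiences returned by an authenticator means it is
// audience-unaware, so the API server's own audience is implied.
type Audiences []string

// intersect returns the audiences that appear in both lists.
func intersect(a, b Audiences) (out Audiences) {
	for _, x := range a {
		for _, y := range b {
			if x == y {
				out = append(out, x)
			}
		}
	}
	return out
}

// oidcAuthenticate models the check the commit keeps: the token's aud must equal
// the configured client ID. legacy=true models the pre-change behaviour the
// message describes, which returned an empty (non-nil) audience list.
func oidcAuthenticate(tokenAud, clientID string, legacy bool) (Audiences, error) {
	if tokenAud != clientID {
		return nil, errors.New("token audience does not match configured client ID")
	}
	if legacy {
		return Audiences{}, nil // empty, not nil: "no audience" rather than "unaware"
	}
	return nil, nil // nil: audience-unaware, API server audience is implied
}

// tokenReview models the audience intersection check: when a caller names the
// audiences it cares about, they must overlap with what the authenticator vouched for.
func tokenReview(got, apiServerAuds, requested Audiences) (Audiences, error) {
	if got == nil { // audience-unaware authenticator
		got = apiServerAuds
	}
	if len(requested) == 0 { // no audiences requested: the check is skipped
		return got, nil
	}
	if common := intersect(got, requested); len(common) > 0 {
		return common, nil
	}
	return nil, errors.New("token is not valid for the requested audiences")
}
```

The legacy path passes when no audiences are requested (the direct-to-API-server case) but fails once token review names the API server audience, which is exactly the inconsistency the message describes.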

Kubernetes


Kubernetes is an open source system for managing containerized applications across multiple hosts. It provides basic mechanisms for deployment, maintenance, and scaling of applications.

Kubernetes builds upon a decade and a half of experience at Google running production workloads at scale using a system called Borg, combined with best-of-breed ideas and practices from the community.

Kubernetes is hosted by the Cloud Native Computing Foundation (CNCF). If your company wants to help shape the evolution of technologies that are container-packaged, dynamically scheduled, and microservices-oriented, consider joining the CNCF. For details about who's involved and how Kubernetes plays a role, read the CNCF announcement.


To start using Kubernetes

See our documentation on kubernetes.io.

Try our interactive tutorial.

Take a free course on Scalable Microservices with Kubernetes.

To use Kubernetes code as a library in other applications, see the list of published components. Use of the k8s.io/kubernetes module or k8s.io/kubernetes/... packages as libraries is not supported.

To start developing Kubernetes

The community repository hosts all information about building Kubernetes from source, how to contribute code and documentation, who to contact about what, etc.

If you want to build Kubernetes right away there are two options:

1. You have a working Go environment.

   mkdir -p $GOPATH/src/k8s.io
   cd $GOPATH/src/k8s.io
   git clone https://github.com/kubernetes/kubernetes
   cd kubernetes
   make

2. You have a working Docker environment.

   git clone https://github.com/kubernetes/kubernetes
   cd kubernetes
   make quick-release

For the full story, head over to the developer's documentation.

Support

If you need support, start with the troubleshooting guide, and work your way through the process that we've outlined.

That said, if you have questions, reach out to us one way or another.
