mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 19:56:01 +00:00

Production-Grade Container Scheduling and Management

Go to file

Filip Filmar dfb527843c Implements distributed OIDC claims. A distributed claim allows the OIDC provider to delegate a claim to a separate URL. Distributed claims are of the form as seen below, and are defined in the OIDC Connect Core 1.0, section 5.6.2. See: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims Example claim: ``` { ... (other normal claims)... "_claim_names": { "groups": "src1" }, "_claim_sources": { "src1": { "endpoint": "https://www.example.com", "access_token": "f005ba11" }, }, } ``` Example response to a followup request to https://www.example.com is a JWT-encoded claim token: ``` { "iss": "https://www.example.com", "aud": "my-client", "groups": ["team1", "team2"], "exp": 9876543210 } ``` Apart from the indirection, the distributed claim behaves exactly the same as a standard claim. For Kubernetes, this means that the token must be verified using the same approach as for the original OIDC token. This requires the presence of "iss", "aud" and "exp" claims in addition to "groups". All existing OIDC options (e.g. groups prefix) apply. Any claim can be made distributed, even though the "groups" claim is the primary use case. Allows groups to be a single string due to https://github.com/kubernetes/kubernetes/issues/33290, even though OIDC defines "groups" claim to be an array of strings. So, this will be parsed correctly: ``` { "iss": "https://www.example.com", "aud": "my-client", "groups": "team1", "exp": 9876543210 } ``` Expects that distributed claims endpoints return JWT, per OIDC specs. In case both a standard and a distributed claim with the same name exist, standard claim wins. The specs seem undecided about the correct approach here. Distributed claims are resolved serially. This could be parallelized for performance if needed. Aggregated claims are silently skipped. Support could be added if needed.		2018-05-01 17:12:34 -07:00
.github
api	Merge pull request #62893 from hzxuzhonghu/mark-APIServiceSpec.CABundle-optional	2018-05-01 14:05:42 -07:00
build	Merge pull request #63152 from mikedanese/break	2018-05-01 07:36:09 -07:00
cluster	Merge pull request #63341 from wwwtyro/rye/arm64-microbot	2018-05-01 16:00:18 -07:00
cmd	Merge pull request #63201 from chuckha/offline-plan	2018-05-01 16:00:15 -07:00
docs	Merge pull request #60741 from zlabjp/optional-subjects	2018-04-27 17:43:11 -07:00
Godeps	Upgrade Azure Go SDK to v14.6.0	2018-04-26 09:38:48 +08:00
hack	Remove Factory from more Run commands	2018-04-30 19:58:54 +02:00
logo
pkg	Merge pull request #63091 from gonzolino/lb-member-name	2018-05-01 16:00:12 -07:00
plugin	remove incorrect static restmapper	2018-05-01 07:51:17 -04:00
staging	Implements distributed OIDC claims.	2018-05-01 17:12:34 -07:00
test	Merge pull request #63206 from deads2k/api-11-restmapper	2018-05-01 08:10:37 -07:00
third_party
translations
vendor	Upgrade Azure Go SDK to v14.6.0	2018-04-26 09:38:48 +08:00
.bazelrc
.generated_files
.gitattributes
.gitignore
.kazelcfg.json
BUILD.bazel
CHANGELOG-1.2.md
CHANGELOG-1.3.md
CHANGELOG-1.4.md
CHANGELOG-1.5.md
CHANGELOG-1.6.md
CHANGELOG-1.7.md
CHANGELOG-1.8.md
CHANGELOG-1.9.md
CHANGELOG-1.10.md	Merge pull request #61874 from Pingan2017/changelog1-10	2018-04-29 07:45:43 -07:00
CHANGELOG-1.11.md
CHANGELOG.md
code-of-conduct.md
CONTRIBUTING.md
labels.yaml
LICENSE
Makefile
Makefile.generated_files
OWNERS
OWNERS_ALIASES	Add myself to sig-scheduling maintainers/approvers list.	2018-04-26 14:15:14 -04:00
README.md
SUPPORT.md
WORKSPACE

README.md

Kubernetes

Kubernetes is an open source system for managing containerized applications across multiple hosts; providing basic mechanisms for deployment, maintenance, and scaling of applications.

Kubernetes builds upon a decade and a half of experience at Google running production workloads at scale using a system called Borg, combined with best-of-breed ideas and practices from the community.

Kubernetes is hosted by the Cloud Native Computing Foundation (CNCF). If you are a company that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details about who's involved and how Kubernetes plays a role, read the CNCF announcement.

To start using Kubernetes

See our documentation on kubernetes.io.

Try our interactive tutorial.

Take a free course on Scalable Microservices with Kubernetes.

To start developing Kubernetes

The community repository hosts all information about building Kubernetes from source, how to contribute code and documentation, who to contact about what, etc.

If you want to build Kubernetes right away there are two options:

You have a working Go environment.

$ go get -d k8s.io/kubernetes
$ cd $GOPATH/src/k8s.io/kubernetes
$ make

You have a working Docker environment.

$ git clone https://github.com/kubernetes/kubernetes
$ cd kubernetes
$ make quick-release

For the full story, head over to the developer's documentation.

Support

If you need support, start with the troubleshooting guide, and work your way through the process that we've outlined.

That said, if you have questions, reach out to us one way or another.