kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
8,092 Commits 29 Branches 1,436 Tags 31 MiB
Commit Graph

271 Commits

Author SHA1 Message Date
Anish Ramasekar 9333a5f386 Duplicate v1beta1 AuthenticationConfiguration to v1 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: aea874e5e47c1740d12f1dbea6bba8249407c9f8
 2025-05-13 15:48:04 -07:00
Antoni Zawodny cd728bc91b Remove FlowSchemas handling non-leases-backed leader election 
Kubernetes-commit: 2800c16c8b97991b228c00b86934daa134f08add
 2025-04-08 13:57:46 +02:00
Benjamin Elder 0710a6fd0a make update 
Kubernetes-commit: 1c3dc397ae137cc8b1d2095ea33217a239b81b55
 2025-03-21 18:19:43 -07:00
Benjamin Elder 81c5d13c4d remove inaccurate hostNetwork doc comment 
also remove from copies in example / test APIs

Kubernetes-commit: 8af1629f7aeeabeaec21f3fbcee5bc60d9ad2015
 2025-03-21 18:19:29 -07:00
Rafael Franzke 213eed6ea1 Allow disabling caching for webhook authorizers when using `apiserver.config.k8s.io/v1{alpha1,beta1}.AuthorizationConfiguration` (#129237) 
* Introduce new boolean `cache{Una,A}uthorizedRequests` field

* Run `hack/update-codegen.sh`

* Respect legacy flags values for caching

With the legacy `--authorization-webhook-cache-{un}authorized-ttl`
flags, caching was disabled when the TTL was set to `0`, so let's
continue doing so when building the authz configuration struct.

* Pass TTL=0 to webhook authz plugin when cache disabled

Kubernetes-commit: fa8e37f7805d608c121f07da5259d3086436d397
 2025-04-23 22:30:52 +02:00
Anish Ramasekar 3a95207b18 Add unit test to validate email_verified in claim validation rules 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: af291a44c3a2e31ef58851d27aaa70e9a02fedaa
 2025-03-17 15:38:35 -07:00
Anish Ramasekar 67dfc24d13 fix godoc for email_verified requirement when username contains claims.email 
Using 'claims.?email_verified.orValue(true) == true' in the example
validation rule. By explicitly comparing the value to true, we let type-checking see the result
will be a boolean, and to make sure a non-boolean email_verified claim will be caught at runtime.

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 916c7867f7ea766824728851a25b01ebbc600491
 2025-03-17 15:18:05 -07:00
Tim Hockin 9641d30242 Use randfill, do API renames 
Kubernetes-commit: e54719bb6674fac228671e0786d19c2cf27b08a3
 2025-02-20 09:45:22 -08:00
Patrick Ohly b84662911c remove import doc comments 
The "// import <path>" comment has been superseded by Go modules.
We don't have to remove them, but doing so has some advantages:

- They are used inconsistently, which is confusing.
- We can then also remove the (currently broken) hack/update-vanity-imports.sh.
- Last but not least, it would be a first step towards avoiding the k8s.io domain.

This commit was generated with
   sed -i -e 's;^package \(.*\) // import.*;package \1;' $(git grep -l '^package.*// import' | grep -v 'vendor/')

Everything was included, except for
   package labels // import k8s.io/kubernetes/pkg/util/labels
because that package is marked as "read-only".

Kubernetes-commit: 8a908e0c0bd96a3455edf7e3b5f5af90564e65b0
 2024-12-02 14:43:58 +01:00
Rita Zhang 882c7896e7 Add webhookmatchcondition doc comment 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>

Kubernetes-commit: 151599d47a9b866a7d7b8dffc5714557817bbcf2
 2024-11-04 16:26:42 -08:00
Jordan Liggitt 08766af90d KEP-3221: Promote StructuredAuthorizationConfiguration to GA 
Kubernetes-commit: ad808e609a599723cf17f7fcdfb73ca37bcf78fc
 2024-10-17 21:48:30 -04:00
Dr. Stefan Schimanski bf20cce32f apiserver/validation: fix some sets.NewString deprecations 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

Kubernetes-commit: c44fc280871f1c4de177ed70367afcc9a9b06175
 2024-09-25 11:39:53 +02:00
Dr. Stefan Schimanski 4b46916a7b apiserver/authconfig: wire CEL compiler through lower layers to allow sharing 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

Kubernetes-commit: 4024390d8c8a19056ab7ced95eef5cce43c8096d
 2024-09-20 12:34:08 +02:00
xuzhenglun 3abc312093 add test coverage for cohabitating resources in StroageFactory 
Kubernetes-commit: d994895dc4580101f17661eb573fc282d4b8517d
 2024-09-12 16:59:08 +08:00
Anish Ramasekar fed75d52d6 Disallow k8s.io and kubernetes.io namespaced extra key in structured authn config 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 89c619f4fe698bf5b208ce86bce5da6833ca77b6
 2024-08-05 16:09:00 -07:00
Anish Ramasekar febd487238 Validate structured authn feature is enabled for discovery url/multiple 
audiences

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: f80c73248f872769d72b620e567747a1018f8a2b
 2024-07-23 15:04:02 -07:00
Jordan Liggitt eabf12957a Add structured labelSelector / fieldSelector to authorization webhook match conditions 
Kubernetes-commit: a1398a8ccaeb7f881acb65d1276392f4cac259e8
 2024-06-26 17:17:43 -04:00
Vinayak Goyal fd1f3aafaf Fix typo in error message for anonymous field in AuthenticationConfiguration. 
Kubernetes-commit: 27e8923c70c8bf95e0db02aeb7a0d45908ae9d62
 2024-07-09 21:04:28 +00:00
Vinayak Goyal 77f498853b KEP-4633: Allow health-only anonymous auth mode. 
Signed-off-by: Vinayak Goyal <vinaygo@google.com>

Kubernetes-commit: 5e6a4937f5a3e20dd77238946220461332ecddff
 2024-05-16 21:18:34 +00:00
Cici Huang d44012e895 Adding the feature gates to fix cost for VAP and webhook matchConditions. 
Kubernetes-commit: d6e4115ead6b93d2accf688876471231b365ceae
 2024-05-01 16:26:41 -07:00
Marek Siarkowicz 74fb076497 Cleanup defer from SetFeatureGateDuringTest function call 
Kubernetes-commit: 3ee81787685e47a7a5da22423c8ca4455577ecb3
 2024-04-23 10:39:47 +02:00
Andrew DeMaria 81abb60d67 generate fully qualified type references 
Currently type references for non-local names are output as relative
types which is subject to the resolution rules as defined at
https://protobuf.com/docs/language-spec#reference-resolution
This works fine within the k8s.io namespace where no subpackages are
named k8s, but other users of go-to-protobuf likely have k8s in their
package name. This causes conflicts in the search resolution when
executing `go-to-protobuf`:

```
company.example.com/k8s/custom/pkg/apis/custom.k8s.example.com/v1/generated.proto:64:12: "k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta" is resolved to "company.example.com.k8s.custom.pkg.apis.custom.k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta", which is not defined. The innermost scope is searched first in name resolution. Consider using a leading '.'(i.e., ".k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta") to start from the outermost scope.
```

To avoid this we can output fully qualified type references using a
preceding dot (.)

This results in a change for k8s generated.proto files, but the
effect is a noop.

Fixes kubernetes/code-generator#147

Signed-off-by: Andrew DeMaria <ademaria@cloudflare.com>

Kubernetes-commit: 9edf1fc51c56d565348c48f3765cf094518ba7ed
 2023-03-20 18:02:14 -06:00
Monis Khan 5b4b237d07 Require email_verified to be used when email is set as username via CEL 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 121607e80963370c1838f9f620c2b8552041abfc
 2024-03-05 17:20:18 -05:00
Anish Ramasekar bc65af8e04 Support multiple JWT authenticators with structured authn config 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 39e1c9108c0802024ebb01ad2286b2f09f63798e
 2024-02-21 15:19:25 -08:00
Anish Ramasekar f09dddfc89 Duplicate v1alpha1 AuthenticationConfiguration to v1beta1 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: b502aa6f31d3f55ce87cafdf3eb5e3fb87e74b50
 2024-03-04 23:37:31 -08:00
Monis Khan 37809637af Fix AuthenticationConfiguration docs around nested claims via CEL 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 290f2a7e1b62d2bfce2363ec528155a9748e0adb
 2024-03-05 12:01:11 -05:00
Monis Khan 9432b4df38 Prevent conflicts between service account and jwt issuers 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 05e1eff7933a440595f4bea322b54054d3c1b153
 2024-02-27 17:11:18 -05:00
Anish Ramasekar f2c6133c7f Add `DiscoveryURL` to AuthenticationConfiguration 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 84852ff56f952b4c3daab920d119d24c2e6a3476
 2024-02-07 01:41:52 +00:00
Jordan Liggitt 4153027735 Duplicate v1alpha1 AuthorizationConfiguration to v1beta1 
Kubernetes-commit: 0605a75c5e3590e2b0ab80d2163a76c4e77f4380
 2024-03-02 01:56:29 -05:00
Jordan Liggitt 59cba35b06 Fix discovery v2 conversion registration data race 
Kubernetes-commit: 0e9cdf76ad2e21166dd5b72f7b0c2450d648c906
 2024-03-01 19:29:39 -05:00
Anish Ramasekar 7b0c197f53 cleanup structured authn/authz error logic 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: c2c4f4616d4ecea9fad5b994cdc72e3f96728962
 2024-01-25 22:45:19 +00:00
Jefftree d8d3b8c351 Use v2 types with agg discovery 
Kubernetes-commit: 462dd326c2e98d937a96d49002883000efe4b2d6
 2024-01-19 16:13:47 -05:00
Tim Hockin 541bc37de9 Fix go-to-protobuf wrt gengo/v2 
There's some very fishy-smelling logic in here, but this commit is
trying to be as focused as possible.

The *.pb.go diffs are the "name" encoded in the descriptor.  The
descriptor blobs can be decoded by this program (thanks StackOverflow!):

```
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"os"

	"io/ioutil"

	proto "github.com/golang/protobuf/proto"
	dpb "github.com/golang/protobuf/protoc-gen-go/descriptor"
)

func main() {
	m := map[string][]byte{
		"before": blobv1,
		"after":  blobv2,
	}
	arg := os.Args[1]
	dump(m[arg])
}

func dump(bytes []byte) {
	fd, err := decodeFileDesc(bytes)
	if err != nil {
		panic(err)
	}
	b, err := json.MarshalIndent(fd, "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}

// decompress does gzip decompression.
func decompress(b []byte) ([]byte, error) {
	r, err := gzip.NewReader(bytes.NewReader(b))
	if err != nil {
		return nil, fmt.Errorf("bad gzipped descriptor: %v", err)
	}
	out, err := ioutil.ReadAll(r)
	if err != nil {
		return nil, fmt.Errorf("bad gzipped descriptor: %v", err)
	}
	return out, nil
}

func decodeFileDesc(enc []byte) (*dpb.FileDescriptorProto, error) {
	raw, err := decompress(enc)
	if err != nil {
		return nil, fmt.Errorf("failed to decompress enc: %v", err)
	}

	fd := new(dpb.FileDescriptorProto)
	if err := proto.Unmarshal(raw, fd); err != nil {
		return nil, fmt.Errorf("bad descriptor: %v", err)
	}
	return fd, nil
}

var blobv1 = []byte{
	// insert proto "before" blob here
}

var blobv2 = []byte{
	// insert proto "after" blob here
}
```

Running this with "before" and "after" args, and diffing the output
yields something like:

```diff
--- /tmp/a	2023-12-23 23:57:04.748090836 -0800
+++ /tmp/b	2023-12-23 23:57:11.000040973 -0800
@@ -1,5 +1,5 @@
 {
-  "name": "k8s.io/kubernetes/vendor/k8s.io/api/admission/v1/generated.proto",
+  "name": "k8s.io/api/admission/v1/generated.proto",
   "package": "k8s.io.api.admission.v1",
   "dependency": [
     "github.com/gogo/protobuf/gogoproto/gogo.proto",
```

Kubernetes-commit: b0a70dec4ab4cb9f972cf39a81ca5e5555417227
 2023-12-24 10:01:42 -08:00
Anish Ramasekar b3e4dc29ef add min valid jwt payload to API docs for structured authn config 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: b57d7d6ad79ed0a2a8359144c07eadeef0ea3fd3
 2024-02-22 16:33:24 -08:00
Tim Hockin d38e8187d9 Cleanup: s/depreciated/deprecated/g 
Kubernetes-commit: 9f4b82bf3b079fe868effbd2498b61464db6d459
 2024-02-18 14:50:55 -08:00
Anish Ramasekar 1bc99127a6 Add integration test for multiple audience in structured authn 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 0feb1d5173c94e28da79963fb296296b005dd6a1
 2024-02-14 17:04:21 -08:00
Anish Ramasekar fb760be3fc support multiple audiences with jwt authenticator 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 18c563546a764b559ce5b74f09eaaaf9c1f0e5fb
 2024-01-24 17:15:11 +00:00
Anish Ramasekar 26996e3679 Add AudienceMatchPolicy to AuthenticationConfiguration 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 19da90d6396ce9471f612d6e9a31f1b1c8d605b1
 2024-01-25 22:35:16 +00:00
Anish Ramasekar e7eedd15ec move encryption config types to standard API server config location 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 75695dae1093cc08cb56a4930c0be8e7e4433be1
 2023-12-16 00:00:21 +00:00
Anish Ramasekar 6bad17ce50 [StructuredAuthnConfig] add comment for extra keys unique requirement 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: af8da8e01c28286feedf528e94683781a0387a99
 2024-01-02 19:58:20 +00:00
Tim Hockin 7674c1a859 Fix list_type_missing in k8s.io/apiserver 
Kubernetes-commit: eddf65849dfa1b3c351597d7018a2700371d8955
 2023-11-17 11:46:28 -08:00
Jordan Liggitt 374f72b704 Require match condition version only if matchConditions are specified 
Kubernetes-commit: a000af25ff3bcc79fe7d8da299225ad252c9894a
 2023-11-02 13:54:39 -04:00
Anish Ramasekar 78b670287d Implement CEL and wire it with OIDC authenticator 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 26e3a03d12d71e6e97bc7c40542cb7519051dd73
 2023-09-20 23:11:37 +00:00
Anish Ramasekar 9032e4e6da add new fields in v1alpha1 StructuredAuthenticationConfiguration 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 6b971153d75534a768a67a6b50ee44423611f5b0
 2023-09-07 22:30:28 +00:00
Rita Zhang cca4910d25 authz: add cel expression to webhook matchconditions 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: 31c76e9abb22faaf833acd54ce75cc71465136e4
 2023-10-06 17:47:23 -07:00
Abu Kashem b041969f97 apiserver: allow zero value for the 'nominalConcurrencyShares' field 
Kubernetes-commit: 9fd2ab419ad771790d3cb80ea7b8e6828d9ce305
 2023-10-27 19:26:08 -04:00
Abu Kashem 0b0a995736 apiserver: apf controller, bootstrap, tests should use flowcontrol v1 API 
Kubernetes-commit: 17bda3c3e05a75943591f61f37d7fdc0d07870ec
 2023-10-11 09:20:41 -04:00
Nabarun Pal 4693682515 Add --authorization-config flag to apiserver 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 22e5a806a73e48486a90491fc3eb03d208b520a0
 2023-09-25 09:18:11 +05:30
Nabarun Pal b259861486 staging/apiserver: correct KubeConfigFile type in authorization types 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 2bf2c4f3a413d3a2e070fe61aeba6fb309bf2e5e
 2023-09-27 17:48:38 +05:30
Qiming Teng e014cf25b9 Generated files 
Kubernetes-commit: c65fe450d8a3229cfe531a3806939775dd52e7e0
 2023-10-03 20:16:10 +08:00