Karl Isenberg
46dd96ca03
refactor: Stop using ioutil in apiserver
...
- The ioutil package is deprecated. Migrate to os package functions.
Kubernetes-commit: f93e4645c18c6f56bfddc158ef7b3f674b3c41dd
2025-05-08 11:28:52 -07:00
Monis Khan
f2b320dc52
jwt: support CEL expressions with escaped names
...
This is purely for consistency with other uses of CEL in the
project. Using `[` for accessing claims or user data is preferred
when names contain characters that would need to be escaped. CEL
optionals via `?` can be used in places where `has` cannot be used,
i.e. `claims[?"kubernetes.io"]` or `user.extra[?"domain.io/foo"]`.
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 7b50c8a510f2645219ee05da5195042c02552932
2025-05-01 13:22:52 -04:00
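The two access forms named in the message above, written out in a structured authentication configuration, as an added example that is not part of this commit log or of the Kubernetes project's own files. The issuer URL, the audience, and the claim and extra-key names (`example.com/login`, `example.com/groups`, `domain.io/foo`) are assumed for illustration; the field names are those of `apiserver.config.k8s.io/v1` `AuthenticationConfiguration`.

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AuthenticationConfiguration
jwt:
- issuer:
    url: https://issuer.example.com        # assumed issuer, for illustration only
    audiences:
    - my-cluster                           # assumed audience
  claimValidationRules:
  # `has(claims.kubernetes.io)` does not parse as a single field name because of
  # the dot, so index the claim with `[` and use the optional form `[?...]`
  # where `has` cannot be used. hasValue() is false when the claim is absent.
  - expression: 'claims[?"kubernetes.io"].hasValue()'
    message: "token must carry the kubernetes.io claim"
  claimMappings:
    username:
      # A claim whose name contains characters that would need escaping
      # (assumed name example.com/login) is reached with `[` rather than `.`.
      expression: '"oidc:" + claims["example.com/login"]'
    groups:
      # Optional access with a default: a missing claim maps to no groups
      # instead of failing evaluation.
      expression: 'claims[?"example.com/groups"].orValue([])'
    extra:
    - key: "domain.io/foo"                 # assumed extra key
      valueExpression: 'claims[?"domain.io/foo"].orValue("")'
  userValidationRules:
  # user.extra keys with `/` in them are likewise indexed with `[` and `?`.
  - expression: 'user.extra[?"domain.io/foo"].hasValue()'
    message: "domain.io/foo must be present in user extra"
```

The `[?"name"]` form yields a CEL optional, so `hasValue()` and `orValue(...)` are the checks to pair with it; plain `["name"]` errors on a missing key, which is the right behaviour for the username mapping (no username, no authentication) and the wrong one for an optional group or extra claim.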
Monis Khan
cb5a7a865d
jwt: add unit tests for using CEL with deeply nested claims
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 5441f5fdef781298cd7d924eecd00e20e08831ce
2025-04-30 00:03:25 -04:00
Monis Khan
dbbb6a075e
jwt: refactor CEL eval to drop unstructured and map[string]any
...
This prepares us to add support for distributed claims support in
CEL expressions.
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 43d6ea12e3f757e46e17311801a596aa5e70b06e
2025-04-28 17:19:54 -04:00
Tim Hockin
9641d30242
Use randfill, do API renames
...
Kubernetes-commit: e54719bb6674fac228671e0786d19c2cf27b08a3
2025-02-20 09:45:22 -08:00
Davanum Srinivas
6e7ca2c0dc
Switch to gopkg.in/go-jose/go-jose.v2 @ v2.6.3
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: c9e81cd84ca12d0a60c8e11eb318c13f657217c1
2025-01-21 09:21:27 -05:00
Patrick Ohly
b84662911c
remove import doc comments
...
The "// import <path>" comment has been superseded by Go modules.
We don't have to remove them, but doing so has some advantages:
- They are used inconsistently, which is confusing.
- We can then also remove the (currently broken) hack/update-vanity-imports.sh.
- Last but not least, it would be a first step towards avoiding the k8s.io domain.
This commit was generated with
sed -i -e 's;^package \(.*\) // import.*;package \1;' $(git grep -l '^package.*// import' | grep -v 'vendor/')
Everything was included, except for
package labels // import k8s.io/kubernetes/pkg/util/labels
because that package is marked as "read-only".
Kubernetes-commit: 8a908e0c0bd96a3455edf7e3b5f5af90564e65b0
2024-12-02 14:43:58 +01:00
Jordan Liggitt
08766af90d
KEP-3221: Promote StructuredAuthorizationConfiguration to GA
...
Kubernetes-commit: ad808e609a599723cf17f7fcdfb73ca37bcf78fc
2024-10-17 21:48:30 -04:00
Jordan Liggitt
1e62dc23aa
KEP-4601: AuthorizeNodeWithSelectors / AuthorizeWithSelectors to beta
...
Kubernetes-commit: 9caca7312645b5ffba964cc8170484b4e7f7b602
2024-10-17 19:51:07 -04:00
Dr. Stefan Schimanski
4b46916a7b
apiserver/authconfig: wire CEL compiler through lower layers to allow sharing
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Kubernetes-commit: 4024390d8c8a19056ab7ced95eef5cce43c8096d
2024-09-20 12:34:08 +02:00
Matthieu MOREL
33d4365d5b
fix: enable formatter rule from testifylint in module `k8s.io/apiserver`
...
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
Kubernetes-commit: 58d5acd59870219f11721eb46103d1764884bef1
2024-07-14 07:58:03 +00:00
Mangirdas Judeikis
07be2984cd
wire in ctx to rbac plugins
...
Kubernetes-commit: 4e4eb8c5c95652b4cbe672a02e4077a93d0bfe2d
2024-09-13 12:03:47 +03:00
liyuerich
535f09400e
drop deprecated json/yaml newSerializers, use json.NewSerializerWithOptions instead
...
Signed-off-by: liyuerich <yue.li@daocloud.io>
Kubernetes-commit: 3c9309db463679c348934429d8487d190ed5e64a
2024-05-29 19:00:00 +08:00
Anish Ramasekar
13c06f3696
Set credential-id in userinfo.extra for jwt authenticators if jti claim present
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: c22a41e879e72ba4c925b06d8aa00e43160a0f86
2024-08-29 17:09:07 -07:00
Jordan Liggitt
eabf12957a
Add structured labelSelector / fieldSelector to authorization webhook match conditions
...
Kubernetes-commit: a1398a8ccaeb7f881acb65d1276392f4cac259e8
2024-06-26 17:17:43 -04:00
David Eads
f26d4ed894
add field and label selectors to authorization attributes
...
Co-authored-by: Jordan Liggitt <liggitt@google.com>
Kubernetes-commit: 92e3445e9d7a587ddb56b3ff4b1445244fbf9abd
2024-05-23 15:12:26 -04:00
Matthieu MOREL
8705baa8b2
fix: enable empty and len rules from testifylint on pkg package
...
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
Co-authored-by: Patrick Ohly <patrick.ohly@intel.com>
Kubernetes-commit: f014b754fb5925dfbca6e27a44d0c3968b157e14
2024-06-28 21:20:13 +02:00
Jordan Liggitt
4676a5aa43
Fix structured authorization webhook timeout wiring
...
Kubernetes-commit: c50f68d6eef33079e44f5cd8f658e8d08d09708d
2024-06-17 11:08:30 -04:00
Marek Siarkowicz
74fb076497
Cleanup defer from SetFeatureGateDuringTest function call
...
Kubernetes-commit: 3ee81787685e47a7a5da22423c8ca4455577ecb3
2024-04-23 10:39:47 +02:00
Monis Khan
2c1ad21e66
Add dynamic reload support for authentication configuration
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: b4935d910dcf256288694391ef675acfbdb8e7a3
2024-01-10 12:36:55 -05:00
Monis Khan
4eaefb0cee
jwt: fail on empty username via CEL expression
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 8345ad0bac4fee6d25f033f0445e2e10eae6afbe
2024-02-28 12:53:08 -05:00
Monis Khan
9432b4df38
Prevent conflicts between service account and jwt issuers
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 05e1eff7933a440595f4bea322b54054d3c1b153
2024-02-27 17:11:18 -05:00
Jordan Liggitt
9adb3ee3c0
Add authorization webhook duration/count/failopen metrics
...
Kubernetes-commit: 79b344d85e3e2f8f3192a3dcabb384cfe87136a6
2024-03-02 01:44:28 -05:00
Anish Ramasekar
d456bc0c1b
wire up discovery url in authenticator
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 78fb0bae22f2106219d19fff060caa7866c27430
2024-02-26 16:17:58 -08:00
Anish Ramasekar
09c9be2c2e
Add `apiserver_authentication_jwt_authenticator_latency_seconds` metric
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 0da5e8137b839860d55938ceb6d520caba3fc776
2024-02-08 18:08:07 +00:00
Rita Zhang
b7a30e3bfb
add authz webhook matchcondition metrics
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Jordan Liggitt <liggitt@google.com>
Co-authored-by: Jordan Liggitt <liggitt@google.com>
Kubernetes-commit: e76fce75666beb2771dfa15a10700f18d2d15d85
2024-02-29 20:55:32 -08:00
Anish Ramasekar
b3e4dc29ef
add min valid jwt payload to API docs for structured authn config
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: b57d7d6ad79ed0a2a8359144c07eadeef0ea3fd3
2024-02-22 16:33:24 -08:00
Monis Khan
1154db23b1
jwt: strictly support compact serialization only
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: e89dddd4af67d34e441ec1733bdb22ce725d621c
2024-02-27 12:40:59 -05:00
Anish Ramasekar
1bc99127a6
Add integration test for multiple audience in structured authn
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 0feb1d5173c94e28da79963fb296296b005dd6a1
2024-02-14 17:04:21 -08:00
Monis Khan
d887d80e81
Support all key algs with structured authn config
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: b5e0068325da7aa5ca42a7d5ea6b0f012a519765
2024-02-13 13:45:53 -05:00
Anish Ramasekar
fb760be3fc
support multiple audiences with jwt authenticator
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 18c563546a764b559ce5b74f09eaaaf9c1f0e5fb
2024-01-24 17:15:11 +00:00
Rita Zhang
c4ab5aa41a
add false matchCondition benchmark
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: 7c5dfceff8a4de3387b48e941d098a3957de2870
2023-11-13 09:22:24 -08:00
Rita Zhang
e319da4264
split compile and eval
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: 11cdb8fd011a931d34506ade65e966f7c5208ae7
2023-11-08 16:37:10 -08:00
Rita Zhang
f0d5068944
authz: add benchmark for webhook authorizer
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: fe53db0dbdc25c9b2f87adbd53f1ebe4b6c1169d
2023-11-08 15:38:11 -08:00
Anish Ramasekar
17a9a816ec
[StructuredAuthn] Ensure empty fields of user object are accessible by CEL
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: b693f09d544b17c82af4437bd93ea0b165e2622e
2023-11-02 22:20:06 +00:00
Jordan Liggitt
2a9f8b8d15
Include empty string attributes for CEL authz evaluation
...
Kubernetes-commit: 44d89c8cf8c1ba883029e1244492a523d6b50b92
2023-11-02 15:14:06 -04:00
Jordan Liggitt
4eacc8425d
Plumb failure policy from config to webhook construction
...
Kubernetes-commit: 2e2f51a4417d93b5505091d28b319365dc95e137
2023-11-02 13:55:35 -04:00
Anish Ramasekar
78b670287d
Implement CEL and wire it with OIDC authenticator
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 26e3a03d12d71e6e97bc7c40542cb7519051dd73
2023-09-20 23:11:37 +00:00
Rita Zhang
cca4910d25
authz: add cel expression to webhook matchconditions
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: 31c76e9abb22faaf833acd54ce75cc71465136e4
2023-10-06 17:47:23 -07:00
Anish Ramasekar
d4b9ebf180
[StructuredAuthnConfig] use local variables in oidc pkg
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: e410f86825fa5df5b05cc3aed5417f7cd9716ebd
2023-08-25 19:39:32 +00:00
Anish Ramasekar
fdfc990c33
wiring existing oidc flags with internal API struct
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 1bad3cbbf59a61805a48f609b8cc0a2a40c168ef
2023-06-28 06:04:45 +00:00
Anish Ramasekar
822396743a
[StructuredAuthenticationConfig] wire request context to claim resolver
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 150f732c7ee68cd738043c5e8a9966a9d55fb69d
2023-06-28 20:37:40 +00:00
HirazawaUi
709ca925ae
fix fd leaks and failed file removing for pkg controller-manager and apiserver
...
Kubernetes-commit: 982d2966cd33d79026a5d111dcb8bfeae62e657f
2023-05-03 01:36:00 +08:00
Tim Hockin
0165503c5a
Replace uses of ObjectReflectDiff with cmp.Diff
...
ObjectReflectDiff is already a shim over cmp.Diff, so no actual output
or behavior changes
Kubernetes-commit: bc302fa4144d21a338683cd83701661f97be4aba
2023-03-23 11:34:03 -07:00
Tim Hockin
aa9b8ec0fe
Replace uses of ObjectGoPrintDiff with cmp.Diff
...
ObjectGoPrintDiff is already a shim over cmp.Diff, so no actual output
or behavior changes
Kubernetes-commit: 9627c50ef37f3b5274486e6f5ad37b73b1b69bf0
2023-03-23 11:31:25 -07:00
Shiming Zhang
5e43649440
Close body when Report non-OK status code
...
Kubernetes-commit: 1d1dc364bdc75c0aab9ac2406cb74f5c46c104ae
2022-10-09 11:22:10 +08:00
David Ashpole
911a29e64e
migrate another usage of utiltrace to component base tracing
...
Kubernetes-commit: 788b3c3bc3694ae1b28aac31616bd53464e460a1
2022-11-07 21:13:31 +00:00
David Ashpole
aa161f2fc0
migrate apiserver utiltrace usage to component-base/tracing
...
Kubernetes-commit: de26b9023f2872c5cd7e15fad5dd5ab649222c13
2022-10-20 18:15:38 +00:00
iutx
70f028d4e0
Optimize authenticator oidc test
...
Signed-off-by: iutx <root@viper.run>
Kubernetes-commit: c21d33ab280f68176911e064ccff41ac2b96bbe3
2022-09-22 20:50:34 +08:00
Davanum Srinivas
7e94033a61
Generate and format files
...
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: a9593d634c6a053848413e600dadbf974627515f
2022-07-19 20:54:13 -04:00