Commit Graph

203 Commits

Author SHA1 Message Date
Stanislav Láznička a7981497b1 authz tests: delay response in context cancelled scenario
The net/http transport checks for immediate response when
it is handling context cancellation. The unit test was racing
with this check by responding too fast.

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>

Kubernetes-commit: efcf97f98c7c9891015d4f2b37d2fc3afcdd336c
2025-07-30 14:33:28 +02:00
Monis Khan bcfdd8b141 Add egress selector support to JWT authenticator
This change adds the StructuredAuthenticationConfigurationEgressSelector
beta feature (default on).  When enabled, each JWT authenticator
specified via the AuthenticationConfiguration.jwt array can
optionally specify either the controlplane or cluster egress
selector by setting the issuer.egressSelectorType field.  When
unset, the prior behavior of using no egress selector is retained.

Egress selection is valuable when the persona configuring the JWT
authenticator and the persona managing the control plane are
different individuals.  This change allows the latter to protect
control plane network services from unexpected connections.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: b69fd9d42c4d03b8fe5b37433d59f85483835d30
2025-06-24 17:12:28 -04:00
Jordan Liggitt c31c6756df KEP-4601: Graduate selector authorization to stable
Kubernetes-commit: a04e7cf5eb842754ccf1f340792e2d92c694af72
2025-07-01 12:11:54 -04:00
PatrickLaabs 9b1ef94042 chore: first depr. pointer pkg replacement for apiserver
Kubernetes-commit: 4a61b8170138998a1f1d49f01ad38e8e3aa88f20
2025-07-06 10:58:23 +02:00
Anish Ramasekar f8343759d9 Update tests for StructuredAuthenticationConfiguration feature gate GA
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 512f000d0f321c568b76b175bc4a44ea9dd73cf3
2025-05-22 17:00:24 -07:00
Anish Ramasekar 851e917827 KEP-3331: Add test to simulate revocation via user validation rule using unique identifier (jti)
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 6a495241ef3dfb828d4ae1112123a7fc98a493b9
2025-06-03 14:40:17 -07:00
Karl Isenberg 46dd96ca03 refactor: Stop using ioutil in apiserver
- The ioutil package is deprecated. Migrate to os package functions.

Kubernetes-commit: f93e4645c18c6f56bfddc158ef7b3f674b3c41dd
2025-05-08 11:28:52 -07:00
Monis Khan f2b320dc52 jwt: support CEL expressions with escaped names
This is purely for consistency with other uses of CEL in the
project.  Using `[` for accessing claims or user data is preferred
when names contain characters that would need to be escaped.  CEL
optionals via `?` can be used in places where `has` cannot be used,
i.e. `claims[?"kubernetes.io"]` or `user.extra[?"domain.io/foo"]`.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 7b50c8a510f2645219ee05da5195042c02552932
2025-05-01 13:22:52 -04:00
Monis Khan cb5a7a865d jwt: add unit tests for using CEL with deeply nested claims
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 5441f5fdef781298cd7d924eecd00e20e08831ce
2025-04-30 00:03:25 -04:00
Monis Khan dbbb6a075e jwt: refactor CEL eval to drop unstructured and map[string]any
This prepares us to add support for distributed claims support in
CEL expressions.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 43d6ea12e3f757e46e17311801a596aa5e70b06e
2025-04-28 17:19:54 -04:00
Tim Hockin 9641d30242 Use randfill, do API renames
Kubernetes-commit: e54719bb6674fac228671e0786d19c2cf27b08a3
2025-02-20 09:45:22 -08:00
Davanum Srinivas 6e7ca2c0dc Switch to gopkg.in/go-jose/go-jose.v2 @ v2.6.3
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: c9e81cd84ca12d0a60c8e11eb318c13f657217c1
2025-01-21 09:21:27 -05:00
Patrick Ohly b84662911c remove import doc comments
The "// import <path>" comment has been superseded by Go modules.
We don't have to remove them, but doing so has some advantages:

- They are used inconsistently, which is confusing.
- We can then also remove the (currently broken) hack/update-vanity-imports.sh.
- Last but not least, it would be a first step towards avoiding the k8s.io domain.

This commit was generated with
   sed -i -e 's;^package \(.*\) // import.*;package \1;' $(git grep -l '^package.*// import' | grep -v 'vendor/')

Everything was included, except for
   package labels // import k8s.io/kubernetes/pkg/util/labels
because that package is marked as "read-only".

Kubernetes-commit: 8a908e0c0bd96a3455edf7e3b5f5af90564e65b0
2024-12-02 14:43:58 +01:00
Jordan Liggitt 08766af90d KEP-3221: Promote StructuredAuthorizationConfiguration to GA
Kubernetes-commit: ad808e609a599723cf17f7fcdfb73ca37bcf78fc
2024-10-17 21:48:30 -04:00
Jordan Liggitt 1e62dc23aa KEP-4601: AuthorizeNodeWithSelectors / AuthorizeWithSelectors to beta
Kubernetes-commit: 9caca7312645b5ffba964cc8170484b4e7f7b602
2024-10-17 19:51:07 -04:00
Dr. Stefan Schimanski 4b46916a7b apiserver/authconfig: wire CEL compiler through lower layers to allow sharing
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

Kubernetes-commit: 4024390d8c8a19056ab7ced95eef5cce43c8096d
2024-09-20 12:34:08 +02:00
Matthieu MOREL 33d4365d5b fix: enable formatter rule from testifylint in module `k8s.io/apiserver`
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>

Kubernetes-commit: 58d5acd59870219f11721eb46103d1764884bef1
2024-07-14 07:58:03 +00:00
Mangirdas Judeikis 07be2984cd wire in ctx to rbac plugins
Kubernetes-commit: 4e4eb8c5c95652b4cbe672a02e4077a93d0bfe2d
2024-09-13 12:03:47 +03:00
liyuerich 535f09400e drop deprecated json/yaml newSerializers, use json.NewSerializerWithOptions instead
Signed-off-by: liyuerich <yue.li@daocloud.io>

Kubernetes-commit: 3c9309db463679c348934429d8487d190ed5e64a
2024-05-29 19:00:00 +08:00
Anish Ramasekar 13c06f3696 Set credential-id in userinfo.extra for jwt authenticators if jti claim present
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: c22a41e879e72ba4c925b06d8aa00e43160a0f86
2024-08-29 17:09:07 -07:00
Jordan Liggitt eabf12957a Add structured labelSelector / fieldSelector to authorization webhook match conditions
Kubernetes-commit: a1398a8ccaeb7f881acb65d1276392f4cac259e8
2024-06-26 17:17:43 -04:00
David Eads f26d4ed894 add field and label selectors to authorization attributes
Co-authored-by: Jordan Liggitt <liggitt@google.com>

Kubernetes-commit: 92e3445e9d7a587ddb56b3ff4b1445244fbf9abd
2024-05-23 15:12:26 -04:00
Matthieu MOREL 8705baa8b2 fix: enable empty and len rules from testifylint on pkg package
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>

Co-authored-by: Patrick Ohly <patrick.ohly@intel.com>

Kubernetes-commit: f014b754fb5925dfbca6e27a44d0c3968b157e14
2024-06-28 21:20:13 +02:00
Jordan Liggitt 4676a5aa43 Fix structured authorization webhook timeout wiring
Kubernetes-commit: c50f68d6eef33079e44f5cd8f658e8d08d09708d
2024-06-17 11:08:30 -04:00
Marek Siarkowicz 74fb076497 Cleanup defer from SetFeatureGateDuringTest function call
Kubernetes-commit: 3ee81787685e47a7a5da22423c8ca4455577ecb3
2024-04-23 10:39:47 +02:00
Monis Khan 2c1ad21e66 Add dynamic reload support for authentication configuration
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: b4935d910dcf256288694391ef675acfbdb8e7a3
2024-01-10 12:36:55 -05:00
Monis Khan 4eaefb0cee jwt: fail on empty username via CEL expression
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 8345ad0bac4fee6d25f033f0445e2e10eae6afbe
2024-02-28 12:53:08 -05:00
Monis Khan 9432b4df38 Prevent conflicts between service account and jwt issuers
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 05e1eff7933a440595f4bea322b54054d3c1b153
2024-02-27 17:11:18 -05:00
Jordan Liggitt 9adb3ee3c0 Add authorization webhook duration/count/failopen metrics
Kubernetes-commit: 79b344d85e3e2f8f3192a3dcabb384cfe87136a6
2024-03-02 01:44:28 -05:00
Anish Ramasekar d456bc0c1b wire up discovery url in authenticator
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 78fb0bae22f2106219d19fff060caa7866c27430
2024-02-26 16:17:58 -08:00
Anish Ramasekar 09c9be2c2e Add `apiserver_authentication_jwt_authenticator_latency_seconds` metric
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 0da5e8137b839860d55938ceb6d520caba3fc776
2024-02-08 18:08:07 +00:00
Rita Zhang b7a30e3bfb add authz webhook matchcondition metrics
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Jordan Liggitt <liggitt@google.com>
Co-authored-by: Jordan Liggitt <liggitt@google.com>

Kubernetes-commit: e76fce75666beb2771dfa15a10700f18d2d15d85
2024-02-29 20:55:32 -08:00
Anish Ramasekar b3e4dc29ef add min valid jwt payload to API docs for structured authn config
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: b57d7d6ad79ed0a2a8359144c07eadeef0ea3fd3
2024-02-22 16:33:24 -08:00
Monis Khan 1154db23b1 jwt: strictly support compact serialization only
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: e89dddd4af67d34e441ec1733bdb22ce725d621c
2024-02-27 12:40:59 -05:00
Anish Ramasekar 1bc99127a6 Add integration test for multiple audience in structured authn
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 0feb1d5173c94e28da79963fb296296b005dd6a1
2024-02-14 17:04:21 -08:00
Monis Khan d887d80e81 Support all key algs with structured authn config
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: b5e0068325da7aa5ca42a7d5ea6b0f012a519765
2024-02-13 13:45:53 -05:00
Anish Ramasekar fb760be3fc support multiple audiences with jwt authenticator
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 18c563546a764b559ce5b74f09eaaaf9c1f0e5fb
2024-01-24 17:15:11 +00:00
Rita Zhang c4ab5aa41a add false matchCondition benchmark
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: 7c5dfceff8a4de3387b48e941d098a3957de2870
2023-11-13 09:22:24 -08:00
Rita Zhang e319da4264 split compile and eval
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: 11cdb8fd011a931d34506ade65e966f7c5208ae7
2023-11-08 16:37:10 -08:00
Rita Zhang f0d5068944 authz: add benchmark for webhook authorizer
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: fe53db0dbdc25c9b2f87adbd53f1ebe4b6c1169d
2023-11-08 15:38:11 -08:00
Anish Ramasekar 17a9a816ec [StructuredAuthn] Ensure empty fields of user object are accessible by CEL

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: b693f09d544b17c82af4437bd93ea0b165e2622e
2023-11-02 22:20:06 +00:00
Jordan Liggitt 2a9f8b8d15 Include empty string attributes for CEL authz evaluation
Kubernetes-commit: 44d89c8cf8c1ba883029e1244492a523d6b50b92
2023-11-02 15:14:06 -04:00
Jordan Liggitt 4eacc8425d Plumb failure policy from config to webhook construction
Kubernetes-commit: 2e2f51a4417d93b5505091d28b319365dc95e137
2023-11-02 13:55:35 -04:00
Anish Ramasekar 78b670287d Implement CEL and wire it with OIDC authenticator
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 26e3a03d12d71e6e97bc7c40542cb7519051dd73
2023-09-20 23:11:37 +00:00
Rita Zhang cca4910d25 authz: add cel expression to webhook matchconditions
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: 31c76e9abb22faaf833acd54ce75cc71465136e4
2023-10-06 17:47:23 -07:00
Anish Ramasekar d4b9ebf180 [StructuredAuthnConfig] use local variables in oidc pkg
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: e410f86825fa5df5b05cc3aed5417f7cd9716ebd
2023-08-25 19:39:32 +00:00
Anish Ramasekar fdfc990c33 wiring existing oidc flags with internal API struct
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 1bad3cbbf59a61805a48f609b8cc0a2a40c168ef
2023-06-28 06:04:45 +00:00
Anish Ramasekar 822396743a [StructuredAuthenticationConfig] wire request context to claim resolver
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 150f732c7ee68cd738043c5e8a9966a9d55fb69d
2023-06-28 20:37:40 +00:00
HirazawaUi 709ca925ae fix fd leaks and failed file removing for pkg controller-manager and apiserver
Kubernetes-commit: 982d2966cd33d79026a5d111dcb8bfeae62e657f
2023-05-03 01:36:00 +08:00
Tim Hockin 0165503c5a Replace uses of ObjectReflectDiff with cmp.Diff
ObjectReflectDiff is already a shim over cmp.Diff, so no actual output
or behavior changes

Kubernetes-commit: bc302fa4144d21a338683cd83701661f97be4aba
2023-03-23 11:34:03 -07:00