Karl Isenberg
46dd96ca03
refactor: Stop using ioutil in apiserver
...
- The ioutil package is deprecated. Migrate to os package functions.
Kubernetes-commit: f93e4645c18c6f56bfddc158ef7b3f674b3c41dd
2025-05-08 11:28:52 -07:00
Tim Hockin
9641d30242
Use randfill, do API renames
...
Kubernetes-commit: e54719bb6674fac228671e0786d19c2cf27b08a3
2025-02-20 09:45:22 -08:00
Jordan Liggitt
08766af90d
KEP-3221: Promote StructuredAuthorizationConfiguration to GA
...
Kubernetes-commit: ad808e609a599723cf17f7fcdfb73ca37bcf78fc
2024-10-17 21:48:30 -04:00
Jordan Liggitt
1e62dc23aa
KEP-4601: AuthorizeNodeWithSelectors / AuthorizeWithSelectors to beta
...
Kubernetes-commit: 9caca7312645b5ffba964cc8170484b4e7f7b602
2024-10-17 19:51:07 -04:00
Dr. Stefan Schimanski
4b46916a7b
apiserver/authconfig: wire CEL compiler through lower layers to allow sharing
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Kubernetes-commit: 4024390d8c8a19056ab7ced95eef5cce43c8096d
2024-09-20 12:34:08 +02:00
Mangirdas Judeikis
07be2984cd
wire in ctx to rbac plugins
...
Kubernetes-commit: 4e4eb8c5c95652b4cbe672a02e4077a93d0bfe2d
2024-09-13 12:03:47 +03:00
Jordan Liggitt
eabf12957a
Add structured labelSelector / fieldSelector to authorization webhook match conditions
...
Kubernetes-commit: a1398a8ccaeb7f881acb65d1276392f4cac259e8
2024-06-26 17:17:43 -04:00
David Eads
f26d4ed894
add field and label selectors to authorization attributes
...
Co-authored-by: Jordan Liggitt <liggitt@google.com>
Kubernetes-commit: 92e3445e9d7a587ddb56b3ff4b1445244fbf9abd
2024-05-23 15:12:26 -04:00
Jordan Liggitt
4676a5aa43
Fix structured authorization webhook timeout wiring
...
Kubernetes-commit: c50f68d6eef33079e44f5cd8f658e8d08d09708d
2024-06-17 11:08:30 -04:00
Marek Siarkowicz
74fb076497
Cleanup defer from SetFeatureGateDuringTest function call
...
Kubernetes-commit: 3ee81787685e47a7a5da22423c8ca4455577ecb3
2024-04-23 10:39:47 +02:00
Jordan Liggitt
9adb3ee3c0
Add authorization webhook duration/count/failopen metrics
...
Kubernetes-commit: 79b344d85e3e2f8f3192a3dcabb384cfe87136a6
2024-03-02 01:44:28 -05:00
Rita Zhang
b7a30e3bfb
add authz webhook matchcondition metrics
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Jordan Liggitt <liggitt@google.com>
Co-authored-by: Jordan Liggitt <liggitt@google.com>
Kubernetes-commit: e76fce75666beb2771dfa15a10700f18d2d15d85
2024-02-29 20:55:32 -08:00
Rita Zhang
c4ab5aa41a
add false matchCondition benchmark
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: 7c5dfceff8a4de3387b48e941d098a3957de2870
2023-11-13 09:22:24 -08:00
Rita Zhang
e319da4264
split compile and eval
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: 11cdb8fd011a931d34506ade65e966f7c5208ae7
2023-11-08 16:37:10 -08:00
Rita Zhang
f0d5068944
authz: add benchmark for webhook authorizer
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: fe53db0dbdc25c9b2f87adbd53f1ebe4b6c1169d
2023-11-08 15:38:11 -08:00
Jordan Liggitt
2a9f8b8d15
Include empty string attributes for CEL authz evaluation
...
Kubernetes-commit: 44d89c8cf8c1ba883029e1244492a523d6b50b92
2023-11-02 15:14:06 -04:00
Jordan Liggitt
4eacc8425d
Plumb failure policy from config to webhook construction
...
Kubernetes-commit: 2e2f51a4417d93b5505091d28b319365dc95e137
2023-11-02 13:55:35 -04:00
Rita Zhang
cca4910d25
authz: add cel expression to webhook matchconditions
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: 31c76e9abb22faaf833acd54ce75cc71465136e4
2023-10-06 17:47:23 -07:00
HirazawaUi
709ca925ae
fix fd leaks and failed file removing for pkg controller-manager and apiserver
...
Kubernetes-commit: 982d2966cd33d79026a5d111dcb8bfeae62e657f
2023-05-03 01:36:00 +08:00
Tim Hockin
0165503c5a
Replace uses of ObjectReflectDiff with cmp.Diff
...
ObjectReflectDiff is already a shim over cmp.Diff, so no actual output
or behavior changes
Kubernetes-commit: bc302fa4144d21a338683cd83701661f97be4aba
2023-03-23 11:34:03 -07:00
Tim Hockin
aa9b8ec0fe
Replace uses of ObjectGoPrintDiff with cmp.Diff
...
ObjectGoPrintDiff is already a shim over cmp.Diff, so no actual output
or behavior changes
Kubernetes-commit: 9627c50ef37f3b5274486e6f5ad37b73b1b69bf0
2023-03-23 11:31:25 -07:00
Davanum Srinivas
7e94033a61
Generate and format files
...
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: a9593d634c6a053848413e600dadbf974627515f
2022-07-19 20:54:13 -04:00
Monis Khan
2d35015235
webhook: use rest.Config instead of kubeconfig file as input
...
This change updates the generic webhook logic to use a rest.Config
as its input instead of a kubeconfig file. This exposes all of the
rest.Config knobs to the caller instead of the more limited set
available through the kubeconfig format. This is useful when this
code is being used as a library outside of core Kubernetes. For
example, a downstream consumer may want to override the webhook's
internals such as its TLS configuration.
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: fef7d0ef1e1fbff65e8d445256036704bb9dbcbd
2021-07-23 11:15:47 -04:00
Davanum Srinivas
56a3a30ae1
Check in OWNERS modified by update-yamlfmt.sh
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: 9405e9b55ebcd461f161859a698b949ea3bde31d
2021-12-09 21:31:26 -05:00
tanjing2020
4e2d5a4ec5
Replace with
...
Kubernetes-commit: 1a598798fca6f15f4e883368666e7d4d3565fcc6
2021-07-23 10:26:26 +08:00
Lukasz Szaszkiewicz
9ff2637133
adds metrics for authorization webhook
...
Kubernetes-commit: 4a2aef00d6dd2543b011aa7e5af28df598a0cd72
2021-03-17 16:30:40 +01:00
Abu Kashem
3ba02b7f93
handle webhook authenticator and authorizer error
...
webhook.WithExponentialBackoff returns an error, and the priority is:
- A: if the last invocation of the webhook function returned an error
that error should be returned, otherwise
- B: the error associated with the context if it has been canceled or
it has expired, or the ErrWaitTimeout returned by the wait package
once all retries have been exhausted.
caller should check the error returned by webhook.WithExponentialBackoff
to handle both A and B. Currently, we only handle A.
Kubernetes-commit: ae2b353fbf519b29d168c534f88c373fd67a1c31
2021-01-07 16:14:18 -05:00
Abu Kashem
5254108841
make backoff parameters configurable for webhook
...
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.
Kubernetes-commit: 53a1307f68ccf6c9ffd252eeea2b333e818c1103
2020-10-30 11:25:32 -04:00
ruiwen-zhao
3951aa5897
Fix staticcheck failures on apiserver/plugin/pkg/{authenticator, authorizer}
...
Kubernetes-commit: bdedc4ce34c6ed5453efa2fb7427b8f00d94fc16
2020-10-22 21:47:17 +00:00
Davanum Srinivas
5879417a28
switch over k/k to use klog v2
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: 442a69c3bdf6fe8e525b05887e57d89db1e2f3a5
2020-04-17 15:25:06 -04:00
Jefftree
f1c9537c7b
pass Dialer instead of egressselector to webhooks
...
Kubernetes-commit: 1b38199ea8b220be0b645af8a4cbdef4c87ce7fc
2019-12-05 17:28:59 -08:00
Jefftree
aa55f94611
authentication webhook via network proxy
...
Kubernetes-commit: d318e52ffe0ba156a96cb5507026de6827d543ca
2019-12-03 15:20:49 -08:00
Mike Danese
47a8e95ee2
migrate authenticator and authorizer to Create
...
Kubernetes-commit: 5954f34ade6b56d996ceaa46d403bbf07a164b9b
2020-02-10 10:57:24 -08:00
Mike Danese
f7c2e26715
cleanup req.Context() and ResponseWrapper
...
Kubernetes-commit: 968adfa99362f733ef82f4aabb34a59dbbd6e56a
2020-01-27 18:52:27 -08:00
Mike Danese
5737088b7f
refactor
...
Kubernetes-commit: d55d6175f8e2cfdab0b79aac72046a652c2eb515
2020-01-27 18:19:44 -08:00
Mike Danese
05faa1edc6
increase LRU cache size 8x for authorization webhook
...
1024 seems absurdly small for any normal deployment. At our 10000 byte
entry size limit, this will consume max ~80 MB of memory. More realistic
entry sizes are going to be less than a kB.
Kubernetes-commit: fb33b2f42a9621e65883c92a3cb49a278d14c6cc
2019-12-05 08:48:15 -08:00
Jordan Liggitt
52b3bfb8fa
Switch kubelet/aggregated API servers to use v1 subjectaccessreviews
...
Kubernetes-commit: d54a70db5cfc0887e2f5177b0c3f795947be6eb4
2019-11-04 23:29:56 -05:00
shturec
b054ff44ee
custom retry strategy in GenericWebhook
...
Kubernetes-commit: 4877b0b7b50bdc3eaaadd3f968fd846c1396b708
2019-09-27 13:04:10 +03:00
Jordan Liggitt
f4d60f9c20
Plumb context to webhook calls
...
Kubernetes-commit: b78edd86b8766b96278bcb46301f751d9e6e3631
2019-09-24 11:07:33 -04:00
Jordan Liggitt
0ca78287c0
Propagate context to ExponentialBackoff
...
Kubernetes-commit: 4c686ddc1c5f9bc5c28d711dd56551b1ac003faa
2019-09-24 09:43:04 -04:00
Jordan Liggitt
d1d66bda16
Propagate context to Authorize() calls
...
Kubernetes-commit: 92eb072989eba22236d034b56cc2bf159dfb4915
2019-09-24 10:06:32 -04:00
Xiang Dai
ca6fc75dff
delete all duplicate empty blanks
...
Signed-off-by: Xiang Dai <764524258@qq.com>
Kubernetes-commit: 36065c6dd717c14e0a90131041e20345a7e5e324
2019-02-22 09:43:51 +08:00
Tim Allclair
d206d4fa00
Apply caching limits to authorized requests too
...
Kubernetes-commit: d512173c86708ca83983c4307edd817a6bf109d5
2019-01-24 13:37:30 -08:00
Tim Allclair
ece17ec3d2
Only check caller-controlled attribute size for max cache key
...
Kubernetes-commit: e23c15a0f348c87ee43e6e157731a69451f3db34
2019-01-03 13:33:59 -08:00
Tim Allclair
8368b6dc06
Don't cache ridiculous subject access reviews
...
Kubernetes-commit: ea1b4eb2394a1ee5a3847f92382b30e32eee4d47
2018-10-26 13:18:06 -07:00
Roy Lenferink
4c9524b9fb
Updated OWNERS files to include link to docs
...
Kubernetes-commit: b43c04452f3b563473b5c2a765d4ac18cc0ff58f
2019-01-30 20:05:00 +01:00
danielqsj
8f8d23605e
fix shellcheck in k8s.io/apiserver
...
Kubernetes-commit: 481c2d8e03508dba2c28aeb4bba48ce48904183b
2019-01-24 13:55:09 +08:00
Davanum Srinivas
2710b17b80
Move from glog to klog
...
- Move from the old github.com/golang/glog to k8s.io/klog
- klog has explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
Kubernetes-commit: 954996e231074dc7429f7be1256a579bedd8344c
2018-11-09 13:49:10 -05:00
Jordan Liggitt
c710b80254
authorizers subproject approvers/reviewers
...
Kubernetes-commit: 9ae79f965395047ed46de110b2b45f0a91083f43
2018-11-02 13:53:57 -04:00
Christoph Blecker
92e87e143a
Update gofmt for go1.11
...
Kubernetes-commit: 97b2992dc191a357e2167eff5035ce26237a4799
2018-10-05 12:59:38 -07:00