Commit Graph

47 Commits

Author SHA1 Message Date
Dr. Stefan Schimanski 4b46916a7b apiserver/authconfig: wire CEL compiler through lower layers to allow sharing
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

Kubernetes-commit: 4024390d8c8a19056ab7ced95eef5cce43c8096d
2024-09-20 12:34:08 +02:00
Mangirdas Judeikis 07be2984cd wire in ctx to rbac plugins
Kubernetes-commit: 4e4eb8c5c95652b4cbe672a02e4077a93d0bfe2d
2024-09-13 12:03:47 +03:00
David Eads f26d4ed894 add field and label selectors to authorization attributes
Co-authored-by: Jordan Liggitt <liggitt@google.com>

Kubernetes-commit: 92e3445e9d7a587ddb56b3ff4b1445244fbf9abd
2024-05-23 15:12:26 -04:00
Jordan Liggitt 4676a5aa43 Fix structured authorization webhook timeout wiring
Kubernetes-commit: c50f68d6eef33079e44f5cd8f658e8d08d09708d
2024-06-17 11:08:30 -04:00
Jordan Liggitt 9adb3ee3c0 Add authorization webhook duration/count/failopen metrics
Kubernetes-commit: 79b344d85e3e2f8f3192a3dcabb384cfe87136a6
2024-03-02 01:44:28 -05:00
Rita Zhang b7a30e3bfb add authz webhook matchcondition metrics
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Jordan Liggitt <liggitt@google.com>
Co-authored-by: Jordan Liggitt <liggitt@google.com>

Kubernetes-commit: e76fce75666beb2771dfa15a10700f18d2d15d85
2024-02-29 20:55:32 -08:00
Jordan Liggitt 4eacc8425d Plumb failure policy from config to webhook construction
Kubernetes-commit: 2e2f51a4417d93b5505091d28b319365dc95e137
2023-11-02 13:55:35 -04:00
Rita Zhang cca4910d25 authz: add cel expression to webhook matchconditions
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: 31c76e9abb22faaf833acd54ce75cc71465136e4
2023-10-06 17:47:23 -07:00
Davanum Srinivas 7e94033a61 Generate and format files
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: a9593d634c6a053848413e600dadbf974627515f
2022-07-19 20:54:13 -04:00
Monis Khan 2d35015235 webhook: use rest.Config instead of kubeconfig file as input
This change updates the generic webhook logic to use a rest.Config
as its input instead of a kubeconfig file.  This exposes all of the
rest.Config knobs to the caller instead of the more limited set
available through the kubeconfig format.  This is useful when this
code is being used as a library outside of core Kubernetes. For
example, a downstream consumer may want to override the webhook's
internals such as its TLS configuration.

Signed-off-by: Monis Khan <mok@vmware.com>

Kubernetes-commit: fef7d0ef1e1fbff65e8d445256036704bb9dbcbd
2021-07-23 11:15:47 -04:00
tanjing2020 4e2d5a4ec5 Replace with
Kubernetes-commit: 1a598798fca6f15f4e883368666e7d4d3565fcc6
2021-07-23 10:26:26 +08:00
Lukasz Szaszkiewicz 9ff2637133 adds metrics for authorization webhook
Kubernetes-commit: 4a2aef00d6dd2543b011aa7e5af28df598a0cd72
2021-03-17 16:30:40 +01:00
Abu Kashem 3ba02b7f93 handle webhook authenticator and authorizer error
webhook.WithExponentialBackoff returns an error, and the priority is:
- A: if the last invocation of the webhook function returned an error
  that error should be returned, otherwise
- B: the error associated with the context if it has been canceled or
  it has expired, or the ErrWaitTimeout returned by the wait package
  once all retries have been exhausted.

caller should check the error returned by webhook.WithExponentialBackoff
to handle both A and B. Currently, we only handle A.

Kubernetes-commit: ae2b353fbf519b29d168c534f88c373fd67a1c31
2021-01-07 16:14:18 -05:00
Abu Kashem 5254108841 make backoff parameters configurable for webhook
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.

Kubernetes-commit: 53a1307f68ccf6c9ffd252eeea2b333e818c1103
2020-10-30 11:25:32 -04:00
Davanum Srinivas 5879417a28 switch over k/k to use klog v2
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: 442a69c3bdf6fe8e525b05887e57d89db1e2f3a5
2020-04-17 15:25:06 -04:00
Jefftree f1c9537c7b pass Dialer instead of egressselector to webhooks
Kubernetes-commit: 1b38199ea8b220be0b645af8a4cbdef4c87ce7fc
2019-12-05 17:28:59 -08:00
Jefftree aa55f94611 authentication webhook via network proxy
Kubernetes-commit: d318e52ffe0ba156a96cb5507026de6827d543ca
2019-12-03 15:20:49 -08:00
Mike Danese 47a8e95ee2 migrate authenticator and authorizer to Create
Kubernetes-commit: 5954f34ade6b56d996ceaa46d403bbf07a164b9b
2020-02-10 10:57:24 -08:00
Mike Danese f7c2e26715 cleanup req.Context() and ResponseWrapper
Kubernetes-commit: 968adfa99362f733ef82f4aabb34a59dbbd6e56a
2020-01-27 18:52:27 -08:00
Mike Danese 5737088b7f refactor
Kubernetes-commit: d55d6175f8e2cfdab0b79aac72046a652c2eb515
2020-01-27 18:19:44 -08:00
Mike Danese 05faa1edc6 increase LRU cache size 8x for authorization webhook
1024 seems absurdly small for any normal deployment. At our 10000 byte
entry size limit, this will consume max ~80 MB of memory. More realistic
entry sizes are going to be less than a kB.

Kubernetes-commit: fb33b2f42a9621e65883c92a3cb49a278d14c6cc
2019-12-05 08:48:15 -08:00
Jordan Liggitt 52b3bfb8fa Switch kubelet/aggregated API servers to use v1 subjectaccessreviews
Kubernetes-commit: d54a70db5cfc0887e2f5177b0c3f795947be6eb4
2019-11-04 23:29:56 -05:00
shturec b054ff44ee custom retry strategy in GenericWebhook
Kubernetes-commit: 4877b0b7b50bdc3eaaadd3f968fd846c1396b708
2019-09-27 13:04:10 +03:00
Jordan Liggitt f4d60f9c20 Plumb context to webhook calls
Kubernetes-commit: b78edd86b8766b96278bcb46301f751d9e6e3631
2019-09-24 11:07:33 -04:00
Jordan Liggitt 0ca78287c0 Propagate context to ExponentialBackoff
Kubernetes-commit: 4c686ddc1c5f9bc5c28d711dd56551b1ac003faa
2019-09-24 09:43:04 -04:00
Jordan Liggitt d1d66bda16 Propagate context to Authorize() calls
Kubernetes-commit: 92eb072989eba22236d034b56cc2bf159dfb4915
2019-09-24 10:06:32 -04:00
Tim Allclair d206d4fa00 Apply caching limits to authorized requests too
Kubernetes-commit: d512173c86708ca83983c4307edd817a6bf109d5
2019-01-24 13:37:30 -08:00
Tim Allclair ece17ec3d2 Only check caller-controlled attribute size for max cache key
Kubernetes-commit: e23c15a0f348c87ee43e6e157731a69451f3db34
2019-01-03 13:33:59 -08:00
Tim Allclair 8368b6dc06 Don't cache rediculous subject access reviews
Kubernetes-commit: ea1b4eb2394a1ee5a3847f92382b30e32eee4d47
2018-10-26 13:18:06 -07:00
Davanum Srinivas 2710b17b80 Move from glog to klog
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
  * github.com/kubernetes/repo-infra
  * k8s.io/gengo/
  * k8s.io/kube-openapi/
  * github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods

Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135

Kubernetes-commit: 954996e231074dc7429f7be1256a579bedd8344c
2018-11-09 13:49:10 -05:00
Mikhail Mazurskiy 0ba502e8f9 Handle errors
Kubernetes-commit: 5cab7f9a57dbbd6e2a181018aae523235843f77d
2018-07-17 20:29:55 +10:00
David Eads c41d1d0993 simplify api registration
Kubernetes-commit: c5445d3c56e06ab366b9cca34bd69c5cc386ec47
2018-05-07 08:32:20 -04:00
David Eads bf8532c54e remove KUBE_API_VERSIONS
Kubernetes-commit: a68c57155e728b2782408cbab88ecee0444a4ba8
2018-04-25 16:07:15 -04:00
David Eads 88d943c0e6 eliminate indirection from type registration
Kubernetes-commit: e7fbbe0e3c91f34836b999e695aa133503cfdae5
2018-04-24 08:21:23 -04:00
halfcrazy 6f8c3a80da fix typo in package apiserver
Kubernetes-commit: 0da91a8577ddfdeaff985cbb6c0da69d5a2ffc81
2018-02-01 03:04:33 +08:00
Mike Danese c7a7912588 add deny to SAR API
Kubernetes-commit: 096da12fc4bf3c8b4003679d22f7228d3d178e54
2017-10-13 13:51:38 -07:00
Mike Danese 06a5d25846 move authorizers over to new interface
Kubernetes-commit: 12125455d84c75562e6dd6a183762549adff747f
2017-09-29 14:21:40 -07:00
xilabao a50d8a0b4f add selfsubjectrulesreview api
Kubernetes-commit: f14c1384387ac196e87334b5a0e05e01d7581387
2017-09-03 14:04:10 +00:00
Davanum Srinivas 7d27fa3fec Add missing UID in SubjectAccessReviewSpec
WebhookAuthorizer's Authorize should send *all* the information
present in the user.Info data structure. We are not sending the
UID currently.

Kubernetes-commit: 9a761b16c1558106800222dbc52f6ab03c40c64c
2017-08-29 13:13:50 +00:00
Chao Xu 8be42ee0d0 run hack/update-all
Kubernetes-commit: 60604f8818aecbc9c3736fbc32747cc0a535bc80
2017-06-28 00:14:31 +00:00
Chao Xu 81b7aaaa7d run root-rewrite-import-client-go-api-types
Kubernetes-commit: f2d3220a11111f86b2f481e70e3c1ca4f5896f44
2017-06-28 00:14:31 +00:00
Clayton Coleman 3cbbcf996a Move pkg/util/cache to apimachinery
Will be used by client-go as well

Kubernetes-commit: 529e627c8a4338d48cd2bf658303bac6fef6aaaa
2017-05-21 17:28:01 +00:00
Chao Xu e46eb82a82 remove invocation of k8s.io/client-go/pkg/api/install
change import of client-go/api/helper to kubernetes/api/helper

remove unnecessary use of client-go/api.registry

change use of client-go/pkg/util to kubernetes/pkg/util

remove dependency on client-go/pkg/apis/extensions

remove unnecessary invocation of k8s.io/client-go/extension/intsall

change use of k8s.io/client-go/pkg/apis/authentication to v1

Kubernetes-commit: c354076aa41e3cf417b291d5f0eff2b70395ac30
2017-05-13 17:27:42 +00:00
Chao Xu e84e32eaa5 remove references to client-go/pkg/api
Kubernetes-commit: d978f22e04519f6eecfde839110c398dc28d4e8e
2017-05-03 20:36:26 +00:00
linyouchong 82c37fb374 update kubeconfig document url in comments
Kubernetes-commit: 506b88e07064efb2cd85361b9ffb26b96f8ad010
2017-03-31 20:37:15 +00:00
deads2k 2770a87575 stop hardcoding api registry and codecs in webhook 2017-01-27 08:47:01 -05:00
Dr. Stefan Schimanski 0d74915b2b genericapiserver: move authz webhook plugins into k8s.io/apiserver 2017-01-25 07:42:18 -05:00