Commit Graph

6608 Commits

Author SHA1 Message Date
Kubernetes Publisher 51262c6edb Merge pull request #123477 from ritazh/automated-cherry-pick-of-#123003-upstream-release-1.28
Automated cherry pick of #123003: bugfix: don't skip reconcile for unchanged policy if last sync

Kubernetes-commit: 2c184e444f7878bf1f017ed29e59c52f41bebe2e
2024-07-29 14:18:22 +00:00
Kubernetes Publisher f0e8082184 Merge pull request #126150 from xyz-li/cherrpick-125145-128
cherry pick of #125145 apiserver fix watch namespace

Kubernetes-commit: 36fab93866e8e06d950303e6198fa1d3b10fed4e
2024-07-29 14:18:19 +00:00
xyz-li c0f4484e0c apiserver: fix watch namespace
For requests like '/api/v1/watch/namespaces/*', don't set scope.namespace,
because the func `addWatcher` adds a watcher to allWatchers with a non-empty `scope.namespace`,
but the function `dispatchEvent` dispatches the event with an empty namespace.

Signed-off-by: xyz-li <hui0787411@163.com>

Kubernetes-commit: 2b601dad708d21278fe76fc094a08557459ac71c
2024-05-27 17:48:49 +08:00
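The key mismatch the commit above describes, as an added example that is not the cacher's own code: a toy watcher index keyed by (namespace, name), a buggy and a fixed scope parser for the watch path, and a dispatch that looks the event up by the object's own metadata. `namespacedName`, `watcherIndex`, `scopeFor` and the path handling are constructed for this example; a Namespace object is cluster-scoped, so its metadata.namespace is empty and a watcher filed under namespace "foo" is never found.

```go
package main

import (
	"fmt"
	"strings"
)

// namespacedName is the key of the per-object watcher index. The shape follows
// the commit's description (scope.namespace vs. the event's namespace); it is a
// constructed model, not the cacher's own code.
type namespacedName struct{ namespace, name string }

type watcher struct {
	id       int
	received []string
}

type watcherIndex map[namespacedName][]*watcher

// addWatcher files a watcher under the namespace/name taken from the request scope.
func (idx watcherIndex) addWatcher(w *watcher, scopeNamespace, scopeName string) {
	k := namespacedName{scopeNamespace, scopeName}
	idx[k] = append(idx[k], w)
}

// dispatchEvent keys the lookup by the object's own metadata: the exact object,
// its whole namespace, and cluster-wide. A Namespace object is cluster-scoped,
// so its metadata.namespace is "" and only the empty-namespace keys are consulted.
func (idx watcherIndex) dispatchEvent(objNamespace, objName, ev string) int {
	keys := []namespacedName{{objNamespace, objName}, {objNamespace, ""}}
	if objNamespace != "" {
		keys = append(keys, namespacedName{"", ""})
	}
	delivered := 0
	for _, k := range keys {
		for _, w := range idx[k] {
			w.received = append(w.received, ev)
			delivered++
		}
	}
	return delivered
}

// scopeFor derives the watch scope from a /api/v1/watch/... path. With
// fixed=false it reproduces the bug: the segment after "namespaces" is always
// taken as the namespace, even when the request watches one Namespace object.
func scopeFor(path string, fixed bool) (namespace, name string) {
	parts := strings.Split(strings.TrimPrefix(path, "/api/v1/watch/"), "/")
	if len(parts) < 2 || parts[0] != "namespaces" {
		return "", ""
	}
	if len(parts) == 2 {
		// /api/v1/watch/namespaces/{name}: the Namespace object itself.
		if fixed {
			return "", parts[1]
		}
		return parts[1], ""
	}
	// /api/v1/watch/namespaces/{ns}/{resource}[/{name}]
	if len(parts) >= 4 {
		name = parts[3]
	}
	return parts[1], name
}

// deliveriesForNamespaceWatch registers a watch on Namespace "foo" and
// dispatches a MODIFIED event for it; returns how many watchers saw it.
func deliveriesForNamespaceWatch(fixed bool) int {
	idx := watcherIndex{}
	ns, name := scopeFor("/api/v1/watch/namespaces/foo", fixed)
	idx.addWatcher(&watcher{id: 1}, ns, name)
	return idx.dispatchEvent("", "foo", "MODIFIED Namespace/foo")
}

// deliveriesForPodWatch shows that the namespaced case is unaffected either way.
func deliveriesForPodWatch(fixed bool) int {
	idx := watcherIndex{}
	ns, name := scopeFor("/api/v1/watch/namespaces/foo/pods/web", fixed)
	idx.addWatcher(&watcher{id: 2}, ns, name)
	return idx.dispatchEvent("foo", "web", "MODIFIED Pod/foo/web")
}

func main() {
	for _, fixed := range []bool{false, true} {
		fmt.Printf("fixed=%-5v namespace watch delivered=%d, pod watch delivered=%d\n",
			fixed, deliveriesForNamespaceWatch(fixed), deliveriesForPodWatch(fixed))
	}
}
```

The invariant worth checking in any such index is that the key computed at registration time is built from the same fields as the key computed at dispatch time; here the registration side used the URL shape while the dispatch side used object metadata, and the two disagree exactly for cluster-scoped resources whose name happens to sit in the "namespaces" path segment.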
Kubernetes Publisher 4f57204264 Merge pull request #125025 from wojtek-t/automated-cherry-pick-of-#122027-upstream-release-1.28
Automated cherry pick of #122027: Don't sort under lock

Kubernetes-commit: d1f78930639adac7b578a334aa65bd5b9f10d430
2024-05-22 00:21:20 -07:00
Alexander Zielenski 61d2454447 bugfix: don't skip reconcile for unchanged policy if last sync failed
Kubernetes-commit: 4f3a79be1f85f2f433e8d26c9f7765a5840bc0d7
2024-01-26 18:57:30 -08:00
Wojciech Tyczyński ac6b7d920a Don't sort under lock
Kubernetes-commit: c92678f3ceda2b5156eae94931351243b4f77e63
2023-11-23 18:13:43 +01:00
Kubernetes Publisher 838ca3fa2f Merge pull request #124804 from seantywork/automated-cherry-pick-of-#124662-upstream-release-1.28
Automated cherry pick of #124662: Updated & added visibility to apiserver x509 test

Kubernetes-commit: 51e3d5dfdc8792f2770e751d80953c2d389f280c
2024-05-21 01:00:11 -07:00
Taehoon Yoon 1ef43be5d7 Updated & added visibility to apiserver x509 test certificates expiring this year
Kubernetes-commit: d0167db0f4b587cea4433ac564f9b2dd58e3ff90
2024-05-02 23:22:55 +00:00
Kubernetes Publisher c2bb8b1287 Merge pull request #124293 from dims/automated-cherry-pick-of-#124283-upstream-release-1.28
Automated cherry pick of #124283: Rename `cluster` to `storage_cluster_id` for

Kubernetes-commit: 73dadc3b15efe6074b03b3f322bc33809abe31da
2024-05-10 01:07:04 -07:00
Davanum Srinivas 224cfcbb09 Rename `cluster` to `storage_cluster_id` for apiserver_storage_size_bytes metric
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: ef5b2c7a89186a798ace210f6da7c549b13e4866
2024-04-11 15:06:03 -04:00
Kubernetes Publisher b858ff828c Merge pull request #124179 from MadhavJivrajani/bump-x-net-2023-45288-128
[CVE-2023-45288][1.28] Bump x/net to v0.23.0

Kubernetes-commit: 86b2c8c37de0f2b8b358b4691d2aa03bd3eda7b3
2024-04-04 16:44:22 +00:00
Madhav Jivrajani b0bc62763c [CVE-2023-45288] .*: bump x/net to v0.23.0
Co-authored-by: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>

Kubernetes-commit: af92f0441687c94b95b3a1c86f8af4f165aa7a61
2024-04-04 14:13:20 +05:30
Kubernetes Publisher f2e31f826c Merge pull request #124006 from serathius/consistent-watch-from-etcd-1.28
Cherry-pick of #123935: Serve watch without resourceVersion from cache and introduce a WatchFromStorageWithoutResourceVersion feature gate to allow serving watch from storage.

Kubernetes-commit: 21db079e14fe1f48c75b923ab9635f7dbf2a86ce
2024-03-21 00:51:45 +00:00
Marek Siarkowicz 0bc2adb2d7 Serve watch without resourceVersion from cache and introduce a WatchFromStorageWithoutResourceVersion feature gate to allow serving watch from storage.
Kubernetes-commit: d32c7d007700d4137a988bdf36e4d16a49a0d124
2024-03-14 15:20:29 +01:00
Kubernetes Publisher 3df21bbd9e Merge pull request #123694 from mengqiy/automated-cherry-pick-of-#123532-upstream-release-1.28
Automated cherry pick of #123532: Prevent watch cache starvation, by moving its watch to

Kubernetes-commit: 643ce7f8ddd9fa025faeb61176dcc61b510bc038
2024-03-08 12:46:40 +00:00
Kubernetes Publisher 635e701fbc Merge pull request #123764 from liggitt/proto-1.28
[1.28][CVE-2024-24786] Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0

Kubernetes-commit: 25d9edca2cbfb75c2ee84ea8be01b14d50d7ead4
2024-03-07 19:41:42 +00:00
Jordan Liggitt 1b129108e8 [CVE-2024-24786] Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0
Kubernetes-commit: 7889bca8b327399bf390cc3d31dd084072c2adf0
2024-03-06 10:47:48 -05:00
Marek Siarkowicz 553b06f148 Test that separation of streams work by using progress notifies
Kubernetes-commit: 4fbf9a22a6e475d48c48b9aef1520b2a39b8d655
2024-02-29 17:51:46 +01:00
Marek Siarkowicz c7a8f4062d Prevent watch cache starvation, by moving its watch to separate RPC and add a SeparateCacheWatchRPC feature flag to disable this behavior
Kubernetes-commit: 1792c73a2811507ba02d1db2adb231220fce3afd
2024-02-27 11:25:42 +01:00
Kubernetes Publisher d6d0e36719 Merge pull request #122516 from jiahuif-forks/automated-cherry-pick-of-#121624-upstream-release-1.28
Automated cherry pick of #121624: use context for lazy evaluation.

Kubernetes-commit: 90d8a060c0667f4465bdf955010ec30c4158e970
2024-01-13 01:42:20 +00:00
Kubernetes Publisher ab4e09f2cb Merge pull request #122513 from Swizzmaster/automated-cherry-pick-of-#120090-upstream-release-1.28
Automated cherry pick of #120090: Handle edge cases in seat demand stats

Kubernetes-commit: b2fb9812aff249ccce6ba38fcdaabfc48a377462
2024-01-11 18:13:13 +00:00
Kubernetes Publisher ad397e52aa Merge pull request #122428 from MadhavJivrajani/tools-bump-128
[1.28][go1.22] .*: bump golang.org/x/tools to v0.16.1

Kubernetes-commit: 7d018be572572d17d8e51528c2c9324c219f884b
2024-01-10 18:30:00 +00:00
Madhav Jivrajani e0a520ca79 .*: bump golang.org/x/tools to v0.16.1
Bumping tools to include the fix for a nil pointer
deref error in go/types. See golang/go#64812
for more details.

This fix is needed for when we bump to go1.22.

Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>

Kubernetes-commit: ad5cf74325652795717d80940e0e04ed5b7c047d
2023-12-21 11:08:40 +05:30
Kubernetes Publisher 91bff96d31 Merge pull request #121006 from tkashem/automated-cherry-pick-of-#119385-#120222-upstream-release-1.28
Automated cherry pick of #119385: apiserver: add flow control metric current_inqueue_seats
#120222: apf: use context for queue wait

Kubernetes-commit: 1d7fc30de9e387deb3e08d79820023a9a7043a2f
2023-12-14 13:39:20 +00:00
Kubernetes Publisher 499722b408 Merge pull request #122096 from ritazh/automated-cherry-pick-of-#119825-upstream-release-1.28
Automated cherry pick of #119825: Move adding GroupVersion log until after an update is

Kubernetes-commit: a37653d0f89ddacecd246bc1ffcc83c0330f2c17
2023-11-29 13:03:32 +01:00
Jiahui Feng 8f41261b7d use context for lazy evaluation.
Kubernetes-commit: 435b74180e8ac781629b003d5c40070f97eb108e
2023-10-30 11:29:57 -07:00
Abu Kashem 8613c4d422 apf: request ejected from queue should use reason 'time-out'
Kubernetes-commit: a41240a274543195dd5f0e075eda7386524343af
2023-08-29 16:30:02 -04:00
Abu Kashem cf25a2f79a apf: remove RequestWaitLimit from queueset config
Kubernetes-commit: 165d5b741950b5c0a63b149d6f9c1db9231e6578
2023-08-29 12:11:08 -04:00
Abu Kashem 29ab0c28c6 apf: remove timeoutOldRequestsAndRejectOrEnqueueLocked function
Kubernetes-commit: 0377a5b98d907db33b9409a6f418283dc161e1e3
2023-08-28 17:26:11 -04:00
Abu Kashem 9c1239eb7e apf: use context for queue wait
Kubernetes-commit: 7104af1d6be7e801688b9c9e13fa27fe1ad8b4dc
2023-08-28 17:01:16 -04:00
Mike Spreitzer 98a2826223 Handle edge cases in seat demand stats
Signed-off-by: Mike Spreitzer <mspreitz@us.ibm.com>

Kubernetes-commit: d3e3a59800789a6983e5ed6c110eaa87b3956ceb
2023-08-21 15:26:38 -04:00
Jefftree bde072a727 Move adding GroupVersion log until after an update is confirmed
Kubernetes-commit: 4fe29d69f8e50ce611a503040b80881a773642fd
2023-08-08 14:28:54 +00:00
Kubernetes Publisher f90338af1e Merge pull request #121545 from dims/automated-cherry-pick-of-#121364-upstream-release-1.28
Automated cherry pick of #121364: bump golang.org/grpc to v1.56.3

Kubernetes-commit: 197e7579adb1bf180617bd3becc2aa4dcceb5291
2023-11-01 14:03:40 +00:00
Jonathan Gonzalez V 8e79124b52 bump golang.org/grpc to v1.56.3
Bumping golang.org/grpc in light of CVE-2023-44487.

Signed-off-by: Jonathan Gonzalez V <jonathan.abdiel@gmail.com>

Kubernetes-commit: 93b91ceea8609012bb6291a4c1f65db3dab4eeb9
2023-10-19 14:58:49 -03:00
Kubernetes Publisher 1ebb1031f2 Merge pull request #121204 from enj/automated-cherry-pick-of-#121203-upstream-release-1.28
Automated cherry pick of #121203: Skip TestUnauthenticatedHTTP2ClientConnectionClose http1

Kubernetes-commit: 33523303c991b545075c4b471f45d6d601f30090
2023-10-13 02:25:30 +02:00
Monis Khan afde85cbf8 Skip TestUnauthenticatedHTTP2ClientConnectionClose http1 tests
These occasionally flake on CI:

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312

=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
    authentication_test.go:653: expect TCP connection: 1, actual: 2
        --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
    --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 9fa4bdfc537966db198029381c64a9eed3545726
2023-10-12 19:13:07 -04:00
Kubernetes Publisher 8efa5e2be4 Merge pull request #121196 from enj/automated-cherry-pick-of-#121120-upstream-release-1.28
Prevent rapid reset http2 DOS on API server (disabled by default)

Kubernetes-commit: 51b96deeba61fdc6d590f58a37dd7b6d61c936ac
2023-10-12 23:41:12 +00:00
Monis Khan 11df348a2d Disable UnauthenticatedHTTP2DOSMitigation by default
This makes backports safer by not changing any default behavior.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 0f33a62f9768cf7120d93b74015f5bde3df9a477
2023-10-12 17:50:33 -04:00
Monis Khan 850deeb40c Prevent rapid reset http2 DOS on API server
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
b225e7ca6d
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 238d89c9a068dcd7ab994be1b3e646ce8d296ef8
2023-10-07 21:50:37 -04:00
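The mitigation described in the commit above, as an added example that is not the apiserver's own filter code: an `http.Handler` wrapper that, for a request which is either rejected with 401 or attributed to the anonymous user, and only when it arrived over HTTP/2, sets `Connection: close` on the response. Go's HTTP/2 server honors that header by sending GOAWAY after the response, which is what degrades such a client to one request per TCP connection. `userInfo`, `authenticate` (a single fixed bearer token) and the `enabled` boolean standing in for the UnauthenticatedHTTP2DOSMitigation feature gate are assumptions made for this example; the max-streams setting the commit mentions is server configuration and is not shown here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// userInfo stands in for the user.Info the apiserver's authenticator returns
// (hypothetical type, constructed for this example).
type userInfo struct {
	Name   string
	Groups []string
}

// isAnonymous follows the apiserver convention that a request carrying no
// credentials is attributed to "system:anonymous" in group "system:unauthenticated".
func isAnonymous(u *userInfo) bool {
	if u == nil || u.Name == "system:anonymous" {
		return true
	}
	for _, g := range u.Groups {
		if g == "system:unauthenticated" {
			return true
		}
	}
	return false
}

// authenticate is a toy authenticator: one fixed bearer token is a known user,
// anything else fails (constructed; not the apiserver's authenticator chain).
func authenticate(r *http.Request) (*userInfo, bool) {
	if r.Header.Get("Authorization") == "Bearer example-token" {
		return &userInfo{Name: "alice", Groups: []string{"system:authenticated"}}, true
	}
	return nil, false
}

// withUnauthenticatedHTTP2Mitigation is the filter. For an unauthenticated
// (401 or anonymous) HTTP/2 request it sets "Connection: close"; Go's HTTP/2
// server answers that by sending GOAWAY after the response, so the client gets
// one request per TCP connection, i.e. http1 with keep-alive disabled.
// `enabled` plays the role of the UnauthenticatedHTTP2DOSMitigation gate.
func withUnauthenticatedHTTP2Mitigation(enabled bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := authenticate(r)
		if enabled && r.ProtoMajor == 2 && (!ok || isAnonymous(u)) {
			w.Header().Set("Connection", "close")
		}
		if !ok {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe runs one request through the filter and reports the status and
// whether the response asked the client to drop the connection.
func probe(enabled bool, protoMajor int, token string) (status int, closeConn bool) {
	h := withUnauthenticatedHTTP2Mitigation(enabled, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/v1/pods", nil)
	if protoMajor == 2 {
		req.Proto, req.ProtoMajor, req.ProtoMinor = "HTTP/2.0", 2, 0
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Connection") == "close"
}

func main() {
	cases := []struct {
		enabled bool
		proto   int
		token   string
	}{
		{true, 2, ""},              // unauthenticated over HTTP/2: connection closed
		{true, 2, "example-token"}, // authenticated over HTTP/2: connection kept
		{true, 1, ""},              // unauthenticated over HTTP/1.1: nothing to do
		{false, 2, ""},             // gate off: unauthenticated HTTP/2 left alone
	}
	for _, c := range cases {
		status, closeConn := probe(c.enabled, c.proto, c.token)
		fmt.Printf("gate=%-5v HTTP/%d token=%q -> %d close=%v\n", c.enabled, c.proto, c.token, status, closeConn)
	}
}
```

The check worth keeping in mind when deploying this is the one the commit itself raises: if an L7 load balancer multiplexes many client connections onto one backend HTTP/2 connection, the GOAWAY tears down that shared backend connection, so the gate is the right knob to turn off in that topology rather than patching the filter.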
Kubernetes Publisher e874526043 Merge pull request #121128 from MadhavJivrajani/bump-x-net-128
[1.28][CVE-2023-39325] .: bump golang.org/x/net to v0.17.0

Kubernetes-commit: f86a84670e550f31e04df95bd32b0cf035629a0d
2023-10-12 12:35:03 +00:00
Madhav Jivrajani ffd1c5cc39 .: bump golang.org/x/net to v0.17.0
Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.

Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>

Kubernetes-commit: 1cd2ac99542ad0b9f82e3c0177ed3c3e18465136
2023-10-11 03:44:03 +05:30
Kubernetes Publisher d48ffca130 Merge pull request #120544 from ritazh/kmsv2-reload-bugbackport
kmsv2: reload metrics bug fix backport

Kubernetes-commit: de7e8547c80bf07fdb0b6ce014a6c6bc129f85c9
2023-09-26 06:32:01 +00:00
Kubernetes Publisher ef77af0aff Merge pull request #120587 from pacoxu/automated-cherry-pick-of-#119824-upstream-release-1.28
Automated cherry pick of #119824: fix race on etcd client constructor for healthchecks

Kubernetes-commit: abb24c300888e7a1a9443c49153b21684524f1ce
2023-09-14 01:46:27 -07:00
Rita Zhang 7577990279 kmsv2: reload metrics bug fix backport
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: 2480fce67f5f59bda73c2053090f0abb52065cbf
2023-09-09 16:00:07 -07:00
Antonio Ojea 14a9184493 fix race on etcd client constructor for healthchecks
Change-Id: Id29b5b377989dcb5377316cfcdea367071a47365

Kubernetes-commit: 47507f9f022b0a5b6f6b1171aa0ad7872177eba3
2023-08-08 13:55:14 +00:00
Kubernetes Publisher 7e09bf3509 Merge pull request #119807 from jpbetz/automated-cherry-pick-of-#119800-origin-release-1.28
Automated cherry pick of #119800: Fixes CEL estimated cost to propagate result sizes correctly

Kubernetes-commit: ab3cebfdb2cd1054f34f4287a757755810ede009
2023-09-06 19:37:30 +00:00
Kubernetes Publisher bf038b7f38 Merge pull request #120329 from liggitt/automated-cherry-pick-of-#120327-upstream-release-1.28
Automated cherry pick of #120327: Revert to json-patch 4.12.0

Kubernetes-commit: 797b3cf45ec77becceb7d6ae4deb6f6b293fdbf5
2023-09-04 11:46:07 +00:00
Jordan Liggitt efed843810 Revert to json-patch 4.12.0
Kubernetes-commit: 8c7c4f3fc4dcabb1ab2c004b42ff91ebf2e78ede
2023-08-31 19:01:37 -04:00
Kubernetes Publisher 3735a002de Merge pull request #120155 from divyasri537/automated-cherry-pick-of-#120087-upstream-release-1.28
Automated cherry pick of #120087: Incorporating feedback on 119341

Kubernetes-commit: fa14335ea5e842444acc318d70401a09851cdfa1
2023-08-25 08:20:52 -07:00
Joe Betz 915c09dbda check for overflow
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>

Kubernetes-commit: 175bbaa8894a683cb7ba09f1e36160bc187840e4
2023-08-22 10:02:10 -07:00