2c968342df
oidc authentication: email_verified claim is not required for JWT validation
...
Kubernetes-commit: 1f25319077f9b371440a66eebbd3d1e0edcbfda9
2018-03-21 16:15:17 -07:00
f5c57057ab
remove unused code authenticator/password/allow
...
Kubernetes-commit: bf44c29932711c27d4b64e2443627fd16e809119
2018-03-15 17:14:28 +08:00
0e5b010b14
[advanced audit]fix comment about throttle burst
...
Kubernetes-commit: c6f72c20d121a8f4e161d490af0aa2db48e05caf
2018-03-09 18:07:04 +08:00
627fa76a8b
sync: initially remove files BUILD */BUILD BUILD.bazel */BUILD.bazel
2018-03-15 09:38:17 +00:00
d89e8e9460
Fix default auditing options.
...
- Log backend defaults to blocking mode (backwards compatability)
- Fix webhook validation
- Add options test
Kubernetes-commit: e004257919d779d56f27ad84c7f33799cc7ab580
2018-03-02 15:16:37 -08:00
6466b038b4
fix option --audit-webhook-initial-backoff
...
Before this change, --audit-webhook-initial-backoff has no effect
Kubernetes-commit: 5bc5cd1b2ccb0b9fb5e652b579b4fb379428cb56
2018-03-10 17:44:20 +08:00
d75d797054
oidc: add rithujohn191 as a reviewer
...
Kubernetes-commit: 3561f23128a35a53256e541776eea1a7c3437c11
2018-03-05 10:44:33 -08:00
9169f6d300
Add buffering to the log audit backend
...
Signed-off-by: Mik Vyatskov <vmik@google.com>
Kubernetes-commit: 881e6d4f6f905079b2c27299e7b631b6903b6815
2018-02-22 19:52:33 +01:00
054769c183
Introduce buffered audit backend
...
Signed-off-by: Mik Vyatskov <vmik@google.com>
Kubernetes-commit: 3f0e49aea430c30f4539d34c0f93486fd451d073
2018-02-20 15:25:46 +01:00
ee1578474d
bump(github.com/coreos/go-oidc): 065b426bd41667456c1a924468f507673629c46b
...
Kubernetes-commit: 379af0405c318de9a009e339ee03a1d8ab0cde2f
2018-01-19 11:18:27 -08:00
94fd51cf3a
oidc authentication: generate testdata and delete old test packages
...
Kubernetes-commit: 2d8cb9c4ad9a792ccfe5066f55e725ca50c77330
2018-01-19 11:15:38 -08:00
1acdd69460
oidc authentication: switch to v2 of coreos/go-oidc
...
Kubernetes-commit: 48c6d1abf5de6ac8167bbe3af07963ceb91a6716
2018-01-19 11:14:05 -08:00
1ab12b2dc8
Autogenerated: hack/update-bazel.sh
...
Kubernetes-commit: ef56a8d6bb3800ab7803713eafc4191e8202ad6e
2018-02-16 13:43:01 -08:00
650e119954
Remove experimental keystone authenticator
...
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559c5c0ab8a2e50b1ee11cc62f9ebb3a8
So we don't need this older style / hard coded / experimental code
anymore.
Kubernetes-commit: 18590378c4491eacdea5cd05f98c92fe84020263
2018-02-07 13:17:29 -05:00
6f8c3a80da
fix typo in package apiserver
...
Kubernetes-commit: 0da91a8577ddfdeaff985cbb6c0da69d5a2ffc81
2018-02-01 03:04:33 +08:00
c8a97ee31a
Autogenerate BUILD files
...
Kubernetes-commit: efee0704c60a2ee3049268a41535aaee7f661f6c
2017-12-23 13:06:26 -08:00
8977dcee4a
Make audit batch webhook backend configurable
...
Signed-off-by: Mik Vyatskov <vmik@google.com>
Kubernetes-commit: 7e717ef3a6a57d31251ccee94d9e2dd29a70c27b
2017-11-30 18:47:48 +01:00
c7a7912588
add deny to SAR API
...
Kubernetes-commit: 096da12fc4bf3c8b4003679d22f7228d3d178e54
2017-10-13 13:51:38 -07:00
06a5d25846
move authorizers over to new interface
...
Kubernetes-commit: 12125455d84c75562e6dd6a183762549adff747f
2017-09-29 14:21:40 -07:00
f4dbe23125
update BUILD files
...
Kubernetes-commit: aee5f457dbfd70c2d15c33e392dce6a3ca710116
2017-10-12 13:52:10 -07:00
f7e881914a
support micro time for advanced audit
...
Kubernetes-commit: 817bc6954ca9af02013fd8f492f8ef865c217b0d
2017-09-25 11:56:30 +08:00
29522c33dc
Add throttling to the batching audit webhook
...
Signed-off-by: Mik Vyatskov <vmik@google.com>
Kubernetes-commit: 6bce120a11782caad7ea477aaaafe3ba31f797d1
2017-10-05 23:19:45 +02:00
bddf432ba6
Adjust defaults of audit webhook backends
...
Signed-off-by: Mik Vyatskov <vmik@google.com>
Kubernetes-commit: 5f4ff9f28341d58a4a905a0e86742aa6c90e81bf
2017-10-05 23:18:55 +02:00
5d22e67a97
enhance unit tests of advance audit feature
...
This change does three things:
1. use auditinternal for unit test in filter stage
2. add a seperate unit test for Audit-ID http header
3. add unit test for audit log backend
Kubernetes-commit: c030026b544da2dd7ef7201019bdc0ac255c2d23
2017-09-09 21:44:30 +00:00
8a6b3f7f2e
oidc auth: make the OIDC claims prefix configurable
...
Add the following flags to control the prefixing of usernames and
groups authenticated using OpenID Connect tokens.
--oidc-username-prefix
--oidc-groups-prefix
Kubernetes-commit: 1f8ee7fe13490a8e8e0e7801492770caca9f9b5c
2017-09-04 14:03:47 +00:00
3c2866020c
Switch audit output to v1beta1
...
Kubernetes-commit: f3487f08c6c2444adde9ba110263c9132769332b
2017-09-03 14:04:14 +00:00
b4c851a534
generated
...
Kubernetes-commit: ed8adf6e51d76b3652be3b433b2dab590f1ff1f0
2017-09-03 14:04:11 +00:00
a50d8a0b4f
add selfsubjectrulesreview api
...
Kubernetes-commit: f14c1384387ac196e87334b5a0e05e01d7581387
2017-09-03 14:04:10 +00:00
cbc6b83455
remove dead code for cloner
...
I found some dead code in audit webhook backend.
This change do some clean work for: 2bbe72d4e0
2017-08-29 13:16:15 +00:00
24a3b34c79
audit: disable new v1beta1 types until incompatible changes are done
...
Kubernetes-commit: 1dc251a1604b1576258f123ac8dd8390bba2e4a9
2017-08-29 13:16:13 +00:00
24b54db39e
run hack/update-all.sh
...
Kubernetes-commit: 0410221c3fec1a54cde05104b92e44e13cddc77a
2017-08-29 13:16:13 +00:00
3468d049a7
upgrade advanced audit to v1beta1
...
Kubernetes-commit: f4e8b8f1464e588306d5c1c4ffdc1a6cb1e9313b
2017-08-29 13:16:13 +00:00
04aa1e08ec
Implement batching audit webhook graceful shutdown
...
Kubernetes-commit: 7798d32fc787d79da617914259d9285e558054f7
2017-08-29 13:16:12 +00:00
86ef841256
apiservers: add synchronous shutdown mechanism on SIGTERM+INT
...
Kubernetes-commit: 11b25366bc7bfe2ad273c8bf9c332fd9d233bffc
2017-08-29 13:16:11 +00:00
6c539a43c6
Use buildozer to delete licenses() rules except under third_party/
...
Kubernetes-commit: a7f49c906df816123e7d4ccbd4cebab411519465
2017-08-29 13:15:24 +00:00
6caa2933ae
Use buildozer to remove deprecated automanaged tags
...
Kubernetes-commit: 33276f06be5e872bf53ca62a095fcf0a6b6c11a8
2017-08-29 13:15:24 +00:00
44942b068a
Run hack/update-bazel.sh to generate BUILD files
...
Kubernetes-commit: 3579017b865ddbc5449d6bba87346f086e4b93ff
2017-08-29 13:13:51 +00:00
7d27fa3fec
Add missing UID in SubjectAccessReviewSpec
...
WebhookAuthorizer's Authorize should send *all* the information
present in the user.Info data structure. We are not sending the
UID currently.
Kubernetes-commit: 9a761b16c1558106800222dbc52f6ab03c40c64c
2017-08-29 13:13:50 +00:00
008d37c785
fix typo
...
Kubernetes-commit: 6c7aef07cbdea73a9c7eabb48a668f9dfba0210b
2017-07-28 13:56:11 +00:00
6fb062b0b3
*: remove --insecure-allow-any-token option
...
e2e and integration tests have been switched over to the tokenfile
authenticator instead.
```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```
Kubernetes-commit: e2f2ab67f29d3e859e0b3e6668d8d770d93132fc
2017-07-28 13:56:11 +00:00
e24df9a2e5
Update generated code
...
Kubernetes-commit: 8dd0989b395b29b872e1f5e06934721863e4a210
2017-07-19 03:49:08 +00:00
42619eca71
deepcopy: misc fixes for static deepcopy compilation
...
- port direct calls to deepcopy funcs
- apimachinery: fix types in unstructured converter test
- federation: fix deepcopy registration
Kubernetes-commit: 2bbe72d4e09f7c95e1ad851187d4733a54644fbe
2017-07-19 03:49:08 +00:00
8304eb8a20
audit: fix deepcopy registration
...
Kubernetes-commit: ad23081273785668ee2520e5349cf0b05f64e41f
2017-07-16 04:08:41 +00:00
8bc6800aeb
support json output for log backend of advanced audit
...
Kubernetes-commit: bc94370e9cbf3e54dc7dab1dbfc7404815eafb4c
2017-07-16 04:08:41 +00:00
d0c809bf05
remove unused function and variable from audit backend
...
Kubernetes-commit: 00e871a84623c3e2565270604255e5467eaada8d
2017-07-05 08:39:50 +00:00
8be42ee0d0
run hack/update-all
...
Kubernetes-commit: 60604f8818aecbc9c3736fbc32747cc0a535bc80
2017-06-28 00:14:31 +00:00
81b7aaaa7d
run root-rewrite-import-client-go-api-types
...
Kubernetes-commit: f2d3220a11111f86b2f481e70e3c1ca4f5896f44
2017-06-28 00:14:31 +00:00
9b573e7060
Remove extra empty lines from log
...
remove extra "\n" from Everything()
Kubernetes-commit: 3816b6fde565720ac09177d30fb63d718dca8692
2017-06-13 20:47:33 +00:00
91a3addb8d
Instrument advanced auditing
...
Kubernetes-commit: b77c8198f002f9a9c7bdca11d28cac1710bbb185
2017-06-13 20:47:30 +00:00
be1a712a68
apiserver: add a webhook implementation of the audit backend
...
Kubernetes-commit: a88e0187f9f6083ed68d18e939a776c44c728e4b
2017-06-13 20:47:30 +00:00
a177d01bf0
audit: uniform 2 or 3 events for short/long running requests
...
Kubernetes-commit: 548f7be8fa10b6cbedcf179af088536e76a6c0e3
2017-06-13 20:47:29 +00:00
94ea219615
Update bazel
...
Kubernetes-commit: 9fdc36a47ada0bc34ee53b68edd085d368ed9012
2017-06-13 20:47:28 +00:00
f7d766d92d
audit: add audit event to the context and fill in handlers
...
Kubernetes-commit: 0b5bcb021932355b3ff7c2b45fb579f4adad84bf
2017-06-13 20:47:28 +00:00
3cbbcf996a
Move pkg/util/cache to apimachinery
...
Will be used by client-go as well
Kubernetes-commit: 529e627c8a4338d48cd2bf658303bac6fef6aaaa
2017-05-21 17:28:01 +00:00
3ffeae2ff7
hack/update-bazel.sh
...
Kubernetes-commit: 14045d253d11c801ad94f0928cb9b13a224ee18f
2017-05-13 17:27:43 +00:00
e46eb82a82
remove invocation of k8s.io/client-go/pkg/api/install
...
change import of client-go/api/helper to kubernetes/api/helper
remove unnecessary use of client-go/api.registry
change use of client-go/pkg/util to kubernetes/pkg/util
remove dependency on client-go/pkg/apis/extensions
remove unnecessary invocation of k8s.io/client-go/extension/intsall
change use of k8s.io/client-go/pkg/apis/authentication to v1
Kubernetes-commit: c354076aa41e3cf417b291d5f0eff2b70395ac30
2017-05-13 17:27:42 +00:00
e84e32eaa5
remove references to client-go/pkg/api
...
Kubernetes-commit: d978f22e04519f6eecfde839110c398dc28d4e8e
2017-05-03 20:36:26 +00:00
2aab760a2a
autogenerated
...
Kubernetes-commit: a05c3c0efdc5822049e34b1a5a1ee259c5fb1906
2017-04-15 20:35:23 +00:00
bf70084dea
Ensure invalid username/password returns 401 error, not 403
...
If a user attempts to use basic auth, and the username/password combination
is rejected, the authenticator should return an error. This distinguishes
requests that did not provide username/passwrod (and are unauthenticated
without error) from ones that attempted to, and failed.
Kubernetes-commit: 0ec585c1395a6e380ca36fb33c6842b7aca0ea4b
2017-04-08 20:35:19 +00:00
82c37fb374
update kubeconfig document url in comments
...
Kubernetes-commit: 506b88e07064efb2cd85361b9ffb26b96f8ad010
2017-03-31 20:37:15 +00:00
8c88b249db
Migrate rackspace/gophercloud -> gophercloud/gophercloud
...
This change migrates the 'openstack' provider and 'keystone'
authenticator plugin to the newer gophercloud/gophercloud library.
Note the 'rackspace' provider still uses rackspace/gophercloud.
Fixes #30404
2017-02-23 09:48:09 -05:00
2770a87575
stop hardcoding api registry and codecs in webhook
2017-01-27 08:47:01 -05:00
01994f3f6a
Update generated files
2017-01-25 07:42:18 -05:00
0d74915b2b
genericapiserver: move authz webhook plugins into k8s.io/apiserver
2017-01-25 07:42:18 -05:00
7442d5eaaa
genericapiserver: move authn plugins into k8s.io/apiserver
2017-01-25 07:42:18 -05:00
rithu john
hangaoshuai
Cao Shufeng
Kubernetes Publisher
Tim Allclair
Eric Chiang
Mik Vyatskov
Jeff Grafton
Davanum Srinivas
halfcrazy
Mike Danese
Maciej Szulik
Chen Rong
Dr. Stefan Schimanski
Chao Xu
Tim St. Clair
Clayton Coleman
linyouchong
Angus Lees
deads2k