kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
6,292 Commits 29 Branches 1,436 Tags 31 MiB
Commit Graph

72 Commits

Author SHA1 Message Date
Monis Khan 242620fc19 kmsv2: validate encrypt response at DEK generation time 
Prior to this change, we wait until the DEK is used to perform an
encryption before validating the response.  This means that the
plugin could report healthy but all TransformToStorage calls would
fail.  Now we correctly cause the plugin to become unhealthy and do
not attempt to use the newly generated DEK.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 5469c198e5d074c7e88e14c3dcbc3ebb2b37cfa8
 2023-03-22 21:27:47 -04:00
Anish Ramasekar ea9c745386 [KMSv2] Generate proto API and update feature gate for beta 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: ad698cc0aeb6e9b5fb1a7913d5db9f65fb1a51ac
 2023-01-12 00:14:42 +00:00
Anish Ramasekar b21cb57710 [KMSv2] use encDEK, keyID and annotations to generate cache key 
It is possible for a KMSv2 plugin to return a static value as Ciphertext
and store the actual encrypted DEK in the annotations. In this case,
using the encDEK will not work. Instead, we are now using a combination
of the encDEK, keyID and annotations to generate the cache key.

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 8eacf09649ac9042c7e998b5c24ac59d68ae7e6c
 2023-03-14 19:38:30 +00:00
Monis Khan 254de03ce9 kmsv2: re-use DEK while key ID is unchanged 
This change updates KMS v2 to not create a new DEK for every
encryption.  Instead, we re-use the DEK while the key ID is stable.

Specifically:

We no longer use a random 12 byte nonce per encryption.  Instead, we
use both a random 4 byte nonce and an 8 byte nonce set via an atomic
counter.  Since each DEK is randomly generated and never re-used,
the combination of DEK and counter are always unique.  Thus there
can never be a nonce collision.  AES GCM strongly encourages the use
of a 12 byte nonce, hence the additional 4 byte random nonce.  We
could leave those 4 bytes set to all zeros, but there is no harm in
setting them to random data (it may help in some edge cases such as
live VM migration).

If the plugin is not healthy, the last DEK will be used for
encryption for up to three minutes (there is no difference on the
behavior of reads which have always used the DEK cache).  This will
reduce the impact of a short plugin outage while making it easy to
perform storage migration after a key ID change (i.e. simply wait
ten minutes after the key ID change before starting the migration).

The DEK rotation cycle is performed in sync with the KMS v2 status
poll thus we always have the correct information to determine if a
read is stale in regards to storage migration.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 832d6f0e19f13b9dd22b1fe9d705817e9e64f4f1
 2023-02-24 16:51:08 -05:00
Monis Khan 3bc72d5b27 no-op: drop baseTransformerFunc indirection 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 346f39e18b0dd7aa45441de636cce5708e34a6db
 2023-02-24 12:39:14 -05:00
Nilekh Chaudhari 9bc62d2547 feat: implements encrypt all 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

Kubernetes-commit: 9382fab9b65669e74e8fb77247b14e6cb3ec6b3f
 2023-01-18 00:54:47 +00:00
Patrick Ohly 190d08cb5d staging: fix "go vet" issues 
These issues were not found earlier because "make vet" ignored staging. Some of
these fixes are stylistic and/or don't matter in practice, but all of the
loopclosure issues seem to be real: those tests didn't run as intended.

Here's the full error report:

staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_discovery_controller.go:304:11: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersion struct literal uses unkeyed fields (govet)
				gv := schema.GroupVersion{crd.Spec.Group, v.Name}
				      ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler_test.go:790:119: composites: k8s.io/apimachinery/pkg/runtime/serializer/json.SerializerOptions struct literal uses unkeyed fields (govet)
			delegate := serializerjson.NewSerializerWithOptions(serializerjson.DefaultMetaFactory, unstructuredCreator{}, nil, serializerjson.SerializerOptions{tc.yaml, false, tc.strictDecoding})
			                                                                                                                   ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation.go:171:30: composites: k8s.io/apiserver/pkg/cel.Error struct literal uses unkeyed fields (govet)
		compilationResult.Error = &apiservercel.Error{apiservercel.ErrorTypeInvalid, "compilation failed: " + issues.String()}
		                           ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation.go:175:30: composites: k8s.io/apiserver/pkg/cel.Error struct literal uses unkeyed fields (govet)
		compilationResult.Error = &apiservercel.Error{apiservercel.ErrorTypeInvalid, "cel expression must evaluate to a bool"}
		                           ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation.go:182:30: composites: k8s.io/apiserver/pkg/cel.Error struct literal uses unkeyed fields (govet)
		compilationResult.Error = &apiservercel.Error{apiservercel.ErrorTypeInternal, "unexpected compilation error: " + err.Error()}
		                           ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation.go:201:30: composites: k8s.io/apiserver/pkg/cel.Error struct literal uses unkeyed fields (govet)
		compilationResult.Error = &apiservercel.Error{apiservercel.ErrorTypeInvalid, "program instantiation failed: " + err.Error()}
		                           ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation.go:206:30: composites: k8s.io/apiserver/pkg/cel.Error struct literal uses unkeyed fields (govet)
		compilationResult.Error = &apiservercel.Error{apiservercel.ErrorTypeInternal, "cost estimation failed: " + err.Error()}
		                           ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:38:14: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
				Default: structuralschema.JSON{"foo"},
				         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:44:15: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
					Default: structuralschema.JSON{"foo"},
					         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:53:17: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
							Default: structuralschema.JSON{"A"},
							         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:58:17: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
							Default: structuralschema.JSON{"B"},
							         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:63:17: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
							Default: structuralschema.JSON{"C"},
							         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:76:19: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
									Default: structuralschema.JSON{"A"},
									         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:81:19: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
									Default: structuralschema.JSON{"B"},
									         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:91:18: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
								Default: structuralschema.JSON{"N"},
								         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:96:18: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
								Default: structuralschema.JSON{"O"},
								         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:108:21: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
											Default: structuralschema.JSON{"alpha"},
											         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:113:21: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
											Default: structuralschema.JSON{"beta"},
											         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:123:16: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
						Default: structuralschema.JSON{"bar"},
						         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:133:17: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
							Default: structuralschema.JSON{"A"},
							         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:147:17: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
							Default: structuralschema.JSON{"A"},
							         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:159:15: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
					Default: structuralschema.JSON{"A"},
					         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:169:17: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
						Default:  structuralschema.JSON{"A"},
						          ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:179:17: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
						Default:  structuralschema.JSON{"A"},
						          ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:190:18: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
							Default:  structuralschema.JSON{"A"},
							          ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/algorithm_test.go:202:18: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
							Default:  structuralschema.JSON{"A"},
							          ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/prunenulls_test.go:38:14: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
				Default: structuralschema.JSON{"foo"},
				         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/prunenulls_test.go:47:17: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
							Default: structuralschema.JSON{"A"},
							         ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/prunenulls_test.go:57:18: composites: k8s.io/apiextensions-apiserver/pkg/apiserver/schema.JSON struct literal uses unkeyed fields (govet)
							Default:  structuralschema.JSON{"C"},
							          ^
staging/src/k8s.io/apiextensions-apiserver/test/integration/defaulting_test.go:289:38: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Versions[0].Name, crd.Spec.Names.Plural})
	                                    ^
staging/src/k8s.io/apiextensions-apiserver/test/integration/listtype_test.go:140:38: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Versions[0].Name, crd.Spec.Names.Plural})
	                                    ^
staging/src/k8s.io/apiextensions-apiserver/test/integration/objectmeta_test.go:453:38: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Versions[0].Name, crd.Spec.Names.Plural})
	                                    ^
staging/src/k8s.io/apiextensions-apiserver/test/integration/pruning_test.go:214:38: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Versions[0].Name, crd.Spec.Names.Plural})
	                                    ^
staging/src/k8s.io/apiextensions-apiserver/test/integration/pruning_test.go:266:38: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Versions[0].Name, crd.Spec.Names.Plural})
	                                    ^
staging/src/k8s.io/apiextensions-apiserver/test/integration/pruning_test.go:377:38: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Versions[0].Name, crd.Spec.Names.Plural})
	                                    ^
staging/src/k8s.io/apiextensions-apiserver/test/integration/pruning_test.go:418:38: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Versions[0].Name, crd.Spec.Names.Plural})
	                                    ^
staging/src/k8s.io/apiextensions-apiserver/test/integration/pruning_test.go:471:38: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Versions[0].Name, crd.Spec.Names.Plural})
	                                    ^
staging/src/k8s.io/apiextensions-apiserver/test/integration/pruning_test.go:556:38: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Versions[0].Name, crd.Spec.Names.Plural})
	                                    ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/celcoststability_test.go:1096:32: loopclosure: loop variable validRule captured by func literal (govet)
					s := withRule(*tt.schema, validRule)
					                          ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/celcoststability_test.go:1107:19: loopclosure: loop variable expectedCost captured by func literal (govet)
					if rtCost != expectedCost {
					             ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/celcoststability_test.go:1108:83: loopclosure: loop variable expectedCost captured by func literal (govet)
						t.Fatalf("runtime cost %d does not match expected runtime cost %d", rtCost, expectedCost)
						                                                                            ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go:2009:30: loopclosure: loop variable tt captured by func literal (govet)
			celValidator := validator(tt.schema, true, model.SchemaDeclType(tt.schema, true), PerCallLimit)
			                          ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go:2013:65: loopclosure: loop variable tt captured by func literal (govet)
			errs, _ := celValidator.Validate(ctx, field.NewPath("root"), tt.schema, tt.obj, tt.oldObj, math.MaxInt)
			                                                             ^
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go:2015:22: loopclosure: loop variable tt captured by func literal (govet)
			for _, e := range tt.errors {
			                  ^
staging/src/k8s.io/apimachinery/pkg/runtime/mapper_test.go:28:67: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	gvr := func(g, v, r string) schema.GroupVersionResource { return schema.GroupVersionResource{g, v, r} }
	                                                                 ^
staging/src/k8s.io/apimachinery/pkg/runtime/mapper_test.go:30:63: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
	gvk := func(g, v, k string) schema.GroupVersionKind { return schema.GroupVersionKind{g, v, k} }
	                                                             ^
staging/src/k8s.io/apimachinery/pkg/runtime/serializer/versioning/versioning.go:150:35: composites: k8s.io/apimachinery/pkg/runtime.WithoutVersionDecoder struct literal uses unkeyed fields (govet)
		if err := d.DecodeNestedObjects(runtime.WithoutVersionDecoder{c.decoder}); err != nil {
		                                ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go:119:18: composites: k8s.io/apimachinery/pkg/api/errors.StatusError struct literal uses unkeyed fields (govet)
		return false, &apierrors.StatusError{status.Status()}
		               ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go:300:17: composites: k8s.io/api/admissionregistration/v1.MutatingWebhook struct literal uses unkeyed fields (govet)
		mutating[i] = registrationv1.MutatingWebhook{h.Name, h.ClientConfig, h.Rules, h.FailurePolicy, h.MatchPolicy, h.NamespaceSelector, h.ObjectSelector, h.SideEffects, h.TimeoutSeconds, h.AdmissionReviewVersions, nil}
		              ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:70:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"extensions", "v1beta1", "deployments"}, "", schema.GroupVersionKind{"extensions", "v1beta1", "Deployment"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:71:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"apps", "v1", "deployments"}, "", schema.GroupVersionKind{"apps", "v1", "Deployment"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:72:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"apps", "v1beta1", "deployments"}, "", schema.GroupVersionKind{"apps", "v1beta1", "Deployment"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:73:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"apps", "v1alpha1", "deployments"}, "", schema.GroupVersionKind{"apps", "v1alpha1", "Deployment"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:75:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"extensions", "v1beta1", "deployments"}, "scale", schema.GroupVersionKind{"extensions", "v1beta1", "Scale"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:76:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"apps", "v1", "deployments"}, "scale", schema.GroupVersionKind{"autoscaling", "v1", "Scale"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:77:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"apps", "v1beta1", "deployments"}, "scale", schema.GroupVersionKind{"apps", "v1beta1", "Scale"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:78:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"apps", "v1alpha1", "deployments"}, "scale", schema.GroupVersionKind{"apps", "v1alpha1", "Scale"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:81:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"example.com", "v1", "widgets"}, "", schema.GroupVersionKind{"", "", ""})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:82:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"example.com", "v2", "widgets"}, "", schema.GroupVersionKind{"", "", ""})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go💯59: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"apps", "v1", "Deployment"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:114:61: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:           admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"apps", "v1", "Deployment"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                         ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:116:22: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectMatchKind: &schema.GroupVersionKind{"apps", "v1", "Deployment"},
			                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:139:61: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:           admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"apps", "v1", "Deployment"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                         ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:141:22: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectMatchKind: &schema.GroupVersionKind{"apps", "v1", "Deployment"},
			                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:159:59: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"apps", "v1", "Deployment"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:179:59: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"apps", "v1", "Deployment"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:199:61: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:           admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"apps", "v1", "Deployment"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                         ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:201:22: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectMatchKind: &schema.GroupVersionKind{"extensions", "v1beta1", "Deployment"},
			                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:220:61: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:           admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"apps", "v1", "Deployment"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                         ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:222:22: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectMatchKind: &schema.GroupVersionKind{"apps", "v1beta1", "Deployment"},
			                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:246:61: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:           admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "scale", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                         ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:248:22: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectMatchKind: &schema.GroupVersionKind{"autoscaling", "v1", "Scale"},
			                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:266:59: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "scale", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:286:59: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "scale", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:306:61: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:           admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "scale", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                         ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:308:22: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectMatchKind: &schema.GroupVersionKind{"extensions", "v1beta1", "Scale"},
			                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:327:61: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:           admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "scale", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                         ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:329:22: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectMatchKind: &schema.GroupVersionKind{"apps", "v1beta1", "Scale"},
			                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:343:61: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:           admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                         ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:345:22: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectMatchKind: &schema.GroupVersionKind{"autoscaling", "v1", "Scale"},
			                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:359:59: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:375:61: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:           admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"extensions", "v1beta1", "deployments"}, "scale", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                         ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:377:22: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectMatchKind: &schema.GroupVersionKind{"autoscaling", "v1", "Scale"},
			                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:392:59: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"extensions", "v1beta1", "deployments"}, "scale", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:413:61: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:           admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                         ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:415:22: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectMatchKind: &schema.GroupVersionKind{"autoscaling", "v1", "Scale"},
			                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:435:59: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"extensions", "v1beta1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:450:59: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:460:59: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{"autoscaling", "v1", "Scale"}, "ns", "name", schema.GroupVersionResource{"apps", "v1", "deployments"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:475:70: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(&example.Pod{}, nil, schema.GroupVersionKind{"example.apiserver.k8s.io", "v1", "Pod"}, "ns", "name", schema.GroupVersionResource{"example.apiserver.k8s.io", "v1", "pods"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:491:70: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(&example.Pod{}, nil, schema.GroupVersionKind{"example.apiserver.k8s.io", "v1", "Pod"}, "ns", "name", schema.GroupVersionResource{"example.apiserver.k8s.io", "v1", "pods"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:507:70: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(&example.Pod{}, nil, schema.GroupVersionKind{"example.apiserver.k8s.io", "v1", "Pod"}, "ns", "name", schema.GroupVersionResource{"example.apiserver.k8s.io", "v1", "pods"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:523:70: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			attrs:         admission.NewAttributesRecord(&example.Pod{}, nil, schema.GroupVersionKind{"example.apiserver.k8s.io", "v1", "Pod"}, "ns", "name", schema.GroupVersionResource{"example.apiserver.k8s.io", "v1", "pods"}, "", admission.Create, &metav1.CreateOptions{}, false, nil),
			                                                                  ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:591:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"extensions", "v1beta1", "deployments"}, "", schema.GroupVersionKind{"extensions", "v1beta1", "Deployment"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:592:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"apps", "v1", "deployments"}, "", schema.GroupVersionKind{"apps", "v1", "Deployment"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:593:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"apps", "v1beta1", "deployments"}, "", schema.GroupVersionKind{"apps", "v1beta1", "Deployment"})
	                       ^
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go:594:25: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionResource struct literal uses unkeyed fields (govet)
	mapper.RegisterKindFor(schema.GroupVersionResource{"apps", "v1alpha1", "deployments"}, "", schema.GroupVersionKind{"apps", "v1alpha1", "Deployment"})
	                       ^
staging/src/k8s.io/client-go/tools/leaderelection/resourcelock/leaselock.go:120:19: composites: k8s.io/apimachinery/pkg/apis/meta/v1.Time struct literal uses unkeyed fields (govet)
		r.AcquireTime = metav1.Time{spec.AcquireTime.Time}
		                ^
staging/src/k8s.io/client-go/tools/leaderelection/resourcelock/leaselock.go:123:17: composites: k8s.io/apimachinery/pkg/apis/meta/v1.Time struct literal uses unkeyed fields (govet)
		r.RenewTime = metav1.Time{spec.RenewTime.Time}
		              ^
staging/src/k8s.io/client-go/tools/leaderelection/resourcelock/leaselock.go:135:26: composites: k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime struct literal uses unkeyed fields (govet)
		AcquireTime:          &metav1.MicroTime{ler.AcquireTime.Time},
		                       ^
staging/src/k8s.io/client-go/tools/leaderelection/resourcelock/leaselock.go:136:26: composites: k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime struct literal uses unkeyed fields (govet)
		RenewTime:            &metav1.MicroTime{ler.RenewTime.Time},
		                       ^
staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec_test.go:1088:28: composites: k8s.io/apimachinery/pkg/apis/meta/v1.Time struct literal uses unkeyed fields (govet)
			ExpirationTimestamp:   &v1.Time{now.Add(time.Hour)},
			                        ^
staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec_test.go:1100:28: composites: k8s.io/apimachinery/pkg/apis/meta/v1.Time struct literal uses unkeyed fields (govet)
			ExpirationTimestamp:   &v1.Time{now.Add(time.Hour)},
			                        ^
staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec_test.go:1110:28: composites: k8s.io/apimachinery/pkg/apis/meta/v1.Time struct literal uses unkeyed fields (govet)
			ExpirationTimestamp:   &v1.Time{now.Add(time.Hour)},
			                        ^
staging/src/k8s.io/client-go/tools/events/event_recorder.go:44:15: composites: k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime struct literal uses unkeyed fields (govet)
	timestamp := metav1.MicroTime{time.Now()}
	             ^
staging/src/k8s.io/client-go/tools/events/eventseries_test.go:95:24: composites: k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime struct literal uses unkeyed fields (govet)
		EventTime:           metav1.MicroTime{time.Now()},
		                     ^
staging/src/k8s.io/client-go/tools/events/eventseries_test.go:299:56: composites: k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime struct literal uses unkeyed fields (govet)
	cachedEvent := recorder.makeEvent(regarding, related, metav1.MicroTime{time.Now()}, v1.EventTypeNormal, "test", "some verbose message: 1", "eventTest", "eventTest-"+hostname, "started")
	                                                      ^
staging/src/k8s.io/client-go/tools/events/eventseries_test.go:385:57: composites: k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime struct literal uses unkeyed fields (govet)
		cachedEvent := recorder.makeEvent(regarding, related, metav1.MicroTime{time.Now()}, v1.EventTypeNormal, "test", "some verbose message: 1", "eventTest", "eventTest-"+hostname, "started")
		                                                      ^
staging/src/k8s.io/client-go/tools/leaderelection/leaderelection_test.go:365:26: composites: k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime struct literal uses unkeyed fields (govet)
		AcquireTime:          &metav1.MicroTime{time.Now()},
		                       ^
staging/src/k8s.io/client-go/tools/leaderelection/leaderelection_test.go:366:26: composites: k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime struct literal uses unkeyed fields (govet)
		RenewTime:            &metav1.MicroTime{time.Now()},
		                       ^
staging/src/k8s.io/client-go/tools/auth/exec/types_test.go:40:53: loopclosure: loop variable cluster captured by func literal (govet)
			testClientAuthenticationClusterTypesAreSynced(t, cluster)
			                                                 ^
staging/src/k8s.io/cli-runtime/pkg/resource/scheme_test.go:44:16: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectGVK: &schema.GroupVersionKind{"", "v1", "Status"},
			            ^
staging/src/k8s.io/cli-runtime/pkg/resource/scheme_test.go:50:16: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectGVK: &schema.GroupVersionKind{"meta.k8s.io", "v1", "Status"},
			            ^
staging/src/k8s.io/cli-runtime/pkg/resource/scheme_test.go:56:16: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectGVK: &schema.GroupVersionKind{"example.com", "v1", "Status"},
			            ^
staging/src/k8s.io/cli-runtime/pkg/resource/scheme_test.go:62:16: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
			expectGVK: &schema.GroupVersionKind{"example.com", "v1", "Foo"},
			            ^
staging/src/k8s.io/cli-runtime/pkg/resource/builder_example_test.go:77:1: tests: ExampleLocalBuilder refers to unknown identifier: LocalBuilder (govet)
func ExampleLocalBuilder() {
^
staging/src/k8s.io/component-base/metrics/desc_test.go:159:26: copylocks: call of reflect.DeepEqual copies lock value: k8s.io/component-base/metrics.Desc contains sync.RWMutex (govet)
			if !reflect.DeepEqual(*descA, *descB) {
			                      ^
staging/src/k8s.io/component-base/logs/json/json_benchmark_test.go:46:6: structtag: struct field secret has json tag but is not exported (govet)
					secret  string `json:"secret"`
					^
staging/src/k8s.io/component-base/logs/json/json_benchmark_test.go:76:6: structtag: struct field secret has json tag but is not exported (govet)
					secret  string `json:"secret"`
					^
staging/src/k8s.io/component-base/logs/json/json_benchmark_test.go:105:6: structtag: struct field secret has json tag but is not exported (govet)
					secret  string `json:"secret"`
					^
staging/src/k8s.io/csi-translation-lib/plugins/vsphere_volume_test.go:31:26: composites: k8s.io/api/core/v1.TopologySelectorTerm struct literal uses unkeyed fields (govet)
	topologySelectorTerm := v1.TopologySelectorTerm{[]v1.TopologySelectorLabelRequirement{
	                        ^
staging/src/k8s.io/csi-translation-lib/plugins/vsphere_volume_test.go:37:40: composites: k8s.io/api/core/v1.TopologySelectorTerm struct literal uses unkeyed fields (govet)
	topologySelectorTermWithBetaLabels := v1.TopologySelectorTerm{[]v1.TopologySelectorLabelRequirement{
	                                      ^
staging/src/k8s.io/csi-translation-lib/plugins/vsphere_volume_test.go:43:34: composites: k8s.io/api/core/v1.TopologySelectorTerm struct literal uses unkeyed fields (govet)
	expectedTopologySelectorTerm := v1.TopologySelectorTerm{[]v1.TopologySelectorLabelRequirement{
	                                ^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:506:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() error = %v", err)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:509:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() annotations = %v, want %v", resp.Annotations, encLocalKEK)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:539:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() error = %v", err)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:542:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() annotations = %v, want %v", resp.Annotations, lk.encKEK)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:589:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() error = %v", err)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:592:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() annotations = %v, want %v", resp.Annotations, encLocalKEK)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:627:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() error = %v", err)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:630:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() annotations = %v, want %v", resp.Annotations, lk.encKEK)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:677:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() error = %v", err)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:680:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() annotations = %v, want %v", resp.Annotations, encLocalKEK)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:717:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() error = %v", err)
				^
staging/src/k8s.io/kms/pkg/hierarchy/hierarchy_test.go:720:5: testinggoroutine: call to (*T).Fatalf from a non-test goroutine (govet)
				t.Fatalf("Encrypt() annotations = %v, want %v", resp.Annotations, lk.encKEK)
				^
staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go:451:25: composites: k8s.io/apimachinery/pkg/apis/meta/v1.Time struct literal uses unkeyed fields (govet)
					CreationTimestamp: metav1.Time{time.Now()},
					                   ^
staging/src/k8s.io/kubectl/pkg/cmd/util/helpers_test.go:341:5: composites: k8s.io/apimachinery/pkg/api/errors.StatusError struct literal uses unkeyed fields (govet)
			&errors.StatusError{metav1.Status{
			 ^
staging/src/k8s.io/kubectl/pkg/cmd/util/helpers_test.go:352:5: composites: k8s.io/apimachinery/pkg/api/errors.StatusError struct literal uses unkeyed fields (govet)
			&errors.StatusError{metav1.Status{
			 ^
staging/src/k8s.io/kubectl/pkg/cmd/util/helpers_test.go:364:5: composites: k8s.io/apimachinery/pkg/api/errors.StatusError struct literal uses unkeyed fields (govet)
			&errors.StatusError{metav1.Status{
			 ^
staging/src/k8s.io/kubectl/pkg/cmd/util/helpers_test.go:374:5: composites: k8s.io/apimachinery/pkg/api/errors.StatusError struct literal uses unkeyed fields (govet)
			&errors.StatusError{metav1.Status{
			 ^
staging/src/k8s.io/kubectl/pkg/cmd/util/helpers_test.go:385:50: composites: k8s.io/apimachinery/pkg/api/errors.StatusError struct literal uses unkeyed fields (govet)
			AddSourceToErr("creating", "configmap.yaml", &errors.StatusError{metav1.Status{
			                                              ^
staging/src/k8s.io/kubectl/pkg/cmd/util/helpers_test.go:395:5: composites: k8s.io/apimachinery/pkg/api/errors.StatusError struct literal uses unkeyed fields (govet)
			&errors.StatusError{metav1.Status{
			 ^
staging/src/k8s.io/kubectl/pkg/explain/v2/funcs_test.go:204:15: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
				"needle": schema.GroupVersionKind{"testgroup.k8s.io", "v1", "Kind"},
				          ^
staging/src/k8s.io/kubectl/pkg/explain/v2/funcs_test.go:206:6: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
					{"randomgroup.k8s.io", "v1", "OtherKind"},
					^
staging/src/k8s.io/kubectl/pkg/explain/v2/funcs_test.go:207:6: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
					{"testgroup.k8s.io", "v1", "OtherKind"},
					^
staging/src/k8s.io/kubectl/pkg/explain/v2/funcs_test.go:208:6: composites: k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind struct literal uses unkeyed fields (govet)
					{"testgroup.k8s.io", "v1", "Kind"},
					^
staging/src/k8s.io/kubectl/pkg/polymorphichelpers/history_test.go:95:46: composites: k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference struct literal uses unkeyed fields (govet)
				OwnerReferences: []metav1.OwnerReference{{"apps/v1", "Deployment", deployment.Name, deployment.UID, &trueVar, nil}},
				                                         ^
staging/src/k8s.io/kubectl/pkg/polymorphichelpers/history_test.go:222:46: composites: k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference struct literal uses unkeyed fields (govet)
				OwnerReferences: []metav1.OwnerReference{{"apps/v1", "StatefulSet", "moons", "1993", &trueVar, nil}},
				                                         ^
staging/src/k8s.io/kubectl/pkg/polymorphichelpers/history_test.go:326:46: composites: k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference struct literal uses unkeyed fields (govet)
				OwnerReferences: []metav1.OwnerReference{{"apps/v1", "DaemonSet", "moons", "1993", &trueVar, nil}},
				                                         ^
staging/src/k8s.io/kubectl/pkg/util/i18n/i18n_test.go:143:31: loopclosure: loop variable envVar captured by func literal (govet)
					defer func() { os.Setenv(envVar, envVarValue) }()
					                         ^
staging/src/k8s.io/legacy-cloud-providers/aws/aws_assumerole_provider_test.go:95:9: copylocks: range var tt copies lock: struct{name string; fields k8s.io/legacy-cloud-providers/aws.fields; want github.com/aws/aws-sdk-go/aws/credentials.Value; wantProviderCalled bool; sleepBeforeCallingProvider time.Duration; wantErr bool; wantErrString string} contains k8s.io/legacy-cloud-providers/aws.fields contains sync.RWMutex (govet)
	for _, tt := range tests {
	       ^
staging/src/k8s.io/legacy-cloud-providers/vsphere/nodemanager.go:190:5: lostcancel: the cancel function is not used on all paths (possible context leak) (govet)
				ctx, cancel := context.WithCancel(context.Background())
				^
staging/src/k8s.io/legacy-cloud-providers/vsphere/nodemanager.go:236:3: lostcancel: this return statement may be reached without using the cancel var defined on line 190 (govet)
		}()
		^
staging/src/k8s.io/pod-security-admission/policy/registry_test.go:152:35: composites: k8s.io/pod-security-admission/api.LevelVersion struct literal uses unkeyed fields (govet)
		results := registry.EvaluatePod(api.LevelVersion{tc.level, versionOrPanic(tc.version)}, nil, nil)
		                                ^
staging/src/k8s.io/sample-apiserver/pkg/registry/wardle/fischer/etcd.go:50:10: composites: k8s.io/sample-apiserver/pkg/registry.REST struct literal uses unkeyed fields (govet)
	return &registry.REST{store}, nil
	        ^
staging/src/k8s.io/sample-apiserver/pkg/registry/wardle/flunder/etcd.go:50:10: composites: k8s.io/sample-apiserver/pkg/registry.REST struct literal uses unkeyed fields (govet)
	return &registry.REST{store}, nil
	        ^

Kubernetes-commit: a58eb1b3da870b2b568fcf0ffd42332d6a0fd667
 2023-02-28 21:22:40 +01:00
Rita Zhang c31e450231 kmsv2: improve test coverage 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: 51db940dcc485a82303dc0b9b664ab564d462914
 2023-03-01 19:05:50 -08:00
Anish Ramasekar e8322225ee [KMSv2] restructure kms staging dir 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: c9b8ad6a55aaf7d95ce6fbc06ec4afba905e86c0
 2023-02-21 19:49:09 +00:00
Rita Zhang 8ef5a288d6 kmsv2: add metrics for invalid_key_id_from_status_total 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: 5292542b72df0665fb73bb0060fe73553dbf9b05
 2023-02-16 11:56:31 -08:00
Rita Zhang f471919cab kmsv2: add metrics 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: bd0f7f8ee8f7f1c7809e17fa60804bb37f65c495
 2023-01-29 22:40:18 -08:00
Anish Ramasekar 63ca46e40a [KMSv2] Add metrics for grpc service 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: de3b2d525b42d6eedeaa0b157f0f5ab98a4821f4
 2023-02-09 07:46:29 +00:00
Nilekh Chaudhari f218c03473 chore: improves tests 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

Kubernetes-commit: b3f326722d9025f6633b26f88a47f4799c3abd83
 2022-11-14 19:57:50 +00:00
Anish Ramasekar 9fb6b944f0 kmsv2: implement expire cache with clock 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 4804baa01187b4251bd632e07721d875f567d6f1
 2022-09-14 20:01:45 +00:00
Monis Khan 54f0629e69 Prime KMS v2 key ID inline with transformer construction 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 345f41f8e5256ea44066aa884f85c161d44ebd0d
 2023-01-23 09:49:18 -05:00
Rita Zhang 19c40b040a kmsv2: use status key ID to update staleness of encrypted data 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: 510ac9b3919b62cb52e166192a7d0d09a9b2dfb5
 2022-12-02 13:32:34 -08:00
Krzysztof Ostrowski a85078bf03 apiserver/kmsv2: mv Service interface into kmsv2 
Signed-off-by: Krzysztof Ostrowski <kostrows@redhat.com>

Kubernetes-commit: b7701b00eaa8cdc2103beb8ab78f625cc3b62d90
 2023-01-09 14:36:06 +01:00
Monis Khan ebb0d405b3 encryption-at-rest: clean up context usage and duplicated code 
This change in a no-op refactor of the encryption at rest code that
primarily changes the wiring to consistently use context for
lifecycle management (instead of a mixture of context and stop
channels).

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 70b414b0e5cbe9706e5a4fc0d7299ec6b169d642
 2022-11-09 17:33:38 -05:00
Nilekh Chaudhari 25c1e9054d feat: implements kms encryption config hot reload 
This change enables hot reload of encryption config file when api server
flag --encryption-provider-config-automatic-reload is set to true. This
allows the user to change the encryption config file without restarting
kube-apiserver. The change is detected by polling the file and is done
by using fsnotify watcher. When file is updated it's process to generate
new set of transformers and close the old ones.

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

Kubernetes-commit: 761b7822fca569d475f782b135ef433e5b014147
 2022-11-07 22:15:56 +00:00
Anish Ramasekar 525c6769a4 [KMS]: validate duplicate kms config name for v1 and v2 when reload=true 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 47f8c4bec63a2c4d6406cd615b41cd16f12be434
 2022-11-07 20:16:04 +00:00
Monis Khan e137a3da77 kms: add wiring to support automatic encryption config reload 
This change adds a flag --encryption-provider-config-automatic-reload
which will be used to drive automatic reloading of the encryption
config at runtime.  While this flag is set to true, or when KMS v2
plugins are used without KMS v1 plugins, the /healthz endpoints
associated with said plugins are collapsed into a single endpoint at
/healthz/kms-providers - in this state, it is not possible to
configure exclusions for specific KMS providers while including the
remaining ones - ex: using /readyz?exclude=kms-provider-1 to exclude
a particular KMS is not possible.  This single healthz check handles
checking  all configured KMS providers.  When reloading is enabled
but no KMS providers are configured, it is a no-op.

k8s.io/apiserver does not support dynamic addition and removal of
healthz checks at runtime.  Reloading will instead have a single
static healthz check and swap the underlying implementation at
runtime when a config change occurs.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 22e540bc48d9bf698c4f381ccb56ed57dea0dae2
 2022-11-02 01:08:42 -04:00
Monis Khan 8d68e6f323 Load encryption config once 
This change updates the API server code to load the encryption
config once at start up instead of multiple times.  Previously the
code would set up the storage transformers and the etcd healthz
checks in separate parse steps.  This is problematic for KMS v2 key
ID based staleness checks which need to be able to assert that the
API server has a single view into the KMS plugin's current key ID.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: f507bc255382b2e2095351053bc17e74f7100d35
 2022-08-29 17:25:48 -04:00
Monis Khan c602291fa1 encryption config: no-op refactor to prepare for single loading 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: db850931a8699e780dd794e1763fd0e54b4239b5
 2022-08-29 17:25:48 -04:00
Monis Khan 70b4742ce2 kms: fix go routine leak in gRPC connection 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 4e68e9b5ad70ae074b3fb20f0fb2ba25d0792274
 2022-08-24 01:51:19 +00:00
Anish Ramasekar bdd7082eed chore(kms): remove unused plugin name and migrate from deprecated `io/ioutil` pkg 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 7db7a63959162d743f771183bf4e88e82afef868
 2022-08-23 22:55:22 +00:00
Anish Ramasekar 225e26ac4a Implement KMS v2alpha1 
- add feature gate
- add encrypted object and run generated_files
- generate protobuf for encrypted object and add unit tests
- move parse endpoint to util and refactor
- refactor interface and remove unused interceptor
- add protobuf generate to update-generated-kms.sh
- add integration tests
- add defaulting for apiVersion in kmsConfiguration
- handle v1/v2 and default in encryption config parsing
- move metrics to own pkg and reuse for v2
- use Marshal and Unmarshal instead of serializer
- add context for all service methods
- check version and keyid for healthz

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: f19f3f409938ff9ac8a61966e47fbe9c6075ec90
 2022-06-29 20:51:35 +00:00
Anish Ramasekar 8ab3aa3011 feat:(kms) encrypt data with DEK using AES-GCM instead of AES-CBC 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: d54631a41a869f7a28d82fcab2e174ee85879027
 2022-07-13 17:14:50 +00:00
Anish Ramasekar e442eafb33 feat: prepare KMS data encryption for migration to AES-GCM 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Co-authored-by: Monis Khan <mok@vmware.com>
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 90b42f91fd904b71fd52ca9ae55a5de73e6b779a
 2022-03-16 17:54:10 +00:00
Steve Kuznetsov af1cb1cefe storage: transformers: pass a context.Context 
When an envelope transformer calls out to KMS (for instance), it will be
very helpful to pass a `context.Context` to allow for cancellation. This
patch does that, while passing the previously-expected additional data
via a context value.

Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>

Kubernetes-commit: 27312feb9983c18d1daf00afba788727d024cdd0
 2022-02-17 07:29:44 -08:00
Davanum Srinivas 56a3a30ae1 Check in OWNERS modified by update-yamlfmt.sh 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: 9405e9b55ebcd461f161859a698b949ea3bde31d
 2021-12-09 21:31:26 -05:00
Anish Ramasekar 1e3c9bfcdb fix typo in kms encryption config logs 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 63295a126e316fb7b8630dbc57e98041e747cbed
 2021-09-16 18:18:59 +00:00
Stefan Bueringer c8433b21e4 fix staticcheck: vendor/k8s.io/apiserver/pkg/server 
Kubernetes-commit: ed0adcb65e92198177bf23db97807b3312d6be29
 2020-11-17 11:58:13 +01:00
immutablet 209aff3d4b Hide methods in the encryption config that are not used outside the package. 
Kubernetes-commit: 922e0bfaec0a8b25fdb04e559ac454c416f8c2e8
 2020-03-05 16:54:27 -08:00
Tim Allclair 56dc51d310 Ensure testing credentials are labeled as such 
Kubernetes-commit: 9d3670f3586c98c02cdca93b7c98dd91fc0b87bd
 2020-02-04 10:36:05 -08:00
Shihang Zhang 6207833539 ping kmsplugin gentely when in good state 
Change-Id: I50ce249d7996e5c51dcbb00e53d67300aa72a87f

Kubernetes-commit: c084d57b18a7c90c14bc13dc2daa256e84037a74
 2019-12-02 16:38:03 -08:00
immutablet 5cec6b4746 Add defaulting logic for EncryptionConfiguration. 
Kubernetes-commit: a151aa35dc21881d178e498141e5f58df13fb400
 2019-11-14 22:53:18 -08:00
immutablet 6e01b8c8f3 Move test inputs for EncryptionConfiguration tests into testdata. 
Kubernetes-commit: 883e9a0b502b787a9454e10c26e324ffaa30eb29
 2019-11-13 16:38:20 -08:00
chenyaqi01 4f9778fb9d replace bytes.Compare() with bytes.Equal() 
Kubernetes-commit: 66be69bb0e7fd147be650385d272ae14ee2857c8
 2019-09-27 10:06:50 +08:00
mengyang02 0da8f30350 replace time.Now().Sub with time.Since 
Kubernetes-commit: 0205215425607a7a390eaa6493033511626bb189
 2019-09-03 20:43:32 +08:00
Monis Khan 298cf1beec Encryption config: correctly handle overlapping providers 
This change updates NewPrefixTransformers to not short-circuit on
the first transformer that has a matching prefix.  If the same type
of encryption ProviderConfiguration is used more than once, they
will share the same prefix.  A failure in the first one should not
prevent a later match from being attempted.

Added TestCBCKeyRotationWithOverlappingProviders unit test to
prevent regressions.  Note that this test explicitly exercises this
flow using an EncryptionConfiguration object as the structure of the
resulting transformer is an important part of the check.

Signed-off-by: Monis Khan <mkhan@redhat.com>

Kubernetes-commit: 4dc16f29a7285a4bcaff1915728953d8a55e1b6e
 2019-09-06 12:09:43 -04:00
Han Kang 2b0c93afef rename healthz methodNames to be more consistent w/ present day usages 
Kubernetes-commit: 2e23788fda86c68e7f17cf0b66ee1017594c1055
 2019-08-13 12:42:13 -07:00
immutablet 5faffb9123 Allow kube-apiserver to test the status of kms-plugin. 
Kubernetes-commit: 05fdbb201ffbaff4e92f0899f9e2ca038febb88d
 2019-05-30 11:15:35 -07:00
Roy Lenferink 4c9524b9fb Updated OWNERS files to include link to docs 
Kubernetes-commit: b43c04452f3b563473b5c2a765d4ac18cc0ff58f
 2019-01-30 20:05:00 +01:00
immutableT 9c474d9c53 require timeout to be greater than zero. 
add unit test to cover timeout behaviour.

Kubernetes-commit: 39aca564749cd92ed1cfec7129eb3f6593549137
 2019-01-04 17:06:07 -08:00
immutableT d9414ee2ab Expose kms timeout value via encryption config. 
Kubernetes-commit: a4dc53cfeb91ee07cedcc6959e88e30cb0c3cca8
 2019-01-03 14:26:57 -08:00
Slava Semushin e2bc8e4617 Introduce kubeapiserver.config.k8s.io/v1 with EncryptionConfiguration and use a standard method for parsing config file. 
Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>

Kubernetes-commit: c21cb548e6c7d4ab019fce8a35c9b99c035c2071
 2018-05-02 18:21:38 +02:00
Davanum Srinivas 032ec9d79b Switch to sigs.k8s.io/yaml from ghodss/yaml 
Change-Id: Ic72b5131bf441d159012d67a6a3d87088d0e6d31

Kubernetes-commit: 43f523d405b012fa8d90dd95b667f520e036f6bc
 2018-11-02 16:41:57 -04:00
Jordan Liggitt 136e478e9f encryption-at-rest approvers/reviewers 
Kubernetes-commit: 666c93a8343029a499ea64de8a6d09596097ccb3
 2018-11-02 17:38:17 -04:00
immutablet e9bce895cf Lazily dial kms-plugin. 
Kubernetes-commit: 07cbf2545f705d0448631f479a18d0b86b7055dc
 2018-09-12 14:56:44 -07:00
Kubernetes Publisher 627fa76a8b sync: initially remove files BUILD */BUILD BUILD.bazel */BUILD.bazel 2018-03-15 09:38:17 +00:00