Beta OS/arch labels have been deprecated since 1.14.
This change replaces these labels with the GA ones.
Kubernetes-commit: bcd975aa6575ae37ec3be3481e44cd0dccd02337
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
Kubernetes-commit: 5a176ac77241ff059f22609fc569ac219334238c
Downstreams assume process restarts when counters decrement. Currently,
the "active" label is expected to decrement but the "ok" and "error"
labels are intended to be handled as counters. This is unnecessary and
hard to deal with. This change consolidates "blocking" and "in_flight"
tracking into a single gauge, which allows fetch completion to be a pure
counter.
Kubernetes-commit: dc5934f58456d95b0264665871c0c48e16ee6469
I've also moved the deserialization of the object outside the benchmark
since we're not trying to benchmark the yaml parser.
Kubernetes-commit: a52776fbfb305374d87bb553739f712e055b2206
Added LockingWriteMultipleOnly and LockingWriteOnceOnly interfaces,
so that further extensions are possible (in this package or others).
Moved common SetLocked behavior into promisoid.
Made comments say things that were implied.
Kubernetes-commit: cbdd3a279e6161d73f2c4e8a2b916ae74b258621
Previously, a `decisionCancel` could overwrite a `decisionReject` or
`decisionExecute`, causing confusion. Now a request gets exactly one
decision and there is no confusion.
Also added write-once to the promise package and refactored.
Kubernetes-commit: 1c092bf635954bde9c9c363672fa156b9430206b
So that errors can be detected before resolving concurrency shares
into concurrency counts.
Kubernetes-commit: 1e170637c3ce6c4ccd378275d9e52192f4be12b7
This PR fixes oversights and adds validation that rejects writes
of wrong Spec values for the four mandatory objects.
Kubernetes-commit: ec5321c6a9f23e5ad26cf88a41fda9dba0c5ce89
Lowers probability of managedField population on create/update to 0%
until serialization/normalization issues are resolved
Kubernetes-commit: ba23aa98f6574bd1f9781f0d3e61d0496f16fc53
From the listen godoc:
For TCP networks, if the host in the address parameter is empty or a
literal unspecified IP address, Listen listens on all available unicast
and anycast IP addresses of the local system.
Since the BindNetwork option is "tcp" by default, using an unspecified
address doesn't bind the listener to the IP family.
Kubernetes-commit: 05010d23ac7751a17aa26fb5cc011eb4f2127b1e
apiserver adds localhost to the alternateDNS field
if the bind address is 0.0.0.0.
This PR considers the IPv6 unspecified address too.
Kubernetes-commit: 29ec87f769c6494fad5c0a0c624efe2dc6eeab13
This change relaxes the KMS config cache size validation to allow
for negative values. The KMS code already treats all values <= 0 to
mean that the cache is disabled (zero is still a validation error).
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: a16808f353afb6abf402c862d5f859b949d2027a
request_total is fully accumulating, fetch_total is mostly accumulating
except for the active label.
Kubernetes-commit: a84e883e4b39f6a040d479b5be89b0750f4e7bf1
Attempting to add ResourceVersion precondition to
eviction requests results in a conflict failure. This
is due to the fact that we apply a deletion timestamp
which mutates the underlying resource. The resource
version is then checked again later in the code.
This commit removes the ResourceVersion precondition
after the object has a deletion timestamp applied.
Related-Bug: https://github.com/kubernetes/kubernetes/issues/85485
Kubernetes-commit: 494629ef58c6d01607d610d3e757666356c0b18d
This commit responds to the comments on PR #85192 that were not yet
addressed at the time it merged, apart from the one fixed in PR
Generalized fairqueuing to allow for zero queues, to support a
priority level that limits concurrency but does no queuing.
Kubernetes-commit: b123a43e7117e977606bacd31d77f4a30d2ed212
The old name is too broad, we wanted a name that is more specific to
the actual feature.
This is an alpha gate, and no release has yet associated any
functionality with this gate.
Kubernetes-commit: 76d090e30f917888c5882228f7261ed31a34a2ab
(1) Replaced random-looking assortment of counter increments and
decrements with something hopefully more principled-looking. Most
importantly, introduced the MutablePromise abstraction to neatly wrap
up the complicated business of unioning multiple sources of
unblocking.
(2) Improved debug logging.
(3) Somewhat more interesting test cases, and a bug fix wrt round
robin index.
Kubernetes-commit: 1c31b2bdc65377f502c2306dbdf32a802eb1afb7
b.N is adjusted by pkg/testing using an internal heuristic:
> The benchmark function must run the target code b.N times. During
> benchmark execution, b.N is adjusted until the benchmark function
> lasts long enough to be timed reliably.
Using b.N to seed other parameters makes the benchmark behavior
difficult to reason about. Before this change, thread count in the
CachedTokenAuthenticator benchmark is always 5000, and batch size is
almost always 1 when I run this locally. SimpleCache and StripedCache
benchmarks had similarly strange scaling.
After modifying CachedTokenAuthenticator to only adjust iterations based
on b.N, the batch chan was a point of contention and I wasn't able to
see any significant CPU consumption. This was fixed by using
ParallelBench to do the batching, rather than using a chan.
Kubernetes-commit: 43d34882c9b3612d933b97b6e470fd8d36fe492b
Instead of returning an error on the watch stream, if we can't properly
negotiate a watch serialization format we should error and return that
error to the client.
Kubernetes-commit: 9aad6aa54d824ba93a6670cd5a0cab6ad337e9f0
Also rename utilnet.ChooseBindAddress() to ResolveBindAddress(), to
better describe its functionality.
Kubernetes-commit: afa0b808f873b515c9d58a9ead788972ea7d2533
Clients should be able to identify when a namespace is being terminated and
take special action such as backing off or giving up. Add a helper for
getting the cause of an error and then add a special cause to the forbidden
error that namespace lifecycle admission returns. We can't change the forbidden
reason without potentially breaking older clients and so cause is the
appropriate tool.
Add `StatusCause` and `HasStatusCause` to the errors package to make checking
for causes simpler. Add `NamespaceTerminatingCause` to the v1 API as a constant.
Kubernetes-commit: a62c5b282fda7c0832d329cde45e5e0a836924e8
Reload SNI certificate cert and key file from disk every minute and notify
the dynamic certificate controller when they change, allowing serving
tls config to be updated.
Kubernetes-commit: d9adf535f35051be1d79d1309c72762939593d7c
Reload certificate cert and key file from disk every minute and notify
the dynamic certificate controller when they change, allowing serving
tls config to be updated.
Kubernetes-commit: 3f5fbfbfac281f40c11de2f57d58cc332affc37b
Clean up useless functions, only keep the basic function Deal
and the function DealIntoHand which will be used by Priority
and Fairness.
Improve some comments for constants and functions.
Introduce Dealer to combine parameters and methods into a whole.
Use fixed-size slice to improve performance.
Use math.Ceil and math.Log2 to calculate required entropy bits.
Make the given hand adaptive to handSize in DealIntoHand.
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
Kubernetes-commit: 7a3ca070cdd9804a22bf5db8a99576b09fc52484
Changes following up on shuffle sharding util package.
Made the validation checking function return a slice of error messages
rather than just a bit.
Replaced all the `int32` with `int` because this is intended for more
than just the priority-and-fairness feature and so should not be a
slave to its configuration datatypes.
Introduced ShuffleAndDealIntoHand, to make memory allocation the
caller's problem/privilege.
Made the hand uniformity tester avoid reflection, evaluate the
histogram against the expected range of counts, and run multiple test
cases, including one in which the number of hash values is a power of
two with four extra bits (as the validation check requires) and one in
which the deck size is not a power of two.
Kubernetes-commit: da0b647155912c6b1e6b971aa5685768915d810d
Implement several shuffle sharding functions including ShuffleAndDeal,
ShuffleAndDealToSlice.
Add benchmarks and tests for shuffle sharding to test performance,
correctness and distribution uniformity.
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
Kubernetes-commit: e97eaef4f65ec2cbfebf4fd9e726c9e2a6bf5499
We create and use a dynamic certificate provider for the SNI serving
certificates. Currently we only use static serving certificate
providers, so the files are not reloaded, but we should be able to move
to a provider that is able to reload later on.
Kubernetes-commit: 84bc6b151d0726db0c737443874577f044e0e9c8
Currently we record request metrics during the normal request flow and
we also manually invoke `Record` in the timeout handler to record
timeouts. This means that we effectively double count whenever we
timeout. This PR renames the `Record` function to `RecordRequestError`
to more accurately reflect the intended side-effect of the function
call.
Change-Id: Ie37fd0c1e501bd525640a434433d364a5fd6dde2
Kubernetes-commit: 4c6e7247878477a1f2efc26df7f141258010374f
We create and use a dynamic certificate provider for the main apiserver
serving certificates: SNI will be handled separately later. Currently we
only use static serving certificate providers, so the files are not
reloaded, but we should be able to move to a provider that is able to
reload later on.
Kubernetes-commit: 6f89f1027488aeba4af0786988c2fd2ace9a6f1d
It is possible to configure the token cache to cache failures. We
allow 1 MB of headers per request, meaning a malicious actor could
cause the cache to use a large amount of memory by filling it with
large invalid tokens. This change hashes the token before using it
as a key. Measures have been taken to prevent precomputation
attacks. SHA 256 is used as the hash to prevent collisions.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: 9a547bca8e6e15273bfafd3496aa6524fd7d35bd
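As an added illustration of the change described above (example code, not the apiserver's own), the sketch below keys a failure-caching token cache by an HMAC-SHA256 of the token under a random per-process secret, so each cached entry costs a fixed 32 bytes regardless of token size and keys cannot be precomputed offline. The `keyer` and `failureCache` names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// keyer derives fixed-size cache keys from bearer tokens: the raw token is
// never stored, so a large invalid token costs 32 bytes per entry rather than
// up to the 1 MB header limit, and the random per-process secret means keys
// for chosen tokens cannot be precomputed offline.
type keyer struct{ secret []byte }

func newKeyer() (*keyer, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return &keyer{secret: secret}, nil
}

// key returns hex(HMAC-SHA256(secret, token)), always 64 hex characters.
func (k *keyer) key(token string) string {
	mac := hmac.New(sha256.New, k.secret)
	mac.Write([]byte(token))
	return hex.EncodeToString(mac.Sum(nil))
}

// failureCache is a constructed stand-in for the token cache, indexed by key only.
type failureCache struct {
	k       *keyer
	entries map[string]bool // true = authenticated, false = cached failure
}

func (c *failureCache) put(token string, ok bool) { c.entries[c.k.key(token)] = ok }

// get reports the cached verdict and whether the token was present.
func (c *failureCache) get(token string) (ok, found bool) {
	ok, found = c.entries[c.k.key(token)]
	return ok, found
}

func main() {
	k, _ := newKeyer()
	c := &failureCache{k: k, entries: map[string]bool{}}
	c.put(strings.Repeat("A", 1<<20), false) // constructed 1 MiB junk token
	fmt.Println(len(c.entries), len(k.key("x"))) // 1 64
}
```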
This is super expensive and not needed at all since we don't have to
reparse the entire object. Remove all allocations but the first one.
Kubernetes-commit: 31c644a1e79c685b52683ed1e84964186a37f3ff
This change updates NewPrefixTransformers to not short-circuit on
the first transformer that has a matching prefix. If the same type
of encryption ProviderConfiguration is used more than once, they
will share the same prefix. A failure in the first one should not
prevent a later match from being attempted.
Added TestCBCKeyRotationWithOverlappingProviders unit test to
prevent regressions. Note that this test explicitly exercises this
flow using an EncryptionConfiguration object as the structure of the
resulting transformer is an important part of the check.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: 4dc16f29a7285a4bcaff1915728953d8a55e1b6e
longer assigned to me by blunderbuss.
Move myself to be an emeritus approver for the cluster directory.
Kubernetes-commit: 9d211ab352f78482fde7ec593b3dcacea9bcc139