kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,629 Commits 30 Branches 1,482 Tags 31 MiB
Commit Graph

4629 Commits

Author SHA1 Message Date
Jefftree 285024a6b7 Promote SSA GA 
Kubernetes-commit: 94cf48a2d16d7eaa915b7f685746a0e63870d5ff
 2021-03-11 06:40:43 -08:00
David Eads 526d12c09b prevent mutation of deletion options during delete collection 
Kubernetes-commit: 649b87aaf85dbb6e8190bf7d16c5dc903b5ecedc
 2021-03-10 15:41:03 -05:00
Margo Crawford 6c62752c02 This introduces an Impersonate-Uid header to server side code. 
UserInfo contains a uid field alongside groups, username and extra.
This change makes it possible to pass a UID through as an impersonation header like you
can with Impersonate-Group, Impersonate-User and Impersonate-Extra.

This PR contains:

* Changes to impersonation.go to parse the Impersonate-Uid header and authorize uid impersonation
* Unit tests for allowed and disallowed impersonation cases
* An integration test that creates a CertificateSigningRequest using impersonation,
  and ensures that the API server populates the correct impersonated spec.uid upon creation.

Kubernetes-commit: 74f5ed6b17287100b339a2b3a43fd4c6fb200978
 2021-03-04 15:19:52 -08:00
xiaofei.sun e9a1de1bba add user-agent for audit log format legacy 
Kubernetes-commit: 358b33519cdcb3561b41a665558306967cc1d1b9
 2021-02-25 20:23:51 +08:00
zhuangqh 640ba0e40e docs: fix outdated enhancement doc link 
Signed-off-by: zhuangqh <zhuangqhc@gmail.com>

Kubernetes-commit: adf28648cb32d17cd186a6c7e8b264419e6d0759
 2021-02-24 15:22:50 +08:00
Shihang Zhang 4a6863aa9a the last upperbound of kms latency metric is too small 
Kubernetes-commit: 6d7c83f2cd19455107bc02bc98fed2296bb46dca
 2021-02-23 14:19:25 -08:00
Lukasz Szaszkiewicz 69433684ce adds metrics for authentication webhook 
Kubernetes-commit: 322c18c147da08dd2eea25ba3c2b9630a228cf5f
 2021-02-23 08:39:25 +01:00
Andrea Nodari 8df8282eaf Track ownership of deployments scale subresource 
Kubernetes-commit: a9ea98b3b9272a7f7788a0d37891e4b13b9be38d
 2021-01-23 18:50:14 +01:00
Kubernetes Publisher c883d6c994 Merge pull request #101234 from gautierdelorme/rm-go-openapi-spec 
eliminate dependency on go-openapi/spec

Kubernetes-commit: 565d5f456242fcc79b7540a4c4913c7577cbfc7d
 2021-05-18 11:27:27 +00:00
Gautier Delorme af9424d2c9 remove go-openapi/spec 
Signed-off-by: Gautier Delorme <gautier.delorme@gmail.com>

Kubernetes-commit: 34b0fcef5fc47e3fcddf7f6ca1b3e6176b2a5323
 2021-04-20 17:48:33 +02:00
Gautier Delorme 4a8e81fac6 bump k8s.io/kube-openapi 
Signed-off-by: Gautier Delorme <gautier.delorme@gmail.com>

Kubernetes-commit: bcdde6bf75c7e177b44e58c5313e405c22d8d46d
 2021-04-20 17:43:59 +02:00
Kubernetes Publisher f48391aefe Merge pull request #100964 from njuptlzf/SelectionPredicateUT 
Add more unit tests for SelectionPredicate

Kubernetes-commit: 90e599f56a931f9ba32244c7f6250db27cb61af5
 2021-05-18 11:27:23 +00:00
Kubernetes Publisher b9ad7382f7 Merge pull request #100979 from mikedanese/tlscleanup 
force implementors of dyanmiccertificates providers to think about notify

Kubernetes-commit: 496a94bf98c86abea5c18395880340ad64dcb9dd
 2021-05-18 11:27:20 +00:00
Kubernetes Publisher 0be3b21634 Merge pull request #100490 from howardjohn/gnostic-v051 
Update kube-openapi and gnostic dependencies

Kubernetes-commit: c555b23f1c84bcdd1d87a7ae831675281f5c0c94
 2021-05-18 11:27:17 +00:00
Kubernetes Publisher 152ef2fa3b Merge pull request #101155 from zshihang/bound 
allow multiple of --service-account-issuer

Kubernetes-commit: 6157361dd758dc5774b7776d897727b53d696d57
 2021-05-18 11:27:13 +00:00
Shihang Zhang 87ac3f57d4 allow multiple of --service-account-issuer 
Kubernetes-commit: 925900317e43e58435082f624f5969e3cfe25c67
 2021-04-15 09:50:43 -07:00
Kubernetes Publisher 940c107184 Merge pull request #100970 from apelisse/add-subresource-managedfields 
Add subresource managedfields

Kubernetes-commit: 0f1d105f8d3e114f0bf47307513fe519a71351a2
 2021-04-17 16:17:57 +00:00
Kubernetes Publisher 64747d3be0 Merge pull request #101151 from mborsz/nodehealth 
Add "node-high" priority-level

Kubernetes-commit: 09bd59687500e6b3c53e34cf20ef7727a1886c22
 2021-04-17 11:54:00 +00:00
Kubernetes Publisher 16fda89d29 sync: update go.mod 2021-04-17 03:58:27 +00:00
Kubernetes Publisher 66df8c7bf0 Merge pull request #100963 from enj/enj/i/authz_func_ctx 
authorizer func: pass through context

Kubernetes-commit: f1c1379defd362a7156b0568c77b2f41583b1e00
 2021-04-16 23:54:04 +00:00
Kubernetes Publisher db0339edde Merge pull request #100969 from enj/enj/i/audit_stage_const 
audit: make stage consts use correct type

Kubernetes-commit: 2ec888b2d0a23861a93e6599e0f993e12c7a79f4
 2021-04-16 19:57:58 +00:00
Kubernetes Publisher 4004e014d5 Merge pull request #100724 from liggitt/eviction-v1beta1 
Add policy/v1 Eviction support

Kubernetes-commit: 27a625cf8921007eaf115425b6d61587eb253e92
 2021-04-16 19:57:56 +00:00
Kubernetes Publisher f09aa9568e Merge pull request #101086 from enj/enj/i/auth_owners_gen 
Prune stale entries from OWNERS files

Kubernetes-commit: 24350a922ea2b1b2a8aeba58e150fa90370a282b
 2021-04-15 15:59:31 +00:00
Maciej Borsz b0d1b1af17 Add "node-high" priority-level 
Kubernetes-commit: 8d6e76f2766e51177ee50a1fba09bc5b04d6ce53
 2021-04-15 16:24:02 +02:00
Kubernetes Publisher 781f4a4107 Merge pull request #100959 from p0lyn0mial/upstream-delegated-authn-timeout 
DelegatingAuthenticationOptions: TokenReview request timeout

Kubernetes-commit: dc2020eb9d59a19952cbdabd3d4f819c6f307899
 2021-04-15 03:54:50 +00:00
Kubernetes Publisher 584a6d3ae5 Merge pull request #101076 from kevindelgado/fix-diff 
Chain the field manager creation calls in newDefaultFieldManager 

Kubernetes-commit: 6cc27991e95a4bd242a9c631d520a909778d05e6
 2021-04-13 21:08:42 -07:00
Kevin Delgado ea32c4f47f Chain the field manager creation calls in newDefaultFieldManager and test 
Kubernetes-commit: d37461180a1e5a52aeb85cf5853e000acfeb852d
 2021-04-13 16:15:25 +00:00
Kubernetes Publisher 56981b814f Merge pull request #99237 from tkashem/audit-correlation 
Use the audit ID of a request for better correlation

Kubernetes-commit: 46563b0abebbb00e21db967950a1343e83a0c6a2
 2021-04-13 15:55:56 +00:00
Kubernetes Publisher 3f59c51398 Merge pull request #100885 from enj/enj/i/auth_owners 
Update sig-auth OWNERS

Kubernetes-commit: d51f15ed0d47aa81c572076877c69e3107ad3bfc
 2021-04-13 07:30:31 +00:00
Kubernetes Publisher c5d971fadc Merge pull request #100739 from pacoxu/update-zap 
update uber zap to 1.16.0 to fix a nil pointer exception

Kubernetes-commit: 0b0727b563502e45802e2fc4536b2c6734781261
 2021-04-12 03:34:26 +00:00
Kubernetes Publisher 42edede127 Merge pull request #100868 from enj/enj/f/oidc_controller 
oidc authenticator: make library usage easier

Kubernetes-commit: 7f200cb75b62647c0e0d7d7aa8ecf5129cd6b293
 2021-04-11 03:30:42 +00:00
Kubernetes Publisher cba9cd88c4 Merge pull request #100784 from kevindelgado/smd-to-4-1-1 
Update structured-merge-diff to v4.1.1

Kubernetes-commit: 442b3218b3d3eecdd9e55bffcb2c6b135f3084b7
 2021-04-11 03:30:40 +00:00
Mike Danese a6a121887a force implementors of dyanmiccertificates providers to think about notify 
Right now, `_, ok := provider.(Notifier); !ok` can mean one of two
things:

1. The provider does not support notification because the provided
   content is static.
2. The implementor of the provider hasn't gotten around to implementing
   Notifier yet.

These have very different implications. We should not force consumers of
these interfaces to have to figure out the static of Notifier across
sometimes numerous different implementations. Instead, we should force
implementors to implement Notifier, even if it's a noop.

Change-Id: Ie7a26697a9a17790bfaa58d67045663bcc71e3cb

Kubernetes-commit: 9b7d654a08d694d20226609f7075b112fb18639b
 2021-04-09 16:59:17 -07:00
Monis Khan bd0605a728 audit: make stage consts use correct type 
Signed-off-by: Monis Khan <mok@vmware.com>

Kubernetes-commit: 84ac2398da2be7810d311c4bc9f7358618ed193b
 2021-04-09 12:29:20 -04:00
Kubernetes Publisher 2cc2936b04 Merge pull request #100678 from tkashem/apf-exempt-probes 
apf: exempt probes /healthz /livez /readyz

Kubernetes-commit: 3294787f572e0fb22ce81c6fba89f631652e13b7
 2021-04-09 15:37:41 +00:00
Kubernetes Publisher 0ae9575f8c Merge pull request #100671 from Niekvdplas/spelling-mistakes 
Fixed several spelling mistakes

Kubernetes-commit: 4959cd6339ca5d44df5121efd86bb7b17f7a088b
 2021-04-09 15:37:39 +00:00
Kubernetes Publisher 0f7cee9856 Merge pull request #100141 from brendandburns/master 
Fix api installer to indicate PATCH may return a 201 for server side apply

Kubernetes-commit: e5e18d5266413fa56cc1b708f3c9e6772e6690e8
 2021-04-09 15:37:36 +00:00
njuptlzf b86a0eee08 Add more test code for SelectionPredicate 
Kubernetes-commit: 5468db05f0ca33e78ebf96420281097d28971140
 2021-04-09 22:28:51 +08:00
Monis Khan e14444ffc5 authorizer func: pass through context 
Signed-off-by: Monis Khan <mok@vmware.com>

Kubernetes-commit: 8f00e918d84a76ea43d76a8d5b96c3f2535afa99
 2021-04-09 09:33:46 -04:00
Lukasz Szaszkiewicz 49d90ce0ad DelegatingAuthenticationOptions TokenReview request timeout 
it turns out that setting a timeout on HTTP client affect watch requests made by the delegated authentication component.
with a 10 second timeout watch requests are being re-established exactly after 10 seconds even though the default request timeout for them is ~5 minutes.

this is because if multiple timeouts were set, the stdlib picks the smaller timeout to be applied, leaving other useless.
for more details see a937729c2c/src/net/http/client.go (L364)

instead of setting a timeout on the HTTP client we should use context for cancellation.

Kubernetes-commit: d690d71d27c78f2f7981b286f5b584455ff30246
 2021-04-09 13:20:51 +02:00
Kubernetes Publisher faa33164d5 Merge pull request #100523 from tkashem/refactor-finish-request 
Refactor rest.FinishRequest function

Kubernetes-commit: a5489431cfc0598dad421fccd2d713f84bf520bd
 2021-04-09 07:50:34 +00:00
Kubernetes Publisher 6de9cb2087 Merge pull request #100032 from apelisse/strip-before-updating-timestamp 
fieldmanager: Strip managedfields BEFORE we update the timestamp

Kubernetes-commit: 53fac160e530311703d77c2e23f2dcd633b628b6
 2021-04-09 03:27:41 +00:00
Kubernetes Publisher fa8a40ce7f Merge pull request #99868 from tkashem/httplog-started-timestamp 
Use the 'request received timestamp' value inside httplog

Kubernetes-commit: ff7ac966267c68400ac2d3c9b8681fb7f0482858
 2021-04-08 23:31:35 +00:00
Kubernetes Publisher 6baff345cb Merge pull request #99775 from p0lyn0mial/upstream-delegated-auth-custom-rt 
DelegatingAuthOptions: custom RoundTripper

Kubernetes-commit: 8fb400c475cefb8a40898d29a086a9b0fc20eb02
 2021-04-08 23:31:32 +00:00
Kubernetes Publisher 13b386f3f6 Merge pull request #99528 from pandaamanda/apiserver_validation_code_optimization 
fix log message and optimize log format check logic

Kubernetes-commit: 26fba1403b6189537be75325a484aeb04144b36e
 2021-04-08 23:31:30 +00:00
Kubernetes Publisher e61fc2bced Merge pull request #97989 from Danil-Grigorev/atomic-label-selectors 
Make selectors atomic

Kubernetes-commit: 1e05d25890afa9b4547c5585d0978ef56dcf07ca
 2021-04-08 23:31:28 +00:00
Monis Khan 0ac9d4bf6d Update auth OWNERS files to only use aliases 
Signed-off-by: Monis Khan <mok@vmware.com>

Kubernetes-commit: bca4993004953041c91ad56e37ef195b32066c27
 2021-04-07 10:42:00 -04:00
Monis Khan 2ad661f8c5 Prune stale entries from OWNERS files 
Signed-off-by: Monis Khan <mok@vmware.com>

Kubernetes-commit: 91241eac9b7a7e62cc31e663147294bf6dc8f875
 2021-04-07 10:38:27 -04:00
Monis Khan 725e1d4432 oidc authenticator: allow specifying a KeySet directly 
This change updates the oidc authenticator to allow specifying an
oidc.KeySet as an input option.  This makes it possible to
synchronously initialize the KeySet instead of relying on the
asynchronous initialization that is normally done to support
self-hosted providers.  This makes it easier to use this code as a
library.

Signed-off-by: Monis Khan <mok@vmware.com>

Kubernetes-commit: b5a1a45d48b4e90e54f512fc829b2ab9866b282e
 2021-04-06 12:20:57 -04:00
Monis Khan 1fd6a1891c oidc authenticator: allow passing in CA via bytes 
This change updates the OIDC authenticator code to use a subset of
the dynamiccertificates.CAContentProvider interface to provide the
root CA bytes.  This removes the hard dependency on a file based CA
and makes it easier to use this code as a library.

Signed-off-by: Monis Khan <mok@vmware.com>

Kubernetes-commit: 5dd4c89df38d4a5389c0cbf2c7fe4f6a5d5534ce
 2021-04-06 11:04:05 -04:00