70e2d9115d
Merge pull request #123413 from seans3/tunneling-spdy-websockets
...
PortForward: Tunnel SPDY through WebSockets
Kubernetes-commit: f745503112e06d6ff199e929d536c6a29825c01a
2024-03-05 05:11:34 +00:00
311716fd2e
Merge pull request #123639 from liggitt/authz-metrics
...
Add authorization webhook duration/count/failopen metrics
Kubernetes-commit: 46a2137c1ba017970c316c0ec10c074cb6450732
2024-03-05 01:28:55 +00:00
250f19d55f
Merge pull request #123190 from padlar/add-apiserver-wait-cache-metric
...
Add apiserver_watch_cache_read_wait metric to cache refresh time
Kubernetes-commit: 599d92f1fb6fce102ae83d6c98be1aa5749f35de
2024-03-04 21:09:36 +00:00
0376e5de57
adds comments to tunnelingResponseWriter
...
Kubernetes-commit: 3d56ff21fd3c9c9da82ff22044691ef0671ac7b6
2024-03-04 11:10:17 -08:00
7092a3d47e
Merge pull request #123660 from xigang/cacher/watch
...
cleanup: if triggerValue has a value fast break
Kubernetes-commit: a4eaf6e1200fa6f2050c71ef7a7e8ab27a8e4947
2024-03-04 13:20:46 +00:00
047ed89b4a
Merge pull request #123527 from aramase/aramase/f/kep_3331_discovery_url
...
Add `DiscoveryURL` to Authentication Configuration
Kubernetes-commit: ee5eca2a492531139f36201b101e2a7575120337
2024-03-03 18:51:54 -08:00
2eff540b7c
cleanup: if triggerValue has a value, fast break
...
Signed-off-by: xigang <wangxigang2014@gmail.com>
Kubernetes-commit: d72448a41c24911a57b24cabdef3ca63ee048bd4
2024-03-04 10:29:31 +08:00
9610424488
Fix headerInterceptingConn handling
...
Kubernetes-commit: 2443b3fa694462ab0438f10dea38557edea4d4e7
2024-03-02 17:57:39 -05:00
4d70dec65c
Promote StructuredAuthorizationConfiguration feature gate to beta
...
Kubernetes-commit: 30256c8909ab8c30a64f786361543768f2719c77
2024-03-02 02:12:36 -05:00
9adb3ee3c0
Add authorization webhook duration/count/failopen metrics
...
Kubernetes-commit: 79b344d85e3e2f8f3192a3dcabb384cfe87136a6
2024-03-02 01:44:28 -05:00
743b53428c
Test that separation of streams work by using progress notifies
...
Kubernetes-commit: 1cf4cec449cb29718a694e25f4750452af3f491d
2024-02-29 17:51:46 +01:00
a86b013fb6
make ValidatingAdmissionPolicy ignore excluded resources.
...
Kubernetes-commit: 64ee859aa82c17daa8037e4e90e066ae4582d653
2024-02-28 15:31:44 -08:00
b1e2103ed5
add resource filter to admission initializer.
...
Kubernetes-commit: 5b1fffa3e40b812e81ede244f671c90e3428e2ec
2024-02-28 15:31:18 -08:00
4eaefb0cee
jwt: fail on empty username via CEL expression
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 8345ad0bac4fee6d25f033f0445e2e10eae6afbe
2024-02-28 12:53:08 -05:00
9432b4df38
Prevent conflicts between service account and jwt issuers
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 05e1eff7933a440595f4bea322b54054d3c1b153
2024-02-27 17:11:18 -05:00
e810084a4b
Prevent watch cache starvation, by moving its watch to separate RPC and add a SeparateCacheWatchRPC feature flag to disable this behavior
...
Kubernetes-commit: 31d404b182d2985ce0d3c43f75d80c29a708beda
2024-02-27 11:25:42 +01:00
d456bc0c1b
wire up discovery url in authenticator
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 78fb0bae22f2106219d19fff060caa7866c27430
2024-02-26 16:17:58 -08:00
f4bc37078e
portforward: tunnel spdy through websockets
...
Kubernetes-commit: 8b447d8c97e8823b4308eb91cf7d75693e867c61
2024-02-21 08:56:07 +00:00
9ffd1e2039
Add apiserver_watch_cache_read_wait metric to cache refresh time
...
Signed-off-by: Sunil Shivanand <padlar@live.com>
Kubernetes-commit: e6ed0f37c65fb22c16f5afa408bc4de166070ebc
2024-02-08 12:39:50 +01:00
f2c6133c7f
Add `DiscoveryURL` to AuthenticationConfiguration
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 84852ff56f952b4c3daab920d119d24c2e6a3476
2024-02-07 01:41:52 +00:00
e92429c2ad
Merge pull request #123225 from aramase/aramase/f/kep_3331_latency_metrics
...
Add `apiserver_authentication_jwt_authenticator_latency_seconds` metric
Kubernetes-commit: 6d2ee131ebd13ce2ec2448300bb99f4ea942f1a9
2024-03-04 01:15:11 +00:00
6f43b57386
Merge pull request #123640 from liggitt/authz-beta-config
...
Duplicate v1alpha1 AuthorizationConfiguration to v1beta1
Kubernetes-commit: 8674282a054d3ae32e2e009dab6f8a0da3689828
2024-03-02 21:03:19 +00:00
4153027735
Duplicate v1alpha1 AuthorizationConfiguration to v1beta1
...
Kubernetes-commit: 0605a75c5e3590e2b0ab80d2163a76c4e77f4380
2024-03-02 01:56:29 -05:00
bf894b0555
Merge pull request #123634 from liggitt/handler-race
...
Fix discovery v2 conversion registration data race
Kubernetes-commit: 95875b7723fe1aa50b0a6a425ece8a0927ef83f8
2024-03-02 05:50:08 +00:00
cc00aa34b6
Merge pull request #123611 from ritazh/authz-mcmetrics
...
Add authz webhook matchcondition metrics
Kubernetes-commit: 3e1da218014b5a4e5c95ee79404093302104438b
2024-03-02 05:50:07 +00:00
00ac59edfa
Merge pull request #122975 from aramase/aramase/c/cleanup_authn_validation
...
cleanup structured authn/authz error logic
Kubernetes-commit: 4e8674f4e582c7d33143c42990d9409990d979a3
2024-03-02 05:50:03 +00:00
0d2b79b3b6
Merge pull request #122882 from Jefftree/agg-discovery-v2-usage
...
Use Aggregated Discovery v2 types and promote to GA
Kubernetes-commit: 3f25211d69b4412e3e926835067918f86f629f3e
2024-03-02 01:40:36 +00:00
59cba35b06
Fix discovery v2 conversion registration data race
...
Kubernetes-commit: 0e9cdf76ad2e21166dd5b72f7b0c2450d648c906
2024-03-01 19:29:39 -05:00
b7a30e3bfb
add authz webhook matchcondition metrics
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Jordan Liggitt <liggitt@google.com>
Co-authored-by: Jordan Liggitt <liggitt@google.com>
Kubernetes-commit: e76fce75666beb2771dfa15a10700f18d2d15d85
2024-02-29 20:55:32 -08:00
09c9be2c2e
Add `apiserver_authentication_jwt_authenticator_latency_seconds` metric
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 0da5e8137b839860d55938ceb6d520caba3fc776
2024-02-08 18:08:07 +00:00
7b0c197f53
cleanup structured authn/authz error logic
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: c2c4f4616d4ecea9fad5b994cdc72e3f96728962
2024-01-25 22:45:19 +00:00
d8d3b8c351
Use v2 types with agg discovery
...
Kubernetes-commit: 462dd326c2e98d937a96d49002883000efe4b2d6
2024-01-19 16:13:47 -05:00
7c8cdebce9
Promote AggregatedDiscovery to GA
...
Kubernetes-commit: 301e804c3f2fb3935c2cf3d2a04967f47921fc99
2024-02-27 16:59:46 -05:00
fc2ef69449
Remove test for disabling aggregated discovery
...
Kubernetes-commit: 0593746f6093a5a59a7a047f03a4139275fcaf11
2024-02-27 18:27:54 -05:00
4fa5c0c492
Merge pull request #123529 from thockin/go-workspaces
...
Go workspaces for k/k and k/staging/*
Kubernetes-commit: df366107d16aa2e2cdd620be41e592184f379da4
2024-03-01 21:19:35 +00:00
57928aa72c
Merge pull request #123560 from ivelichkovich/master
...
kep-3716 GA, remove feature gate
Kubernetes-commit: 6cc77a577e56c68e4fde81865e022e05e8e02538
2024-03-01 08:22:12 +00:00
e3922247fe
Merge pull request #123458 from aramase/aramase/i/min_jwt_payload
...
add min valid jwt payload to API docs for structured authn config
Kubernetes-commit: 5cf4fbe524ca1479607a4880949a032064556f76
2024-03-01 00:40:31 +00:00
3d757e5f42
Merge pull request #122676 from p0lyn0mial/upstream-watch-cache-init-events-ordering
...
apiserver/storage: improve RunWatchSemanticInitialEventsExtended test
Kubernetes-commit: 234f0fcfc32919301739c39941bcf86e99666bc7
2024-02-29 12:27:20 +00:00
9ccc257322
Merge pull request #122717 from jpbetz/crd-object-filters
...
KEP-4358: Custom Resource Field Selectors
Kubernetes-commit: a67973a45c4b48585e3331889eca09425caca7c2
2024-02-29 07:01:48 +00:00
0f77d82857
Fix up go.mod files after reviews
...
Because of how the previous 100+ commits were done, so changes snuck
thru that properly belong in earlier commits but it's not really
possible to do that without a lot of effort.
We agreed it was OK to "spackle" these cracks with a final commit.
Kubernetes-commit: 21715e6bbd19c932576ff268843d8ead3edb05e4
2024-02-28 16:50:55 -08:00
0a2e73e991
Merge pull request #123562 from jpbetz/bump-cel-go-0_17_8
...
Bump cel-go to v0.17.8 to pick up CEL estimated cost fix
Kubernetes-commit: fe8a12d264c88ac3cd0fb97d73c936de3fdd9788
2024-02-28 23:18:35 +00:00
414d2e2d63
Add selectableFields to CRDs
...
Kubernetes-commit: 291703482d58ae030da71c6d671a96a6f960fc6f
2024-02-28 14:06:06 -05:00
fc7cf5fb84
kep-3716 GA, remove feature gate
...
Kubernetes-commit: a51a5b462236d5eb87e6d690065f884c281a833c
2024-02-28 10:45:51 -06:00
5957e27e51
Bump cel-go to v0.17.8 to pick up CEL estimated cost fix
...
Kubernetes-commit: d49949b64205ca68222d001806d127fc6d7489f9
2024-02-28 10:52:36 -05:00
4b96323a12
Merge pull request #120897 from wojtek-t/fix_order_of_init_events
...
Ensure that initial events are sorted for WatchList
Kubernetes-commit: 54f9807e1e84981b2053f4daf779f5ed19962144
2024-02-28 07:29:22 -08:00
27e765eeff
Remove old gengo detritus
...
Kubernetes-commit: 812d5fff4011df4693dcdace516feec30ebff8ba
2024-02-26 23:31:41 -08:00
b3e4dc29ef
add min valid jwt payload to API docs for structured authn config
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: b57d7d6ad79ed0a2a8359144c07eadeef0ea3fd3
2024-02-22 16:33:24 -08:00
5624a05672
Remove defunct references to "vendor"
...
Kubernetes-commit: d772f7719dc55ebfec2e9461b6e14bf17f5301df
2024-01-15 15:56:21 -08:00
816c9a3d12
apiserver/storage: improve RunWatchSemanticInitialEventsExtended test
...
changes the test to populate the underlying data store with
more data to trigger potential ordering issues.
Kubernetes-commit: 20ded275705a6e11c1113cbeedad4de94e2dc666
2024-01-10 11:08:35 +01:00
541bc37de9
Fix go-to-protobuf wrt gengo/v2
...
There's some very fishy-smelling logic in here, but this commit is
trying to be as focused as possible.
The *.pb.go diffs are the "name" encoded in the descriptor. The
descriptor blobs can be decoded by this program (thanks StackOverflow!):
```
package main
import (
"bytes"
"compress/gzip"
"encoding/json"
"fmt"
"os"
"io/ioutil"
proto "github.com/golang/protobuf/proto"
dpb "github.com/golang/protobuf/protoc-gen-go/descriptor"
)
func main() {
m := map[string][]byte{
"before": blobv1,
"after": blobv2,
}
arg := os.Args[1]
dump(m[arg])
}
func dump(bytes []byte) {
fd, err := decodeFileDesc(bytes)
if err != nil {
panic(err)
}
b, err := json.MarshalIndent(fd, "", " ")
if err != nil {
panic(err)
}
fmt.Println(string(b))
}
// decompress does gzip decompression.
func decompress(b []byte) ([]byte, error) {
r, err := gzip.NewReader(bytes.NewReader(b))
if err != nil {
return nil, fmt.Errorf("bad gzipped descriptor: %v", err)
}
out, err := ioutil.ReadAll(r)
if err != nil {
return nil, fmt.Errorf("bad gzipped descriptor: %v", err)
}
return out, nil
}
func decodeFileDesc(enc []byte) (*dpb.FileDescriptorProto, error) {
raw, err := decompress(enc)
if err != nil {
return nil, fmt.Errorf("failed to decompress enc: %v", err)
}
fd := new(dpb.FileDescriptorProto)
if err := proto.Unmarshal(raw, fd); err != nil {
return nil, fmt.Errorf("bad descriptor: %v", err)
}
return fd, nil
}
var blobv1 = []byte{
// insert proto "before" blob here
}
var blobv2 = []byte{
// insert proto "after" blob here
}
```
Running this with "before" and "after" args, and diffing the output
yields something like:
```diff
--- /tmp/a 2023-12-23 23:57:04.748090836 -0800
+++ /tmp/b 2023-12-23 23:57:11.000040973 -0800
@@ -1,5 +1,5 @@
{
- "name": "k8s.io/kubernetes/vendor/k8s.io/api/admission/v1/generated.proto",
+ "name": "k8s.io/api/admission/v1/generated.proto",
"package": "k8s.io.api.admission.v1",
"dependency": [
"github.com/gogo/protobuf/gogoproto/gogo.proto",
```
Kubernetes-commit: b0a70dec4ab4cb9f972cf39a81ca5e5555417227
2023-12-24 10:01:42 -08:00
Kubernetes Publisher