b313c48103
Retain the test coverage of TestObserveWebhookRejection.
...
Kubernetes-commit: ae90e6b9a1f1e9e7704feeefa8723c15f2afa61e
2021-05-18 21:13:24 +00:00
7edb7c1c1e
Add attr to the argument list of ObserveWebhookRejection, and remove
...
operation, as it is included in attr.
Kubernetes-commit: fb23e449ab680bc53fc1aae826e377c1153d51e4
2021-05-18 17:42:02 +00:00
a2b831d599
Extend the max of admission latency buckets to 10s.
...
Kubernetes-commit: 2dbdfd0902e2625d40f338fdbb814ada63720d32
2021-04-17 00:59:25 +00:00
bbc089727a
Add a namespace label to admission metrics.
...
Kubernetes-commit: e7db88b0b65cf685ccae804ff2d073169ed9637e
2021-04-17 00:58:11 +00:00
f9b4d95442
add fail-open audit logs to validating and mutating admission webhook
...
Kubernetes-commit: 9fe7c8955bcb1edbb5aa4fe6bfb8bb6d93d381de
2021-05-18 13:31:03 -04:00
04c8c14809
admission metrics reset metrics after tests
...
Kubernetes-commit: b1a81d2fb8b4528172a8de6de01b53526b7b2277
2021-03-13 21:26:22 +01:00
8c01d7fe18
apiserver: wrap errors in admission with context
...
When the API server encounters an error during admission webhook
handling, lower-level errors are bubbled up without any additional
context added. This leads to fairly opaque and unintelligible errors. It
is not clear to users if the API server itself is having an error (for
instance, fetching the REST client) or if the request to the webhook
failed in some way.
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Kubernetes-commit: ae9e71ba68cb1dd00bb5ed2635bac9aab2abbafe
2021-04-27 11:19:01 -07:00
4a7c21439a
webhook config manager: HasSynced returns true when the manager is synced with existing webhookconfig objects at startup
...
Kubernetes-commit: 37d171e5bc6ca5b7aab7bfe52c8baabdea536415
2021-03-17 14:34:06 -07:00
887895128f
staging/src/k8s.io/apiserver/pkg/admission: migrate to structured logs
...
Kubernetes-commit: 2dc8cadd00962512fa90c460b9fa86a175ca73fc
2021-01-18 17:19:32 +08:00
4c292300d7
add context to metrics in apiserver admission webhook
...
Kubernetes-commit: b3aeaa4ed7bf8d419a96b4456a97bdf4c29e4330
2020-12-09 16:46:15 -08:00
ee05a4663e
bugfix: check Spec.AllocateLoadBalancerNodePorts for nodeport and skip zero usage in delta evaluator
...
Signed-off-by: pacoxu <paco.xu@daocloud.io>
When Spec.AllocateLoadBalancerNodePorts is "false" NodePort shall
not be included when computing quota for type:LoadBalancer.
Co-authored-by: uablrek
Kubernetes-commit: 15867d9e8a1faf007f6df563c26a9b5e8744b2a1
2020-12-22 19:19:15 +08:00
584906efd7
Fix staticcheck in staging/src/k8s.io/apiserver/pkg/admission/initializer
...
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
Kubernetes-commit: 8a0bce0021ca5565ba90d2119e479d3728a53865
2021-01-02 22:38:09 +02:00
5d58b175c8
fix S1021 var declaration
...
Signed-off-by: Ken Sipe <kensipe@gmail.com>
Kubernetes-commit: 6c49299739a9819c3672248517ab3d6636d1d8c6
2020-06-25 17:10:34 -05:00
8e88bf25dd
Fix go lint on folder apimachinery/pkg/runtime/serializer/json
...
Kubernetes-commit: 4b8b9c92bfc4bffe2fbaca3c5a5f731b77dc8915
2020-11-06 20:20:57 -03:00
618f4b129a
Make the creation of namespace using POST and PATCH consistent
...
PATCH verb is used when creating a namespace using server-side apply,
while POST verb is used when creating a namespace using client-side
apply.
The difference in path between the two ways to create a namespace led to
an inconsistency when calling webhooks. When server-side apply is used,
the request sent to webhooks has the field "namespace" populated with
the name of namespace being created. On the other hand, when using
client-side apply the "namespace" field is omitted.
This commit aims to make the behaviour consistent and populates the
"namespace" field when creating a namespace using POST verb (i.e.
client-side apply).
Kubernetes-commit: 3cb510e33eecbdc37aad14f121396ccfbf5268cb
2020-09-21 12:13:12 +02:00
8622b05104
fix duplicate testcase names
...
Kubernetes-commit: c3f71ad5487844e4cdd01702d4df3ac8606ca397
2020-09-17 17:15:05 -07:00
db03041f4b
Add more tests for LRU cache lookup
...
Kubernetes-commit: cc0b86fa3c5d83ab8023f9403feee3928794f85a
2020-08-04 14:57:45 +02:00
50305ec465
Move ResourceQuota admission to k8s.io/apiserver
...
Kubernetes-commit: 70d440bc7e3ec31b3f193b85f265b39d629aa3bb
2020-07-29 10:34:39 +02:00
ada9fc3d08
extend ShouldCallHook benchmark to verify performance imporvement
...
Kubernetes-commit: 850a913ea98a070e26cc62cbf95508084e8cc66b
2020-07-28 10:09:37 +08:00
7e3b5e44da
skip mismatched webhookAccessor and object
...
Kubernetes-commit: c1d78f2619b69585713597e4ffdaeef12b6c20ec
2020-07-01 23:57:04 +08:00
3fab22a096
cleanup tempfiles in unit test
...
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Kubernetes-commit: 02eaa4f354fd9abb4b11c5616ce8906684e2b4f5
2020-06-18 11:24:46 +08:00
97937c66f2
Revert nested trace PR#88936
...
Kubernetes-commit: 02cf58102a61b6d1e021e256381ff750573ce55d
2020-07-20 09:55:05 -07:00
7a467399ac
Enable nested tracing, add request filter chain tracing incl. authn/authz tracing
...
Kubernetes-commit: b12ac0abc64adb71d97fbde12f373b1424631f20
2020-03-06 16:11:21 -08:00
ff5372c83d
Add warnings capability for admission webhooks
...
Kubernetes-commit: 5eef60a00aeb18eda4238dbd8f6dc96930a6a05a
2020-06-30 16:27:56 -04:00
5879417a28
switch over k/k to use klog v2
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: 442a69c3bdf6fe8e525b05887e57d89db1e2f3a5
2020-04-17 15:25:06 -04:00
529b6da9bb
remove prometheus dependencies from k/k and add testcases for LabelsMatch
...
Kubernetes-commit: 6e986249ee4252f83037f229a8773869feaab15a
2020-04-22 14:07:53 +08:00
7adab84d8a
Adding IngressClass to networking/v1beta1
...
Co-authored-by: Christopher M. Luciano <cmluciano@us.ibm.com>
Kubernetes-commit: 132d2afca0794b4bcaedb6dbbefe4e9d66e80239
2020-02-24 21:20:45 -08:00
15ffd4d5c4
Remove global variable dependency from runtimeclass admission
...
Kubernetes-commit: 57ea7a11a646e5ad9b3f5c42ba42c0b1d279286b
2020-02-27 15:20:26 -05:00
337d7943db
generated: run refactor
...
Kubernetes-commit: 3aa59f7f3077642592dc8a864fcef8ba98699894
2020-02-07 18:16:47 -08:00
f7c2e26715
cleanup req.Context() and ResponseWrapper
...
Kubernetes-commit: 968adfa99362f733ef82f4aabb34a59dbbd6e56a
2020-01-27 18:52:27 -08:00
5737088b7f
refactor
...
Kubernetes-commit: d55d6175f8e2cfdab0b79aac72046a652c2eb515
2020-01-27 18:19:44 -08:00
b858bded65
Promote WebhookAdmissionConfiguration to v1
...
Kubernetes-commit: 71fad812caf6be07be3c5eabe9fdc39c29f7b2a9
2019-11-12 09:43:35 -05:00
4b9c976f43
AdmissionConfiguration v1
...
Kubernetes-commit: 1234290adfa11eb3dd34242c296e1f1dbe211c19
2019-11-11 11:57:29 -05:00
331894196f
add featuregate inspection as admission plugin initializer
...
Kubernetes-commit: 675c2fb924e82091f7ce4601e48daf4cc7030e72
2019-11-05 14:28:40 -05:00
3d42d38e70
namespace: Provide a special status cause when a namespace is terminating
...
Clients should be able to identify when a namespace is being terminated and
take special action such as backing off or giving up. Add a helper for
getting the cause of an error and then add a special cause to the forbidden
error that namespace lifecycle admission returns. We can't change the forbidden
reason without potentially breaking older clients and so cause is the
appropriate tool.
Add `StatusCause` and `HasStatusCause` to the errors package to make checking
for causes simpler. Add `NamespaceTerminatingCause` to the v1 API as a constant.
Kubernetes-commit: a62c5b282fda7c0832d329cde45e5e0a836924e8
2019-10-19 22:57:21 -04:00
630eda2c9b
eliminate direct references to prometheus
...
Kubernetes-commit: f99b4339681329779e44cd9f0c8ffdbabfeb6fcf
2019-10-10 11:18:52 +08:00
c51b9411f6
Switch admission webhook config manager to v1
...
Kubernetes-commit: f247e75980061d7cf83c63c0fb1f12c7060c599f
2019-08-01 21:57:39 -04:00
7400a466d2
Explicitly handle returned error values in admission metrics_test
...
Kubernetes-commit: 774641ebdbdc7fe89380e7e1e77f5ebbe843ecec
2019-08-21 12:13:33 -07:00
d1d66bda16
Propagate context to Authorize() calls
...
Kubernetes-commit: 92eb072989eba22236d034b56cc2bf159dfb4915
2019-09-24 10:06:32 -04:00
25bf5d3b30
Add integration test for webhook client auth
...
Kubernetes-commit: e734c70e037cf1311581eb61ae3e45adaa76771b
2019-09-02 22:37:07 -04:00
80b9dc503b
Plumb service port, URL port to webhook client auth resolution
...
Kubernetes-commit: d127042cb81cbf545332ec3124161525ef84183c
2019-09-02 22:38:36 -04:00
ce4eaaeeb3
Make webhook benchmarks parallel
...
Kubernetes-commit: 601b7d33a9cf0b724cdabb5de81b0bf2821f0fca
2019-08-28 13:27:38 -04:00
8d86fef522
wire up the webhook rejection metrics in webhook handlers
...
Kubernetes-commit: 620f5f2c587971be50cb27bb2a2d35209b3dc058
2019-08-28 17:32:07 -07:00
466e192e26
test
...
Kubernetes-commit: 71d7477c2187c0f956b90b7b55e8beee449229a2
2019-08-28 16:54:39 -07:00
c5bca07c6b
add webhook rejection metrics
...
Kubernetes-commit: 714dced0d1c7fbb703fa55c39a071a8a97db9176
2019-08-28 16:49:47 -07:00
e248b8b513
fix semantics of the rejected label in webhook metrics
...
when error calling webhook is ignored, do not log the request as
rejected
Kubernetes-commit: f3c793512b45ea3910d5e5a379292c13b62ab64b
2019-08-28 15:31:27 -07:00
58f780d1e2
Use cached selectors/client for webhooks
...
Kubernetes-commit: 8c10d929cac13dc50ca4ffaca83e7ae5c8e41292
2019-08-24 17:12:14 -04:00
b7340127c3
Add admission benchmarks
...
go test ./vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating -bench . -benchmem -run DoNotRun
go test ./vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating -bench . -benchmem -run DoNotRun
Kubernetes-commit: 27f535e26ad88fa30d5c0fcde4bc31897b9d521c
2019-08-24 17:40:07 -04:00
eb2a4467ba
Let webhook accessors construct client/selectors once
...
Kubernetes-commit: 14154c2345e7e467be0ff003c61cec9c0bd2be3e
2019-08-20 17:16:21 -04:00
b9084e350a
migrate kube-apiserver metrics to stability framework
...
Kubernetes-commit: 466980dd747e06e55451301c624eecccfa505123
2019-08-22 15:38:42 -07:00
Dinghua Li