Commit Graph

250 Commits

Author SHA1 Message Date
Andrew DeMaria 81abb60d67 generate fully qualified type references
Currently type references for non-local names are output as relative
types, which are subject to the resolution rules as defined at
https://protobuf.com/docs/language-spec#reference-resolution
This works fine within the k8s.io namespace where no subpackages are
named k8s, but other users of go-to-protobuf likely have k8s in their
package name. This causes conflicts in the search resolution when
executing `go-to-protobuf`:

```
company.example.com/k8s/custom/pkg/apis/custom.k8s.example.com/v1/generated.proto:64:12: "k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta" is resolved to "company.example.com.k8s.custom.pkg.apis.custom.k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta", which is not defined. The innermost scope is searched first in name resolution. Consider using a leading '.'(i.e., ".k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta") to start from the outermost scope.
```

To avoid this we can output fully qualified type references using a
preceding dot (.).

This results in a change for k8s generated.proto files, but the
effect is a noop.

Fixes kubernetes/code-generator#147

Signed-off-by: Andrew DeMaria <ademaria@cloudflare.com>

Kubernetes-commit: 9edf1fc51c56d565348c48f3765cf094518ba7ed
2023-03-20 18:02:14 -06:00
Monis Khan 5b4b237d07 Require email_verified to be used when email is set as username via CEL
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 121607e80963370c1838f9f620c2b8552041abfc
2024-03-05 17:20:18 -05:00
Anish Ramasekar bc65af8e04 Support multiple JWT authenticators with structured authn config
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 39e1c9108c0802024ebb01ad2286b2f09f63798e
2024-02-21 15:19:25 -08:00
Anish Ramasekar f09dddfc89 Duplicate v1alpha1 AuthenticationConfiguration to v1beta1
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: b502aa6f31d3f55ce87cafdf3eb5e3fb87e74b50
2024-03-04 23:37:31 -08:00
Monis Khan 37809637af Fix AuthenticationConfiguration docs around nested claims via CEL
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 290f2a7e1b62d2bfce2363ec528155a9748e0adb
2024-03-05 12:01:11 -05:00
Monis Khan 9432b4df38 Prevent conflicts between service account and jwt issuers
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 05e1eff7933a440595f4bea322b54054d3c1b153
2024-02-27 17:11:18 -05:00
Anish Ramasekar f2c6133c7f Add `DiscoveryURL` to AuthenticationConfiguration
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 84852ff56f952b4c3daab920d119d24c2e6a3476
2024-02-07 01:41:52 +00:00
Jordan Liggitt 4153027735 Duplicate v1alpha1 AuthorizationConfiguration to v1beta1
Kubernetes-commit: 0605a75c5e3590e2b0ab80d2163a76c4e77f4380
2024-03-02 01:56:29 -05:00
Jordan Liggitt 59cba35b06 Fix discovery v2 conversion registration data race
Kubernetes-commit: 0e9cdf76ad2e21166dd5b72f7b0c2450d648c906
2024-03-01 19:29:39 -05:00
Anish Ramasekar 7b0c197f53 cleanup structured authn/authz error logic
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: c2c4f4616d4ecea9fad5b994cdc72e3f96728962
2024-01-25 22:45:19 +00:00
Jefftree d8d3b8c351 Use v2 types with agg discovery
Kubernetes-commit: 462dd326c2e98d937a96d49002883000efe4b2d6
2024-01-19 16:13:47 -05:00
Tim Hockin 541bc37de9 Fix go-to-protobuf wrt gengo/v2
There's some very fishy-smelling logic in here, but this commit is
trying to be as focused as possible.

The *.pb.go diffs are the "name" encoded in the descriptor.  The
descriptor blobs can be decoded by this program (thanks StackOverflow!):

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"os"

	"io/ioutil"

	proto "github.com/golang/protobuf/proto"
	dpb "github.com/golang/protobuf/protoc-gen-go/descriptor"
)

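func main() {
	m := map[string][]byte{
		"before": blobv1,
		"after":  blobv2,
	}
	// Expect exactly one argument naming which blob to dump.
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: <program> before|after")
		os.Exit(1)
	}
	blob, ok := m[os.Args[1]]
	if !ok {
		fmt.Fprintf(os.Stderr, "unknown blob %q\n", os.Args[1])
		os.Exit(1)
	}
	dump(blob)
}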

func dump(bytes []byte) {
	fd, err := decodeFileDesc(bytes)
	if err != nil {
		panic(err)
	}
	b, err := json.MarshalIndent(fd, "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}

// decompress does gzip decompression.
func decompress(b []byte) ([]byte, error) {
	r, err := gzip.NewReader(bytes.NewReader(b))
	if err != nil {
		return nil, fmt.Errorf("bad gzipped descriptor: %v", err)
	}
	out, err := ioutil.ReadAll(r)
	if err != nil {
		return nil, fmt.Errorf("bad gzipped descriptor: %v", err)
	}
	return out, nil
}

func decodeFileDesc(enc []byte) (*dpb.FileDescriptorProto, error) {
	raw, err := decompress(enc)
	if err != nil {
		return nil, fmt.Errorf("failed to decompress enc: %v", err)
	}

	fd := new(dpb.FileDescriptorProto)
	if err := proto.Unmarshal(raw, fd); err != nil {
		return nil, fmt.Errorf("bad descriptor: %v", err)
	}
	return fd, nil
}

var blobv1 = []byte{
	// insert proto "before" blob here
}

var blobv2 = []byte{
	// insert proto "after" blob here
}
```

Running this with "before" and "after" args, and diffing the output
yields something like:

```diff
--- /tmp/a	2023-12-23 23:57:04.748090836 -0800
+++ /tmp/b	2023-12-23 23:57:11.000040973 -0800
@@ -1,5 +1,5 @@
 {
-  "name": "k8s.io/kubernetes/vendor/k8s.io/api/admission/v1/generated.proto",
+  "name": "k8s.io/api/admission/v1/generated.proto",
   "package": "k8s.io.api.admission.v1",
   "dependency": [
     "github.com/gogo/protobuf/gogoproto/gogo.proto",
```
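
Review bot: The excerpt stops after the first few lines of the dump, so the statement that the *.pb.go diffs are only the descriptor `name` (vendored path replaced by `k8s.io/api/admission/v1/generated.proto`) rests on one truncated hunk for one file. Consider saying in the message that the full before/after diff has no other hunks, and that the `package` and `dependency` entries are unchanged across the regenerated files.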

Kubernetes-commit: b0a70dec4ab4cb9f972cf39a81ca5e5555417227
2023-12-24 10:01:42 -08:00
Anish Ramasekar b3e4dc29ef add min valid jwt payload to API docs for structured authn config
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: b57d7d6ad79ed0a2a8359144c07eadeef0ea3fd3
2024-02-22 16:33:24 -08:00
Tim Hockin d38e8187d9 Cleanup: s/depreciated/deprecated/g
Kubernetes-commit: 9f4b82bf3b079fe868effbd2498b61464db6d459
2024-02-18 14:50:55 -08:00
Anish Ramasekar 1bc99127a6 Add integration test for multiple audience in structured authn
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 0feb1d5173c94e28da79963fb296296b005dd6a1
2024-02-14 17:04:21 -08:00
Anish Ramasekar fb760be3fc support multiple audiences with jwt authenticator
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 18c563546a764b559ce5b74f09eaaaf9c1f0e5fb
2024-01-24 17:15:11 +00:00
Anish Ramasekar 26996e3679 Add AudienceMatchPolicy to AuthenticationConfiguration
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 19da90d6396ce9471f612d6e9a31f1b1c8d605b1
2024-01-25 22:35:16 +00:00
Anish Ramasekar e7eedd15ec move encryption config types to standard API server config location
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 75695dae1093cc08cb56a4930c0be8e7e4433be1
2023-12-16 00:00:21 +00:00
Anish Ramasekar 6bad17ce50 [StructuredAuthnConfig] add comment for extra keys unique requirement
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: af8da8e01c28286feedf528e94683781a0387a99
2024-01-02 19:58:20 +00:00
Tim Hockin 7674c1a859 Fix list_type_missing in k8s.io/apiserver
Kubernetes-commit: eddf65849dfa1b3c351597d7018a2700371d8955
2023-11-17 11:46:28 -08:00
Jordan Liggitt 374f72b704 Require match condition version only if matchConditions are specified
Kubernetes-commit: a000af25ff3bcc79fe7d8da299225ad252c9894a
2023-11-02 13:54:39 -04:00
Anish Ramasekar 78b670287d Implement CEL and wire it with OIDC authenticator
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 26e3a03d12d71e6e97bc7c40542cb7519051dd73
2023-09-20 23:11:37 +00:00
Anish Ramasekar 9032e4e6da add new fields in v1alpha1 StructuredAuthenticationConfiguration
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 6b971153d75534a768a67a6b50ee44423611f5b0
2023-09-07 22:30:28 +00:00
Rita Zhang cca4910d25 authz: add cel expression to webhook matchconditions
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: 31c76e9abb22faaf833acd54ce75cc71465136e4
2023-10-06 17:47:23 -07:00
Abu Kashem b041969f97 apiserver: allow zero value for the 'nominalConcurrencyShares' field
Kubernetes-commit: 9fd2ab419ad771790d3cb80ea7b8e6828d9ce305
2023-10-27 19:26:08 -04:00
Abu Kashem 0b0a995736 apiserver: apf controller, bootstrap, tests should use flowcontrol v1 API
Kubernetes-commit: 17bda3c3e05a75943591f61f37d7fdc0d07870ec
2023-10-11 09:20:41 -04:00
Nabarun Pal 4693682515 Add --authorization-config flag to apiserver
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 22e5a806a73e48486a90491fc3eb03d208b520a0
2023-09-25 09:18:11 +05:30
Nabarun Pal b259861486 staging/apiserver: correct KubeConfigFile type in authorization types
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 2bf2c4f3a413d3a2e070fe61aeba6fb309bf2e5e
2023-09-27 17:48:38 +05:30
Qiming Teng e014cf25b9 Generated files
Kubernetes-commit: c65fe450d8a3229cfe531a3806939775dd52e7e0
2023-10-03 20:16:10 +08:00
Qiming Teng d763e7d132 Fix API docs for audit APIs
The `*`s in the source comment are confusing the API reference generator.
They are treated as symbols for bold text when generating reference docs.
This PR replaces the quote marks with backticks so that the reference
generator can properly handle them.

Kubernetes-commit: e7b2aeee930188eec125bbb91096d9d3fd6f3b5c
2023-10-03 17:18:23 +08:00
Nabarun Pal 70eb989b94 k8s.io/apiserver: fix levelling of the name field in AuthorizationConfiguration
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 11ce6d29157daf7437d6da7fdeb11cabf2e774aa
2023-10-04 10:33:58 +05:30
Nabarun Pal 1eae2482e2 Bootstrap API Types for Structured Authorization Configuration
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 52c582ca77c775ee13300a999a29f8c4180750a2
2023-09-14 19:19:29 +05:30
Anish Ramasekar 25d893ad5f add loading config and wire feature flag
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 9e1ff1e51201ac41ddb1eed0d5cc015b4b6aa3df
2023-08-10 22:45:07 +00:00
Anish Ramasekar fdfc990c33 wiring existing oidc flags with internal API struct
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 1bad3cbbf59a61805a48f609b8cc0a2a40c168ef
2023-06-28 06:04:45 +00:00
Anish Ramasekar 496ba1943b add AuthenticationConfiguration v1alpha1 api
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: f909eb630cac310adf7267b85922f1340508ca79
2023-06-27 21:07:47 +00:00
Abu Kashem dfc035926b apf: add validation to exempt for borrowing
Signed-off-by: Mike Spreitzer <mspreitz@us.ibm.com>

Kubernetes-commit: f8e4e8abac8637f6510838d7d476a838ce612659
2023-05-15 12:08:18 -04:00
Tim Hockin 6fa34a3ae5 Clean up brace whitespace in **/validation_test.go
This was making my eyes bleed as I read over code.

I used the following in vim.  I made them up on the fly, but they seemed
to pass manual inspection.

```
:g/},\n\s*{$/s//}, {/
:w
:g/{$\n\s*{$/s//{{/
:w
:g/^\(\s*\)},\n\1},$/s//}},/
:w
:g/^\(\s*\)},$\n\1}$/s//}}/
:w
```

Kubernetes-commit: d55b67b349021b6c46fc6ce78f2a36bd4217145f
2023-05-02 00:36:15 -07:00
Igor Velichkovich 05d2078e68 Matchconditions admission webhooks alpha implementation for kep-3716 (#116261)
* api changes adding match conditions

* feature gate and registry strategy to drop fields

* matchConditions logic for admission webhooks

* feedback

* update test

* import order

* bears.com

* update fail policy ignore behavior

* update docs and matcher to hold fail policy as non-pointer

* update matcher error aggregation, fix early fail failpolicy ignore, update docs

* final cleanup

* openapi gen

Kubernetes-commit: 5e5b3029f3bbfc93c3569f07ad300a5c6057fc58
2023-03-15 07:36:02 +00:00
Kermit Alexander II fb14f0e553 Implement MessageExpression.
Kubernetes-commit: 4e26f680a9e10f0da94830bbaba9633807e22aba
2023-03-07 23:24:23 +00:00
Nilekh Chaudhari 9bc62d2547 feat: implements encrypt all
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

Kubernetes-commit: 9382fab9b65669e74e8fb77247b14e6cb3ec6b3f
2023-01-18 00:54:47 +00:00
David Ashpole fd3a7591f6 graduate API Server tracing to beta
Kubernetes-commit: 4014d0fbbf93f3bb9002b1e37a125840f7be131b
2023-03-07 21:39:39 +00:00
Cici Huang 16f5e2148c Update CRD validation rules path accordingly.
Kubernetes-commit: 1f4a9dd9187899a46a4fb86b52af50198da59aaf
2023-03-05 20:43:58 +00:00
Cici Huang c4a92f1b65 Apply resource constraints to ValidatingAdmissionPolicy.
Kubernetes-commit: 244c63a2e6c8d859be8f4c6c23fbe1263dbfab0a
2023-02-14 06:37:57 +00:00
Paco Xu f4e378eb7b API docs: point to current docs instead of archived designs
Kubernetes-commit: 3d536bd14bba0586f20d1d96560073e5d9e82f97
2023-02-16 15:29:56 +08:00
Paco Xu 1e1b60ce05 archived design proposals are now moved to Design Proposals Archive Repo.
Kubernetes-commit: 019d2615af3f7fd0ed0d593ef9df348f6d85b204
2023-02-08 11:12:22 +08:00
Anish Ramasekar 9fb6b944f0 kmsv2: implement expire cache with clock
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 4804baa01187b4251bd632e07721d875f567d6f1
2022-09-14 20:01:45 +00:00
Tim Hockin db316c3a3c Fix apiserver example2 to update gen'ed protobufs
regen apiserver example2

Kubernetes-commit: 9a491f79a8770e9eca8e19516b01018ed16cbe8a
2023-01-04 13:55:48 -08:00
Rita Zhang 911df25617 Update the godoc on the encryption config API on how to specify group/resources to be encrypted
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: c085031a8f3f366708f9b7aa7ab1695d802d9f5a
2022-11-28 07:18:02 -08:00
David Ashpole 34af8dc84a Revert "Graduate API Server tracing to beta"
Kubernetes-commit: e799fcdadd3cc3e8aa4ebde75d1bf0c05465b110
2022-11-09 22:37:28 -05:00
David Ashpole 855ac5dd3a embed component-base tracing configuration
Kubernetes-commit: 6e13cf69f62e54622d45269e9ae33799a85f7cff
2022-11-08 22:43:28 +00:00