kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,150 Commits 30 Branches 1,482 Tags 31 MiB
Commit Graph

864 Commits

Author SHA1 Message Date
Ziqi Zhao 39347989da fix for comments to ignore the request without request info 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 91af1145bf7b0e18a6b520a78875a1db6db29d96
 2024-03-15 09:42:42 +08:00
Ziqi Zhao 54b3a0e7f5 add http method to span name 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 1aeb0ba314016f2a2cd94b0450ba097c2b165e5d
 2024-03-13 13:25:36 +08:00
Ziqi Zhao 29913c19e4 change the integration test 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 02154293c76a0ea54293c82236c9025b96ea0125
 2024-03-12 22:49:38 +08:00
Ziqi Zhao 68eb5caed4 rename apiserver trace span to http server guidelines 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 84b9fbbdefa3f0bcfb1c4787093aa7840079b7ce
 2024-02-29 19:03:43 +08:00
Marek Siarkowicz 3a83dc12eb Fix SetFeatureGateDuringTest handling of Parallel tests 
Stop using defer as parallel subtest will might result in main test
finishing before subtest.

Fatal when same flag is set twice.

Kubernetes-commit: 9fcf279e2b91e7549190a433373f256fb5aebe85
 2024-03-05 21:56:40 +01:00
Tim Allclair 337f031e71 Stop appending AppArmor status to node ready condition 
Kubernetes-commit: 24537a91317f9fd125ee805cd0b781358ac86f35
 2024-02-21 13:11:07 -08:00
Jordan Liggitt 59cba35b06 Fix discovery v2 conversion registration data race 
Kubernetes-commit: 0e9cdf76ad2e21166dd5b72f7b0c2450d648c906
 2024-03-01 19:29:39 -05:00
Jefftree d8d3b8c351 Use v2 types with agg discovery 
Kubernetes-commit: 462dd326c2e98d937a96d49002883000efe4b2d6
 2024-01-19 16:13:47 -05:00
Jefftree fc2ef69449 Remove test for disabling aggregated discovery 
Kubernetes-commit: 0593746f6093a5a59a7a047f03a4139275fcaf11
 2024-02-27 18:27:54 -05:00
Joe Betz 414d2e2d63 Add selectableFields to CRDs 
Kubernetes-commit: 291703482d58ae030da71c6d671a96a6f960fc6f
 2024-02-28 14:06:06 -05:00
Eric Lin 000601bdbe Add handler to run watch serving in separate goroutine 
This handler allows running execution prior to actual serving in a separate
goroutine when serving requests. Doing so benefits cases in serving long running
requests because it allows freeing memory used by the separate goroutine
and keeps the serving routines slim.

Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 7b2698a5e5c61b303481c2006847409fc8704746
 2023-10-10 08:53:26 +00:00
Abu Kashem e6f368f3b9 apiserver: refactor handleError in endpoints/filters 
Kubernetes-commit: 9e37ccedc7fbbbacf07ecc79949c75e1e250ba58
 2024-01-09 13:32:09 -05:00
HirazawaUi bc8676d59a Add decoding time to the audit log 
Kubernetes-commit: 20fe2a3539e90f7554f94359ac3b4058a5bbb363
 2023-10-25 22:52:11 +08:00
Vandit Singh ff6a2dc722 Negative index regression test for json-patch (#122625) 
* add testcase with negative index

* exercise successful negative index patching

* use different values for testing

Co-authored-by: Chris Bandy <bandy.chris@gmail.com>

---------

Co-authored-by: Chris Bandy <bandy.chris@gmail.com>

Kubernetes-commit: 83ff8a2f49f820fb355b24c65b8629710dca8a54
 2024-01-18 09:31:12 +00:00
Eric Lin a2e6b85db4 handlers/watch: refactor watch serving to prepare offloading 
Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 87d817e62d8c6e93cf45bf90a7ecadfe4156ab1f
 2023-11-27 10:06:50 +00:00
Wojciech Tyczyński 697d456e35 Minor cleanup in watch handlers 
Kubernetes-commit: d907062308563b1a9e52152c48f4240a6e11aade
 2023-11-29 22:31:05 +01:00
Wojciech Tyczyński 442cc39449 Unify watch handler across http and websockets 
Kubernetes-commit: 55e60db88b126013f00135f49df3296f52b2572a
 2023-11-29 21:57:39 +01:00
Wojciech Tyczyński d64b183dbd Address review comments 
Kubernetes-commit: 0dd495e6dc253f94b0ad0bb92178fb5e8981116b
 2023-10-13 10:48:16 +02:00
Wojciech Tyczyński 65d3be7b39 Refactor watch event serialization to allow caching 
Kubernetes-commit: 7ff866463af46b5f7cf068ba8d51c68e417b9ece
 2023-08-25 15:41:14 +02:00
Yao Cheng 2b3f11cba2 Register metrics for apiserver handlers 
Signed-off-by: Yao Cheng <chengyao09@hotmail.com>

Kubernetes-commit: 18c3b6fce43edd76620a07707af2d851b52c3fad
 2023-09-06 17:25:12 +00:00
carlory 5ac339fec6 update pretty param description 
Kubernetes-commit: 75f20ee64da5317f4473de643eac43686fe9215e
 2023-10-16 16:36:31 +08:00
Damien Grisonnet b5b4cd7758 apiserver: rename request body size metric 
Rename the apiserver_request_body_sizes metric to
apiserver_request_body_size_bytes to conform with Prometheus best
practices.

This can be done safely without deprecation because that metric wasn't
registered before.

Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>

Kubernetes-commit: 08006c842fd6a584bb8e2511587c999ffe7ced9d
 2023-09-07 19:16:31 +02:00
Monis Khan 87ef6687ab Skip TestUnauthenticatedHTTP2ClientConnectionClose http1 tests 
These occasionally flake on CI:

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312

=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
    authentication_test.go:653: expect TCP connection: 1, actual: 2
        --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
    --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: cd5db9b7f23b0156bf5535fc0124361fbef0ce6a
 2023-10-12 19:13:07 -04:00
Monis Khan 445b713906 Prevent rapid reset http2 DOS on API server 
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
b225e7ca6d
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb
 2023-10-07 21:50:37 -04:00
David Ashpole d35f091281 fix missing http.target trace attribute 
Kubernetes-commit: 80269d5d3497acc8ad155cb9bfbfaa7fd9e20d1f
 2023-10-06 18:09:29 +00:00
Lukasz Szaszkiewicz 1c49f6c8ba endpoints/metrics: define watchListLatencies metric and associated functions 
Kubernetes-commit: a97f4b7a3123c9768ec7136b6ca32be926e16cd6
 2023-09-19 03:05:37 +02:00
Lukasz Szaszkiewicz cd87b8f62d handlers/watch: calculate and record WatchList latency metric. 
Kubernetes-commit: 772b1f4cd84a738f632716e28d4067c00f0b7f13
 2023-09-19 03:05:00 +02:00
HirazawaUi 91aa0e1c62 Add namespace to apiserver tracing 
Kubernetes-commit: 45b9b0df41fb67cf2c71263b3577f3b3daff4899
 2023-09-03 21:50:47 +08:00
HirazawaUi f5f4a6148a Add subresource to apiserver tracing 
Kubernetes-commit: c83eb6dcaaacfe8b5706f7fdc969000fbef2d119
 2023-09-03 21:37:13 +08:00
HirazawaUi 2b665e42e6 Add name to apiserver tracing 
Kubernetes-commit: bcb59a03ebb50a966cc6921dea016cc68e0bf843
 2023-09-03 21:33:48 +08:00
HirazawaUi 79f4968b20 Add api-version to apiserver tracing 
Kubernetes-commit: 646053d73dbda9cae5df5fd105a720661ff051dc
 2023-09-03 21:24:13 +08:00
HirazawaUi c51632c143 Add group to apiserver tracing 
Kubernetes-commit: 8c34208a62f09904cd270906889d57c7a613b5d6
 2023-09-03 21:11:08 +08:00
Wojciech Tyczyński 3bcdefc0fd Refactor transformers for watch to implement Encoder interface 
Kubernetes-commit: 160589a0edb2038f2e22e376b6a0b71a24d21f22
 2023-08-11 21:43:49 +02:00
Wojciech Tyczyński 70b023f369 Minor cleanup tranformers interface 
Kubernetes-commit: 3fcc045bce9d77704f872d6089d7c09342e26a44
 2023-08-09 19:49:59 +02:00
Wojciech Tyczyński 6311828461 Cleanup setting non-nil Items field 
Kubernetes-commit: 172a41192c65324b1dc9dc4d90903552c538d664
 2023-08-07 21:17:03 +02:00
Wojciech Tyczyński 3fd71eeb11 Refactor WatchServer to prepare for using encoders 
Kubernetes-commit: ff56d3b6914dbc9e16683ab731eb8c0a485b4ab4
 2023-08-03 21:50:08 +02:00
Jefftree 35302d6383 Move adding GroupVersion log until after an update is confirmed 
Kubernetes-commit: 49e00e8bdeec6b1cdaf691ec85ba8510892ebbc2
 2023-08-08 14:28:54 +00:00
Dr. Stefan Schimanski 13a3aab581 apiserver/httplog: pretty up impersonation output 
```
I0807 09:09:16.419239       1 httplog.go:132] "HTTP" verb="GET" URI="/apis/batch/v1?timeout=32s" latency="214.666µs" userAgent="kubernetes-provider/v0.0.0 (linux/arm64) kubernetes/$Format" audit-ID="948ef6b2-474d-45a7-ad5f-894ce93d05f7" srcIP="192.168.139.202:35542" apf_pl="exempt" apf_fs="exempt" apf_execution_time="129.5µs" resp=200 addedInfo=<

      &{kubernetes-admin  [system:masters system:authenticated] map[]} is acting as &{foo  [system:authenticated] map[]}
       >
```

to

```
I0807 09:09:16.419239       1 httplog.go:132] "HTTP" verb="GET" URI="/apis/batch/v1?timeout=32s" latency="214.666µs" userAgent="kubernetes-provider/v0.0.0 (linux/arm64) kubernetes/$Format" audit-ID="948ef6b2-474d-45a7-ad5f-894ce93d05f7" srcIP="192.168.139.202:35542" apf_pl="exempt" apf_fs="exempt" apf_execution_time="129.5µs" resp=200 addedInfo="kubernetes-admin[system:masters system:authenticated] is impersonating foo[system:authenticated]"
```

Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

Kubernetes-commit: 37730c07dd658ba585ffee3861780e18947ca534
 2023-08-07 11:23:30 +02:00
Jordan Liggitt 1edd7d6157 Avoid returning nil responseKind in v1beta1 aggregated discovery 
Kubernetes-commit: 1876ddf71497bad349f7c4df24c2e22356d3bad9
 2023-08-08 14:25:56 -04:00
VillageHeadHuang e6c3a57fb9 replace strings.Index with strings.Contains instead 
replace strings.Index() !=-1  with strings.Contains instead

Kubernetes-commit: 037847066ce7ebb622c4b207355ac97814414841
 2023-07-14 15:25:36 +08:00
David Eads 5ed33dc31d add list of served versions to storage version 
Kubernetes-commit: 90ab7580aaeca1c6e949df15554ad5bc408dca8e
 2023-07-12 18:27:27 -04:00
Tim Allclair 2a8bc69060 Initialize the AuditEvent with the AuditContext (#113611) 
* Initialize the AuditEvent with the AuditContext

* Squash: Address PR feedback

* Squash: address PR feedback

Kubernetes-commit: 2b03f04ce589a57cf80b2153c7e5056c53c374d3
 2023-07-03 18:28:13 +00:00
Andrew Sy Kim 986c8832e5 apiserver: introduce larger buckets for request_filter_duration_seconds metric 
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>

Kubernetes-commit: c607984379234249403354bf1f9a2e86a740caf0
 2023-06-28 14:19:51 +00:00
Sean Sullivan cdd93b4685 Refactor wsstream library from apiserver to apimachinery 
Kubernetes-commit: 8f3109da7913ef17c6656893f12f0e29ceabbde0
 2023-05-22 10:03:17 -07:00
Eric Lin edd537cbe3 Do not copy bytes for cached serializations 
Since cachingObject has the encoded data cached and they are not
supposed to change. It's memory efficient to just copy the slice
references.

Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 3085b57869a2a7bf5290ab97facaf17fedfa88a0
 2023-05-31 19:12:32 +00:00
HirazawaUi e6be55636d add Authentication tracking request/error counts and latency metrics 
Kubernetes-commit: 104c208d0fb69ad8edb180b2b306516f9d01d021
 2023-04-11 22:35:14 +08:00
Alexander Zielenski 5ea7a9f341 fixup patcher test to include field manager 
Kubernetes-commit: 077cc20f8af4387f37d972e925510cb5e2ef56ea
 2023-03-15 14:42:07 -07:00
Alexander Zielenski 4bd3e89853 remove checks for fieldmanager from handlers 
it should never be nil

Kubernetes-commit: ad5cda4d21974104db01732474130d10c001d3f2
 2023-03-14 15:08:00 -07:00
Alexander Zielenski c5d71177bc supply deduced typeconverter to apiserver tests 
Kubernetes-commit: 94909af68aee4e5ad9f9c4f48f0b328473725e7a
 2023-03-03 10:45:44 -08:00
Alexander Zielenski 3783e4af68 Throw error if OpenAPIV3 config is not provided 
it is required for Server-SIde-Apply to function correctly (SSA is based on OpenAPI schemas)

Kubernetes-commit: 302daa889c5ddb9c862cd0101b94071e42a3081d
 2023-01-11 14:54:03 -08:00