Monis Khan
4eaefb0cee
jwt: fail on empty username via CEL expression
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 8345ad0bac4fee6d25f033f0445e2e10eae6afbe
2024-02-28 12:53:08 -05:00
Monis Khan
9432b4df38
Prevent conflicts between service account and jwt issuers
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 05e1eff7933a440595f4bea322b54054d3c1b153
2024-02-27 17:11:18 -05:00
Marek Siarkowicz
e810084a4b
Prevent watch cache starvation, by moving its watch to separate RPC and add a SeparateCacheWatchRPC feature flag to disable this behavior
Kubernetes-commit: 31d404b182d2985ce0d3c43f75d80c29a708beda
2024-02-27 11:25:42 +01:00
Anish Ramasekar
d456bc0c1b
wire up discovery url in authenticator
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 78fb0bae22f2106219d19fff060caa7866c27430
2024-02-26 16:17:58 -08:00
Sean Sullivan
f4bc37078e
portforward: tunnel spdy through websockets
Kubernetes-commit: 8b447d8c97e8823b4308eb91cf7d75693e867c61
2024-02-21 08:56:07 +00:00
Sunil Shivanand
9ffd1e2039
Add apiserver_watch_cache_read_wait metric to cache refresh time
Signed-off-by: Sunil Shivanand <padlar@live.com>
Kubernetes-commit: e6ed0f37c65fb22c16f5afa408bc4de166070ebc
2024-02-08 12:39:50 +01:00
Anish Ramasekar
f2c6133c7f
Add `DiscoveryURL` to AuthenticationConfiguration
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 84852ff56f952b4c3daab920d119d24c2e6a3476
2024-02-07 01:41:52 +00:00
Kubernetes Publisher
e92429c2ad
Merge pull request #123225 from aramase/aramase/f/kep_3331_latency_metrics
Add `apiserver_authentication_jwt_authenticator_latency_seconds` metric
Kubernetes-commit: 6d2ee131ebd13ce2ec2448300bb99f4ea942f1a9
2024-03-04 01:15:11 +00:00
Kubernetes Publisher
6f43b57386
Merge pull request #123640 from liggitt/authz-beta-config
Duplicate v1alpha1 AuthorizationConfiguration to v1beta1
Kubernetes-commit: 8674282a054d3ae32e2e009dab6f8a0da3689828
2024-03-02 21:03:19 +00:00
Jordan Liggitt
4153027735
Duplicate v1alpha1 AuthorizationConfiguration to v1beta1
Kubernetes-commit: 0605a75c5e3590e2b0ab80d2163a76c4e77f4380
2024-03-02 01:56:29 -05:00
Kubernetes Publisher
bf894b0555
Merge pull request #123634 from liggitt/handler-race
Fix discovery v2 conversion registration data race
Kubernetes-commit: 95875b7723fe1aa50b0a6a425ece8a0927ef83f8
2024-03-02 05:50:08 +00:00
Kubernetes Publisher
cc00aa34b6
Merge pull request #123611 from ritazh/authz-mcmetrics
Add authz webhook matchcondition metrics
Kubernetes-commit: 3e1da218014b5a4e5c95ee79404093302104438b
2024-03-02 05:50:07 +00:00
Kubernetes Publisher
00ac59edfa
Merge pull request #122975 from aramase/aramase/c/cleanup_authn_validation
cleanup structured authn/authz error logic
Kubernetes-commit: 4e8674f4e582c7d33143c42990d9409990d979a3
2024-03-02 05:50:03 +00:00
Kubernetes Publisher
0d2b79b3b6
Merge pull request #122882 from Jefftree/agg-discovery-v2-usage
Use Aggregated Discovery v2 types and promote to GA
Kubernetes-commit: 3f25211d69b4412e3e926835067918f86f629f3e
2024-03-02 01:40:36 +00:00
Jordan Liggitt
59cba35b06
Fix discovery v2 conversion registration data race
Kubernetes-commit: 0e9cdf76ad2e21166dd5b72f7b0c2450d648c906
2024-03-01 19:29:39 -05:00
Rita Zhang
b7a30e3bfb
add authz webhook matchcondition metrics
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Jordan Liggitt <liggitt@google.com>
Co-authored-by: Jordan Liggitt <liggitt@google.com>
Kubernetes-commit: e76fce75666beb2771dfa15a10700f18d2d15d85
2024-02-29 20:55:32 -08:00
Anish Ramasekar
09c9be2c2e
Add `apiserver_authentication_jwt_authenticator_latency_seconds` metric
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 0da5e8137b839860d55938ceb6d520caba3fc776
2024-02-08 18:08:07 +00:00
Anish Ramasekar
7b0c197f53
cleanup structured authn/authz error logic
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: c2c4f4616d4ecea9fad5b994cdc72e3f96728962
2024-01-25 22:45:19 +00:00
Jefftree
d8d3b8c351
Use v2 types with agg discovery
Kubernetes-commit: 462dd326c2e98d937a96d49002883000efe4b2d6
2024-01-19 16:13:47 -05:00
Jefftree
7c8cdebce9
Promote AggregatedDiscovery to GA
Kubernetes-commit: 301e804c3f2fb3935c2cf3d2a04967f47921fc99
2024-02-27 16:59:46 -05:00
Jefftree
fc2ef69449
Remove test for disabling aggregated discovery
Kubernetes-commit: 0593746f6093a5a59a7a047f03a4139275fcaf11
2024-02-27 18:27:54 -05:00
Kubernetes Publisher
4fa5c0c492
Merge pull request #123529 from thockin/go-workspaces
Go workspaces for k/k and k/staging/*
Kubernetes-commit: df366107d16aa2e2cdd620be41e592184f379da4
2024-03-01 21:19:35 +00:00
Kubernetes Publisher
57928aa72c
Merge pull request #123560 from ivelichkovich/master
kep-3716 GA, remove feature gate
Kubernetes-commit: 6cc77a577e56c68e4fde81865e022e05e8e02538
2024-03-01 08:22:12 +00:00
Kubernetes Publisher
e3922247fe
Merge pull request #123458 from aramase/aramase/i/min_jwt_payload
add min valid jwt payload to API docs for structured authn config
Kubernetes-commit: 5cf4fbe524ca1479607a4880949a032064556f76
2024-03-01 00:40:31 +00:00
Kubernetes Publisher
3d757e5f42
Merge pull request #122676 from p0lyn0mial/upstream-watch-cache-init-events-ordering
apiserver/storage: improve RunWatchSemanticInitialEventsExtended test
Kubernetes-commit: 234f0fcfc32919301739c39941bcf86e99666bc7
2024-02-29 12:27:20 +00:00
Kubernetes Publisher
9ccc257322
Merge pull request #122717 from jpbetz/crd-object-filters
KEP-4358: Custom Resource Field Selectors
Kubernetes-commit: a67973a45c4b48585e3331889eca09425caca7c2
2024-02-29 07:01:48 +00:00
Tim Hockin
0f77d82857
Fix up go.mod files after reviews
Because of how the previous 100+ commits were done, some changes snuck
through that properly belong in earlier commits but it's not really
possible to do that without a lot of effort.
We agreed it was OK to "spackle" these cracks with a final commit.
Kubernetes-commit: 21715e6bbd19c932576ff268843d8ead3edb05e4
2024-02-28 16:50:55 -08:00
Kubernetes Publisher
0a2e73e991
Merge pull request #123562 from jpbetz/bump-cel-go-0_17_8
Bump cel-go to v0.17.8 to pick up CEL estimated cost fix
Kubernetes-commit: fe8a12d264c88ac3cd0fb97d73c936de3fdd9788
2024-02-28 23:18:35 +00:00
Joe Betz
414d2e2d63
Add selectableFields to CRDs
Kubernetes-commit: 291703482d58ae030da71c6d671a96a6f960fc6f
2024-02-28 14:06:06 -05:00
Igor Velichkovich
fc7cf5fb84
kep-3716 GA, remove feature gate
Kubernetes-commit: a51a5b462236d5eb87e6d690065f884c281a833c
2024-02-28 10:45:51 -06:00
Joe Betz
5957e27e51
Bump cel-go to v0.17.8 to pick up CEL estimated cost fix
Kubernetes-commit: d49949b64205ca68222d001806d127fc6d7489f9
2024-02-28 10:52:36 -05:00
Kubernetes Publisher
4b96323a12
Merge pull request #120897 from wojtek-t/fix_order_of_init_events
Ensure that initial events are sorted for WatchList
Kubernetes-commit: 54f9807e1e84981b2053f4daf779f5ed19962144
2024-02-28 07:29:22 -08:00
Tim Hockin
27e765eeff
Remove old gengo detritus
Kubernetes-commit: 812d5fff4011df4693dcdace516feec30ebff8ba
2024-02-26 23:31:41 -08:00
Anish Ramasekar
b3e4dc29ef
add min valid jwt payload to API docs for structured authn config
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: b57d7d6ad79ed0a2a8359144c07eadeef0ea3fd3
2024-02-22 16:33:24 -08:00
Tim Hockin
5624a05672
Remove defunct references to "vendor"
Kubernetes-commit: d772f7719dc55ebfec2e9461b6e14bf17f5301df
2024-01-15 15:56:21 -08:00
Lukasz Szaszkiewicz
816c9a3d12
apiserver/storage: improve RunWatchSemanticInitialEventsExtended test
changes the test to populate the underlying data store with
more data to trigger potential ordering issues.
Kubernetes-commit: 20ded275705a6e11c1113cbeedad4de94e2dc666
2024-01-10 11:08:35 +01:00
Tim Hockin
541bc37de9
Fix go-to-protobuf wrt gengo/v2
There's some very fishy-smelling logic in here, but this commit is
trying to be as focused as possible.
The *.pb.go diffs are the "name" encoded in the descriptor. The
descriptor blobs can be decoded by this program (thanks StackOverflow!):
```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"os"

	proto "github.com/golang/protobuf/proto"
	dpb "github.com/golang/protobuf/protoc-gen-go/descriptor"
)

func main() {
	// Pick the embedded descriptor blob to dump: "before" or "after".
	m := map[string][]byte{
		"before": blobv1,
		"after":  blobv2,
	}
	arg := os.Args[1]
	dump(m[arg])
}

// dump decodes a gzipped FileDescriptorProto and prints it as indented JSON.
func dump(enc []byte) {
	fd, err := decodeFileDesc(enc)
	if err != nil {
		panic(err)
	}
	b, err := json.MarshalIndent(fd, "", " ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}

// decompress does gzip decompression.
func decompress(b []byte) ([]byte, error) {
	r, err := gzip.NewReader(bytes.NewReader(b))
	if err != nil {
		return nil, fmt.Errorf("bad gzipped descriptor: %v", err)
	}
	out, err := ioutil.ReadAll(r)
	if err != nil {
		return nil, fmt.Errorf("bad gzipped descriptor: %v", err)
	}
	return out, nil
}

// decodeFileDesc gunzips the registered descriptor blob and unmarshals it
// into a FileDescriptorProto.
func decodeFileDesc(enc []byte) (*dpb.FileDescriptorProto, error) {
	raw, err := decompress(enc)
	if err != nil {
		return nil, fmt.Errorf("failed to decompress enc: %v", err)
	}
	fd := new(dpb.FileDescriptorProto)
	if err := proto.Unmarshal(raw, fd); err != nil {
		return nil, fmt.Errorf("bad descriptor: %v", err)
	}
	return fd, nil
}

var blobv1 = []byte{
	// insert proto "before" blob here
}

var blobv2 = []byte{
	// insert proto "after" blob here
}
```
Running this with "before" and "after" args, and diffing the output
yields something like:
```diff
--- /tmp/a 2023-12-23 23:57:04.748090836 -0800
+++ /tmp/b 2023-12-23 23:57:11.000040973 -0800
@@ -1,5 +1,5 @@
{
- "name": "k8s.io/kubernetes/vendor/k8s.io/api/admission/v1/generated.proto",
+ "name": "k8s.io/api/admission/v1/generated.proto",
"package": "k8s.io.api.admission.v1",
"dependency": [
"github.com/gogo/protobuf/gogoproto/gogo.proto",
```
Kubernetes-commit: b0a70dec4ab4cb9f972cf39a81ca5e5555417227
2023-12-24 10:01:42 -08:00
Tim Hockin
510f374e58
Re-vendor latest kube-openapi and gengo/v2
./hack/pin-dependency.sh k8s.io/kube-openapi latest
./hack/pin-dependency.sh k8s.io/gengo/v2 latest
./hack/update-vendor.sh
Kubernetes-commit: 6f2f3735e04df5e4822176a2784069634c3c74a3
2024-02-26 17:02:22 -08:00
Jayapriya Pai
c05e83dd40
Expose DisableHTTP2 flag in SecureServingOptions
This is to mitigate CVE-2023-44487
until the Go standard library and golang.org/x/net
are fully fixed.
Signed-off-by: Jayapriya Pai <janantha@redhat.com>
Kubernetes-commit: e2503e50381cc9cc2e4a4c90f0738e54992558f8
2023-12-05 11:41:58 +05:30
Patrick Ohly
5ea67c789a
apiserver + controllers: enhance context support
27a68aee3a4834 introduced context support for events. Creating an event
broadcaster with context makes tests more resilient against leaking goroutines
when that context gets canceled at the end of a test and enables per-test
output via ktesting.
The context could get passed to the constructor. A cleaner solution is to
enhance context support for the apiserver and then pass the context into the
controller's run method. This ripples up the call stack to all places which
start an apiserver.
Kubernetes-commit: b92273a760503cc57aba37c4d3a28554f7fec7f8
2023-12-01 09:00:59 +01:00
Patrick Ohly
d712a4ee7e
apimachinery runtime: support contextual logging
In contrast to the original HandleError and HandleCrash, the new
HandleErrorWithContext and HandleCrashWithContext functions properly do contextual
logging, so if a problem occurs while e.g. dealing with a certain request and
WithValues was used for that request, then the error log entry will also
contain information about it.
The output changes from unstructured to structured, which might be a breaking
change for users who grep for panics. Care was taken to format panics
as similarly as possible to the original output.
For errors, a message string gets added. There was none before, which made it
impossible to find all error output coming from HandleError.
Keeping HandleError and HandleCrash around without deprecating while changing
the signature of callbacks is a compromise between not breaking existing code
and not adding too many special cases that need to be supported. There is some
code which uses PanicHandlers or ErrorHandlers, but less than code that uses
the Handle* calls.
In Kubernetes, we want to replace the calls. logcheck warns about them in code
which is supposed to be contextual. The steps towards that are:
- add TODO remarks as reminder (this commit)
- locally remove " TODO(pohly): " to enable the check with `//logcheck:context`,
merge fixes for linter warnings
- once there are none, remove the TODO to enable the check permanently
Kubernetes-commit: 5a130d2b71e5d70cfff15087f4d521c6b68fb01e
2023-11-20 20:25:00 +01:00
liyuerich
d8646c593d
drop deprecated workqueue NewNamed package
Signed-off-by: liyuerich <yue.li@daocloud.io>
Kubernetes-commit: 98dfaed4bec33b4995572685eb084d8202ac235b
2023-10-16 18:11:17 +08:00
Wojciech Tyczyński
45b7f21179
Ensure that initial events are sorted for WatchList
Kubernetes-commit: 92bdc7b3873800e6130176e49acdf5e17110e5b9
2023-09-26 18:39:44 +02:00
Kubernetes Publisher
04dda9abb8
Merge pull request #122830 from p0lyn0mial/upstream-watch-cache-wati-for-bk-after-rv
storage/cacher: ensure the cache is at the Most Recent ResourceVersion when streaming was requested
Kubernetes-commit: d2b4928669c633cffb0e4aa6317d0e016ee37de6
2024-02-28 12:29:11 +00:00
Kubernetes Publisher
3e22226ac6
Merge pull request #123281 from seans3/remote-command-websocket-beta
RemoteCommand over WebSockets to Beta
Kubernetes-commit: f7ca532472f035db2aedc8a1f86639dfd1dc596f
2024-02-28 12:29:10 +00:00
Kubernetes Publisher
f663919323
Merge pull request #123538 from jiahuif-forks/fix/cel/mutation-library-map-support
CEL mutation library: add support for map
Kubernetes-commit: 286cdad32d7967a5f3b84a8924448ea914d44c00
2024-02-28 12:29:05 +00:00
Kubernetes Publisher
e79edc2673
Merge pull request #123540 from enj/enj/i/jwt_iss
jwt: strictly support compact serialization only
Kubernetes-commit: 236f1b0f6b4cbb7e372a72d181c6285bdaf74873
2024-02-28 00:35:48 +00:00
Jiahui Feng
8485f72a96
add support for map
to CEL mutation library.
Kubernetes-commit: dc4c92f5a5646ed8d131a8bb8ff96b5e6b3e4bb8
2024-02-27 13:55:08 -08:00
Monis Khan
1154db23b1
jwt: strictly support compact serialization only
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: e89dddd4af67d34e441ec1733bdb22ce725d621c
2024-02-27 12:40:59 -05:00
Lukasz Szaszkiewicz
e53bac21d8
storage/watch_cache: rework getAllEventsSinceLocked
Kubernetes-commit: ecaf2093f51fed5f544520b0ac00fb33a474b7f5
2024-02-26 12:22:05 +01:00