kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,400 Commits 30 Branches 1,482 Tags 31 MiB
Commit Graph

875 Commits

Author SHA1 Message Date
David Eads f26d4ed894 add field and label selectors to authorization attributes 
Co-authored-by: Jordan Liggitt <liggitt@google.com>

Kubernetes-commit: 92e3445e9d7a587ddb56b3ff4b1445244fbf9abd
 2024-05-23 15:12:26 -04:00
Matthieu MOREL 8705baa8b2 fix: enable empty and len rules from testifylint on pkg package 
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>

Co-authored-by: Patrick Ohly <patrick.ohly@intel.com>

Kubernetes-commit: f014b754fb5925dfbca6e27a44d0c3968b157e14
 2024-06-28 21:20:13 +02:00
Eric Lin 5d14d72b5c Fix httplog not logging watch duration in separate goroutines 
Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 06c7058115e623126884d05c54a30db511a9cb71
 2024-06-21 10:03:31 +00:00
Vinayak Goyal 77f498853b KEP-4633: Allow health-only anonymous auth mode. 
Signed-off-by: Vinayak Goyal <vinaygo@google.com>

Kubernetes-commit: 5e6a4937f5a3e20dd77238946220461332ecddff
 2024-05-16 21:18:34 +00:00
Joe Betz b5d1135b94 Apply feedback 
Kubernetes-commit: 13f809478f9322341a04715cda1b3912a9e470d5
 2024-06-03 14:59:31 -04:00
Joe Betz dfdf159360 Handle unstructured objects correctly in IgnoreManagedFieldsTimestampsTransformer 
Kubernetes-commit: c942ab6900ddb7b6e3e7c550c521409693180968
 2024-05-31 21:25:25 -04:00
Joe Betz 30fd718497 Fix apply equality check to allow empty map to be equal to nil for builtin types 
Kubernetes-commit: f8a33e3679488e5ee3700d37dd45cee8b346e89e
 2024-06-04 12:11:00 -04:00
TommyStarK 2c2eb3836c kube-apiserver: remove deprecated otel NewNoopTracerProvider 
Signed-off-by: TommyStarK <thomasmilox@gmail.com>

Kubernetes-commit: cce8551272de44882a3cd4fc7c06805247941086
 2024-06-07 19:57:37 +02:00
Harish Kuna eecd18b483 Annotate APF Wait Queue Latnecyto understand at the request level 
Kubernetes-commit: 9a0d922a296e837b344d5538c0829d9e222c2ef6
 2024-03-13 21:54:59 +00:00
Stephen Kitt 942c16fb6a Use canonical json-patch v4 import 
The canonical import for json-patch v4 is
gopkg.in/evanphx/json-patch.v4 (see
https://github.com/evanphx/json-patch/blob/master/README.md#get-it for
reference).

Using the v4-specific path should also reduce the risk of unwanted v5
upgrade attempts, because they won't be offered as automated upgrades
by dependency upgrade management tools, and they won't happen through
indirect dependencies (see
https://github.com/kubernetes/kubernetes/pull/120327 for context).

Signed-off-by: Stephen Kitt <skitt@redhat.com>

Kubernetes-commit: 5300466a5c8988b479a151ceb77f49dd00065c83
 2024-02-16 13:57:24 +01:00
Marek Siarkowicz 74fb076497 Cleanup defer from SetFeatureGateDuringTest function call 
Kubernetes-commit: 3ee81787685e47a7a5da22423c8ca4455577ecb3
 2024-04-23 10:39:47 +02:00
Ziqi Zhao 39347989da fix for comments to ignore the request without request info 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 91af1145bf7b0e18a6b520a78875a1db6db29d96
 2024-03-15 09:42:42 +08:00
Ziqi Zhao 54b3a0e7f5 add http method to span name 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 1aeb0ba314016f2a2cd94b0450ba097c2b165e5d
 2024-03-13 13:25:36 +08:00
Ziqi Zhao 29913c19e4 change the integration test 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 02154293c76a0ea54293c82236c9025b96ea0125
 2024-03-12 22:49:38 +08:00
Ziqi Zhao 68eb5caed4 rename apiserver trace span to http server guidelines 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 84b9fbbdefa3f0bcfb1c4787093aa7840079b7ce
 2024-02-29 19:03:43 +08:00
Marek Siarkowicz 3a83dc12eb Fix SetFeatureGateDuringTest handling of Parallel tests 
Stop using defer as parallel subtest will might result in main test
finishing before subtest.

Fatal when same flag is set twice.

Kubernetes-commit: 9fcf279e2b91e7549190a433373f256fb5aebe85
 2024-03-05 21:56:40 +01:00
Tim Allclair 337f031e71 Stop appending AppArmor status to node ready condition 
Kubernetes-commit: 24537a91317f9fd125ee805cd0b781358ac86f35
 2024-02-21 13:11:07 -08:00
Jordan Liggitt 59cba35b06 Fix discovery v2 conversion registration data race 
Kubernetes-commit: 0e9cdf76ad2e21166dd5b72f7b0c2450d648c906
 2024-03-01 19:29:39 -05:00
Jefftree d8d3b8c351 Use v2 types with agg discovery 
Kubernetes-commit: 462dd326c2e98d937a96d49002883000efe4b2d6
 2024-01-19 16:13:47 -05:00
Jefftree fc2ef69449 Remove test for disabling aggregated discovery 
Kubernetes-commit: 0593746f6093a5a59a7a047f03a4139275fcaf11
 2024-02-27 18:27:54 -05:00
Joe Betz 414d2e2d63 Add selectableFields to CRDs 
Kubernetes-commit: 291703482d58ae030da71c6d671a96a6f960fc6f
 2024-02-28 14:06:06 -05:00
Eric Lin 000601bdbe Add handler to run watch serving in separate goroutine 
This handler allows running execution prior to actual serving in a separate
goroutine when serving requests. Doing so benefits cases in serving long running
requests because it allows freeing memory used by the separate goroutine
and keeps the serving routines slim.

Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 7b2698a5e5c61b303481c2006847409fc8704746
 2023-10-10 08:53:26 +00:00
Abu Kashem e6f368f3b9 apiserver: refactor handleError in endpoints/filters 
Kubernetes-commit: 9e37ccedc7fbbbacf07ecc79949c75e1e250ba58
 2024-01-09 13:32:09 -05:00
HirazawaUi bc8676d59a Add decoding time to the audit log 
Kubernetes-commit: 20fe2a3539e90f7554f94359ac3b4058a5bbb363
 2023-10-25 22:52:11 +08:00
Vandit Singh ff6a2dc722 Negative index regression test for json-patch (#122625) 
* add testcase with negative index

* exercise successful negative index patching

* use different values for testing

Co-authored-by: Chris Bandy <bandy.chris@gmail.com>

---------

Co-authored-by: Chris Bandy <bandy.chris@gmail.com>

Kubernetes-commit: 83ff8a2f49f820fb355b24c65b8629710dca8a54
 2024-01-18 09:31:12 +00:00
Eric Lin a2e6b85db4 handlers/watch: refactor watch serving to prepare offloading 
Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 87d817e62d8c6e93cf45bf90a7ecadfe4156ab1f
 2023-11-27 10:06:50 +00:00
Wojciech Tyczyński 697d456e35 Minor cleanup in watch handlers 
Kubernetes-commit: d907062308563b1a9e52152c48f4240a6e11aade
 2023-11-29 22:31:05 +01:00
Wojciech Tyczyński 442cc39449 Unify watch handler across http and websockets 
Kubernetes-commit: 55e60db88b126013f00135f49df3296f52b2572a
 2023-11-29 21:57:39 +01:00
Wojciech Tyczyński d64b183dbd Address review comments 
Kubernetes-commit: 0dd495e6dc253f94b0ad0bb92178fb5e8981116b
 2023-10-13 10:48:16 +02:00
Wojciech Tyczyński 65d3be7b39 Refactor watch event serialization to allow caching 
Kubernetes-commit: 7ff866463af46b5f7cf068ba8d51c68e417b9ece
 2023-08-25 15:41:14 +02:00
Yao Cheng 2b3f11cba2 Register metrics for apiserver handlers 
Signed-off-by: Yao Cheng <chengyao09@hotmail.com>

Kubernetes-commit: 18c3b6fce43edd76620a07707af2d851b52c3fad
 2023-09-06 17:25:12 +00:00
carlory 5ac339fec6 update pretty param description 
Kubernetes-commit: 75f20ee64da5317f4473de643eac43686fe9215e
 2023-10-16 16:36:31 +08:00
Damien Grisonnet b5b4cd7758 apiserver: rename request body size metric 
Rename the apiserver_request_body_sizes metric to
apiserver_request_body_size_bytes to conform with Prometheus best
practices.

This can be done safely without deprecation because that metric wasn't
registered before.

Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>

Kubernetes-commit: 08006c842fd6a584bb8e2511587c999ffe7ced9d
 2023-09-07 19:16:31 +02:00
Monis Khan 87ef6687ab Skip TestUnauthenticatedHTTP2ClientConnectionClose http1 tests 
These occasionally flake on CI:

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312

=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
    authentication_test.go:653: expect TCP connection: 1, actual: 2
        --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
    --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: cd5db9b7f23b0156bf5535fc0124361fbef0ce6a
 2023-10-12 19:13:07 -04:00
Monis Khan 445b713906 Prevent rapid reset http2 DOS on API server 
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
b225e7ca6d
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb
 2023-10-07 21:50:37 -04:00
David Ashpole d35f091281 fix missing http.target trace attribute 
Kubernetes-commit: 80269d5d3497acc8ad155cb9bfbfaa7fd9e20d1f
 2023-10-06 18:09:29 +00:00
Lukasz Szaszkiewicz 1c49f6c8ba endpoints/metrics: define watchListLatencies metric and associated functions 
Kubernetes-commit: a97f4b7a3123c9768ec7136b6ca32be926e16cd6
 2023-09-19 03:05:37 +02:00
Lukasz Szaszkiewicz cd87b8f62d handlers/watch: calculate and record WatchList latency metric. 
Kubernetes-commit: 772b1f4cd84a738f632716e28d4067c00f0b7f13
 2023-09-19 03:05:00 +02:00
HirazawaUi 91aa0e1c62 Add namespace to apiserver tracing 
Kubernetes-commit: 45b9b0df41fb67cf2c71263b3577f3b3daff4899
 2023-09-03 21:50:47 +08:00
HirazawaUi f5f4a6148a Add subresource to apiserver tracing 
Kubernetes-commit: c83eb6dcaaacfe8b5706f7fdc969000fbef2d119
 2023-09-03 21:37:13 +08:00
HirazawaUi 2b665e42e6 Add name to apiserver tracing 
Kubernetes-commit: bcb59a03ebb50a966cc6921dea016cc68e0bf843
 2023-09-03 21:33:48 +08:00
HirazawaUi 79f4968b20 Add api-version to apiserver tracing 
Kubernetes-commit: 646053d73dbda9cae5df5fd105a720661ff051dc
 2023-09-03 21:24:13 +08:00
HirazawaUi c51632c143 Add group to apiserver tracing 
Kubernetes-commit: 8c34208a62f09904cd270906889d57c7a613b5d6
 2023-09-03 21:11:08 +08:00
Wojciech Tyczyński 3bcdefc0fd Refactor transformers for watch to implement Encoder interface 
Kubernetes-commit: 160589a0edb2038f2e22e376b6a0b71a24d21f22
 2023-08-11 21:43:49 +02:00
Wojciech Tyczyński 70b023f369 Minor cleanup tranformers interface 
Kubernetes-commit: 3fcc045bce9d77704f872d6089d7c09342e26a44
 2023-08-09 19:49:59 +02:00
Wojciech Tyczyński 6311828461 Cleanup setting non-nil Items field 
Kubernetes-commit: 172a41192c65324b1dc9dc4d90903552c538d664
 2023-08-07 21:17:03 +02:00
Wojciech Tyczyński 3fd71eeb11 Refactor WatchServer to prepare for using encoders 
Kubernetes-commit: ff56d3b6914dbc9e16683ab731eb8c0a485b4ab4
 2023-08-03 21:50:08 +02:00
Jefftree 35302d6383 Move adding GroupVersion log until after an update is confirmed 
Kubernetes-commit: 49e00e8bdeec6b1cdaf691ec85ba8510892ebbc2
 2023-08-08 14:28:54 +00:00
Dr. Stefan Schimanski 13a3aab581 apiserver/httplog: pretty up impersonation output 
```
I0807 09:09:16.419239       1 httplog.go:132] "HTTP" verb="GET" URI="/apis/batch/v1?timeout=32s" latency="214.666µs" userAgent="kubernetes-provider/v0.0.0 (linux/arm64) kubernetes/$Format" audit-ID="948ef6b2-474d-45a7-ad5f-894ce93d05f7" srcIP="192.168.139.202:35542" apf_pl="exempt" apf_fs="exempt" apf_execution_time="129.5µs" resp=200 addedInfo=<

      &{kubernetes-admin  [system:masters system:authenticated] map[]} is acting as &{foo  [system:authenticated] map[]}
       >
```

to

```
I0807 09:09:16.419239       1 httplog.go:132] "HTTP" verb="GET" URI="/apis/batch/v1?timeout=32s" latency="214.666µs" userAgent="kubernetes-provider/v0.0.0 (linux/arm64) kubernetes/$Format" audit-ID="948ef6b2-474d-45a7-ad5f-894ce93d05f7" srcIP="192.168.139.202:35542" apf_pl="exempt" apf_fs="exempt" apf_execution_time="129.5µs" resp=200 addedInfo="kubernetes-admin[system:masters system:authenticated] is impersonating foo[system:authenticated]"
```

Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

Kubernetes-commit: 37730c07dd658ba585ffee3861780e18947ca534
 2023-08-07 11:23:30 +02:00
Jordan Liggitt 1edd7d6157 Avoid returning nil responseKind in v1beta1 aggregated discovery 
Kubernetes-commit: 1876ddf71497bad349f7c4df24c2e22356d3bad9
 2023-08-08 14:25:56 -04:00