Wojciech Tyczyński
a643e14347
Implement resilient watchcache initialization post-start-hook
...
Kubernetes-commit: a5772bd42593f6492f5169eef49bc9884f95abba
2024-06-13 11:02:18 +02:00
Vinayak Goyal
77f498853b
KEP-4633: Allow health-only anonymous auth mode.
...
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
Kubernetes-commit: 5e6a4937f5a3e20dd77238946220461332ecddff
2024-05-16 21:18:34 +00:00
Siyuan Zhang
b26fefe178
add DefaultComponentGlobalsRegistry flags in ServerRunOptions
...
Signed-off-by: Siyuan Zhang <sizhang@google.com>
Kubernetes-commit: 379676c4bef48e5d2add28851302b55b41fcabcf
2024-06-10 17:50:22 +00:00
Siyuan Zhang
00857ca9ec
Add version mapping in ComponentGlobalsRegistry.
...
Signed-off-by: Siyuan Zhang <sizhang@google.com>
Kubernetes-commit: 4352c4ad2762ce49ce30e62381f8ceb24723fbcc
2024-05-31 20:29:48 -07:00
Siyuan Zhang
22612a3528
apiserver: Add API emulation versioning.
...
Co-authored-by: Siyuan Zhang <sizhang@google.com>
Co-authored-by: Joe Betz <jpbetz@google.com>
Co-authored-by: Alex Zielenski <zielenski@google.com>
Signed-off-by: Siyuan Zhang <sizhang@google.com>
Kubernetes-commit: 403301bfdf2c7312591077827abd2e72f445a53a
2024-01-19 16:07:00 -08:00
Monis Khan
b0c3a41fa5
encryptionconfig: detect typos
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 2503fa55ff13e3211e9f17fa97f70f9a67f3f6fc
2024-05-16 12:38:42 -04:00
Mangirdas Judeikis
65ef30865d
move to generics for sets in kubeapiserver
...
Kubernetes-commit: b14936f6795028b1d8dd9f6a4cb0361b4c7bb9bc
2024-05-12 11:49:42 +03:00
Jayapriya Pai
c05e83dd40
Expose DisableHTTP2 flag in SecureServingOptions
...
This is to mitigate CVE-2023-44487
until the Go standard library and golang.org/x/net
are fully fixed.
Signed-off-by: Jayapriya Pai <janantha@redhat.com>
Kubernetes-commit: e2503e50381cc9cc2e4a4c90f0738e54992558f8
2023-12-05 11:41:58 +05:30
Alvaro Aleman
da88853b95
Use the generic/typed workqueue throughout
...
This change makes us use the generic workqueue throughout the project in
order to improve type safety and readability of the code.
Kubernetes-commit: 6d0ac8c561a7ac66c21e4ee7bd1976c2ecedbf32
2024-04-28 18:26:18 +02:00
Andrew DeMaria
7d59581b90
apiserver/options: avoid segfault by handling unset core k8s client
...
Fixes: https://github.com/kubernetes/apiserver/issues/108
Signed-off-by: Andrew DeMaria <ademaria@cloudflare.com>
Kubernetes-commit: b2d1aef1e3800c73e266131e585069eb3b177591
2024-04-22 12:50:23 -06:00
Patrick Ohly
5ea67c789a
apiserver + controllers: enhance context support
...
27a68aee3a4834 introduced context support for events. Creating an event
broadcaster with context makes tests more resilient against leaking goroutines
when that context gets canceled at the end of a test and enables per-test
output via ktesting.
The context could get passed to the constructor. A cleaner solution is to
enhance context support for the apiserver and then pass the context into the
controller's run method. This ripples up the call stack to all places which
start an apiserver.
Kubernetes-commit: b92273a760503cc57aba37c4d3a28554f7fec7f8
2023-12-01 09:00:59 +01:00
Marek Siarkowicz
74fb076497
Cleanup defer from SetFeatureGateDuringTest function call
...
Kubernetes-commit: 3ee81787685e47a7a5da22423c8ca4455577ecb3
2024-04-23 10:39:47 +02:00
chenk008
f687e45ec2
prioritize user EtcdOptions.StorageConfig.StorageObjectCountTracker
...
Kubernetes-commit: 587ce02d90f3c1e1bb7418753009baf63f6039b7
2024-04-18 23:02:16 +08:00
chenk008
70fb342c48
Fix: StorageObjectCountTracker is nil, apf estimator got ObjectCountNotFoundErr
...
Kubernetes-commit: 4abc2b387b188d694e369e05c08effce9d23e7e7
2024-04-08 11:09:27 +08:00
David Eads
8c4fa4e478
Remove k8s.io/apiserver ability to bind insecure ports
...
The project does not recommend using insecure ports. Even
unauthenticated TLS is an improvement since it provides confidentiality.
If you relied upon this, please update to secure serving options.
Kubernetes-commit: de302c73e9558c192fde1cd7d6dcbea7eb76e950
2024-03-18 09:25:49 -04:00
Anish Ramasekar
ee481149d7
Add metrics for authentication config reload
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 62ac88b9ea5dace6a61b784f4654fcf379b958e2
2024-03-09 13:29:56 -08:00
cici37
be9c733e9d
Promote ValidatingAdmissionPolicy to GA.
...
Kubernetes-commit: de506ce7ac9981c8253b2f818478bb4093fb7bb6
2024-01-23 22:10:40 +00:00
Jordan Liggitt
fe847b31f4
Add allowed/denied metrics for authorizers
...
Kubernetes-commit: d5d3eddb95b657f03677c21498f185d70d87cdda
2024-02-16 02:26:18 -05:00
Jordan Liggitt
c2310e1279
Implement authz config file reloading
...
Kubernetes-commit: 5dc92ada068cb80a2866cfaa1f9aa760d2524680
2023-11-08 08:49:58 -06:00
Alexander Zielenski
57e06e43f7
refactor: move vap into parent `policy` folder
...
also renames to remove stutter
comment
Kubernetes-commit: 8b14116509ac19234924878ab08f7e9e8f03549a
2024-01-17 18:09:30 -08:00
Anish Ramasekar
f6b16dddb3
Add `apiserver_encryption_config_controller_automatic_reloads_total`
...
metric
- Adds `apiserver_encryption_config_controller_automatic_reloads_total`
metric with status label for encryption config reload success/failure.
- Deprecated `apiserver_encryption_config_controller_automatic_reload_failures_total` and `apiserver_encryption_config_controller_automatic_reload_success_total`
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 77241d31253baf051302fff7480c9601ad817399
2024-02-07 19:44:41 +00:00
Monis Khan
285e6ec394
Clean up encryption config reading and hashing logic
...
This is a no-op change that makes the internal encryption config
hash more specific to its use and explicitly marks it as unstable.
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 9387a66c71fd85840cb199b468610b8fa950253f
2024-01-10 14:48:30 -05:00
Anish Ramasekar
e7eedd15ec
move encryption config types to standard API server config location
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 75695dae1093cc08cb56a4930c0be8e7e4433be1
2023-12-16 00:00:21 +00:00
Monis Khan
3097e77b18
encryptionconfig/controller: run unit tests faster
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 6ac7da1da87bb0e739806cad94676da915be6d9c
2023-10-31 11:59:37 -04:00
Abu Kashem
b3499eec62
apiserver: set APF featuregate to ga
...
Kubernetes-commit: c7fcef187562e1b3ffdaa2e2109c65d800b8f5d5
2023-10-31 08:35:52 -04:00
Abu Kashem
0b0a995736
apiserver: apf controller, bootstrap, tests should use flowcontrol v1 API
...
Kubernetes-commit: 17bda3c3e05a75943591f61f37d7fdc0d07870ec
2023-10-11 09:20:41 -04:00
Nilekh Chaudhari
d93aaa8d93
feat: updates encryption config file watch logic to polling
...
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
fix (#2)
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: e95b7c6d8b889e42ee44e626914e457e228ce8d4
2023-10-17 21:21:00 +00:00
Ben Luddy
cd9457dbfc
Deep disablement for APF based on --enable-priority-and-fairness.
...
Avoids starting informers or the config-consuming controller when
--enable-priority-and-fairness=false. For kube-apiserver, the config-producing controller runs if
and only if flowcontrol API storage is enabled.
Kubernetes-commit: 83f5b5c240e5cced1371bbd22e458dae43975238
2023-06-26 17:00:26 -04:00
Rita Zhang
26219aabef
[KMSv2] promote KMSv2 and KMSv2KDF to GA
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: a9b1adbafc7fe52f669dc98aada21bc3e46cdce3
2023-10-24 09:50:45 -07:00
Wojciech Tyczyński
5bf4f58ab8
Remove storageConfig.Paging parameter
...
Kubernetes-commit: b386120da239bf9652fc02b2d2cbbd0fcc3cd121
2023-10-20 15:35:58 +02:00
tao.yang
47998d1ee6
cleanup: omit comparison with bool constants
...
Signed-off-by: tao.yang <tao.yang@daocloud.io>
Kubernetes-commit: b35357b6c08f21ba0fd312536051394c2567ec79
2023-09-04 16:59:23 +08:00
Ben Luddy
a270d45ae5
Add validation for --storage-media-type option.
...
Kubernetes-commit: cf836309dc278d8d4f046e1580649179b1531143
2023-10-19 10:54:16 -04:00
Abu Kashem
d64c9b18da
apf: remove RequestWaitLimit from queueset config
...
Kubernetes-commit: 11ef9514dad6f46a4315198978fee14132c4bbca
2023-08-29 12:11:08 -04:00
Dr. Stefan Schimanski
2f3285287e
controlplane: make option structs uniformly optional
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Kubernetes-commit: 63950491764535a8635cb2c4810db59a9a1fad25
2023-09-24 11:50:38 +02:00
Rita Zhang
cdb2cea24a
kms: remove livez check
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: 7710128636a16c73045291d4729675339a7d57f7
2023-09-11 16:47:29 -07:00
Rita Zhang
2bed5d11d9
kmsv2: add apiserver identity to metrics
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: 43ccf6c4e8f173d981edebb6146c58b523fc21b7
2023-09-05 13:03:18 -07:00
Monis Khan
9c40486020
kmsv2: enable KMSv2KDF feature gate by default
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 657cc2045ee46922b00d4fd7c126f57d1e8ecc43
2023-09-05 12:27:55 -04:00
Anish Ramasekar
9b1c514777
register API types only once for encryption config
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 418af0f4dcbe15147b21462b9e5db5a5ba769c12
2023-09-01 17:24:20 +00:00
seantywork
bf05e35835
kubernetes mutual (2-way) x509 comment
...
Kubernetes-commit: 48260b4a77b423b178ec5e262ac67be52d49f455
2023-08-18 01:31:22 +00:00
Rita Zhang
2eac3ca68c
kmsv2 test feature enablement unit test
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: d86e72202c4b039e1dceccbfbae559fb1c54471d
2023-08-01 10:17:01 -07:00
Monis Khan
8e93c650b5
kmsv2: KDF based nonce extension
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: bf49c727ba10881d5378e9242f31dc00dede51be
2023-03-25 14:41:04 -04:00
Nilekh Chaudhari
1668629f57
feat: implements metrics for encryption config hot reload
...
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
Kubernetes-commit: c291e6355c44e84c2e1d503d1d9bf3e8fab9e194
2023-07-05 22:28:15 +00:00
Nilekh Chaudhari
36a1803532
chore: hashes keyID
...
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
Kubernetes-commit: 131216fa8f2dd13f2585e2010717733f4cb2c1e2
2023-06-29 20:32:27 +00:00
Monis Khan
c534f8e2b9
Add enj to apiserver options approver
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: b81f07ac9a61d425f1e457132803ed94f6b8a52d
2023-07-11 16:07:44 -04:00
Marek Siarkowicz
573a8d6d05
Improve apiserver storage size metric to allow its graduation
...
Change name to make it compliant with prometheus guidelines.
Calculate it on demand instead of periodically to comply with prometheus standards.
Replace "endpoint" with "server" label to make it semantically consistent with storage factory
Kubernetes-commit: 7a63997c8a1a9ba14f2bdc478fdf33cf88f48d80
2023-06-22 11:56:09 +02:00
Jad Haj Yahya
a01ccc2e32
Document address family of listening INET sockets
...
Kubernetes-commit: de0764309571f0989847b2322db1906c5b34949e
2023-07-10 15:01:13 +03:00
Anish Ramasekar
5d08b1abe9
[KMSv2] Mark KMS v1beta1 as deprecated with no further fixes (#119007)
...
* add feature gate
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
* add validation and warning in load config
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
* mark v1beta1 proto message deprecated
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
---------
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 1acdb4ae86e0e43475c31f108a6106b1f5ea5027
2023-07-06 23:55:47 +00:00
Monis Khan
aa8212180e
kmsv2: no-op refactor priming logic into its own function
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 55b690ee018bfa2e32c4d2dab13123a336c7d013
2023-03-23 11:49:20 -04:00
Monis Khan
296a76b0b7
kmsv2: refine probing logic to avoid slow starts
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 15003c609d0ad4aea79895530b1dd4517514154d
2023-03-23 11:35:36 -04:00
Monis Khan
cb83ab1a45
kmsv2: add a sanity check to confirm that new state is always valid
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: d8150b816014427b9fec342f2cf303e1472c62c7
2023-03-23 10:42:05 -04:00