kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
6,751 Commits 30 Branches 1,482 Tags 31 MiB
Commit Graph

3176 Commits

Author SHA1 Message Date
Siyuan Zhang 77032c52b8 k8s.io/apiserver/storage: add 3 new unit tests for delete. 
Signed-off-by: Siyuan Zhang <sizhang@google.com>

Kubernetes-commit: 26a4e06c92c248748dd3c50c74d75f8adc3c6823
 2023-10-11 10:38:01 -07:00
Jefftree 2e1024671d Fix v3 spec 
Kubernetes-commit: b30c6bdff817cec28b3d88b3bb3e12f1e86488d0
 2023-10-04 12:55:49 -04:00
Siyuan Zhang 70af178d56 k8s.io/apiserver/storage: add a new TestCreate case. 
Add a test case of create with rv set.

Signed-off-by: Siyuan Zhang <sizhang@google.com>

Kubernetes-commit: 2f923e356e042d9dce88e8f78abf30f414051e71
 2023-10-11 10:24:31 -07:00
Alexander Zielenski 8a3fe0e45c ratcheting: disable correlation by index 
discussion: https://github.com/kubernetes/kubernetes/pull/121118#discussion_r1358865893

Kubernetes-commit: fb1fc8b4a72758688d1251278579b2b0ac666fc7
 2023-10-13 14:36:46 -07:00
Alexander Zielenski b5ac4f9a61 comments: clear up correlateOldValueForChildAtNewIndex godoc 
Kubernetes-commit: d991ed56c29e646c0c5c51ce1ebd2376f34fce28
 2023-10-13 14:11:02 -07:00
Alexander Zielenski fbd7474961 cleanup: use swtich in CachedDeepEqual and add more comments 
Kubernetes-commit: 0ed67c9e41dcfc3eef6953ca63082454c189443b
 2023-10-13 14:05:47 -07:00
Alexander Zielenski a504910cff cleanup: consistently support nil receiver and document 
Kubernetes-commit: 60c90fc0854eb04b95e74d445d88f45c212900fe
 2023-10-13 13:57:55 -07:00
Alexander Zielenski 541189e16c cleanup: clarify correlatedOldValueForChildAtNewIndex comment 
Kubernetes-commit: abb68591afd30cf263b0d6bb2942f9693eb420d7
 2023-10-13 13:54:53 -07:00
Alexander Zielenski 2970233dd7 cleanup: consistent interface{} and any 
Kubernetes-commit: e1fa1df3ae8414104f3710c064014e323e45aade
 2023-10-13 13:50:52 -07:00
Alexander Zielenski fecc880526 cleanup: add godoc 
Kubernetes-commit: 0495616230a13dcc19c9da8ec7b8b2a38e2b6a33
 2023-10-13 13:50:19 -07:00
Alexander Zielenski 662079f048 test: fix boilerplate 
Kubernetes-commit: 4dedabf2a659ee702cbcd93a482c63296910d5c6
 2023-10-12 15:51:25 -07:00
Alexander Zielenski e501fcbbf6 test: few more correlatedobject test cases 
Kubernetes-commit: 0149c1f8b315d704d6d80c00861526e2899001e5
 2023-10-11 15:45:48 -07:00
Alexander Zielenski 4ec87cdde2 test: add correlatedobject test cases 
Kubernetes-commit: ba9347230e6577140eaa0ac3d9ef99d0163a7934
 2023-10-11 14:03:28 -07:00
Alexander Zielenski 5edc046b33 cleanup: add header and fix spelling 
Kubernetes-commit: c08a9321eed6a917a2fbc13b8e023d2f4122ee36
 2023-10-11 13:51:49 -07:00
Alexander Zielenski 1234a74f8e refactor: move correlatedObject to its own file 
no changes except package naming

Kubernetes-commit: 27cb869e5596525cec9884ecb9b02bfcfe5273e4
 2023-10-10 10:53:12 -07:00
Damien Grisonnet b5b4cd7758 apiserver: rename request body size metric 
Rename the apiserver_request_body_sizes metric to
apiserver_request_body_size_bytes to conform with Prometheus best
practices.

This can be done safely without deprecation because that metric wasn't
registered before.

Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>

Kubernetes-commit: 08006c842fd6a584bb8e2511587c999ffe7ced9d
 2023-09-07 19:16:31 +02:00
Jiahui Feng 6b0a70e192 typed variables support. 
Kubernetes-commit: c03579bfa40dcb39e1ffe24c12f933720e4eb204
 2023-10-04 16:39:24 -07:00
Alexander Zielenski 3029a9f674 add rest of accessors to common.Schema 
needed for declarative validation, CRD ratcheting

Kubernetes-commit: 438c0daab7587bdb094e714e68b5ba2f9f6ae963
 2023-10-09 17:49:37 -07:00
Siyuan Zhang a0dede6875 k8s.io/apiserver/storage: add some ResourceVersion validation in GetList unit tests 
Signed-off-by: Siyuan Zhang <sizhang@google.com>

Kubernetes-commit: baac8bb573c8efb314b037f4fbac116556c03c83
 2023-10-11 10:46:30 -07:00
Abu Kashem 28ed1d7ad4 fix data race in apf unit test 
Kubernetes-commit: 52c58d970e54bf10b78512c68602f70b0a970f31
 2023-09-22 14:42:43 -04:00
Monis Khan 87ef6687ab Skip TestUnauthenticatedHTTP2ClientConnectionClose http1 tests 
These occasionally flake on CI:

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312

=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
    authentication_test.go:653: expect TCP connection: 1, actual: 2
        --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
    --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: cd5db9b7f23b0156bf5535fc0124361fbef0ce6a
 2023-10-12 19:13:07 -04:00
Monis Khan 445b713906 Prevent rapid reset http2 DOS on API server 
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
b225e7ca6d
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb
 2023-10-07 21:50:37 -04:00
Siyuan Zhang e15d4d2e0b k8s.io/apiserver/storage/etcd: refactor getCurrentState. 
Extract getCurrentState as a separate method that can be reused.

Signed-off-by: Siyuan Zhang <sizhang@google.com>

Kubernetes-commit: ebca5d438d9cb2c82d0b99dbcb0aeca8879db441
 2023-10-11 09:56:07 -07:00
Qiming Teng e014cf25b9 Generated files 
Kubernetes-commit: c65fe450d8a3229cfe531a3806939775dd52e7e0
 2023-10-03 20:16:10 +08:00
Qiming Teng d763e7d132 Fix API docs for audit APIs 
The `*`s in the source comment is confusing the API reference generator.
They are treated as symbols for bold texts when generating reference docs.
This PR replaces the quote marks with backtiqs so that the reference
generator can properly handle them.

Kubernetes-commit: e7b2aeee930188eec125bbb91096d9d3fd6f3b5c
 2023-10-03 17:18:23 +08:00
David Ashpole d35f091281 fix missing http.target trace attribute 
Kubernetes-commit: 80269d5d3497acc8ad155cb9bfbfaa7fd9e20d1f
 2023-10-06 18:09:29 +00:00
Nabarun Pal 70eb989b94 k8s.io/apiserver: fix levelling of the name field in AuthorizationConfiguration 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 11ce6d29157daf7437d6da7fdeb11cabf2e774aa
 2023-10-04 10:33:58 +05:30
Abu Kashem 04acc93a12 apf: request ejected from queue should use reason 'time-out' 
Kubernetes-commit: 6297067ff1afaa2d63d83183a23e8744865d7c2b
 2023-08-29 16:30:02 -04:00
Abu Kashem d64c9b18da apf: remove RequestWaitLimit from queueset config 
Kubernetes-commit: 11ef9514dad6f46a4315198978fee14132c4bbca
 2023-08-29 12:11:08 -04:00
Abu Kashem 290096a4d0 apf: remove timeoutOldRequestsAndRejectOrEnqueueLocked function 
Kubernetes-commit: da8a472206623d0727ba486489d34780c4b6c1d9
 2023-08-28 17:26:11 -04:00
Abu Kashem a2e63604f2 apf: use context for queue wait 
Kubernetes-commit: f39213a7e44f21a8cedcdf38d3c2531456a526d6
 2023-08-28 17:01:16 -04:00
Dr. Stefan Schimanski 2f3285287e controlplane: make option structs uniformly optional 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

Kubernetes-commit: 63950491764535a8635cb2c4810db59a9a1fad25
 2023-09-24 11:50:38 +02:00
Lukasz Szaszkiewicz 1c49f6c8ba endpoints/metrics: define watchListLatencies metric and associated functions 
Kubernetes-commit: a97f4b7a3123c9768ec7136b6ca32be926e16cd6
 2023-09-19 03:05:37 +02:00
Lukasz Szaszkiewicz cd87b8f62d handlers/watch: calculate and record WatchList latency metric. 
Kubernetes-commit: 772b1f4cd84a738f632716e28d4067c00f0b7f13
 2023-09-19 03:05:00 +02:00
Lukasz Szaszkiewicz db34e9b7c7 storage/util: introduce HasInitialEventsEndBookmarkAnnotation 
Kubernetes-commit: 70ae9c441cee9d78a88c0526592796ac4f491096
 2023-09-18 11:39:08 +02:00
Lukasz Szaszkiewicz 90ba08909c storage/etcd: the watcher supports the API streaming 
Kubernetes-commit: ca562fd280a9dd5db952eb8c14b93fcf6668cc49
 2023-08-22 14:02:39 +02:00
Lukasz Szaszkiewicz e7424d8207 storage/testing/watcher_tests: add new flavour to RunWatchSemantics test and fill the gap 
the new flavour proves that a storage layer follows RV
which is equal to the global rv

Kubernetes-commit: 0e238c4c28f11d1ec7cf5f506c81195c1cc463fe
 2023-09-22 09:32:23 +02:00
HirazawaUi 91aa0e1c62 Add namespace to apiserver tracing 
Kubernetes-commit: 45b9b0df41fb67cf2c71263b3577f3b3daff4899
 2023-09-03 21:50:47 +08:00
HirazawaUi f5f4a6148a Add subresource to apiserver tracing 
Kubernetes-commit: c83eb6dcaaacfe8b5706f7fdc969000fbef2d119
 2023-09-03 21:37:13 +08:00
HirazawaUi 2b665e42e6 Add name to apiserver tracing 
Kubernetes-commit: bcb59a03ebb50a966cc6921dea016cc68e0bf843
 2023-09-03 21:33:48 +08:00
HirazawaUi 79f4968b20 Add api-version to apiserver tracing 
Kubernetes-commit: 646053d73dbda9cae5df5fd105a720661ff051dc
 2023-09-03 21:24:13 +08:00
HirazawaUi c51632c143 Add group to apiserver tracing 
Kubernetes-commit: 8c34208a62f09904cd270906889d57c7a613b5d6
 2023-09-03 21:11:08 +08:00
Lukasz Szaszkiewicz f0dfb17949 storage/testing/watcher_tests: refactor RunWatchSemantics tests 
Kubernetes-commit: dc5cfe3cff289ecb97153716bfd5817579d00fb3
 2023-09-21 12:16:16 +02:00
Lukasz Szaszkiewicz c8dcfeed34 storage/testing/watcher_tests: make TestCacherWatchSemantics storage agnostic 
Kubernetes-commit: 91bb75883c613d45563f3b7c01a69dde8194bfdc
 2023-09-15 12:28:36 +02:00
Lukasz Szaszkiewicz c13e210d56 storage/testing/watcher_tests: move TestCacherWatchSemantics (no-op) 
Kubernetes-commit: afbb1a6ef98b548b9e57b168614ca6e15fd0034c
 2023-09-14 11:19:36 +02:00
Lukasz Szaszkiewicz 3c3bb86696 storage/testing/utils: add helper functions 
Kubernetes-commit: 3a96baf3fa8e837159b27b98b05c5024143b06a3
 2023-09-15 12:26:11 +02:00
Lukasz Szaszkiewicz fe7ae035ef storage/etcd3/watcher_test: refactor TestWatchErrorWhenNoNewFunc to a table test 
Kubernetes-commit: 4b60c18183f11207d0cb2d89bf28090156222c61
 2023-09-19 10:35:09 +02:00
Nabarun Pal 1eae2482e2 Bootstrap API Types for Structured Authorization Configuration 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 52c582ca77c775ee13300a999a29f8c4180750a2
 2023-09-14 19:19:29 +05:30
Lukasz Szaszkiewicz f5adfca95e storage/testing: a simple refactor 
Kubernetes-commit: 39af594f312ad46715dfb705d71ad4e607e27e5d
 2023-09-14 11:16:10 +02:00
Han Kang bd7db816d7 promote component SLIs to GA; remove feature gates for component slis 
Kubernetes-commit: e6435e98eda93fbf96e94110af6ca5a10ad1e926
 2023-09-11 08:52:50 -07:00