f8fa426bd3
Use `audit.k8s.io/v1` as default value of option --audit-webhook-version and --audit-log-version in release 1.13
...
Kubernetes-commit: 9671a035f7e7308ac804b4637af19bac2ecce0f4
2018-10-31 17:22:37 +08:00
22df332aff
Allow components to generate certificates in-memory
...
Kubernetes-commit: b7160d4ee2073f06293d7c3b20acdf4620fadf61
2018-10-16 17:22:13 -04:00
c7c9a358c2
etcd2 code cleanup, remove deserialization cache
...
Kubernetes-commit: c8db31b84adc40aa875917fbca27b2a787902088
2018-10-15 22:17:44 -04:00
13ab2dca08
Remove ericchiang from OWNERS files
...
Kept myself in the OpenID Connect ones for now.
Kubernetes-commit: 766f5875bfa0d8ce4d52cdb87d12faea527e1492
2018-10-11 18:11:15 -07:00
bd604a62aa
Remove deprecated --etcd-quorum-read flag
...
Kubernetes-commit: cff79c542130831f4a212099974570244a0c9586
2018-10-08 11:04:28 -04:00
92e87e143a
Update gofmt for go1.11
...
Kubernetes-commit: 97b2992dc191a357e2167eff5035ce26237a4799
2018-10-05 12:59:38 -07:00
41e5031224
Populate ClientCA in delegating auth setup
...
kubernetes/kubernetes#67768 accidentally removed population of the the ClientCA
in the delegating auth setup code. This restores it.
Kubernetes-commit: 65cea86e4413cb5899c3b89bda375bb326de5093
2018-10-04 12:48:18 -04:00
3b6fc08803
Remove etcd2 storage backend
...
Kubernetes-commit: 85ae79500fba7d6e51292b12daff829027b59872
2018-10-01 16:48:14 -04:00
e9bce895cf
Lazily dial kms-plugin.
...
Kubernetes-commit: 07cbf2545f705d0448631f479a18d0b86b7055dc
2018-09-12 14:56:44 -07:00
1a58e1c6ad
apiserver: make InClusterConfig errs for delegated authn/z non-fatal
...
Kubernetes-commit: 04e793e65ad70df5c4ab280c42740864e54163cd
2018-09-05 09:12:19 +02:00
c8f47fd79c
apiserver: fix misleading delegated authn/z warnings
...
Kubernetes-commit: 059fce63b755ef6052db273fd6c91f3090036389
2018-09-05 09:11:45 +02:00
ecbc9eada2
Fix grammar in secure-port flag help
...
The phrasing made it difficult to understand the message.
Kubernetes-commit: c0ded2d9f5beb5eb02b356076166c365073a639a
2018-08-30 18:50:26 -04:00
c726863192
apiserver: make not-found external-apiserver-authn configmap non-fatal
...
Kubernetes-commit: 5d56e791bb932cc297de08db302540684e6f9d4c
2018-08-24 18:30:58 +02:00
7dbcbd39e2
Remove deprecated legacy audit logging code.
...
Kubernetes-commit: 3f730d4c255e7c8ee67a020eed0b8f0a8f634750
2018-07-05 13:57:17 +02:00
16d4968bf9
authn/z: optionally opt-out of mandatory authn/authz kubeconfig
...
Kubernetes-commit: a671d65673590f0dfcf5c2b673e1518d11510bdb
2018-08-22 11:56:07 +02:00
34ff0933dd
expose generic storage factory primitives
...
Kubernetes-commit: 81b9213ac2cc7744b8a62ac42b269b97c1d17b5a
2018-08-27 10:45:52 -04:00
cfb1e16b55
apiserver: unify handling of unspecified options in authn+z
...
Kubernetes-commit: 0ede948e47d33474a4e30c845d7896c58a319e39
2018-08-21 16:42:13 +02:00
a8bd1ddbf7
delegated authz: add AlwaysAllowPaths mechanism to exclude e.g. /healthz
...
Kubernetes-commit: 6142e2f8f7c8b1c5d32a2f9aa3715ea0b5baf167
2018-08-17 17:03:16 +02:00
c27f181946
add unit test func TestServerRunOptionsValidate
...
Kubernetes-commit: cdef8029d4aea52e607da4101ad44b1b4163f869
2018-08-22 10:19:13 +08:00
7e18a5d0a6
add unit test func TestToAuthenticationRequestHeaderConfig
...
Kubernetes-commit: 0da04d61ab4b70817083c8208af12397b818546a
2018-08-22 10:18:30 +08:00
769565b214
add unit test func TestAPIEnablementOptionsValidate
...
Kubernetes-commit: 73ee10495b5be414b9fae718e5129765c7c3ed19
2018-08-22 10:17:58 +08:00
c872082b0a
add unit test func TestEtcdOptionsValidate and TestParseWatchCacheSizes
...
Kubernetes-commit: 67a1d53bd74265637718b67c80f48a26b6e653cf
2018-08-22 10:17:26 +08:00
a549f2934f
kube-apiserver: switch apiserver's DeprecatedInsecureServingOptions
...
Kubernetes-commit: d787213d1b8802d370032d17157ac1de7573ad15
2018-08-06 16:31:23 +02:00
3698d7a898
apiserver: move controller-manager's insecure config into apiserver
...
Kubernetes-commit: 1d9a896066b3e10e8c1a0d506e00bc354b7772f0
2018-08-16 20:47:15 +02:00
8e1390d9d4
Synchronous & unbatched audit log writes
...
Kubernetes-commit: c9670d0652f8d7da662f71caac6fca2044296ae6
2018-03-15 00:44:46 -07:00
0fc525d3c8
fix typo
...
fix typo
Kubernetes-commit: 18f1ad7dc5392cb4537fa33bd73cdb8dc2c1e523
2018-08-13 17:36:15 +08:00
b0b043eda2
list the default enabled admission plugins
...
Kubernetes-commit: ee96a5638d21f0da111b1106a82976cc59bbbf67
2018-08-06 17:25:24 +08:00
4e7be504bf
Support pulling requestheader CA from extension-apiserver-authentication ConfigMap without client CA
...
This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for it's clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.
This can happen in cluster setups where core API server uses Webhook token authentication.
Fixes: https://github.com/kubernetes/kubernetes/issues/65724
Kubernetes-commit: db828a44406efe09e2db91e6dc88d1292c9a29e1
2018-07-18 15:07:09 -07:00
b40373204e
use Audit v1 api and add it to some unit tests
...
Kubernetes-commit: 716dc87a1095027f9ab08ee59abfffab1d15ec29
2018-07-27 14:06:29 +08:00
4c6f8fdc17
apiserver: make loopback logic in SecureServingOptions reusable
...
Kubernetes-commit: dc0a736d1ea924dfa35ece64cb59d551c2a0b51f
2018-07-04 17:08:23 +02:00
55957fdc66
apiserver: add SecureServingOptions.ExternalAddress
...
Before this the advertised IP (which shows up in the server cert) in case of
listening to loopback was the first host interface IP. This makes self-signed
certs non-constant, such that we cannot use fixtures.
Kubernetes-commit: c1c564fd4d21dd68ea14d7ea678d8619f47fe445
2018-07-06 12:32:01 +02:00
fa6b67b429
apiserver: use fixtures for self-signed certs in test server
...
Kubernetes-commit: 7deccb5b7a7c5224d3d90e1391dd22b2d1f1b9b9
2018-07-06 12:04:38 +02:00
9cfed8df8c
Convert TestServerRunWithSNI to subtests to isolate flake
...
This test is flaking - make it easier to pin down where and why by
converting to subtests and making cleanup logic easier. Also turn an
ignored listen error into a "fatal".
Make the test run in parallel to speed up individual runs and hopefully
flush out issues.
Kubernetes-commit: 09463975c379114ef9cd42d3c7efb6254b2c3b33
2018-07-09 21:32:15 -04:00
ad29bd83ae
kube-apiserver: disallow --secure-port 0
...
Kubernetes-commit: e15ac9eb72c4e105e7a3d84711e5a6056c0f6a48
2018-07-06 12:58:59 +02:00
25a00cd3c1
apiserver: get rid of ReadWritePort in config
...
Kubernetes-commit: e32f380fa5df4361894570787814d0459baada93
2018-07-04 17:01:49 +02:00
5746122767
apiserver: don't create self-signed certs with disabled secure serving
...
Kubernetes-commit: 798535164ae11a7e3c036ed7793aa884942edc88
2018-07-04 19:09:26 +02:00
8fe5561ce7
[trivial] fix option help message.
...
s/andif/and if/
Kubernetes-commit: 42b93ab7244765dd744257a793b0b9c138146bb3
2018-06-13 09:07:34 +08:00
0f7bbcadfb
Add missing error handling in schema-related code
...
Kubernetes-commit: bfe313d5f351dfae086a85a97e7103183173e5b5
2018-06-03 14:59:58 +10:00
554c4f1986
Fix MaxAge default audit log option
...
Kubernetes-commit: 3dae49c6977526aba09dc070639ebc789b458411
2018-06-18 14:36:50 -07:00
65f0646df4
apiserver: add context to authn/authz kubeconfig errors
...
Kubernetes-commit: 99eda24de01c8b1b84b54cb763b540de35084ade
2018-06-14 15:30:25 +02:00
8d6d8aa36e
Use actual etcd client for /healthz/etcd checks
...
Kubernetes-commit: b39cd00982c1696d8ae8afc99931919894044ee2
2018-06-12 14:33:48 -04:00
37be5e4c9f
Possible cipher suites values and tls versions in help for apiserver and kubelet
...
Kubernetes-commit: 3dfa22e3fd8c650789176b9f4a8e46ab43ef5ebf
2018-01-24 22:51:27 -05:00
f38497678f
add checks validation MinRequestTimeout of ServerRunOptions
...
Kubernetes-commit: ba20be9911091f16bb3987815172b3a348754fc2
2018-04-26 16:02:31 +08:00
c41d1d0993
simplify api registration
...
Kubernetes-commit: c5445d3c56e06ab366b9cca34bd69c5cc386ec47
2018-05-07 08:32:20 -04:00
b534ae405b
Don't panic is admission options is nil
...
Kubernetes-commit: bc04c091c3ca0320a6fa83ef35f891d21423afbb
2018-05-05 11:59:28 -07:00
53e0783ab7
Implemented truncating audit backend
...
Signed-off-by: Mik Vyatskov <vmik@google.com>
Kubernetes-commit: 52fae991305e3252ccc5c9c86a9b7abc04c149af
2018-03-23 16:13:34 +01:00
490c9a96c3
fix typo
...
Kubernetes-commit: 549fb0cad39daa74c528f7f775d627f908785b61
2018-04-04 16:03:17 +08:00
1075399c96
apiserver: enforce shared RequestContextMapper in delegation chain
...
Kubernetes-commit: 9f906618f04baceaf923e873530f9741e80ad2cb
2018-04-04 10:05:06 +02:00
28595d407b
apiserver: add warning about not trusting authz of aggregator
...
Kubernetes-commit: 50b98169ede9648769ce471150b1ab9ceb06bc0c
2018-03-19 13:37:52 +01:00
b2b70701e1
Make advanced audit output version configurable.
...
Signed-off-by: Mik Vyatskov <vmik@google.com>
Kubernetes-commit: ad25d1f9ec398e5f9e91fd225cbbfdc5aa00973f
2018-02-19 21:15:49 +01:00
240b9cf032
remove unused rls-ca-file flag
...
Kubernetes-commit: 9c0803e14c0d76e2e8225db546c0d2ce0b522ab7
2018-03-20 15:26:31 +08:00
422369e23b
move EtcdServersOverrides to EtcdOptions flags validate
...
Kubernetes-commit: f380ac8cec8061bf6533ccecd02ec49d9a5b016f
2018-03-05 11:32:59 +08:00
627fa76a8b
sync: initially remove files BUILD */BUILD BUILD.bazel */BUILD.bazel
2018-03-15 09:38:17 +00:00
d89e8e9460
Fix default auditing options.
...
- Log backend defaults to blocking mode (backwards compatability)
- Fix webhook validation
- Add options test
Kubernetes-commit: e004257919d779d56f27ad84c7f33799cc7ab580
2018-03-02 15:16:37 -08:00
6466b038b4
fix option --audit-webhook-initial-backoff
...
Before this change, --audit-webhook-initial-backoff has no effect
Kubernetes-commit: 5bc5cd1b2ccb0b9fb5e652b579b4fb379428cb56
2018-03-10 17:44:20 +08:00
9169f6d300
Add buffering to the log audit backend
...
Signed-off-by: Mik Vyatskov <vmik@google.com>
Kubernetes-commit: 881e6d4f6f905079b2c27299e7b631b6903b6815
2018-02-22 19:52:33 +01:00
aa5d4f9f32
Fixes for HTTP/2 max streams per connection setting
...
This PR makes two changes. One is to introduce a parameter
for the HTTP/2 setting that an api-server sends to its clients
telling them how many streams they may have concurrently open in
an HTTP/2 connection. If left at its default value of zero,
this means to use the default in golang's HTTP/2 code (which
is currently 250).
The other change is to make the recommended options for an aggregated
api-server set this limit to 1000. The limit of 250 is annoyingly low
for the use case of many controllers watching objects of Kinds served
by an aggregated api-server reached through the main api-server (in
its mode as a proxy for the aggregated api-server, in which it uses a
single HTTP/2 connection for all calls proxied to that aggregated
api-server).
Fixes #60042
Kubernetes-commit: 201c11f147c85b029665915bee3a62eea19d6d57
2018-02-19 14:18:07 -05:00
e36f8069aa
Add a metric exposing number of objects per type
...
Kubernetes-commit: f6e9ebffa2df10f7792fbea0a0fbe5ab8e388a26
2018-02-12 15:58:57 +00:00
45ac728887
set default enabled admission plugins by official document
...
Kubernetes-commit: 27f3fd2d79d2d669ddecdd987c8b099f1f43ce38
2018-01-23 20:12:10 +08:00
2aca9afa1d
sync: squashed up to merge cc7cea74ae668cd401d99cc472569605cb640517 in b3099bcf532bc470ff7075e93025b8741da09be4
2018-02-27 01:30:07 +00:00
1ab12b2dc8
Autogenerated: hack/update-bazel.sh
...
Kubernetes-commit: ef56a8d6bb3800ab7803713eafc4191e8202ad6e
2018-02-16 13:43:01 -08:00
bf5feefec3
add an admission decorator chain
...
Kubernetes-commit: 1ae856484b8a827b7ce6018ddfa103493a2cb97d
2018-02-14 09:27:25 -05:00
89b7bf377a
Update generated files
...
Kubernetes-commit: 5483ab7679dd055422131fd1c22a18eee39a775e
2018-02-08 19:37:08 +01:00
0520d284e2
controller-manager: add authz/n to options, nil by default
...
Kubernetes-commit: cecd663c21d139a3a5a15b43a8dda8de26180246
2018-02-08 14:19:02 +01:00
338a852bbb
apiserver: make SecureServingOptions and authz/n options re-usable
...
Kubernetes-commit: 4e0114b0dd3701b68c02d038edcf4fbe84515a68
2018-01-31 16:17:48 +01:00
808a483472
pass listener in integration test to prevent port in use flake
...
Kubernetes-commit: a6c43c6a5ca7cc4449684d5e68d73773be91cd41
2018-01-29 11:58:23 +08:00
43cefec1d0
Update endpoint value in test code
...
Kubernetes-commit: 31f74303fc48df5d88105c9742a103eae742f478
2018-02-09 01:23:25 +00:00
be4ee1ba37
Remove configfile for kms in encryption config
...
Kubernetes-commit: 5ae61ed386e3fbc3b7e91d343afadadd52ac027d
2018-01-26 11:53:24 +00:00
a32d2bb427
Update for review comments
...
Kubernetes-commit: 2e7af38d6b4c8ed9e1fb23930b98ed8d2ad68aa0
2018-01-25 05:39:48 +00:00
580a800cad
Only support unix socket for kms gRPC, also add Version method
...
Kubernetes-commit: a6368bb04c1100d1dce1c6bf680056882835b395
2017-12-18 09:29:56 +00:00
e4061faec3
Fix verify error and address review comments
...
Signed-off-by: Wu Qiang <qiang.q.wu@oracle.com>
Kubernetes-commit: 16b04d68b1ae180d61ea4ca06d1c8139c25a652f
2017-11-15 11:20:12 +08:00
dbe35e5c4e
Update kms provider config for gRPC client service
...
Kubernetes-commit: 31fb539f1735debd38e705fcb96a05ea0313c5f5
2017-11-14 09:05:52 +00:00
6f8c3a80da
fix typo in package apiserver
...
Kubernetes-commit: 0da91a8577ddfdeaff985cbb6c0da69d5a2ffc81
2018-02-01 03:04:33 +08:00
9e657b874d
deprecate insecure http flags and remove already deprecated public-address-override
...
Kubernetes-commit: 24c687fdad009fec01703ae0f93ab141b97c0028
2018-01-30 16:05:33 +08:00
0989af6244
remove --tls-ca-file which had no effect
...
Kubernetes-commit: 114711f77d1f12e10b1190db02ca17302992f5ad
2018-01-29 10:29:14 -05:00
b16b687dc5
generated
...
Kubernetes-commit: 4ce7bcced4cc68a833759a218f9c3be7f72fd1c0
2018-01-19 11:55:55 -05:00
6b198535d6
add options for min tls levels
...
Kubernetes-commit: ad1680347071cb5bb66ab49c7325eb21d83e143c
2018-01-19 11:50:47 -05:00
7eedbab968
run update bazel and staging-godep
...
Kubernetes-commit: eff1f20ff14cc450968788974d77b472c82fface
2018-01-20 17:21:44 +08:00
f5af0796fc
pass APIEnablement through apiserver chain
...
Kubernetes-commit: 2f403b7ad18a179514f1de77e29f1a2549ef030a
2017-12-21 11:27:20 +08:00
215ca01104
run update bazel
...
Kubernetes-commit: 5c9e020d7dfb369d3cdfb765baa3dff922d8e83d
2018-01-13 18:09:47 +08:00
d395a1e811
update admission test cases
...
Kubernetes-commit: 82c3d2492cb43f9f81e8a18e1dce2e8ab7e4e56a
2018-01-15 14:58:09 +08:00
b636311708
refactor admission flag: add two admission flags and make plugins auto in recommended order
...
Kubernetes-commit: 7c5f9e0bbaff15570f1709e70b7fa6952395d7cd
2018-01-15 14:58:57 +08:00
e090ce7de2
Fix loading structured admission plugin config
...
Kubernetes-commit: 34328ea87dc9ac61bd036228102c952017cb81d0
2018-01-18 02:32:28 -05:00
08a8cccb0a
Adding support for custom TLS ciphers in api server and kubelet
...
Kubernetes-commit: d7dbc96c70d480f0b81cd83ae3abd34b69c1e70d
2017-07-12 23:49:41 -07:00
574b95f04b
admission: do not leak admission config types outside of the plugins
...
Kubernetes-commit: 1a552bbe149373c056ee004304d7e5abaa89f4c6
2017-11-27 14:44:04 +01:00
3365692578
sync: squashed up to merge eb7be2699bcbecb2703d3c046b27c2a8e8b1b6dd in 188e6ebcdbcfd0617dc12e51e8e6a66ce89f3955
2018-01-13 19:39:22 +00:00
551699fb67
Pass RecommendedConfig into ExtraAdmissionInitializers
...
Kubernetes-commit: 5a3cfd27ed818b971f36032d85e2de2db586a4e5
2018-01-02 09:32:04 +01:00
73975eaf19
Simplify extra initializer logic
...
Kubernetes-commit: a8127df3bb396717b4fb2a7f688c1f98e6bef6b4
2017-12-20 12:17:44 +01:00
82b64e7264
add admission into RecommendedOption
...
Kubernetes-commit: 6149df089e2667fefb740e408ece883fd76dd40e
2017-12-01 11:07:28 +08:00
0f7253ee99
validate admission-control param
...
Kubernetes-commit: 64a7c60e00a1f6cf92710415e0e3dee133ebab7c
2017-11-30 14:34:36 +08:00
c8a97ee31a
Autogenerate BUILD files
...
Kubernetes-commit: efee0704c60a2ee3049268a41535aaee7f661f6c
2017-12-23 13:06:26 -08:00
0d11a9c252
Use []byte in place of string in envelope.Service.
...
Kubernetes-commit: 5005a541d6b5b7d950ed621d9c9fd247abb9b4af
2017-11-07 04:24:53 +05:30
8977dcee4a
Make audit batch webhook backend configurable
...
Signed-off-by: Mik Vyatskov <vmik@google.com>
Kubernetes-commit: 7e717ef3a6a57d31251ccee94d9e2dd29a70c27b
2017-11-30 18:47:48 +01:00
53b8960359
move the MutatingAdmissionWebhook to the last in the mutating amdission
...
plugin chain.
Kubernetes-commit: 8e8e32fa05f02331f724930933dfa34be995247c
2017-11-17 14:16:37 -08:00
e16244b0bc
Merge pull request #55812 from deads2k/admission-17-external
...
Automatic merge from submit-queue (batch tested with PRs 55812, 55752, 55447, 55848, 50984). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md ">here</a>.
Make versioned types for webhook admission config
Versioned webhook admission config type as promised in https://github.com/kubernetes/kubernetes/pull/54414 .
@kubernetes/sig-api-machinery-pr-reviews
@ericchiang as promised. fyi.
```yaml
kind: AdmissionConfiguration
apiVersion: apiserver.k8s.io/v1alpha1
plugins:
- name: GenericAdmissionWebhook
configuration:
kind: WebhookAdmission
apiVersion: apiserver.config.k8s.io/v1alpha1
kubeConfigFile: /path/to/my/file
```
`ADMISSION_CONTROL_CONFIG_FILE=../foo.yaml hack/local-up-cluster.sh`
Kubernetes-commit: 25ebf875b4235cb8f43be2aec699d62e78339cec
2017-12-07 04:34:43 +00:00
170e8ac6dd
pass listener to genericapiserver
...
Kubernetes-commit: 6ba30f678c232793430a98770e7a851f1e814fd2
2017-11-16 13:32:12 +08:00
2ee052ccdf
admission: make metrics compositional and move to metrics sub-package
...
Kubernetes-commit: baba0c827bfddfdc56b69c88e19406966ef900a2
2017-11-17 11:49:55 +01:00
4406561b46
add detail to flag help
...
Kubernetes-commit: 2956314cde74f0481be1da6107cc266f56127173
2017-11-17 15:22:53 -08:00
1b638a5be7
generated bazel
...
Kubernetes-commit: 6193360eb52b00727df08f67eb8fc364a8df85e9
2017-11-15 16:21:28 -08:00
cb8d15718f
Adding the mutating webhook
...
Kubernetes-commit: ea123f82aae5bc46b9a91c4543c8f742d0db52da
2017-11-14 16:36:28 -08:00
f88f0f12a1
Reorganize the admission webhook code.
...
Moved client and kubeconfig related code to webhook/config;
Moved the rule matcher to webhook/rules;
Left TODOs saying we are going to move some other common utilities;
Other code is moved to webhook/validation.
Kubernetes-commit: 1adfacc7eb41da109e970a9c2985fd55b4cbbdfd
2017-11-05 18:11:47 -08:00
c37db061da
remove redundant code in admission initializer
...
Kubernetes-commit: 9d1e6d3e2cc25db8e07db446d00390059c8264f8
2017-11-08 10:54:06 +08:00
3843f2885c
remove the nesting directory webhook/webhook
...
Kubernetes-commit: ca8131877ad4fcab76388360e04ff9eb05af41a4
2017-10-26 14:19:49 -07:00
3cb246ace6
move webhook admission to generic apiserver
...
Kubernetes-commit: 8c1fe1f61a1de754a2cfed1966f4a1f8024ca618
2017-10-24 08:48:05 -04:00
d3f753a815
update admission webhook to accept client config
...
Kubernetes-commit: 0859798e8e278ec382dcbeb77914f40bf2c78a2c
2017-10-18 12:57:59 -04:00
f4dbe23125
update BUILD files
...
Kubernetes-commit: aee5f457dbfd70c2d15c33e392dce6a3ca710116
2017-10-12 13:52:10 -07:00
670d5651ed
rename test file name
...
Kubernetes-commit: 81d87466c89772c11b460cdb02df488ffb58d770
2017-09-29 14:51:55 +08:00
19cfabed24
Mark etcd-quorum-read as deprecated.
...
Kubernetes-commit: 2a454dcea0b867bab44796a86a8b27f04b49528d
2017-10-12 19:42:12 +08:00
136304ddb2
removes k8s.io/kubernetes/pkg/api dependency from the webhook plugin.
...
Kubernetes-commit: fa96700b76de3df759b3dddb747da575c909acec
2017-10-09 22:15:25 +02:00
9074f20eb7
generated
...
Kubernetes-commit: bbac32c299eb0660e89870a7fbc698c79af04b51
2017-10-04 17:27:09 -07:00
9696b0c05e
move initializer to the generic apiserver
...
move k8s.io/kubernetes/plugin/pkg/admission/initialization to
k8s.io/apiserver/pkg/admission/plugin/initialization/initialization.go;
move k8s.io/kubernetes/pkg/kubeapiserver/admission/configuration to
k8s.io/apiserver/pkg/admission/configuration.
Kubernetes-commit: 89a0511fcb22caf23427587c026952b2a387f293
2017-10-04 16:54:08 -07:00
3cfc602704
apimachinery: mechanical removal of ObjectCopier plumbing
...
Kubernetes-commit: 509df603b18d356777176953e5d160b6f3d0bba9
2017-10-06 13:30:12 +02:00
f189d35f0e
removes Authorizer and ExternalClientSet from kubeapiserver's admission initializer.
...
Kubernetes-commit: 6b1f1d14148fe3962594d8f4c9ca15d1c6171819
2017-10-03 18:08:30 +02:00
a7bf68f0d6
storage, etcd3: add an option for configuring interval of compaction requests from apiserver
...
This commit adds an option for controlling request of compaction to
etcd3 from apiserver. There is a situation that apiserver cannot fully
own its etcd cluster (e.g. sharing it with canal). In such a case,
apiserver should have limited access in terms of etcd's auth
functionality so it don't have a priviledge to issue compaction
requests. It means that the compaction requests should be issued by
other component and apiserver's compaction requests are needless.
For such use cases, this commit adds a new flag
`storagebackend.Config.CompactionInterval`. If the flag is non 0,
apiserver issues the compaction requests like current behaviour (the
default is 5 minutes). If it is 0, apiserver doesn't issue the
requests. It can be configured with a newly added option of apiserver
`--etcd-compaction-interval`.
Kubernetes-commit: 87d4d3e92be6b93517f189082b0451cee6957ee5
2017-09-01 14:06:25 +09:00
941c87ca76
moved admission interfaces WantsClientCert, WantsAuthorizer and WantsExternalKubeClientSet to apiserver
...
Kubernetes-commit: 475493ced69f47dd78d72ff98bf2c5853fc5ea19
2017-09-27 22:05:34 +02:00
1c446c37e3
adds two new fields to AdmissionOption.
...
The first one being RecommendedPluginOrder the second one being DefaultOffPlugins.
In case a cluster-admin did not provide plugin names they will be derived from these fields.
Kubernetes-commit: 7a92947588070a8eedd0bf50edcfbf0fcc1d4096
2017-08-24 21:36:39 +02:00
65c833f23a
Fix apiserver help message
...
Kubernetes-commit: acad74670dd1167ea0e90b2eeef6946d3871bdbf
2017-09-04 17:22:25 +08:00
644d9a8cf1
Allow watch cache to be disabled per type
...
Currently setting watch cache size for a given resource does not disable
the watch cache. This commit adds a new `default-watch-cache-size` flag
to map to the existing field, and refactors how watch cache sizes are
calculated to bring all of the code into one place. It also adds debug
logging to startup to allow us to verify watch cache enablement in
production.
Kubernetes-commit: fc2d201e155296f311ae0a9278b00dcae2d68708
2017-09-09 21:44:33 +00:00
9f41d17af2
Update bazel
...
Kubernetes-commit: fbd310dbc7312fcae4267dd64326a1e7b4a0a8ae
2017-09-09 21:44:32 +00:00
a063c5336d
apiserver: avoid panics on nil sub-option structs
...
Kubernetes-commit: b153268da79d2acf14e042945959801c3dba8221
2017-09-09 21:44:32 +00:00
97e22b00fa
apiserver: split core API creation from secure serving
...
Kubernetes-commit: 2b64d3a0fd2ccdad4b2f21acb484a36e04381856
2017-09-09 21:44:32 +00:00
75cf96f31e
apiserver: stratify versioned informer construction
...
Kubernetes-commit: ca3f7453464f6866a3bf467c8b9d8e132484cfb4
2017-09-09 21:44:32 +00:00
8ec769da6b
apiserver: allow disabling authz/n via options
...
Kubernetes-commit: dffe50f8bd820295f7f1fbc56a6269b6b8c6966b
2017-09-09 21:44:32 +00:00
d2f7a0c820
Log a warning when --audit-policy-file not passed to apiserver
...
Kubernetes-commit: 3b91f1cc0d32278a9baf2a4b9b4e416cbfb2457f
2017-09-09 21:44:31 +00:00
0c7ac2906f
set AdvancedAuditing feature gate to true by default
...
Kubernetes-commit: 1388426898f46de5e8730c3f71ce3ccaf50337b8
2017-09-09 21:44:30 +00:00
3c2866020c
Switch audit output to v1beta1
...
Kubernetes-commit: f3487f08c6c2444adde9ba110263c9132769332b
2017-09-03 14:04:14 +00:00
460257fd61
Server side implementation of paging for etcd3
...
Add a feature gate in the apiserver to control whether paging can be
used. Add controls to the storage factory that allow it to be disabled
per resource. Use a JSON encoded continuation token that can be
versioned. Create a 410 error if the continuation token is expired.
Adds GetContinue() to ListMeta.
Kubernetes-commit: 8952a0cb722b77459cf2701632a30f5b264f5aba
2017-09-03 14:04:12 +00:00
b9e05868ba
Unify cloudprovided and normal KMS plugins
...
Kubernetes-commit: 6a4afc897c2ed4fb80f1b6121a06f86bc8095cd8
2017-09-01 16:37:07 +00:00
e1e8bebf50
Add --request-timeout to allow the global request timeout of 60 seconds to be configured.
...
Kubernetes-commit: cb764756c6f152bfb866b161315369bc47ebf13c
2017-08-29 13:18:50 +00:00
e74487ab1a
set --audit-log-format default to json
...
Updates: https://github.com/kubernetes/kubernetes/issues/48561
Kubernetes-commit: 130f5d10adf13492f3435ab85a50d357a6831f6e
2017-08-29 13:18:49 +00:00
49516f112c
Remove deprecated flag "long-running-request-regexp".
...
Kubernetes-commit: 72f4ab70e28a945ce25d40524696d0a486f8969e
2017-08-29 13:18:48 +00:00
504f70acec
Add enj as reviewer to OWNERS
...
Adding myself as a reviewer for the following areas:
- API
- auth
- registry
- storage (etcd)
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: dd06794bc20ef1e0889af576c7a4f7a2f607e49d
2017-08-29 13:16:16 +00:00
24a3b34c79
audit: disable new v1beta1 types until incompatible changes are done
...
Kubernetes-commit: 1dc251a1604b1576258f123ac8dd8390bba2e4a9
2017-08-29 13:16:13 +00:00
7313c11a9e
add validation for fed-apiserver
...
Kubernetes-commit: f2ea31fd925f764f8c684710d9cd345663e88d17
2017-08-29 13:16:11 +00:00
6c539a43c6
Use buildozer to delete licenses() rules except under third_party/
...
Kubernetes-commit: a7f49c906df816123e7d4ccbd4cebab411519465
2017-08-29 13:15:24 +00:00
6caa2933ae
Use buildozer to remove deprecated automanaged tags
...
Kubernetes-commit: 33276f06be5e872bf53ca62a095fcf0a6b6c11a8
2017-08-29 13:15:24 +00:00
f8c99c82f6
Autogenerate BUILD files
...
Kubernetes-commit: cf55f9ed45e6df2431d47cfc5b9c9b30758527f1
2017-08-29 13:15:23 +00:00
31be6bf988
validate kube-apiserver options
...
Kubernetes-commit: de406f83cfafc4033a935821a05cd8d8e5f50099
2017-08-29 13:15:23 +00:00
5cfd8381c1
add some checks for fedration-apiserver options
...
Kubernetes-commit: 172ab88ce848d2c2e6c344535d3011d4ac558a37
2017-08-29 13:15:23 +00:00
44942b068a
Run hack/update-bazel.sh to generate BUILD files
...
Kubernetes-commit: 3579017b865ddbc5449d6bba87346f086e4b93ff
2017-08-29 13:13:51 +00:00
7dfcb9c56f
This adds an etcd health check endpoint to kube-apiserver
...
addressing https://github.com/kubernetes/kubernetes/issues/48215 .
Kubernetes-commit: 47d748c5dc989ea46142569bf42636c622fe128a
2017-08-29 13:13:05 +00:00
fe5fc30248
Add cloudprovidedkms provider support
...
Kubernetes-commit: 68a32c06b4d69970ac2489ff5177d5703ca604cd
2017-08-01 23:56:38 +00:00
55fe632ce2
Add unit tests for KMS transformer initialization
...
Kubernetes-commit: b76c63a9f086d978532c5b7ca565cb3ccd90b32e
2017-08-01 23:56:38 +00:00
c75b59c1cd
Add KMS plugin registry
...
Kubernetes-commit: 49989439d7dab525d22b73936d533ae736b50491
2017-08-01 23:56:38 +00:00
a2a05bd86f
ParseEncryptionConfiguration: simplify code.
...
Also improves function name in godoc and many error messages.
Kubernetes-commit: bf51722ffbfa5521b8c516b8751435f004aacacf
2017-07-28 13:56:11 +00:00
5f2f70a255
Validate --storage-backend type.
...
Kubernetes-commit: fcf2df9ad7ea688d75b2e9abb036b9d7abcc6e7c
2017-07-28 13:56:10 +00:00
530dec4a81
adding validations on kube-apiserver audit log options
...
Signed-off-by: huangjiuyuan <jiuyuan.huang@daocloud.io>
Kubernetes-commit: 21d0f815645ca3452719faf1ad69c63a9c3f3db2
2017-07-19 03:49:08 +00:00
8bc6800aeb
support json output for log backend of advanced audit
...
Kubernetes-commit: bc94370e9cbf3e54dc7dab1dbfc7404815eafb4c
2017-07-16 04:08:41 +00:00
924adf12df
Add Validate() function for audit options
...
Kubernetes-commit: cf8e3ccf1959942342ed0c10f6b43d46beb65e04
2017-07-05 08:39:49 +00:00
c4948f98da
incluster config will be used when creating external shared informers.
...
previously the loopback configuration was used to talk to the server.
As a consequence a custom API server was unable to talk to the root API server.
Kubernetes-commit: 074544b3b024156e4ce91de5778281dbe1b47a72
2017-06-28 00:14:31 +00:00
205eddae2b
Fix typo in secretbox transformer prefix
...
Kubernetes-commit: 2c820c205073ec96acf8c0cf140db2381f377425
2017-06-15 22:11:39 +00:00
f1876a2211
Add configuration for AESCBC, Secretbox encryption
...
Add tests for new transformers
Kubernetes-commit: 13073407422c62ee2131968060c85ce8b6488de4
2017-06-13 20:47:32 +00:00
8401e3b61b
change the default storage location to avoid double prefixing
...
Kubernetes-commit: bc3434c084e405769417a08195700cd6be02211f
2017-06-13 20:47:32 +00:00
fcc6b93d70
Load initializers from dynamic config
...
Handle failure cases on startup gracefully to avoid causing cascading
errors and poor initialization in other components. Initial errors from
config load cause the initializer to pause and hold requests. Return
typed errors to better communicate failures to clients.
Add code to handle two specific cases - admin wants to bypass
initialization defaulting, and mirror pods (which want to bypass
initialization because the kubelet owns their lifecycle).
Kubernetes-commit: 772ab8e1b4163c17d285a2789321762a8f2dc9f3
2017-06-13 20:47:31 +00:00
8ab96afbb9
Avoid * in filenames
...
Kubernetes-commit: b5e5e93201ccbc1b4ed1da0378c1f550508bfc4f
2017-06-13 20:47:31 +00:00
5fa08b8c5e
Allow initialization of resources
...
Add support for creating resources that are not immediately visible to
naive clients, but must first be initialized by one or more privileged
cluster agents. These controllers can mark the object as initialized,
allowing others to see them.
Permission to override initialization defaults or modify an initializing
object is limited per resource to a virtual subresource "RESOURCE/initialize"
via RBAC.
Initialization is currently alpha.
Kubernetes-commit: 331eea67d8000e5c4b37e2234a90903c15881c2f
2017-06-13 20:47:30 +00:00
0b1c13686c
Add configuration options for encryption providers
...
Add location transformer, config for transformers
Location transformer helps choose the most specific transformer for
read/write operations depending on the path of resource being accessed.
Configuration allows use of --experimental-encryption-provider-config
to set up encryption providers. Only AEAD is supported at the moment.
Add new files to BUILD, AEAD => k8s-aes-gcm
Use group resources to select encryption provider
Update tests for configuration parsing
Remove location transformer
Allow specifying providers per resource group in configuration
Add IdentityTransformer configuration option
Fix minor issues with initial AEAD implementation
Unified parsing of all configurations
Parse configuration using a union struct
Run configuration parsing in APIserver, refactor parsing
More gdoc, fix minor bugs
Add test coverage for combined transformers
Use table driven tests for encryptionconfig
Kubernetes-commit: 9760d00d08ef0619e30a7b1b90fd290cab960069
2017-06-13 20:47:30 +00:00
efae6ed84b
Pre-generate SNI test certs
...
Kubernetes-commit: 6554dfc4456869e299b8f6a8f686e8c3cee073d9
2017-06-13 20:47:30 +00:00
be1a712a68
apiserver: add a webhook implementation of the audit backend
...
Kubernetes-commit: a88e0187f9f6083ed68d18e939a776c44c728e4b
2017-06-13 20:47:30 +00:00
42d367c84c
register all generic admission plugins when AdmissionOptions are created.
...
lifecycle plugin: make use of the libraries under k8s.io/client-go/pkg/api and k8s.io/client-go/kubernetes
for the client libraries instead of k8s.io/kubernetes/client/*
move registration to AdmissionOptions
Kubernetes-commit: 77eb2f39500f1fcf66899ea557791e7bca851449
2017-06-13 20:47:29 +00:00
10de73bc53
move CRD behind TPR
...
Kubernetes-commit: 18177e2bdeafbddeb3d66fec0b8cb88794cd69ff
2017-06-13 20:47:29 +00:00
8ff532a4cb
Implement audit policy logic
...
Kubernetes-commit: a5de309ee261aea15bb1cc12647b32640c2ac196
2017-06-13 20:47:28 +00:00
ecba80695f
remove init blocks from all admission plugins
...
Kubernetes-commit: c5019bf6962475ffff94ef4993bdc651b79f650c
2017-06-13 20:47:28 +00:00
94ea219615
Update bazel
...
Kubernetes-commit: 9fdc36a47ada0bc34ee53b68edd085d368ed9012
2017-06-13 20:47:28 +00:00
f7d766d92d
audit: add audit event to the context and fill in handlers
...
Kubernetes-commit: 0b5bcb021932355b3ff7c2b45fb579f4adad84bf
2017-06-13 20:47:28 +00:00
b10e93e2f5
bazel update
...
Kubernetes-commit: 7b0950b298c876668d469d4b5b2ad7a4dcd344fc
2017-05-16 17:27:51 +00:00
ceeef3670c
This PR implements AdmissionOptions.ApplyTo
...
ApplyTo adds the admission chain to the server configuration the method lazily initializes a generic plugin
that is appended to the list of pluginInitializers.
apiserver.Config will hold an instance of SharedInformerFactory to ensure we only have once instance.
The field will be initialized in apisever.SecureServingOptions
Kubernetes-commit: 8cea69aa9812d6627ebdfa4f8b9c1d7624a8f3f5
2017-05-16 17:27:50 +00:00
49f3eb05d8
refactor names for the apiserver handling chain
...
Kubernetes-commit: 4389f715768661731f0aae7438b2cc8414c9746a
2017-05-12 17:30:09 +00:00
234a9303e9
apiserver: tri-state watch cache capacity: off, default, value
...
Kubernetes-commit: b799e62e1aa82a1f1ff87597e762734cd702cdee
2017-05-12 17:30:09 +00:00
e640e78936
apiserver: fix --tls-sni-cert-key doc string
...
Kubernetes-commit: 53365880086f0d0d53002de7ce816284da41f4d0
2017-05-12 17:30:08 +00:00
1512c30ca6
Delete "hard-coded" default value in flags usage.
...
Kubernetes-commit: 420caf200cdb1ba41d6af43c5695c29de2082851
2017-04-29 20:35:54 +00:00
fdb6bac0df
bazel update
...
Kubernetes-commit: 4a3dcff3bfb49317cee8fb209f6b915fc9e82f1a
2017-04-21 20:35:37 +00:00
3422dafac7
Split out AdmissionOptions
...
In the long term AdmissionOptions will accepts various dependencies
and spit out AdmissionControl
Kubernetes-commit: de9706bc15ffc3a6a4ef30a00d5c7ea9a8881396
2017-04-21 20:35:37 +00:00
2aab760a2a
autogenerated
...
Kubernetes-commit: a05c3c0efdc5822049e34b1a5a1ee259c5fb1906
2017-04-15 20:35:23 +00:00
320e34b1d9
pkg/admission: make plugin registry non-global
...
Kubernetes-commit: 63f547e1b15ed94ef91c69a7e294b3506bd8c918
2017-04-12 20:35:22 +00:00
38fb6e78f7
move legacy insecure options out of the main flow
...
Kubernetes-commit: cd297546807fc08546905a2b96879d13bcf3a30b
2017-03-31 20:37:15 +00:00
c2afcd59a6
move insecure options to kubeapiserver
...
Kubernetes-commit: c2f8ef1b1a4e0e60379b7b7447d59a87b0b0ccf9
2017-03-31 20:37:15 +00:00
b3af46c0dc
wire in aggregation
...
Kubernetes-commit: 8e26fa25da6d3b1deb333fe2484f794795d1c6b9
2017-03-31 20:37:15 +00:00
8c644986dc
require codecfactory
...
Kubernetes-commit: 087a03022106c02f82a497f65b945f3cbab3f643
2017-03-31 20:37:15 +00:00
91f0fac434
force callers to specify the cert dns names
...
Kubernetes-commit: f31eb0a77f0616a5c4c3477b6d87a5a6726845cc
2017-03-31 20:37:15 +00:00
1e6581d944
use - to indicate audit log goes to system out
...
Kubernetes-commit: 91f461283ec25dd43d55db97f981723a94f208b8
2017-03-31 20:37:15 +00:00
0f41d276a9
Force etcd2 to use application/json, add base64-wrapper decoder as fallback
...
Kubernetes-commit: 87e32c75321bad09707683cb15d6a0c41f4b6f0d
2017-03-18 19:56:09 +00:00
33e10a040b
Add pprof trace support
...
Add pprof trace support and --enable-contention-profiling to those
components that don't already have it.
Kubernetes-commit: b011529d8a1486bc2316a049db35759086d2994b
2017-03-18 19:56:09 +00:00
8aacf17ba5
allow incluster authentication info lookup
...
Kubernetes-commit: 3d039f60cf998746a95181cacf5d3d69b83b46b0
2017-03-18 19:56:09 +00:00
9c5ae42f4d
add aggregation integration test
...
Kubernetes-commit: 5cfe26dece13c77bd17fd10e47d2c00bf5da9b6d
2017-03-18 19:56:09 +00:00
7170396682
tweak defaults for recommended apiserver options
...
Kubernetes-commit: acba2cbd6d188a34f4c3032c933921ba22a0f77c
2017-03-18 19:56:08 +00:00
954f7be538
apiserver: self-signed in-memory cert for loopback
2017-02-27 15:10:34 -05:00
1e2d8fe122
remove cycle that snuck into tests
2017-02-23 09:48:09 -05:00
73c30cda7e
staging/src/*: run gofmt
2017-02-23 09:48:09 -05:00
585aca0c2c
k8s.io/apiserver: straighten EtcdOptions, backend Config and kube RESTOptionsFactory
2017-02-16 08:03:03 -05:00
147d3934cf
auto-create the loopback token
2017-02-14 14:04:06 -05:00
c2c4ecb2ff
create sample-apiserver repo for people to inspect
2017-02-13 07:36:42 -05:00
9d21f84d8f
streamline etcd options for aggregated api server
2017-02-13 07:36:42 -05:00
5566a0ef65
move storage serialization type to etcd options
2017-02-13 07:36:42 -05:00
2e34520350
add feature enablement options to recommendedoptions
2017-02-13 07:36:42 -05:00
8c39f8c871
move --runtime-config to kubeapiserver
2017-02-13 07:36:42 -05:00
d3c1c03062
move auditoptions to separate struct
2017-02-13 07:36:42 -05:00
aed020968e
add recommended aggregated api server options
2017-02-13 07:36:42 -05:00
284a95797b
apiserver command line options lead to config
2017-02-13 07:36:41 -05:00
6025c228e6
pkg/storage/etcd: cut off pkg/api scheme
2017-02-02 09:36:48 -05:00
Chao Wang
Jordan Liggitt
Eric Chiang
Christoph Blecker
Solly Ross
immutablet
Dr. Stefan Schimanski
Justin Santa Barbara
Marian Lobur
David Eads
hangaoshuai
Tim Allclair
fqsghostcloud
Tripathi
Cao Shufeng
Clayton Coleman
Mikhail Mazurskiy
Jordan Liggitt
Victor Garcia
tamal
Mik Vyatskov
hzxuzhonghu
Kubernetes Publisher
Mike Spreitzer
Marek Grabowski
steveperry-53
Jeff Grafton
Wu Qiang
Wu Qiang
halfcrazy
Yu Liao
Saksham Sharma
Chao Xu
Kubernetes Submit Queue
Daniel Smith
xiangpengzhao
p0lyn0mial
Hitoshi Mitake
tengqm
Maciej Szulik
Joe Betz
Monis Khan
m1093782566
bjhaid
Slava Semushin
huangjiuyuan
Saksham Sharma
Tim St. Clair
Mike Danese
Andy Goldstein