kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,085 Commits 30 Branches 1,482 Tags 31 MiB
Commit Graph

3337 Commits

Author SHA1 Message Date
Jiahui Feng 8f8266ef89 update to inject only the list of excluded resources. 
Kubernetes-commit: 6b03166beda6e550ebcbed1bb7d9ca2cc1d94df4
 2024-03-05 10:27:35 -08:00
Jiahui Feng a86b013fb6 make ValidatingAdmissionPolicy ignore excluded resources. 
Kubernetes-commit: 64ee859aa82c17daa8037e4e90e066ae4582d653
 2024-02-28 15:31:44 -08:00
Jiahui Feng b1e2103ed5 add resource filter to admission initializer. 
Kubernetes-commit: 5b1fffa3e40b812e81ede244f671c90e3428e2ec
 2024-02-28 15:31:18 -08:00
Monis Khan 37809637af Fix AuthenticationConfiguration docs around nested claims via CEL 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 290f2a7e1b62d2bfce2363ec528155a9748e0adb
 2024-03-05 12:01:11 -05:00
Lukasz Szaszkiewicz b3f5f43260 storage/cacher: mark the addition of a metric for waitUntilFreshAndBlock as completed 
Kubernetes-commit: 221ad9f7c25cc4da36e97c5feca3fc60bbe5bbfa
 2024-03-05 10:23:23 +01:00
Monis Khan 9432b4df38 Prevent conflicts between service account and jwt issuers 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 05e1eff7933a440595f4bea322b54054d3c1b153
 2024-02-27 17:11:18 -05:00
Jordan Liggitt 4d70dec65c Promote StructuredAuthorizationConfiguration feature gate to beta 
Kubernetes-commit: 30256c8909ab8c30a64f786361543768f2719c77
 2024-03-02 02:12:36 -05:00
Marek Siarkowicz 743b53428c Test that separation of streams work by using progress notifies 
Kubernetes-commit: 1cf4cec449cb29718a694e25f4750452af3f491d
 2024-02-29 17:51:46 +01:00
Marek Siarkowicz e810084a4b Prevent watch cache starvation, by moving its watch to separate RPC and add a SeparateCacheWatchRPC feature flag to disable this behavior 
Kubernetes-commit: 31d404b182d2985ce0d3c43f75d80c29a708beda
 2024-02-27 11:25:42 +01:00
Sean Sullivan 0376e5de57 adds comments to tunnelingResponseWriter 
Kubernetes-commit: 3d56ff21fd3c9c9da82ff22044691ef0671ac7b6
 2024-03-04 11:10:17 -08:00
Jordan Liggitt 9610424488 Fix headerInterceptingConn handling 
Kubernetes-commit: 2443b3fa694462ab0438f10dea38557edea4d4e7
 2024-03-02 17:57:39 -05:00
Sean Sullivan f4bc37078e portforward: tunnel spdy through websockets 
Kubernetes-commit: 8b447d8c97e8823b4308eb91cf7d75693e867c61
 2024-02-21 08:56:07 +00:00
Jordan Liggitt 9adb3ee3c0 Add authorization webhook duration/count/failopen metrics 
Kubernetes-commit: 79b344d85e3e2f8f3192a3dcabb384cfe87136a6
 2024-03-02 01:44:28 -05:00
Sunil Shivanand 9ffd1e2039 Add apiserver_watch_cache_read_wait metric to cache refresh time 
Signed-off-by: Sunil Shivanand <padlar@live.com>

Kubernetes-commit: e6ed0f37c65fb22c16f5afa408bc4de166070ebc
 2024-02-08 12:39:50 +01:00
xigang 2eff540b7c cleanup: if triggerValue has a value, fast break 
Signed-off-by: xigang <wangxigang2014@gmail.com>

Kubernetes-commit: d72448a41c24911a57b24cabdef3ca63ee048bd4
 2024-03-04 10:29:31 +08:00
Anish Ramasekar f2c6133c7f Add `DiscoveryURL` to AuthenticationConfiguration 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 84852ff56f952b4c3daab920d119d24c2e6a3476
 2024-02-07 01:41:52 +00:00
Jordan Liggitt 4153027735 Duplicate v1alpha1 AuthorizationConfiguration to v1beta1 
Kubernetes-commit: 0605a75c5e3590e2b0ab80d2163a76c4e77f4380
 2024-03-02 01:56:29 -05:00
Jordan Liggitt 59cba35b06 Fix discovery v2 conversion registration data race 
Kubernetes-commit: 0e9cdf76ad2e21166dd5b72f7b0c2450d648c906
 2024-03-01 19:29:39 -05:00
Rita Zhang b7a30e3bfb add authz webhook matchcondition metrics 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Jordan Liggitt <liggitt@google.com>
Co-authored-by: Jordan Liggitt <liggitt@google.com>

Kubernetes-commit: e76fce75666beb2771dfa15a10700f18d2d15d85
 2024-02-29 20:55:32 -08:00
Anish Ramasekar 7b0c197f53 cleanup structured authn/authz error logic 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: c2c4f4616d4ecea9fad5b994cdc72e3f96728962
 2024-01-25 22:45:19 +00:00
Jefftree d8d3b8c351 Use v2 types with agg discovery 
Kubernetes-commit: 462dd326c2e98d937a96d49002883000efe4b2d6
 2024-01-19 16:13:47 -05:00
Jefftree 7c8cdebce9 Promote AggregatedDiscovery to GA 
Kubernetes-commit: 301e804c3f2fb3935c2cf3d2a04967f47921fc99
 2024-02-27 16:59:46 -05:00
Jefftree fc2ef69449 Remove test for disabling aggregated discovery 
Kubernetes-commit: 0593746f6093a5a59a7a047f03a4139275fcaf11
 2024-02-27 18:27:54 -05:00
Tim Hockin 5624a05672 Remove defunct references to "vendor" 
Kubernetes-commit: d772f7719dc55ebfec2e9461b6e14bf17f5301df
 2024-01-15 15:56:21 -08:00
Tim Hockin 541bc37de9 Fix go-to-protobuf wrt gengo/v2 
There's some very fishy-smelling logic in here, but this commit is
trying to be as focused as possible.

The *.pb.go diffs are the "name" encoded in the descriptor.  The
descriptor blobs can be decoded by this program (thanks StackOverflow!):

```
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"os"

	"io/ioutil"

	proto "github.com/golang/protobuf/proto"
	dpb "github.com/golang/protobuf/protoc-gen-go/descriptor"
)

func main() {
	m := map[string][]byte{
		"before": blobv1,
		"after":  blobv2,
	}
	arg := os.Args[1]
	dump(m[arg])
}

func dump(bytes []byte) {
	fd, err := decodeFileDesc(bytes)
	if err != nil {
		panic(err)
	}
	b, err := json.MarshalIndent(fd, "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}

// decompress does gzip decompression.
func decompress(b []byte) ([]byte, error) {
	r, err := gzip.NewReader(bytes.NewReader(b))
	if err != nil {
		return nil, fmt.Errorf("bad gzipped descriptor: %v", err)
	}
	out, err := ioutil.ReadAll(r)
	if err != nil {
		return nil, fmt.Errorf("bad gzipped descriptor: %v", err)
	}
	return out, nil
}

func decodeFileDesc(enc []byte) (*dpb.FileDescriptorProto, error) {
	raw, err := decompress(enc)
	if err != nil {
		return nil, fmt.Errorf("failed to decompress enc: %v", err)
	}

	fd := new(dpb.FileDescriptorProto)
	if err := proto.Unmarshal(raw, fd); err != nil {
		return nil, fmt.Errorf("bad descriptor: %v", err)
	}
	return fd, nil
}

var blobv1 = []byte{
	// insert proto "before" blob here
}

var blobv2 = []byte{
	// insert proto "after" blob here
}
```

Running this with "before" and "after" args, and diffing the output
yields something like:

```diff
--- /tmp/a	2023-12-23 23:57:04.748090836 -0800
+++ /tmp/b	2023-12-23 23:57:11.000040973 -0800
@@ -1,5 +1,5 @@
 {
-  "name": "k8s.io/kubernetes/vendor/k8s.io/api/admission/v1/generated.proto",
+  "name": "k8s.io/api/admission/v1/generated.proto",
   "package": "k8s.io.api.admission.v1",
   "dependency": [
     "github.com/gogo/protobuf/gogoproto/gogo.proto",
```

Kubernetes-commit: b0a70dec4ab4cb9f972cf39a81ca5e5555417227
 2023-12-24 10:01:42 -08:00
Igor Velichkovich fc7cf5fb84 kep-3716 GA, remove feature gate 
Kubernetes-commit: a51a5b462236d5eb87e6d690065f884c281a833c
 2024-02-28 10:45:51 -06:00
Anish Ramasekar b3e4dc29ef add min valid jwt payload to API docs for structured authn config 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: b57d7d6ad79ed0a2a8359144c07eadeef0ea3fd3
 2024-02-22 16:33:24 -08:00
Lukasz Szaszkiewicz 816c9a3d12 apiserver/storage: improve RunWatchSemanticInitialEventsExtended test 
changes the test to populate the underlying data store with
more data to trigger potential ordering issues.

Kubernetes-commit: 20ded275705a6e11c1113cbeedad4de94e2dc666
 2024-01-10 11:08:35 +01:00
Joe Betz 414d2e2d63 Add selectableFields to CRDs 
Kubernetes-commit: 291703482d58ae030da71c6d671a96a6f960fc6f
 2024-02-28 14:06:06 -05:00
Wojciech Tyczyński 45b7f21179 Ensure that initial events are sorted for WatchList 
Kubernetes-commit: 92bdc7b3873800e6130176e49acdf5e17110e5b9
 2023-09-26 18:39:44 +02:00
Lukasz Szaszkiewicz e53bac21d8 storage/watch_cache: rework getAllEventsSinceLocked 
Kubernetes-commit: ecaf2093f51fed5f544520b0ac00fb33a474b7f5
 2024-02-26 12:22:05 +01:00
Lukasz Szaszkiewicz 19bd56380e storage/cacher: add TestGetWatchCacheResourceVersion, TestGetBookmarkAfterResourceVersionLockedFunc 
Kubernetes-commit: d629d3fa355ec90f618663b0933d28d335489c54
 2024-02-21 10:06:42 +01:00
Lukasz Szaszkiewicz 76172aaa1f storage/cacher: ensure the cache is at the Most Recent ResourceVersion when streaming was requested 
Kubernetes-commit: f90bcf649e0f3dc233f49882468f949b0f00ac4f
 2024-01-17 14:10:04 +01:00
Sean Sullivan b5f79f8dae streamtranslator counter metric by status code 
Kubernetes-commit: 03812ddb169725b0652744c2ecaa151f5c03887b
 2024-02-24 03:55:17 +00:00
Jiahui Feng 8485f72a96 add support for map 
to CEL mutation library.

Kubernetes-commit: dc4c92f5a5646ed8d131a8bb8ff96b5e6b3e4bb8
 2024-02-27 13:55:08 -08:00
Alexander Zielenski dd139db676 refactor: use shared CollectParams from VAP 
Kubernetes-commit: 4760e0cc44fb0ee2a92d12ee2b17f094e7ea94ec
 2024-02-15 17:00:45 -08:00
Alexander Zielenski 9a4b2b3543 refactor: use match from generic pkg in vap 
It is same exact code, but uses accessors now

Kubernetes-commit: 64cd09f7208e7a45d87ab6436c833c984fa6e594
 2024-02-20 09:22:18 -08:00
Alexander Zielenski ed64edd4e0 add generic policy dispatcher 
similar to the generic policy source, applies common match logic

for code sharing with validating/mutating

Kubernetes-commit: 96c418a7b73f2f85be530ad9b987d70eeeab14b0
 2024-02-21 13:09:49 -08:00
Alexander Zielenski 48e4f369ee test: infer gvk of objects 
avoids relying on the GVK to be written to the object

Kubernetes-commit: 11ed3032c091bab4c56d471c8d0049ccb9c20efb
 2024-02-16 10:43:05 -08:00
Alexander Zielenski eed515aa23 refactor: handle paramKind directly 
remove hacks that might conceal errors

Kubernetes-commit: acf1d850c6153aae10f26ef3d3e21fa8a63b20e0
 2024-02-20 09:22:35 -08:00
Alexander Zielenski 223ffcc3b0 add functions to policy accessors for getting match information and params 
Kubernetes-commit: 6d5133f3ecd4ddb38a29dac69641fb56576491a2
 2024-02-15 16:33:41 -08:00
Cici Huang c8d2257e3a [KEP-3962]Add feature gate for MAP (#123425) 
* Add feature gate for MAP

* sort feature gates.

---------

Co-authored-by: Jiahui Feng <jhf@google.com>

Kubernetes-commit: 9bc5257c450f7dfda187bfadd96f32310a2eaa18
 2024-02-21 17:00:13 -08:00
Tim Hockin d38e8187d9 Cleanup: s/depreciated/deprecated/g 
Kubernetes-commit: 9f4b82bf3b079fe868effbd2498b61464db6d459
 2024-02-18 14:50:55 -08:00
Han Kang f615696539 bump the stability level of apiserver_storage_size_bytes to STABLE 
Kubernetes-commit: f38852768e312fe7b9775b92f7228371a0a96f90
 2024-02-16 09:13:46 -08:00
Alexander Zielenski 8e917a7cef flake: avoid flake by ensuring params appear in the initial list 
sometimes they would not appear in the initial list if they were added while the informer was starting up due to ObjectTracker race

Kubernetes-commit: def05a20e22f069a60f4190755e8c7244d18781c
 2024-02-15 13:58:29 -08:00
Jordan Liggitt fe847b31f4 Add allowed/denied metrics for authorizers 
Kubernetes-commit: d5d3eddb95b657f03677c21498f185d70d87cdda
 2024-02-16 02:26:18 -05:00
Eric Lin 000601bdbe Add handler to run watch serving in separate goroutine 
This handler allows running execution prior to actual serving in a separate
goroutine when serving requests. Doing so benefits cases in serving long running
requests because it allows freeing memory used by the separate goroutine
and keeps the serving routines slim.

Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 7b2698a5e5c61b303481c2006847409fc8704746
 2023-10-10 08:53:26 +00:00
Jordan Liggitt c2310e1279 Implement authz config file reloading 
Kubernetes-commit: 5dc92ada068cb80a2866cfaa1f9aa760d2524680
 2023-11-08 08:49:58 -06:00
Alexander Zielenski 7e9e7fe668 move OWNERS from validating to all new parent policy folder 
meant to do this in refactor PR

Kubernetes-commit: bd27c99262e73955af6af19a1d6d72fce6739522
 2024-02-14 16:32:08 -08:00
Anish Ramasekar 1bc99127a6 Add integration test for multiple audience in structured authn 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 0feb1d5173c94e28da79963fb296296b005dd6a1
 2024-02-14 17:04:21 -08:00