288 Commits

Author SHA1 Message Date
Jiahui Feng 8f8266ef89 update to inject only the list of excluded resources.
Kubernetes-commit: 6b03166beda6e550ebcbed1bb7d9ca2cc1d94df4
2024-03-05 10:27:35 -08:00
Jiahui Feng a86b013fb6 make ValidatingAdmissionPolicy ignore excluded resources.
Kubernetes-commit: 64ee859aa82c17daa8037e4e90e066ae4582d653
2024-02-28 15:31:44 -08:00
Tim Hockin 5624a05672 Remove defunct references to "vendor"
Kubernetes-commit: d772f7719dc55ebfec2e9461b6e14bf17f5301df
2024-01-15 15:56:21 -08:00
Alexander Zielenski dd139db676 refactor: use shared CollectParams from VAP
Kubernetes-commit: 4760e0cc44fb0ee2a92d12ee2b17f094e7ea94ec
2024-02-15 17:00:45 -08:00
Alexander Zielenski 9a4b2b3543 refactor: use match from generic pkg in vap
It is the same exact code, but uses accessors now

Kubernetes-commit: 64cd09f7208e7a45d87ab6436c833c984fa6e594
2024-02-20 09:22:18 -08:00
Alexander Zielenski ed64edd4e0 add generic policy dispatcher
similar to the generic policy source, applies common match logic

for code sharing with validating/mutating

Kubernetes-commit: 96c418a7b73f2f85be530ad9b987d70eeeab14b0
2024-02-21 13:09:49 -08:00
Alexander Zielenski 48e4f369ee test: infer gvk of objects
avoids relying on the GVK to be written to the object

Kubernetes-commit: 11ed3032c091bab4c56d471c8d0049ccb9c20efb
2024-02-16 10:43:05 -08:00
Alexander Zielenski eed515aa23 refactor: handle paramKind directly
remove hacks that might conceal errors

Kubernetes-commit: acf1d850c6153aae10f26ef3d3e21fa8a63b20e0
2024-02-20 09:22:35 -08:00
Alexander Zielenski 223ffcc3b0 add functions to policy accessors for getting match information and params
Kubernetes-commit: 6d5133f3ecd4ddb38a29dac69641fb56576491a2
2024-02-15 16:33:41 -08:00
Alexander Zielenski 8e917a7cef flake: avoid flake by ensuring params appear in the initial list
sometimes they would not appear in the initial list if they were added while the informer was starting up due to ObjectTracker race

Kubernetes-commit: def05a20e22f069a60f4190755e8c7244d18781c
2024-02-15 13:58:29 -08:00
Alexander Zielenski 7e9e7fe668 move OWNERS from validating to all new parent policy folder
meant to do this in refactor PR

Kubernetes-commit: bd27c99262e73955af6af19a1d6d72fce6739522
2024-02-14 16:32:08 -08:00
Alexander Zielenski 1672796601 bugfix: avoid NPE possibility by making composition environment global
Kubernetes-commit: 3094395fa76210f33118d10d6a7c8214c50a7f33
2024-01-29 13:45:27 -08:00
Alexander Zielenski 9fd47abbb1 refactor: implement VAP off of policy plugin fw
Kubernetes-commit: 18fbc48b0155485cd78ec4d0e6050ccbb7d8e058
2024-01-22 17:31:52 -08:00
Alexander Zielenski f8d65cf3a6 refactor: create generic policy plugin type similar to webhook
Kubernetes-commit: a6366573d5ca328438b80d72d0ae5a5bf6b178be
2024-01-22 17:31:34 -08:00
Alexander Zielenski 06be9d025c refactor: move matching logic into parent policy folder
Kubernetes-commit: d697f43d73870679ad4cd46939ad28e06926b6d3
2024-01-17 18:12:41 -08:00
Alexander Zielenski 57e06e43f7 refactor: move vap into parent `policy` folder
also renames to remove stutter

comment

Kubernetes-commit: 8b14116509ac19234924878ab08f7e9e8f03549a
2024-01-17 18:09:30 -08:00
Alexander Zielenski 3769e5c054 refactor: move celmetrics close to its usage in vap
does not need to be accessed from anywhere else, and removed an excessive lonesome `cel` pkg with just the metrics

Kubernetes-commit: 8b26b6eec1b0d99518e7c53879e1d44ade2eebc7
2024-01-17 17:05:53 -08:00
Jiahui Feng 6f620d4d18 add test case for error inside variables.
Kubernetes-commit: 3e777540fda8dda01bb72702b1e39675f21d2955
2024-02-08 13:39:25 -08:00
Jiahui Feng ab64beb117 add support of variables for Type Checking.
Kubernetes-commit: dc832c6e59e98f8b842efe42d3f18a67e781779d
2024-02-01 15:28:21 -08:00
Jiahui Feng 1501159ecb refactor type checking to use CompositedCompiler.
Kubernetes-commit: 21ba0d59d3a29b5668d4ba712d5b130d458121c6
2024-02-01 13:20:21 -08:00
José Carlos Chávez f099bff723 chore: adds consistent vanity import to files and provides tooling for verifying and updating them. (#120642)
* chore: drops update vanity imports from script.

* chore: changes copyright year to 2024.

* chore: makes lint happy.

Kubernetes-commit: 6d6398ef9266abce3518a4c9a3d4e4d8feeffdc1
2024-02-08 14:10:27 +00:00
buddie.wei 586f61dd0f Fix the syntax error in the comment of the checkQuotas method. (#121428)
* Update controller.go

Fix comment error.
From "It there was no quota change mark the waiter as succeeded." to "If there was no quota change mark the waiter as succeeded."

* Adjust the comments to maintain consistent tense throughout.

Adjust the comments to maintain consistent tense throughout.

Kubernetes-commit: 5855f5178f42dbc114b6c5ac1964a5dd62bb0957
2024-02-06 00:45:00 +08:00
Alexander Zielenski 69adaecb9e bugfix: don't skip reconcile for unchanged policy if last sync failed
Kubernetes-commit: 71559bd02670f53a2d6640714eeb4e7fbc554e86
2024-01-26 18:57:30 -08:00
carlory aa358081a5 fix evaluate resource quota if a resource is updated when the InPlacePodVerticalScaling feature-gate is on
Kubernetes-commit: 041e97af1f0ee40029dcd44abd63f84514eca59e
2024-01-11 16:04:02 +08:00
Jiahui Feng 59297e78dd use context for lazy evaluation.
Kubernetes-commit: 4fa3247a61e21abcb31778f8bfb85af844a6bd03
2023-10-30 11:29:57 -07:00
Jiahui Feng 9493e52cdc opportunistically attempt to refresh RESTMapper
if GVK resolution fails.

Kubernetes-commit: 38fecc8319d884aa4d4b98b013bf853e6072aa77
2023-10-26 10:24:21 -07:00
Jiahui Feng 6b0a70e192 typed variables support.
Kubernetes-commit: c03579bfa40dcb39e1ffe24c12f933720e4eb204
2023-10-04 16:39:24 -07:00
Divya Sri Sanaganapalli 956f1b4799 Incorporating feedback on 119341
Kubernetes-commit: 24877f96fbb60f34c1c808e7ac76870019eee86b
2023-08-21 15:20:30 +00:00
Stephen Kitt 7fb4ad7511 api-machinery: stop using deprecated io/ioutil
This replaces deprecated ioutil functions as follows:

* ioutil.ReadAll -> io.ReadAll
* ioutil.ReadFile -> os.ReadFile
* ioutil.TempDir -> os.MkdirTemp
* ioutil.TempFile -> os.CreateTemp
* ioutil.WriteFile -> os.WriteFile

Signed-off-by: Stephen Kitt <skitt@redhat.com>

Kubernetes-commit: b60a3a58df2791ae67764f6325be31aea5eca5a0
2023-05-02 15:08:18 +02:00
Alexander Zielenski 09a47412b5 bugfix: use matched resource for AdmissionRequest.resource, not the resource it was converted from
use existing admission request for audit annotation eval

populate matchResource in empty rules case

Kubernetes-commit: e1b0bc3d0a7fb89a1e60f4ec1ee34b10de22d00a
2023-07-21 18:13:24 -07:00
Alexander Zielenski a690957dd1 update codegen
Kubernetes-commit: d6479587445a5a6fa736ee7fb3012a29f4e6e5e7
2023-07-19 16:21:22 -07:00
Alexander Zielenski df86e524c7 refactor: replace usage of v1alpha1 with v1beta1
v1alpha -> v1beta

fill in DenyAction where there is no ParameterNotFoundAction

Kubernetes-commit: ef8670c946d53fda523341658919f9d8bd242d40
2023-07-19 15:53:31 -07:00
Alexander Zielenski d501de662c feature: add multiple params capability to VAP controller
Kubernetes-commit: b5e9e0168cf9383dacbd730893c6bc426581e64b
2023-07-10 18:40:45 -07:00
Alexander Zielenski 1f9118f187 refactor: make scope of ParamKind available to vap controller
Kubernetes-commit: 3f63a2d17d4f70dc3ac191a52ad36897086efa7c
2023-07-11 12:04:07 -07:00
Alexander Zielenski 6a8d8652f7 refactor: use the provided sharedInformerFactory for params
Kubernetes-commit: 6323c106e9b5b0edd452a2a223d569a5dae8a832
2023-06-12 18:19:33 -07:00
Divya Sri Sanaganapalli e613190aba Skip apiserver_admission_webhook_request_total during context-canceled
Kubernetes-commit: d3c506133f1d5da6b8681423fc855d0513e8647e
2023-07-17 19:52:43 +00:00
Divya Sri Sanaganapalli 437ae54e84 Ignore context canceled from validate and mutate webhook failopen metric
Kubernetes-commit: 1732b23a343bc0cedbab3dd1df3b7eee4d280036
2023-07-14 20:20:33 +00:00
Cici Huang 04b26c4697 ValidatingAdmissionPolicy: support namespace access (#118267)
* Support namespace access from cel expression in validatingadmissionpolicy.

* Whitelist the exposed fields in namespace object and add test

* better handling of cluster-scoped resources.

* [API REVIEW] namespaceObject in Expression doc.

* compatibility with composition.

* generated: ./hack/update-codegen.sh && ./hack/update-openapi-spec.sh

* workaround namespace of namespace is unexpectedly set.

* basic test coverage for namespaceObject.

---------

Co-authored-by: Jiahui Feng <jhf@google.com>

Kubernetes-commit: 13172cba5c0e1c6a076dbda4aeebbccaf658c7f1
2023-07-15 01:33:59 +00:00
Igor Velichkovich a541a7b473 remove todo/spelling
Kubernetes-commit: 8a4a29d59177699a78f6194861f83789763aac25
2023-07-14 11:08:00 -05:00
Igor Velichkovich 496cd9c142 matchCondition metrics
Kubernetes-commit: 01b9f4b6eb819e4cd4a6d192d703961b34841f18
2023-07-13 19:59:27 -05:00
Amine 408cf7b500 Improve naming and code comments
Kubernetes-commit: 0695853a3061ece0f602c1f267c82ced3f8c880d
2023-07-12 16:20:14 +01:00
Amine 83bf64e6cc Properly handle parameter in `shareInformer.DeleteFunc`
Kubernetes-commit: aeefb762ece0f866e99def259d6714aa4deb6d31
2023-05-17 18:42:56 -05:00
Amine daa816b27c Fix webhook accessors caching pattern
Kubernetes-commit: a01a8cb07e7bfe6dacadc51206ae4ef93d5f4352
2023-05-17 10:54:17 -05:00
Amine d886c0446d Webhook Accessors Smart Recompilation
Addresses https://github.com/kubernetes/kubernetes/issues/116588

This is a WIP patch trying to avoid recompiling CEL expressions when
recreating Validating/Mutating WebhookAccessors.

Maybe we should also consider using generic.Controller from
5f59f44983/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/controller.go

Kubernetes-commit: 99875b3fb73728caad3efb62556428b555ce02f4
2023-05-09 16:47:11 -05:00
Jiahui Feng 7eadaa66c4 ValidatingAdmissionPolicy: Variable Composition (#118642)
* [API REVIEW] Variable Composition

* lazy map.

* variable composition implementation.

* check variables during VAP validation.

* generated: ./hack/update-vendor.sh

* generated: UPDATE_COMPATIBILITY_FIXTURE_DATA

(cd staging/src/k8s.io/api/ && env UPDATE_COMPATIBILITY_FIXTURE_DATA=true go test)

* cost calculation.

* tests for cost calculations.

* e2e test for variables.

* fix doc for Validation.Expression.

* generated: ./hack/update-codegen.sh

* fix missing utilruntime import.

* generated: ./hack/update-openapi-spec.sh

Kubernetes-commit: b635f2a401fd03715f6a33c4a19f11c509c0ce03
2023-07-14 01:49:55 +00:00
Jiahui Feng 36de07c4e7 ValidatingAdmissionPolicy controller for Type Checking (#117377)
* [API REVIEW] ValidatingAdmissionPolicyStatucController config.

worker count.

* ValidatingAdmissionPolicyStatus controller.

* remove CEL typechecking from API server.

* fix initializer tests.

* remove type checking integration tests

from API server integration tests.

* validatingadmissionpolicy-status options.

* grant access to VAP controller.

* add defaulting unit test.

* generated: ./hack/update-codegen.sh

* add OWNERS for VAP status controller.

* type checking test case.

Kubernetes-commit: 049614f884e61d87fc5e277cf9fd7cb2e6571217
2023-07-13 13:41:50 -07:00
Joe Betz e04cbed587 CEL lib: Expose errors on authz decisions instead of raising them from check().
Co-authored-by: Ben Luddy <bluddy@redhat.com>

Kubernetes-commit: 1053d1bbcf581f20300a821a951a14ae77915246
2023-03-10 22:38:21 -05:00
Jiahui Feng ef6545eca1 expended type checking.
Kubernetes-commit: e655931274f91a7023fc2d5a26d8fe8ecaa1fa39
2023-07-09 19:41:44 -07:00
Jiahui Feng 9eebea091a add test for authorizer type checking.
Kubernetes-commit: 7ccc23178396fb7c50cd59a16a62e7d79ba973a9
2023-06-08 15:51:05 -07:00
Jiahui Feng c85cef6cc3 add support for authorizer to type checking.
Kubernetes-commit: 04fa4184ed349d6ccce5be4daa7561356eebeea3
2023-06-07 10:11:30 -07:00