apiserver

Commit Graph

Author	SHA1	Message	Date
Tim Hockin	9641d30242	Use randfill, do API renames Kubernetes-commit: e54719bb6674fac228671e0786d19c2cf27b08a3	2025-02-20 09:45:22 -08:00
Patrick Ohly	b84662911c	remove import doc comments The "// import <path>" comment has been superseded by Go modules. We don't have to remove them, but doing so has some advantages: - They are used inconsistently, which is confusing. - We can then also remove the (currently broken) hack/update-vanity-imports.sh. - Last but not least, it would be a first step towards avoiding the k8s.io domain. This commit was generated with sed -i -e 's;^package $.$ // import.;package \1;' $(git grep -l '^package.*// import' \| grep -v 'vendor/') Everything was included, except for package labels // import k8s.io/kubernetes/pkg/util/labels because that package is marked as "read-only". Kubernetes-commit: 8a908e0c0bd96a3455edf7e3b5f5af90564e65b0	2024-12-02 14:43:58 +01:00
Rita Zhang	882c7896e7	Add webhookmatchcondition doc comment Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com> Co-authored-by: Jordan Liggitt <jordan@liggitt.net> Kubernetes-commit: 151599d47a9b866a7d7b8dffc5714557817bbcf2	2024-11-04 16:26:42 -08:00
Jordan Liggitt	08766af90d	KEP-3221: Promote StructuredAuthorizationConfiguration to GA Kubernetes-commit: ad808e609a599723cf17f7fcdfb73ca37bcf78fc	2024-10-17 21:48:30 -04:00
Dr. Stefan Schimanski	bf20cce32f	apiserver/validation: fix some sets.NewString deprecations Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com> Kubernetes-commit: c44fc280871f1c4de177ed70367afcc9a9b06175	2024-09-25 11:39:53 +02:00
Dr. Stefan Schimanski	4b46916a7b	apiserver/authconfig: wire CEL compiler through lower layers to allow sharing Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com> Kubernetes-commit: 4024390d8c8a19056ab7ced95eef5cce43c8096d	2024-09-20 12:34:08 +02:00
xuzhenglun	3abc312093	add test coverage for cohabitating resources in StroageFactory Kubernetes-commit: d994895dc4580101f17661eb573fc282d4b8517d	2024-09-12 16:59:08 +08:00
Anish Ramasekar	fed75d52d6	Disallow k8s.io and kubernetes.io namespaced extra key in structured authn config Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 89c619f4fe698bf5b208ce86bce5da6833ca77b6	2024-08-05 16:09:00 -07:00
Anish Ramasekar	febd487238	Validate structured authn feature is enabled for discovery url/multiple audiences Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: f80c73248f872769d72b620e567747a1018f8a2b	2024-07-23 15:04:02 -07:00
Jordan Liggitt	eabf12957a	Add structured labelSelector / fieldSelector to authorization webhook match conditions Kubernetes-commit: a1398a8ccaeb7f881acb65d1276392f4cac259e8	2024-06-26 17:17:43 -04:00
Vinayak Goyal	fd1f3aafaf	Fix typo in error message for anonymous field in AuthenticationConfiguration. Kubernetes-commit: 27e8923c70c8bf95e0db02aeb7a0d45908ae9d62	2024-07-09 21:04:28 +00:00
Vinayak Goyal	77f498853b	KEP-4633: Allow health-only anonymous auth mode. Signed-off-by: Vinayak Goyal <vinaygo@google.com> Kubernetes-commit: 5e6a4937f5a3e20dd77238946220461332ecddff	2024-05-16 21:18:34 +00:00
Cici Huang	d44012e895	Adding the feature gates to fix cost for VAP and webhook matchConditions. Kubernetes-commit: d6e4115ead6b93d2accf688876471231b365ceae	2024-05-01 16:26:41 -07:00
Marek Siarkowicz	74fb076497	Cleanup defer from SetFeatureGateDuringTest function call Kubernetes-commit: 3ee81787685e47a7a5da22423c8ca4455577ecb3	2024-04-23 10:39:47 +02:00
Andrew DeMaria	81abb60d67	generate fully qualified type references Currently type references for non-local names are output as relative types which is subject to the resolution rules as defined at https://protobuf.com/docs/language-spec#reference-resolution This works fine within the k8s.io namespace where no subpackages are named k8s, but other users of go-to-protobuf likely have k8s in their package name. This causes conflicts in the search resolution when executing `go-to-protobuf`: ``` company.example.com/k8s/custom/pkg/apis/custom.k8s.example.com/v1/generated.proto:64:12: "k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta" is resolved to "company.example.com.k8s.custom.pkg.apis.custom.k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta", which is not defined. The innermost scope is searched first in name resolution. Consider using a leading '.'(i.e., ".k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta") to start from the outermost scope. ``` To avoid this we can output fully qualified type references using a preceding dot (.) This results in a change for k8s generated.proto files, but the effect is a noop. Fixes kubernetes/code-generator#147 Signed-off-by: Andrew DeMaria <ademaria@cloudflare.com> Kubernetes-commit: 9edf1fc51c56d565348c48f3765cf094518ba7ed	2023-03-20 18:02:14 -06:00
Monis Khan	5b4b237d07	Require email_verified to be used when email is set as username via CEL Signed-off-by: Monis Khan <mok@microsoft.com> Kubernetes-commit: 121607e80963370c1838f9f620c2b8552041abfc	2024-03-05 17:20:18 -05:00
Anish Ramasekar	bc65af8e04	Support multiple JWT authenticators with structured authn config Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 39e1c9108c0802024ebb01ad2286b2f09f63798e	2024-02-21 15:19:25 -08:00
Anish Ramasekar	f09dddfc89	Duplicate v1alpha1 AuthenticationConfiguration to v1beta1 Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: b502aa6f31d3f55ce87cafdf3eb5e3fb87e74b50	2024-03-04 23:37:31 -08:00
Monis Khan	37809637af	Fix AuthenticationConfiguration docs around nested claims via CEL Signed-off-by: Monis Khan <mok@microsoft.com> Kubernetes-commit: 290f2a7e1b62d2bfce2363ec528155a9748e0adb	2024-03-05 12:01:11 -05:00
Monis Khan	9432b4df38	Prevent conflicts between service account and jwt issuers Signed-off-by: Monis Khan <mok@microsoft.com> Kubernetes-commit: 05e1eff7933a440595f4bea322b54054d3c1b153	2024-02-27 17:11:18 -05:00
Anish Ramasekar	f2c6133c7f	Add `DiscoveryURL` to AuthenticationConfiguration Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 84852ff56f952b4c3daab920d119d24c2e6a3476	2024-02-07 01:41:52 +00:00
Jordan Liggitt	4153027735	Duplicate v1alpha1 AuthorizationConfiguration to v1beta1 Kubernetes-commit: 0605a75c5e3590e2b0ab80d2163a76c4e77f4380	2024-03-02 01:56:29 -05:00
Jordan Liggitt	59cba35b06	Fix discovery v2 conversion registration data race Kubernetes-commit: 0e9cdf76ad2e21166dd5b72f7b0c2450d648c906	2024-03-01 19:29:39 -05:00
Anish Ramasekar	7b0c197f53	cleanup structured authn/authz error logic Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: c2c4f4616d4ecea9fad5b994cdc72e3f96728962	2024-01-25 22:45:19 +00:00
Jefftree	d8d3b8c351	Use v2 types with agg discovery Kubernetes-commit: 462dd326c2e98d937a96d49002883000efe4b2d6	2024-01-19 16:13:47 -05:00
Tim Hockin	541bc37de9	Fix go-to-protobuf wrt gengo/v2 There's some very fishy-smelling logic in here, but this commit is trying to be as focused as possible. The .pb.go diffs are the "name" encoded in the descriptor. The descriptor blobs can be decoded by this program (thanks StackOverflow!): ``` package main import ( "bytes" "compress/gzip" "encoding/json" "fmt" "os" "io/ioutil" proto "github.com/golang/protobuf/proto" dpb "github.com/golang/protobuf/protoc-gen-go/descriptor" ) func main() { m := map[string][]byte{ "before": blobv1, "after": blobv2, } arg := os.Args[1] dump(m[arg]) } func dump(bytes []byte) { fd, err := decodeFileDesc(bytes) if err != nil { panic(err) } b, err := json.MarshalIndent(fd, "", " ") if err != nil { panic(err) } fmt.Println(string(b)) } // decompress does gzip decompression. func decompress(b []byte) ([]byte, error) { r, err := gzip.NewReader(bytes.NewReader(b)) if err != nil { return nil, fmt.Errorf("bad gzipped descriptor: %v", err) } out, err := ioutil.ReadAll(r) if err != nil { return nil, fmt.Errorf("bad gzipped descriptor: %v", err) } return out, nil } func decodeFileDesc(enc []byte) (dpb.FileDescriptorProto, error) { raw, err := decompress(enc) if err != nil { return nil, fmt.Errorf("failed to decompress enc: %v", err) } fd := new(dpb.FileDescriptorProto) if err := proto.Unmarshal(raw, fd); err != nil { return nil, fmt.Errorf("bad descriptor: %v", err) } return fd, nil } var blobv1 = []byte{ // insert proto "before" blob here } var blobv2 = []byte{ // insert proto "after" blob here } ``` Running this with "before" and "after" args, and diffing the output yields something like: ```diff --- /tmp/a 2023-12-23 23:57:04.748090836 -0800 +++ /tmp/b 2023-12-23 23:57:11.000040973 -0800 @@ -1,5 +1,5 @@ { - "name": "k8s.io/kubernetes/vendor/k8s.io/api/admission/v1/generated.proto", + "name": "k8s.io/api/admission/v1/generated.proto", "package": "k8s.io.api.admission.v1", "dependency": [ "github.com/gogo/protobuf/gogoproto/gogo.proto", ``` Kubernetes-commit: b0a70dec4ab4cb9f972cf39a81ca5e5555417227	2023-12-24 10:01:42 -08:00
Anish Ramasekar	b3e4dc29ef	add min valid jwt payload to API docs for structured authn config Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: b57d7d6ad79ed0a2a8359144c07eadeef0ea3fd3	2024-02-22 16:33:24 -08:00
Tim Hockin	d38e8187d9	Cleanup: s/depreciated/deprecated/g Kubernetes-commit: 9f4b82bf3b079fe868effbd2498b61464db6d459	2024-02-18 14:50:55 -08:00
Anish Ramasekar	1bc99127a6	Add integration test for multiple audience in structured authn Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 0feb1d5173c94e28da79963fb296296b005dd6a1	2024-02-14 17:04:21 -08:00
Anish Ramasekar	fb760be3fc	support multiple audiences with jwt authenticator Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 18c563546a764b559ce5b74f09eaaaf9c1f0e5fb	2024-01-24 17:15:11 +00:00
Anish Ramasekar	26996e3679	Add AudienceMatchPolicy to AuthenticationConfiguration Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 19da90d6396ce9471f612d6e9a31f1b1c8d605b1	2024-01-25 22:35:16 +00:00
Anish Ramasekar	e7eedd15ec	move encryption config types to standard API server config location Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 75695dae1093cc08cb56a4930c0be8e7e4433be1	2023-12-16 00:00:21 +00:00
Anish Ramasekar	6bad17ce50	[StructuredAuthnConfig] add comment for extra keys unique requirement Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: af8da8e01c28286feedf528e94683781a0387a99	2024-01-02 19:58:20 +00:00
Tim Hockin	7674c1a859	Fix list_type_missing in k8s.io/apiserver Kubernetes-commit: eddf65849dfa1b3c351597d7018a2700371d8955	2023-11-17 11:46:28 -08:00
Jordan Liggitt	374f72b704	Require match condition version only if matchConditions are specified Kubernetes-commit: a000af25ff3bcc79fe7d8da299225ad252c9894a	2023-11-02 13:54:39 -04:00
Anish Ramasekar	78b670287d	Implement CEL and wire it with OIDC authenticator Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 26e3a03d12d71e6e97bc7c40542cb7519051dd73	2023-09-20 23:11:37 +00:00
Anish Ramasekar	9032e4e6da	add new fields in v1alpha1 StructuredAuthenticationConfiguration Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 6b971153d75534a768a67a6b50ee44423611f5b0	2023-09-07 22:30:28 +00:00
Rita Zhang	cca4910d25	authz: add cel expression to webhook matchconditions Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com> Kubernetes-commit: 31c76e9abb22faaf833acd54ce75cc71465136e4	2023-10-06 17:47:23 -07:00
Abu Kashem	b041969f97	apiserver: allow zero value for the 'nominalConcurrencyShares' field Kubernetes-commit: 9fd2ab419ad771790d3cb80ea7b8e6828d9ce305	2023-10-27 19:26:08 -04:00
Abu Kashem	0b0a995736	apiserver: apf controller, bootstrap, tests should use flowcontrol v1 API Kubernetes-commit: 17bda3c3e05a75943591f61f37d7fdc0d07870ec	2023-10-11 09:20:41 -04:00
Nabarun Pal	4693682515	Add --authorization-config flag to apiserver Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com> Kubernetes-commit: 22e5a806a73e48486a90491fc3eb03d208b520a0	2023-09-25 09:18:11 +05:30
Nabarun Pal	b259861486	staging/apiserver: correct KubeConfigFile type in authorization types Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com> Kubernetes-commit: 2bf2c4f3a413d3a2e070fe61aeba6fb309bf2e5e	2023-09-27 17:48:38 +05:30
Qiming Teng	e014cf25b9	Generated files Kubernetes-commit: c65fe450d8a3229cfe531a3806939775dd52e7e0	2023-10-03 20:16:10 +08:00
Qiming Teng	d763e7d132	Fix API docs for audit APIs The `*`s in the source comment is confusing the API reference generator. They are treated as symbols for bold texts when generating reference docs. This PR replaces the quote marks with backtiqs so that the reference generator can properly handle them. Kubernetes-commit: e7b2aeee930188eec125bbb91096d9d3fd6f3b5c	2023-10-03 17:18:23 +08:00
Nabarun Pal	70eb989b94	k8s.io/apiserver: fix levelling of the name field in AuthorizationConfiguration Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com> Kubernetes-commit: 11ce6d29157daf7437d6da7fdeb11cabf2e774aa	2023-10-04 10:33:58 +05:30
Nabarun Pal	1eae2482e2	Bootstrap API Types for Structured Authorization Configuration Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com> Kubernetes-commit: 52c582ca77c775ee13300a999a29f8c4180750a2	2023-09-14 19:19:29 +05:30
Anish Ramasekar	25d893ad5f	add loading config and wire feature flag Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 9e1ff1e51201ac41ddb1eed0d5cc015b4b6aa3df	2023-08-10 22:45:07 +00:00
Anish Ramasekar	fdfc990c33	wiring existing oidc flags with internal API struct Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 1bad3cbbf59a61805a48f609b8cc0a2a40c168ef	2023-06-28 06:04:45 +00:00
Anish Ramasekar	496ba1943b	add AuthenticationConfiguration v1alpha1 api Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: f909eb630cac310adf7267b85922f1340508ca79	2023-06-27 21:07:47 +00:00
Abu Kashem	dfc035926b	apf: add validation to exempt for borrowing Signed-off-by: Mike Spreitzer <mspreitz@us.ibm.com> Kubernetes-commit: f8e4e8abac8637f6510838d7d476a838ce612659	2023-05-15 12:08:18 -04:00

1 2 3 4 5 ...

264 Commits