a0dede6875
k8s.io/apiserver/storage: add some ResourceVersion validation in GetList unit tests
...
Signed-off-by: Siyuan Zhang <sizhang@google.com>
Kubernetes-commit: baac8bb573c8efb314b037f4fbac116556c03c83
2023-10-11 10:46:30 -07:00
28ed1d7ad4
fix data race in apf unit test
...
Kubernetes-commit: 52c58d970e54bf10b78512c68602f70b0a970f31
2023-09-22 14:42:43 -04:00
87ef6687ab
Skip TestUnauthenticatedHTTP2ClientConnectionClose http1 tests
...
These occasionally flake on CI:
https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312
=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
authentication_test.go:653: expect TCP connection: 1, actual: 2
--- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
--- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: cd5db9b7f23b0156bf5535fc0124361fbef0ce6a
2023-10-12 19:13:07 -04:00
445b713906
Prevent rapid reset http2 DOS on API server
...
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.
The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.
For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections. They can use http2, but with the performance of http1
(with keep-alive disabled).
Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default). For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection). An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.
For all other clients, we rely on the golang.org/x/net fix in
b225e7ca6d
2023-10-07 21:50:37 -04:00
e15d4d2e0b
k8s.io/apiserver/storage/etcd: refactor getCurrentState.
...
Extract getCurrentState as a separate method that can be reused.
Signed-off-by: Siyuan Zhang <sizhang@google.com>
Kubernetes-commit: ebca5d438d9cb2c82d0b99dbcb0aeca8879db441
2023-10-11 09:56:07 -07:00
e014cf25b9
Generated files
...
Kubernetes-commit: c65fe450d8a3229cfe531a3806939775dd52e7e0
2023-10-03 20:16:10 +08:00
d763e7d132
Fix API docs for audit APIs
...
The `*`s in the source comment is confusing the API reference generator.
They are treated as symbols for bold texts when generating reference docs.
This PR replaces the quote marks with backtiqs so that the reference
generator can properly handle them.
Kubernetes-commit: e7b2aeee930188eec125bbb91096d9d3fd6f3b5c
2023-10-03 17:18:23 +08:00
d35f091281
fix missing http.target trace attribute
...
Kubernetes-commit: 80269d5d3497acc8ad155cb9bfbfaa7fd9e20d1f
2023-10-06 18:09:29 +00:00
70eb989b94
k8s.io/apiserver: fix levelling of the name field in AuthorizationConfiguration
...
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
Kubernetes-commit: 11ce6d29157daf7437d6da7fdeb11cabf2e774aa
2023-10-04 10:33:58 +05:30
04acc93a12
apf: request ejected from queue should use reason 'time-out'
...
Kubernetes-commit: 6297067ff1afaa2d63d83183a23e8744865d7c2b
2023-08-29 16:30:02 -04:00
d64c9b18da
apf: remove RequestWaitLimit from queueset config
...
Kubernetes-commit: 11ef9514dad6f46a4315198978fee14132c4bbca
2023-08-29 12:11:08 -04:00
290096a4d0
apf: remove timeoutOldRequestsAndRejectOrEnqueueLocked function
...
Kubernetes-commit: da8a472206623d0727ba486489d34780c4b6c1d9
2023-08-28 17:26:11 -04:00
a2e63604f2
apf: use context for queue wait
...
Kubernetes-commit: f39213a7e44f21a8cedcdf38d3c2531456a526d6
2023-08-28 17:01:16 -04:00
2f3285287e
controlplane: make option structs uniformly optional
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Kubernetes-commit: 63950491764535a8635cb2c4810db59a9a1fad25
2023-09-24 11:50:38 +02:00
1c49f6c8ba
endpoints/metrics: define watchListLatencies metric and associated functions
...
Kubernetes-commit: a97f4b7a3123c9768ec7136b6ca32be926e16cd6
2023-09-19 03:05:37 +02:00
cd87b8f62d
handlers/watch: calculate and record WatchList latency metric.
...
Kubernetes-commit: 772b1f4cd84a738f632716e28d4067c00f0b7f13
2023-09-19 03:05:00 +02:00
db34e9b7c7
storage/util: introduce HasInitialEventsEndBookmarkAnnotation
...
Kubernetes-commit: 70ae9c441cee9d78a88c0526592796ac4f491096
2023-09-18 11:39:08 +02:00
90ba08909c
storage/etcd: the watcher supports the API streaming
...
Kubernetes-commit: ca562fd280a9dd5db952eb8c14b93fcf6668cc49
2023-08-22 14:02:39 +02:00
e7424d8207
storage/testing/watcher_tests: add new flavour to RunWatchSemantics test and fill the gap
...
the new flavour proves that a storage layer follows RV
which is equal to the global rv
Kubernetes-commit: 0e238c4c28f11d1ec7cf5f506c81195c1cc463fe
2023-09-22 09:32:23 +02:00
91aa0e1c62
Add namespace to apiserver tracing
...
Kubernetes-commit: 45b9b0df41fb67cf2c71263b3577f3b3daff4899
2023-09-03 21:50:47 +08:00
f5f4a6148a
Add subresource to apiserver tracing
...
Kubernetes-commit: c83eb6dcaaacfe8b5706f7fdc969000fbef2d119
2023-09-03 21:37:13 +08:00
2b665e42e6
Add name to apiserver tracing
...
Kubernetes-commit: bcb59a03ebb50a966cc6921dea016cc68e0bf843
2023-09-03 21:33:48 +08:00
79f4968b20
Add api-version to apiserver tracing
...
Kubernetes-commit: 646053d73dbda9cae5df5fd105a720661ff051dc
2023-09-03 21:24:13 +08:00
c51632c143
Add group to apiserver tracing
...
Kubernetes-commit: 8c34208a62f09904cd270906889d57c7a613b5d6
2023-09-03 21:11:08 +08:00
f0dfb17949
storage/testing/watcher_tests: refactor RunWatchSemantics tests
...
Kubernetes-commit: dc5cfe3cff289ecb97153716bfd5817579d00fb3
2023-09-21 12:16:16 +02:00
c8dcfeed34
storage/testing/watcher_tests: make TestCacherWatchSemantics storage agnostic
...
Kubernetes-commit: 91bb75883c613d45563f3b7c01a69dde8194bfdc
2023-09-15 12:28:36 +02:00
c13e210d56
storage/testing/watcher_tests: move TestCacherWatchSemantics (no-op)
...
Kubernetes-commit: afbb1a6ef98b548b9e57b168614ca6e15fd0034c
2023-09-14 11:19:36 +02:00
3c3bb86696
storage/testing/utils: add helper functions
...
Kubernetes-commit: 3a96baf3fa8e837159b27b98b05c5024143b06a3
2023-09-15 12:26:11 +02:00
fe7ae035ef
storage/etcd3/watcher_test: refactor TestWatchErrorWhenNoNewFunc to a table test
...
Kubernetes-commit: 4b60c18183f11207d0cb2d89bf28090156222c61
2023-09-19 10:35:09 +02:00
1eae2482e2
Bootstrap API Types for Structured Authorization Configuration
...
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
Kubernetes-commit: 52c582ca77c775ee13300a999a29f8c4180750a2
2023-09-14 19:19:29 +05:30
f5adfca95e
storage/testing: a simple refactor
...
Kubernetes-commit: 39af594f312ad46715dfb705d71ad4e607e27e5d
2023-09-14 11:16:10 +02:00
bd7db816d7
promote component SLIs to GA; remove feature gates for component slis
...
Kubernetes-commit: e6435e98eda93fbf96e94110af6ca5a10ad1e926
2023-09-11 08:52:50 -07:00
98d028d0d0
clarify the description of the metric apiserver_storage_objects
...
Kubernetes-commit: 084deb7a7cf147bbafd131ab1a36852a79f08a64
2023-09-12 11:16:36 +02:00
cdb2cea24a
kms: remove livez check
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: 7710128636a16c73045291d4729675339a7d57f7
2023-09-11 16:47:29 -07:00
2bed5d11d9
kmsv2: add apiserver identity to metrics
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Kubernetes-commit: 43ccf6c4e8f173d981edebb6146c58b523fc21b7
2023-09-05 13:03:18 -07:00
9c40486020
kmsv2: enable KMSv2KDF feature gate by default
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 657cc2045ee46922b00d4fd7c126f57d1e8ecc43
2023-09-05 12:27:55 -04:00
9b1c514777
register API types only once for encryption config
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 418af0f4dcbe15147b21462b9e5db5a5ba769c12
2023-09-01 17:24:20 +00:00
25d893ad5f
add loading config and wire feature flag
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 9e1ff1e51201ac41ddb1eed0d5cc015b4b6aa3df
2023-08-10 22:45:07 +00:00
1fbafe88b9
add StructuredAuthenticationConfiguration feature flag
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 1bf90f9484c5dbcd941251f0036af65fa25ee193
2023-08-10 22:06:41 +00:00
87aad93082
kmsv2: add legacy data integration test
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 95121fe846f875c4f3feb2b1bf42a9553566f097
2023-09-01 11:21:38 -04:00
49c6151dee
kmsv2: fix race in simpleCache.set when setting cache size metric
...
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: b10697c7880848d7ec110fd6b3e67015bbe74fa8
2023-08-27 15:14:04 -04:00
957c305d94
storage/etcd: add TestWatchDispatchBookmarkEvents unit test
...
Kubernetes-commit: 875b00137fdfbc74756a0fc5b1c9b2adbeb78e55
2023-09-01 13:45:44 +02:00
51e79bdd97
storage: document ProgressNotify from storage.ListOptions
...
At first glance, it seems that the fields storage.ListOptions.ProgressNotify and storage.ListOptions.Predicate.AllowWatchBookmarks
are the same. Unfortunately, this is not the case.
This PR documents the differences and motivations for why these fields are actually distinct.
Kubernetes-commit: 6058540f3d0edc405a1f1b8a96bd82ceca99c240
2023-09-01 10:48:36 +02:00
8b7824a7e8
Avoid creating local variables that don't change
...
Having local variables gives false impression that this is overwritten
in the function block.
Kubernetes-commit: e01bd641447a315e28fab8148e99ac6afba9bcd7
2023-08-30 16:51:40 +02:00
90adbb75eb
Flatten switch case
...
Kubernetes-commit: 10553a1966892e305252c65ebeb9043416304f48
2023-08-30 16:42:34 +02:00
5f9b5dda94
Refactor common WithRange case
...
From API call WithRange and WithPrefix work the same, they just set the range end.
The difference is when the range end is provided:
* WithRange(end) requires providing the end while calling
* WithPrefix() calculates the end based on key provided to the Get.
For example, those are equal:
* client.Get(ctx, "/pods/", WithPrefix())
* client.Get(ctx, "/pods/", WithRange(GetPrfixRangeEnd("/pods/")))
As keyPrefix is equal preparedKey there should not be a difference.
Kubernetes-commit: 1f4f2a5d6014dc8f98b25a9484d4a6064a6ae18e
2023-08-30 16:26:20 +02:00
3bcdefc0fd
Refactor transformers for watch to implement Encoder interface
...
Kubernetes-commit: 160589a0edb2038f2e22e376b6a0b71a24d21f22
2023-08-11 21:43:49 +02:00
70b023f369
Minor cleanup tranformers interface
...
Kubernetes-commit: 3fcc045bce9d77704f872d6089d7c09342e26a44
2023-08-09 19:49:59 +02:00
6311828461
Cleanup setting non-nil Items field
...
Kubernetes-commit: 172a41192c65324b1dc9dc4d90903552c538d664
2023-08-07 21:17:03 +02:00
3fd71eeb11
Refactor WatchServer to prepare for using encoders
...
Kubernetes-commit: ff56d3b6914dbc9e16683ab731eb8c0a485b4ab4
2023-08-03 21:50:08 +02:00
Siyuan Zhang