The old flag name doesn't make sense with the renamed API Priority and
Fairness feature, and it's still safe to change the flag since it hasn't done
anything useful in a released k8s version yet.
Kubernetes-commit: 711c1e17209cc410440eecd3723e7b4906ca0e42
Beta OS/arch labels have been deprecated since 1.14.
This change replaces these labels with the GA ones.
Kubernetes-commit: bcd975aa6575ae37ec3be3481e44cd0dccd02337
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
Kubernetes-commit: 5a176ac77241ff059f22609fc569ac219334238c
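The following is an added example, not code from the Kubernetes project or from this commit, illustrating the note above about publishing the validating key set rather than the signing key set: a token signed before a key rotation keeps verifying for as long as the published JWKS still carries the old key under its kid, and stops verifying the moment the JWKS only carries the current signing key. It is written in Go. The key IDs ("old-kid", "new-kid"), the claims and the in-memory JWKS are constructed for the demo; a real relying party would fetch the JWKS over HTTPS from the jwks_uri in the issuer metadata and parse the RSA n/e fields, which this example skips. None of these names are Kubernetes' own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// jwk is one published verification key, already parsed from the JWKS document's n/e fields.
type jwk struct {
	Kid string
	Pub *rsa.PublicKey
}

// jwks models the document a relying party fetches from the issuer's jwks_uri.
type jwks struct{ Keys []jwk }

var enc = base64.RawURLEncoding

// signRS256 produces a compact JWS (header.payload.signature) whose header names the signing key.
func signRS256(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + enc.EncodeToString(sig), err
}

// verifyWithJWKS accepts the token only if its header kid names a key in the set and that key
// verifies the RS256 signature; unknown kids, other algs and bad signatures are rejected.
func verifyWithJWKS(token string, set jwks) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	hdrRaw, err1 := enc.DecodeString(parts[0])
	payload, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm; the token must not choose it
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, k := range set.Keys {
		if k.Kid != hdr.Kid {
			continue
		}
		if err := rsa.VerifyPKCS1v15(k.Pub, crypto.SHA256, digest[:], sig); err != nil {
			return nil, fmt.Errorf("signature invalid for kid %q: %w", k.Kid, err)
		}
		var claims map[string]any
		return claims, json.Unmarshal(payload, &claims)
	}
	return nil, fmt.Errorf("kid %q not present in JWKS", hdr.Kid)
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// rotationDemo signs a token under the current key, rotates the signer to a fresh key, and reports
// whether that older token still verifies against the validating set (old+new) and the signing set (new).
func rotationDemo() (validatingOK, signingOnlyOK bool, err error) {
	oldKey, newKey := mustKey(), mustKey()
	// Constructed claims; "old-kid" and "new-kid" are hypothetical key IDs, not Kubernetes' own.
	token, err := signRS256("old-kid", oldKey, map[string]any{
		"iss": "https://kubernetes.default.svc", "sub": "system:serviceaccount:default:demo"})
	if err != nil {
		return false, false, err
	}
	oldPub, newPub := jwk{"old-kid", &oldKey.PublicKey}, jwk{"new-kid", &newKey.PublicKey}
	signingSet := jwks{Keys: []jwk{newPub}}            // what the API server signs with after rotation
	validatingSet := jwks{Keys: []jwk{oldPub, newPub}} // what the metadata server publishes
	_, errValidating := verifyWithJWKS(token, validatingSet)
	_, errSigning := verifyWithJWKS(token, signingSet)
	return errValidating == nil, errSigning == nil, nil
}

func main() {
	v, s, err := rotationDemo()
	fmt.Println("validating set:", v, "signing-only set:", s, "err:", err)
}
```

rotationDemo returns true for the validating set and false for the signing-only set. The second result is the window the note above refers to: a relying party that has cached a JWKS without the old key, or an issuer that drops the old key from the published set, rejects every token the old key signed, so the old key has to stay in the published set at least as long as the longest outstanding token lifetime. The verifier also pins the algorithm and refuses unknown kids rather than trusting whatever the token header claims, which is the minimum a relying party should do with keys learned from discovery.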
Downstreams assume process restarts when counters decrement. Currently,
the "active" label is expected to decrement but the "ok" and "error"
labels are intended to be handled as counters. This is unnecessary and
hard to deal with. This change consolidates "blocking" and "in_flight"
tracking into a single gauge, which allows fetch completion to be a pure
counter.
Kubernetes-commit: dc5934f58456d95b0264665871c0c48e16ee6469
I've also moved the deserialization of the object outside the benchmark
since we're not trying to benchmark the yaml parser.
Kubernetes-commit: a52776fbfb305374d87bb553739f712e055b2206
Added LockingWriteMultipleOnly and LockingWriteOnceOnly interfaces,
so that further extensions are possible (in this package or others).
Moved common SetLocked behavior into promisoid.
Made comments say things that were implied.
Kubernetes-commit: cbdd3a279e6161d73f2c4e8a2b916ae74b258621
Previously, a `decisionCancel` could overwrite a `decisionReject` or
`decisionExecute`, causing confusion. Now a request gets exactly one
decision and there is no confusion.
Also added write-once to the promise package and refactored.
Kubernetes-commit: 1c092bf635954bde9c9c363672fa156b9430206b
So that errors can be detected before resolving concurrency shares
into concurrency counts.
Kubernetes-commit: 1e170637c3ce6c4ccd378275d9e52192f4be12b7
This PR fixes oversights and adds validation that rejects writes
of wrong Spec values for the four mandatory objects.
Kubernetes-commit: ec5321c6a9f23e5ad26cf88a41fda9dba0c5ce89