kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
6,728 Commits 30 Branches 1,482 Tags 31 MiB
Commit Graph

6728 Commits

Author SHA1 Message Date
Kubernetes Publisher ae2fbe99b7 Merge pull request #121096 from alexzielenski/common-schema 
add rest of accessors to common.Schema

Kubernetes-commit: 088f8c0ec52a690189a0cec5d0660751d0e3f6b3
 2023-10-13 23:21:26 +00:00
Kubernetes Publisher 2ef0851b9f Merge pull request #121158 from siyuanfoundation/test-list 
k8s.io/apiserver/storage: add some ResourceVersion validation in GetList unit tests.

Kubernetes-commit: 0851995a61cb83645734183cb49250e0fc3b14a4
 2023-10-13 15:21:35 +00:00
Kubernetes Publisher 9bea6efd35 Merge pull request #120990 from tkashem/fix-race-apf-test 
APF: fix data race in unit tests

Kubernetes-commit: 86ba008787975a0a2bfd0a63247331750b67e42a
 2023-10-13 15:21:33 +00:00
Kubernetes Publisher 34269fdf41 Merge pull request #121203 from enj/enj/i/h2_dos_flake 
Skip TestUnauthenticatedHTTP2ClientConnectionClose http1 tests

Kubernetes-commit: b40f1c00e26a5e4e90f85212d493793243c4460f
 2023-10-13 05:03:05 +02:00
Monis Khan 87ef6687ab Skip TestUnauthenticatedHTTP2ClientConnectionClose http1 tests 
These occasionally flake on CI:

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312

=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
    authentication_test.go:653: expect TCP connection: 1, actual: 2
        --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
    --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: cd5db9b7f23b0156bf5535fc0124361fbef0ce6a
 2023-10-12 19:13:07 -04:00
Kubernetes Publisher c183390d3f Merge pull request #121120 from enj/enj/i/h2_dos 
Prevent rapid reset http2 DOS on API server

Kubernetes-commit: cb713c15e99d59cb5b2f9015d1d978fee8142965
 2023-10-12 23:36:45 +00:00
Kubernetes Publisher 01f2ec510d Merge pull request #120735 from Jefftree/request-body 
Bump kube-openapi with v3 marshal and requestBody required marking

Kubernetes-commit: e93e8eac0ef1b26384e5481b67c7d04fe211a243
 2023-10-12 23:36:43 +00:00
Kubernetes Publisher 0c6dca8321 Merge pull request #121159 from siyuanfoundation/getCurrentState 
k8s.io/apiserver/storage/etcd: refactor getCurrentState.

Kubernetes-commit: 32ea66d524693b6760f4b1c776c4a6091c870a4a
 2023-10-12 23:36:42 +00:00
Kubernetes Publisher c453b3b056 Merge pull request #120976 from tengqm/fix-audit-apidoc 
Fix API docs for audit APIs

Kubernetes-commit: d4a6a674de061ef57558f0a5996fc5f2106c52a6
 2023-10-12 19:30:35 +00:00
Siyuan Zhang a0dede6875 k8s.io/apiserver/storage: add some ResourceVersion validation in GetList unit tests 
Signed-off-by: Siyuan Zhang <sizhang@google.com>

Kubernetes-commit: baac8bb573c8efb314b037f4fbac116556c03c83
 2023-10-11 10:46:30 -07:00
Siyuan Zhang e15d4d2e0b k8s.io/apiserver/storage/etcd: refactor getCurrentState. 
Extract getCurrentState as a separate method that can be reused.

Signed-off-by: Siyuan Zhang <sizhang@google.com>

Kubernetes-commit: ebca5d438d9cb2c82d0b99dbcb0aeca8879db441
 2023-10-11 09:56:07 -07:00
Kubernetes Publisher a98816fb0a Merge pull request #121111 from dashpole/update_otel_deps 
Update OpenTelemetry Dependencies

Kubernetes-commit: eafebcc9e368d6aeaab0ce5ec4fd56b94174d0c4
 2023-10-11 07:26:19 +00:00
Alexander Zielenski 3029a9f674 add rest of accessors to common.Schema 
needed for declarative validation, CRD ratcheting

Kubernetes-commit: 438c0daab7587bdb094e714e68b5ba2f9f6ae963
 2023-10-09 17:49:37 -07:00
Monis Khan 445b713906 Prevent rapid reset http2 DOS on API server 
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
b225e7ca6d
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb
 2023-10-07 21:50:37 -04:00
David Ashpole d35f091281 fix missing http.target trace attribute 
Kubernetes-commit: 80269d5d3497acc8ad155cb9bfbfaa7fd9e20d1f
 2023-10-06 18:09:29 +00:00
John Howard 6e80c0dfa4 dependencies: update otel-go dependencies 
Kubernetes-commit: dc334b953d99f233b56ec2cd78bff218a00152a0
 2023-10-05 12:52:33 -07:00
Kubernetes Publisher e7db207bf4 Merge pull request #121117 from MadhavJivrajani/bump-x-net 
[CVE-2023-39325] .: bump golang.org/x/net to v0.17.0

Kubernetes-commit: 7ee2af5cc5fee6a6f837975a70a35ce681a8e9d4
 2023-10-10 19:27:11 +00:00
Madhav Jivrajani bdde7b6248 .: bump golang.org/x/net to v0.17.0 
Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.

Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>

Kubernetes-commit: fc7c951d5a5b8b75dfa105e3bea7bbddaf4c792e
 2023-10-10 23:07:19 +05:30
Kubernetes Publisher fef0d75638 Merge pull request #121082 from pohly/ginkgo-gomega-update 
dependencies: ginkgo v2.13.0, gomega v1.28.0

Kubernetes-commit: 755644a169ad495a34bc5e1db502962fc6dd3750
 2023-10-10 15:27:37 +00:00
Patrick Ohly b82dc081b8 dependencies: ginkgo v2.13.0, gomega v1.28.0 
Besides simply staying up-to-date, ginkgo v2.13.0 adds a `PreviewSpecs` which
will be used for introspection of the E2E test suites.

Kubernetes-commit: 79355caa565cc34e8726c427562c9f109ebe0e34
 2023-10-09 19:27:06 +02:00
Kubernetes Publisher 6ec195f3b2 Merge pull request #120985 from palnabarun/3221/fix-authorizer-name 
[StructuredAuthorizationConfiguration] Fix the level at which authorizer name is surfaced

Kubernetes-commit: 6f5fa2eb2f4dc731243b00f7e781e95589b5621f
 2023-10-05 03:42:16 +00:00
Nabarun Pal 70eb989b94 k8s.io/apiserver: fix levelling of the name field in AuthorizationConfiguration 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 11ce6d29157daf7437d6da7fdeb11cabf2e774aa
 2023-10-04 10:33:58 +05:30
Qiming Teng e014cf25b9 Generated files 
Kubernetes-commit: c65fe450d8a3229cfe531a3806939775dd52e7e0
 2023-10-03 20:16:10 +08:00
Kubernetes Publisher 22545bb551 Merge pull request #120222 from tkashem/apf-queue-wait-ctx 
apf: manage request queue wait with context in APF Filter

Kubernetes-commit: 6a84edb2cee68fc60d3f4bd15eb461a184303236
 2023-10-03 10:31:18 +00:00
Qiming Teng d763e7d132 Fix API docs for audit APIs 
The `*`s in the source comment is confusing the API reference generator.
They are treated as symbols for bold texts when generating reference docs.
This PR replaces the quote marks with backtiqs so that the reference
generator can properly handle them.

Kubernetes-commit: e7b2aeee930188eec125bbb91096d9d3fd6f3b5c
 2023-10-03 17:18:23 +08:00
Kubernetes Publisher 3acfc3ce16 Merge pull request #119865 from charles-chenzz/bump_deps 
bump github.com/emicklei/go-restful/v3 to v3.11.0

Kubernetes-commit: bf1fa0c6691bb3bc6c5c03f900c53ed609e580a4
 2023-09-28 14:57:16 +00:00
Kubernetes Publisher 6bff95ab99 Merge pull request #120908 from sttts/sttts-optional-authz 
controlplane/apiserver: don't crash if authz or other options are explicitly disabled in options

Kubernetes-commit: 1020678366f741834f06b9f0087e57e48f93ffba
 2023-09-27 18:31:56 +00:00
Kubernetes Publisher a8f5357696 Merge pull request #120490 from p0lyn0mial/upstream-watch-list-cache-metrics 
collect watch-list requests latency metric

Kubernetes-commit: bdedc21fd9579d2838f1e330bb4a93d4cb8b5cbd
 2023-09-27 18:31:54 +00:00
Jefftree 5bfa063b10 bump kube-openapi 
Kubernetes-commit: 555c1b8091c2312e7b3f9002fc8a4787e759ef31
 2023-09-27 14:02:53 -04:00
Dr. Stefan Schimanski 2f3285287e controlplane: make option structs uniformly optional 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>

Kubernetes-commit: 63950491764535a8635cb2c4810db59a9a1fad25
 2023-09-24 11:50:38 +02:00
Abu Kashem 28ed1d7ad4 fix data race in apf unit test 
Kubernetes-commit: 52c58d970e54bf10b78512c68602f70b0a970f31
 2023-09-22 14:42:43 -04:00
Lukasz Szaszkiewicz 1c49f6c8ba endpoints/metrics: define watchListLatencies metric and associated functions 
Kubernetes-commit: a97f4b7a3123c9768ec7136b6ca32be926e16cd6
 2023-09-19 03:05:37 +02:00
Lukasz Szaszkiewicz cd87b8f62d handlers/watch: calculate and record WatchList latency metric. 
Kubernetes-commit: 772b1f4cd84a738f632716e28d4067c00f0b7f13
 2023-09-19 03:05:00 +02:00
Kubernetes Publisher cd865f28a6 Merge pull request #120872 from p0lyn0mial/upstream-has-initial-events-annotation 
storage/util: introduce HasInitialEventsEndBookmarkAnnotation

Kubernetes-commit: 9410de78b23eb4f88de900552d90638bc67ffcd4
 2023-09-25 07:47:25 -07:00
Lukasz Szaszkiewicz db34e9b7c7 storage/util: introduce HasInitialEventsEndBookmarkAnnotation 
Kubernetes-commit: 70ae9c441cee9d78a88c0526592796ac4f491096
 2023-09-18 11:39:08 +02:00
Kubernetes Publisher 9419689f30 Merge pull request #119557 from p0lyn0mial/upstream-watch-list-etcd-store 
Add support for API streaming to the etcd store implementation

Kubernetes-commit: fcfc2d05a4737646c7951943cc70c5900bf61145
 2023-09-25 14:31:28 +00:00
Kubernetes Publisher 10be293530 Merge pull request #120836 from jkh52/knp-0.28.0 
Bump Konnectivity to 0.28.0

Kubernetes-commit: c5cf0ac1889f55ab51749798bec684aed876709d
 2023-09-23 14:33:03 +00:00
Joseph Anttila Hall ec568d7c18 Bump Konnectivity to 0.28.0 
Kubernetes-commit: 1b602ffd9a412fccf87de9658da56a30e1ec1a0b
 2023-09-22 11:42:00 -07:00
Kubernetes Publisher 49162f0981 Merge pull request #120807 from p0lyn0mial/upstream-extend-generic-watch-semantic-tests 
Extend RunWatchSemantics test by a new flavour and fill the gap

Kubernetes-commit: 7a941176a7aca28845c83f450000d1e881267348
 2023-09-22 14:34:15 +00:00
Lukasz Szaszkiewicz e7424d8207 storage/testing/watcher_tests: add new flavour to RunWatchSemantics test and fill the gap 
the new flavour proves that a storage layer follows RV
which is equal to the global rv

Kubernetes-commit: 0e238c4c28f11d1ec7cf5f506c81195c1cc463fe
 2023-09-22 09:32:23 +02:00
Kubernetes Publisher c52221aa17 Merge pull request #120388 from HirazawaUi/add-group-to-apiserver-tracing 
Add group, version, namespace, name, and subresource to apiserver tracing

Kubernetes-commit: 1e862b0fec39999fd55b42cf592ab5249b2651e8
 2023-09-21 22:30:46 +00:00
Kubernetes Publisher c1b34a994c Merge pull request #120797 from p0lyn0mial/upstream-refactor-generic-watch-semantic-tests 
storage/testing/watcher_tests: refactor RunWatchSemantics tests

Kubernetes-commit: 0a2a56863965987d5c0058f4aaa9fb8f0180c851
 2023-09-21 18:37:18 +00:00
Lukasz Szaszkiewicz f0dfb17949 storage/testing/watcher_tests: refactor RunWatchSemantics tests 
Kubernetes-commit: dc5cfe3cff289ecb97153716bfd5817579d00fb3
 2023-09-21 12:16:16 +02:00
Kubernetes Publisher 696768606f Merge pull request #120695 from p0lyn0mial/upstream-move-watch-semantic-tests 
storage/testing: make WatchSemantics tests storage agnostic

Kubernetes-commit: 408e45a66a82a566e4684d6a97f9810127b985f9
 2023-09-19 14:33:20 +00:00
Kubernetes Publisher a4c66a9ba7 Merge pull request #120747 from p0lyn0mial/upstream-refactor-watch-error-test 
storage/etcd3/watcher_test: refactor TestWatchErrorWhenNoNewFunc

Kubernetes-commit: ef1aed8cd80a6955dd6ef9e59e8e2f378336cf4f
 2023-09-19 10:30:36 +00:00
Lukasz Szaszkiewicz fe7ae035ef storage/etcd3/watcher_test: refactor TestWatchErrorWhenNoNewFunc to a table test 
Kubernetes-commit: 4b60c18183f11207d0cb2d89bf28090156222c61
 2023-09-19 10:35:09 +02:00
Kubernetes Publisher 78af3642d2 Merge pull request #119099 from palnabarun/authz-config 
[StructuredAuthorizationConfiguration] Implement API types and wire kube-apiserver to use them

Kubernetes-commit: 9d6180559ba84cbaf00bcb2a51e387d9591f9687
 2023-09-18 14:33:26 +00:00
Lukasz Szaszkiewicz c8dcfeed34 storage/testing/watcher_tests: make TestCacherWatchSemantics storage agnostic 
Kubernetes-commit: 91bb75883c613d45563f3b7c01a69dde8194bfdc
 2023-09-15 12:28:36 +02:00
Nabarun Pal 1eae2482e2 Bootstrap API Types for Structured Authorization Configuration 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 52c582ca77c775ee13300a999a29f8c4180750a2
 2023-09-14 19:19:29 +05:30
Kubernetes Publisher 8fe7663421 Merge pull request #119526 from sttts/sttts-idiomatic-cached 
kube-openapi/cached: bump and adapt to more go-idiomatic caching library

Kubernetes-commit: f551940626532e790c05094293e0d8bb5b76e3d5
 2023-09-15 22:42:22 +00:00