kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,629 Commits 30 Branches 1,482 Tags 31 MiB
Commit Graph

887 Commits

Author SHA1 Message Date
Abhijit Hoskeri b4437b251e Remove unused field from APIGroupVersion 
RootScopedKinds is only present in unit tests, and
is not referenced anywhere else.

Kubernetes-commit: 90c49ab2eda2f786d143117f6f2133f1fa90af34
 2024-05-18 12:47:42 -07:00
Abu Kashem 7b1424d930 fixup! add test to document behavior of net/http read/write deadline 
Kubernetes-commit: f91cdf768dcd893e2d18a5705071b899f979374d
 2024-08-30 11:05:23 -04:00
Abu Kashem 85ab93cd5f add test to document behavior of net/http read/write deadline 
Kubernetes-commit: 2abe3a5dfab04d22362aafd8a8e9f0da80c419b0
 2024-06-18 16:33:52 -04:00
Lukasz Szaszkiewicz 36e57697d1 apiserver/handlers/watch: encode initialEventsListBlueprint with watchEncoder (#127587) 
* apiserver/handlers/get: construct versionedList

* storage/cacher: document caching the serialization of bookmark events

* endpoints/handlers/response: add watchListTransformer

* endpoints/handlers/watch: wire watchListTransformer

Kubernetes-commit: fbf1a0dc181ccbeb9925ad9c284d913a25c16562
 2024-10-01 11:55:50 +00:00
Matthieu MOREL e32a42cf11 fix: enable expected-actual rule from testifylint in module `k8s.io/apiserver` 
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>

Kubernetes-commit: fbd773ecb82aa0afef3c02274db901afe1788220
 2024-09-27 07:49:07 +02:00
CasperLiu 1bb7b2e6ab introduce a proper trace context 
Signed-off-by: carlory <baofa.fan@daocloud.io>
Co-authored-by: CasperLiu <qiuyuzhe521@gmail.com>

Kubernetes-commit: 5b2632f70763aeadfc334df1364946fe39fc10bb
 2024-04-07 17:58:59 +08:00
Lukasz Szaszkiewicz 8cb411e993 adds watchListEndpointRestrictions for watchlist requests (#126996) 
* endpoints/handlers/get: intro watchListEndpointRestrictions

* consistencydetector/list_data_consistency_detector: expose IsDataConsistencyDetectionForListEnabled

* e2e/watchlist: extract common function for adding unstructured secrets

* e2e/watchlist: new e2e scenarios for convering watchListEndpointRestrict

Kubernetes-commit: ae35048cb0b9b177891aab41346b6d6cc504582f
 2024-09-25 12:48:33 +00:00
Mangirdas Judeikis b09ab6e398 Add GroupLister interface to discovery GroupManager 
Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>

Kubernetes-commit: ee55200440c8236248f47cbe2dd783ba1a717614
 2024-09-21 18:43:56 +03:00
Abhishek Kr Srivastav 17ab6c21d5 Fix Go vet errors for master golang 
Co-authored-by: Rajalakshmi-Girish <rajalakshmi.girish1@ibm.com>
Co-authored-by: Abhishek Kr Srivastav <Abhishek.kr.srivastav@ibm.com>

Kubernetes-commit: 95860cff1c418ea6f5494e4a6168e7acd1c390ec
 2024-09-12 18:15:22 +05:30
Stanislav Láznička b9e6a66c69 requestheaders: add a "requestheader-uid-headers" flag and wire it up 
Kubernetes-commit: 7fabd06c2be41f4134f425fa967d79ac31dc5756
 2023-02-16 11:28:50 +01:00
Monis Khan cc8ff8f965 ForbiddenStatusError: make linter happy on error construction 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: bff6ce4a38077c29cdf2e1ac2fce1a551082ebfe
 2024-08-05 10:50:51 -04:00
Monis Khan 757565c389 SSA: improve create authz error message 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 857127f7c44a029f6f8dd44b0b40364aa00aa13d
 2024-08-02 17:20:53 -04:00
David Eads f26d4ed894 add field and label selectors to authorization attributes 
Co-authored-by: Jordan Liggitt <liggitt@google.com>

Kubernetes-commit: 92e3445e9d7a587ddb56b3ff4b1445244fbf9abd
 2024-05-23 15:12:26 -04:00
Matthieu MOREL 8705baa8b2 fix: enable empty and len rules from testifylint on pkg package 
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>

Co-authored-by: Patrick Ohly <patrick.ohly@intel.com>

Kubernetes-commit: f014b754fb5925dfbca6e27a44d0c3968b157e14
 2024-06-28 21:20:13 +02:00
Eric Lin 5d14d72b5c Fix httplog not logging watch duration in separate goroutines 
Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 06c7058115e623126884d05c54a30db511a9cb71
 2024-06-21 10:03:31 +00:00
Vinayak Goyal 77f498853b KEP-4633: Allow health-only anonymous auth mode. 
Signed-off-by: Vinayak Goyal <vinaygo@google.com>

Kubernetes-commit: 5e6a4937f5a3e20dd77238946220461332ecddff
 2024-05-16 21:18:34 +00:00
Joe Betz b5d1135b94 Apply feedback 
Kubernetes-commit: 13f809478f9322341a04715cda1b3912a9e470d5
 2024-06-03 14:59:31 -04:00
Joe Betz dfdf159360 Handle unstructured objects correctly in IgnoreManagedFieldsTimestampsTransformer 
Kubernetes-commit: c942ab6900ddb7b6e3e7c550c521409693180968
 2024-05-31 21:25:25 -04:00
Joe Betz 30fd718497 Fix apply equality check to allow empty map to be equal to nil for builtin types 
Kubernetes-commit: f8a33e3679488e5ee3700d37dd45cee8b346e89e
 2024-06-04 12:11:00 -04:00
TommyStarK 2c2eb3836c kube-apiserver: remove deprecated otel NewNoopTracerProvider 
Signed-off-by: TommyStarK <thomasmilox@gmail.com>

Kubernetes-commit: cce8551272de44882a3cd4fc7c06805247941086
 2024-06-07 19:57:37 +02:00
Harish Kuna eecd18b483 Annotate APF Wait Queue Latnecyto understand at the request level 
Kubernetes-commit: 9a0d922a296e837b344d5538c0829d9e222c2ef6
 2024-03-13 21:54:59 +00:00
Stephen Kitt 942c16fb6a Use canonical json-patch v4 import 
The canonical import for json-patch v4 is
gopkg.in/evanphx/json-patch.v4 (see
https://github.com/evanphx/json-patch/blob/master/README.md#get-it for
reference).

Using the v4-specific path should also reduce the risk of unwanted v5
upgrade attempts, because they won't be offered as automated upgrades
by dependency upgrade management tools, and they won't happen through
indirect dependencies (see
https://github.com/kubernetes/kubernetes/pull/120327 for context).

Signed-off-by: Stephen Kitt <skitt@redhat.com>

Kubernetes-commit: 5300466a5c8988b479a151ceb77f49dd00065c83
 2024-02-16 13:57:24 +01:00
Marek Siarkowicz 74fb076497 Cleanup defer from SetFeatureGateDuringTest function call 
Kubernetes-commit: 3ee81787685e47a7a5da22423c8ca4455577ecb3
 2024-04-23 10:39:47 +02:00
Ziqi Zhao 39347989da fix for comments to ignore the request without request info 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 91af1145bf7b0e18a6b520a78875a1db6db29d96
 2024-03-15 09:42:42 +08:00
Ziqi Zhao 54b3a0e7f5 add http method to span name 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 1aeb0ba314016f2a2cd94b0450ba097c2b165e5d
 2024-03-13 13:25:36 +08:00
Ziqi Zhao 29913c19e4 change the integration test 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 02154293c76a0ea54293c82236c9025b96ea0125
 2024-03-12 22:49:38 +08:00
Ziqi Zhao 68eb5caed4 rename apiserver trace span to http server guidelines 
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>

Kubernetes-commit: 84b9fbbdefa3f0bcfb1c4787093aa7840079b7ce
 2024-02-29 19:03:43 +08:00
Marek Siarkowicz 3a83dc12eb Fix SetFeatureGateDuringTest handling of Parallel tests 
Stop using defer as parallel subtest will might result in main test
finishing before subtest.

Fatal when same flag is set twice.

Kubernetes-commit: 9fcf279e2b91e7549190a433373f256fb5aebe85
 2024-03-05 21:56:40 +01:00
Tim Allclair 337f031e71 Stop appending AppArmor status to node ready condition 
Kubernetes-commit: 24537a91317f9fd125ee805cd0b781358ac86f35
 2024-02-21 13:11:07 -08:00
Jordan Liggitt 59cba35b06 Fix discovery v2 conversion registration data race 
Kubernetes-commit: 0e9cdf76ad2e21166dd5b72f7b0c2450d648c906
 2024-03-01 19:29:39 -05:00
Jefftree d8d3b8c351 Use v2 types with agg discovery 
Kubernetes-commit: 462dd326c2e98d937a96d49002883000efe4b2d6
 2024-01-19 16:13:47 -05:00
Jefftree fc2ef69449 Remove test for disabling aggregated discovery 
Kubernetes-commit: 0593746f6093a5a59a7a047f03a4139275fcaf11
 2024-02-27 18:27:54 -05:00
Joe Betz 414d2e2d63 Add selectableFields to CRDs 
Kubernetes-commit: 291703482d58ae030da71c6d671a96a6f960fc6f
 2024-02-28 14:06:06 -05:00
Eric Lin 000601bdbe Add handler to run watch serving in separate goroutine 
This handler allows running execution prior to actual serving in a separate
goroutine when serving requests. Doing so benefits cases in serving long running
requests because it allows freeing memory used by the separate goroutine
and keeps the serving routines slim.

Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 7b2698a5e5c61b303481c2006847409fc8704746
 2023-10-10 08:53:26 +00:00
Abu Kashem e6f368f3b9 apiserver: refactor handleError in endpoints/filters 
Kubernetes-commit: 9e37ccedc7fbbbacf07ecc79949c75e1e250ba58
 2024-01-09 13:32:09 -05:00
HirazawaUi bc8676d59a Add decoding time to the audit log 
Kubernetes-commit: 20fe2a3539e90f7554f94359ac3b4058a5bbb363
 2023-10-25 22:52:11 +08:00
Vandit Singh ff6a2dc722 Negative index regression test for json-patch (#122625) 
* add testcase with negative index

* exercise successful negative index patching

* use different values for testing

Co-authored-by: Chris Bandy <bandy.chris@gmail.com>

---------

Co-authored-by: Chris Bandy <bandy.chris@gmail.com>

Kubernetes-commit: 83ff8a2f49f820fb355b24c65b8629710dca8a54
 2024-01-18 09:31:12 +00:00
Eric Lin a2e6b85db4 handlers/watch: refactor watch serving to prepare offloading 
Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 87d817e62d8c6e93cf45bf90a7ecadfe4156ab1f
 2023-11-27 10:06:50 +00:00
Wojciech Tyczyński 697d456e35 Minor cleanup in watch handlers 
Kubernetes-commit: d907062308563b1a9e52152c48f4240a6e11aade
 2023-11-29 22:31:05 +01:00
Wojciech Tyczyński 442cc39449 Unify watch handler across http and websockets 
Kubernetes-commit: 55e60db88b126013f00135f49df3296f52b2572a
 2023-11-29 21:57:39 +01:00
Wojciech Tyczyński d64b183dbd Address review comments 
Kubernetes-commit: 0dd495e6dc253f94b0ad0bb92178fb5e8981116b
 2023-10-13 10:48:16 +02:00
Wojciech Tyczyński 65d3be7b39 Refactor watch event serialization to allow caching 
Kubernetes-commit: 7ff866463af46b5f7cf068ba8d51c68e417b9ece
 2023-08-25 15:41:14 +02:00
Yao Cheng 2b3f11cba2 Register metrics for apiserver handlers 
Signed-off-by: Yao Cheng <chengyao09@hotmail.com>

Kubernetes-commit: 18c3b6fce43edd76620a07707af2d851b52c3fad
 2023-09-06 17:25:12 +00:00
carlory 5ac339fec6 update pretty param description 
Kubernetes-commit: 75f20ee64da5317f4473de643eac43686fe9215e
 2023-10-16 16:36:31 +08:00
Damien Grisonnet b5b4cd7758 apiserver: rename request body size metric 
Rename the apiserver_request_body_sizes metric to
apiserver_request_body_size_bytes to conform with Prometheus best
practices.

This can be done safely without deprecation because that metric wasn't
registered before.

Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>

Kubernetes-commit: 08006c842fd6a584bb8e2511587c999ffe7ced9d
 2023-09-07 19:16:31 +02:00
Monis Khan 87ef6687ab Skip TestUnauthenticatedHTTP2ClientConnectionClose http1 tests 
These occasionally flake on CI:

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312

=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
    authentication_test.go:653: expect TCP connection: 1, actual: 2
        --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
    --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: cd5db9b7f23b0156bf5535fc0124361fbef0ce6a
 2023-10-12 19:13:07 -04:00
Monis Khan 445b713906 Prevent rapid reset http2 DOS on API server 
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
b225e7ca6d
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb
 2023-10-07 21:50:37 -04:00
David Ashpole d35f091281 fix missing http.target trace attribute 
Kubernetes-commit: 80269d5d3497acc8ad155cb9bfbfaa7fd9e20d1f
 2023-10-06 18:09:29 +00:00
Lukasz Szaszkiewicz 1c49f6c8ba endpoints/metrics: define watchListLatencies metric and associated functions 
Kubernetes-commit: a97f4b7a3123c9768ec7136b6ca32be926e16cd6
 2023-09-19 03:05:37 +02:00
Lukasz Szaszkiewicz cd87b8f62d handlers/watch: calculate and record WatchList latency metric. 
Kubernetes-commit: 772b1f4cd84a738f632716e28d4067c00f0b7f13
 2023-09-19 03:05:00 +02:00