d294e6b5b4
Update non-test code to use DefaultMutableFeatureGate
...
Kubernetes-commit: d440ecdd3b41a4fc4a207195e1bb976422d6d35e
2018-11-20 23:59:52 -05:00
ee7fb67d6e
Clarified syntax doc on --watch-cache-sizes
...
Noted that group must be omitted for resources of apiVersion v1 (the
legacy core API) and included for others.
Fixes #65393
Kubernetes-commit: fc20359fed5e3d0e89a60653b9b0d638d4d757d8
2018-11-12 14:45:45 -05:00
e485f8578d
kubeapiserver: rename '--experimental-encryption-provider-config' to '--encryption-provider-config'.
...
This change renames the '--experimental-encryption-provider-config'
flag to '--encryption-provider-config'. The old flag is accepted but
generates a warning.
In 1.14, we will drop support for '--experimental-encryption-provider-config'
entirely.
Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
Kubernetes-commit: 21c1bb883081b13244002271bccc9cf119d4db4f
2018-03-23 14:16:04 +03:00
877329b0f3
Add option to k8s apiserver to reject incoming requests upon audit failure
...
Kubernetes-commit: 7a10f4eda725f55bec9893eb1c03f2402dbcd32f
2018-07-03 14:40:55 +02:00
e2bc8e4617
Introduce kubeapiserver.config.k8s.io/v1 with EncryptionConfiguration and use a standard method for parsing config file.
...
Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
Kubernetes-commit: c21cb548e6c7d4ab019fce8a35c9b99c035c2071
2018-05-02 18:21:38 +02:00
f78d7e624c
fix a description error in DynamicAuditing feature
...
Kubernetes-commit: 84aa00c03df00eade6615ca009fa9b2943a98b8c
2018-11-17 01:49:02 +08:00
9fd62b6f47
adds dynamic audit configuration
...
Kubernetes-commit: eb89d3dddd3792b0a6cd724e64bbbc11d6c15380
2018-10-18 21:34:17 -05:00
2710b17b80
Move from glog to klog
...
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
Kubernetes-commit: 954996e231074dc7429f7be1256a579bedd8344c
2018-11-09 13:49:10 -05:00
631dda550e
kube-scheduler: enable secure ports 10259
...
Kubernetes-commit: cb95edafe8bf4f294beb53d0a7bc04d62584577c
2018-09-05 16:42:16 +08:00
032ec9d79b
Switch to sigs.k8s.io/yaml from ghodss/yaml
...
Change-Id: Ic72b5131bf441d159012d67a6a3d87088d0e6d31
Kubernetes-commit: 43f523d405b012fa8d90dd95b667f520e036f6bc
2018-11-02 16:41:57 -04:00
257a06e88a
add With method for allowed URL options on delegated authorization
...
Kubernetes-commit: 77b56ec9e36dd721c341ce838d608e8af10ce51f
2018-11-06 10:44:29 -05:00
136e478e9f
encryption-at-rest approvers/reviewers
...
Kubernetes-commit: 666c93a8343029a499ea64de8a6d09596097ccb3
2018-11-02 17:38:17 -04:00
83c8e657ed
allow delegated authorization to have privileged groups
...
Kubernetes-commit: 0b70b7a7c975589f7019e5017c334cf0ee6b819f
2018-11-05 16:23:20 -05:00
f8fa426bd3
Use `audit.k8s.io/v1` as default value of option --audit-webhook-version and --audit-log-version in release 1.13
...
Kubernetes-commit: 9671a035f7e7308ac804b4637af19bac2ecce0f4
2018-10-31 17:22:37 +08:00
22df332aff
Allow components to generate certificates in-memory
...
Kubernetes-commit: b7160d4ee2073f06293d7c3b20acdf4620fadf61
2018-10-16 17:22:13 -04:00
c7c9a358c2
etcd2 code cleanup, remove deserialization cache
...
Kubernetes-commit: c8db31b84adc40aa875917fbca27b2a787902088
2018-10-15 22:17:44 -04:00
13ab2dca08
Remove ericchiang from OWNERS files
...
Kept myself in the OpenID Connect ones for now.
Kubernetes-commit: 766f5875bfa0d8ce4d52cdb87d12faea527e1492
2018-10-11 18:11:15 -07:00
bd604a62aa
Remove deprecated --etcd-quorum-read flag
...
Kubernetes-commit: cff79c542130831f4a212099974570244a0c9586
2018-10-08 11:04:28 -04:00
92e87e143a
Update gofmt for go1.11
...
Kubernetes-commit: 97b2992dc191a357e2167eff5035ce26237a4799
2018-10-05 12:59:38 -07:00
41e5031224
Populate ClientCA in delegating auth setup
...
kubernetes/kubernetes#67768 accidentally removed population of the the ClientCA
in the delegating auth setup code. This restores it.
Kubernetes-commit: 65cea86e4413cb5899c3b89bda375bb326de5093
2018-10-04 12:48:18 -04:00
3b6fc08803
Remove etcd2 storage backend
...
Kubernetes-commit: 85ae79500fba7d6e51292b12daff829027b59872
2018-10-01 16:48:14 -04:00
e9bce895cf
Lazily dial kms-plugin.
...
Kubernetes-commit: 07cbf2545f705d0448631f479a18d0b86b7055dc
2018-09-12 14:56:44 -07:00
1a58e1c6ad
apiserver: make InClusterConfig errs for delegated authn/z non-fatal
...
Kubernetes-commit: 04e793e65ad70df5c4ab280c42740864e54163cd
2018-09-05 09:12:19 +02:00
c8f47fd79c
apiserver: fix misleading delegated authn/z warnings
...
Kubernetes-commit: 059fce63b755ef6052db273fd6c91f3090036389
2018-09-05 09:11:45 +02:00
ecbc9eada2
Fix grammar in secure-port flag help
...
The phrasing made it difficult to understand the message.
Kubernetes-commit: c0ded2d9f5beb5eb02b356076166c365073a639a
2018-08-30 18:50:26 -04:00
c726863192
apiserver: make not-found external-apiserver-authn configmap non-fatal
...
Kubernetes-commit: 5d56e791bb932cc297de08db302540684e6f9d4c
2018-08-24 18:30:58 +02:00
7dbcbd39e2
Remove deprecated legacy audit logging code.
...
Kubernetes-commit: 3f730d4c255e7c8ee67a020eed0b8f0a8f634750
2018-07-05 13:57:17 +02:00
16d4968bf9
authn/z: optionally opt-out of mandatory authn/authz kubeconfig
...
Kubernetes-commit: a671d65673590f0dfcf5c2b673e1518d11510bdb
2018-08-22 11:56:07 +02:00
34ff0933dd
expose generic storage factory primitives
...
Kubernetes-commit: 81b9213ac2cc7744b8a62ac42b269b97c1d17b5a
2018-08-27 10:45:52 -04:00
cfb1e16b55
apiserver: unify handling of unspecified options in authn+z
...
Kubernetes-commit: 0ede948e47d33474a4e30c845d7896c58a319e39
2018-08-21 16:42:13 +02:00
a8bd1ddbf7
delegated authz: add AlwaysAllowPaths mechanism to exclude e.g. /healthz
...
Kubernetes-commit: 6142e2f8f7c8b1c5d32a2f9aa3715ea0b5baf167
2018-08-17 17:03:16 +02:00
c27f181946
add unit test func TestServerRunOptionsValidate
...
Kubernetes-commit: cdef8029d4aea52e607da4101ad44b1b4163f869
2018-08-22 10:19:13 +08:00
7e18a5d0a6
add unit test func TestToAuthenticationRequestHeaderConfig
...
Kubernetes-commit: 0da04d61ab4b70817083c8208af12397b818546a
2018-08-22 10:18:30 +08:00
769565b214
add unit test func TestAPIEnablementOptionsValidate
...
Kubernetes-commit: 73ee10495b5be414b9fae718e5129765c7c3ed19
2018-08-22 10:17:58 +08:00
c872082b0a
add unit test func TestEtcdOptionsValidate and TestParseWatchCacheSizes
...
Kubernetes-commit: 67a1d53bd74265637718b67c80f48a26b6e653cf
2018-08-22 10:17:26 +08:00
a549f2934f
kube-apiserver: switch apiserver's DeprecatedInsecureServingOptions
...
Kubernetes-commit: d787213d1b8802d370032d17157ac1de7573ad15
2018-08-06 16:31:23 +02:00
3698d7a898
apiserver: move controller-manager's insecure config into apiserver
...
Kubernetes-commit: 1d9a896066b3e10e8c1a0d506e00bc354b7772f0
2018-08-16 20:47:15 +02:00
8e1390d9d4
Synchronous & unbatched audit log writes
...
Kubernetes-commit: c9670d0652f8d7da662f71caac6fca2044296ae6
2018-03-15 00:44:46 -07:00
0fc525d3c8
fix typo
...
fix typo
Kubernetes-commit: 18f1ad7dc5392cb4537fa33bd73cdb8dc2c1e523
2018-08-13 17:36:15 +08:00
b0b043eda2
list the default enabled admission plugins
...
Kubernetes-commit: ee96a5638d21f0da111b1106a82976cc59bbbf67
2018-08-06 17:25:24 +08:00
4e7be504bf
Support pulling requestheader CA from extension-apiserver-authentication ConfigMap without client CA
...
This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for it's clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.
This can happen in cluster setups where core API server uses Webhook token authentication.
Fixes: https://github.com/kubernetes/kubernetes/issues/65724
Kubernetes-commit: db828a44406efe09e2db91e6dc88d1292c9a29e1
2018-07-18 15:07:09 -07:00
b40373204e
use Audit v1 api and add it to some unit tests
...
Kubernetes-commit: 716dc87a1095027f9ab08ee59abfffab1d15ec29
2018-07-27 14:06:29 +08:00
4c6f8fdc17
apiserver: make loopback logic in SecureServingOptions reusable
...
Kubernetes-commit: dc0a736d1ea924dfa35ece64cb59d551c2a0b51f
2018-07-04 17:08:23 +02:00
55957fdc66
apiserver: add SecureServingOptions.ExternalAddress
...
Before this the advertised IP (which shows up in the server cert) in case of
listening to loopback was the first host interface IP. This makes self-signed
certs non-constant, such that we cannot use fixtures.
Kubernetes-commit: c1c564fd4d21dd68ea14d7ea678d8619f47fe445
2018-07-06 12:32:01 +02:00
fa6b67b429
apiserver: use fixtures for self-signed certs in test server
...
Kubernetes-commit: 7deccb5b7a7c5224d3d90e1391dd22b2d1f1b9b9
2018-07-06 12:04:38 +02:00
9cfed8df8c
Convert TestServerRunWithSNI to subtests to isolate flake
...
This test is flaking - make it easier to pin down where and why by
converting to subtests and making cleanup logic easier. Also turn an
ignored listen error into a "fatal".
Make the test run in parallel to speed up individual runs and hopefully
flush out issues.
Kubernetes-commit: 09463975c379114ef9cd42d3c7efb6254b2c3b33
2018-07-09 21:32:15 -04:00
ad29bd83ae
kube-apiserver: disallow --secure-port 0
...
Kubernetes-commit: e15ac9eb72c4e105e7a3d84711e5a6056c0f6a48
2018-07-06 12:58:59 +02:00
25a00cd3c1
apiserver: get rid of ReadWritePort in config
...
Kubernetes-commit: e32f380fa5df4361894570787814d0459baada93
2018-07-04 17:01:49 +02:00
5746122767
apiserver: don't create self-signed certs with disabled secure serving
...
Kubernetes-commit: 798535164ae11a7e3c036ed7793aa884942edc88
2018-07-04 19:09:26 +02:00
8fe5561ce7
[trivial] fix option help message.
...
s/andif/and if/
Kubernetes-commit: 42b93ab7244765dd744257a793b0b9c138146bb3
2018-06-13 09:07:34 +08:00
Jordan Liggitt