c2310e1279
Implement authz config file reloading
...
Kubernetes-commit: 5dc92ada068cb80a2866cfaa1f9aa760d2524680
2023-11-08 08:49:58 -06:00
7e9e7fe668
move OWNERS from validating to all new parent policy folder
...
meant to do this in refactor PR
Kubernetes-commit: bd27c99262e73955af6af19a1d6d72fce6739522
2024-02-14 16:32:08 -08:00
1bc99127a6
Add integration test for multiple audience in structured authn
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 0feb1d5173c94e28da79963fb296296b005dd6a1
2024-02-14 17:04:21 -08:00
6f648c15a2
Add retry around create
...
Kubernetes-commit: a05db0dd22a68a9c443a9f01cc1b8f6397fd6a9f
2024-01-19 16:10:30 -05:00
fb760be3fc
support multiple audiences with jwt authenticator
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 18c563546a764b559ce5b74f09eaaaf9c1f0e5fb
2024-01-24 17:15:11 +00:00
26996e3679
Add AudienceMatchPolicy to AuthenticationConfiguration
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 19da90d6396ce9471f612d6e9a31f1b1c8d605b1
2024-01-25 22:35:16 +00:00
1672796601
bugfix: avoid NPE possibility by making composition environment global
...
Kubernetes-commit: 3094395fa76210f33118d10d6a7c8214c50a7f33
2024-01-29 13:45:27 -08:00
9fd47abbb1
refactor: implement VAP off of policy plugin fw
...
Kubernetes-commit: 18fbc48b0155485cd78ec4d0e6050ccbb7d8e058
2024-01-22 17:31:52 -08:00
f8d65cf3a6
refactor: create generic policy plugin type similar to webhook
...
Kubernetes-commit: a6366573d5ca328438b80d72d0ae5a5bf6b178be
2024-01-22 17:31:34 -08:00
06be9d025c
refactor: move matching logic into parent policy folder
...
Kubernetes-commit: d697f43d73870679ad4cd46939ad28e06926b6d3
2024-01-17 18:12:41 -08:00
57e06e43f7
refactor: move vap into parent `policy` folder
...
also renames to remove stutter
comment
Kubernetes-commit: 8b14116509ac19234924878ab08f7e9e8f03549a
2024-01-17 18:09:30 -08:00
3769e5c054
refactor: move celmetrics close to its usage in vap
...
does not need to be accessed from anywhere else, and removed an excessive lonesome `cel` pkg with just the metrics
Kubernetes-commit: 8b26b6eec1b0d99518e7c53879e1d44ade2eebc7
2024-01-17 17:05:53 -08:00
f6b16dddb3
Add `apiserver_encryption_config_controller_automatic_reloads_total`
...
metric
- Adds `apiserver_encryption_config_controller_automatic_reloads_total`
metric with status label for encryption config reload success/failure.
- Deprecated `apiserver_encryption_config_controller_automatic_reload_failures_total` and `apiserver_encryption_config_controller_automatic_reload_success_total`
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 77241d31253baf051302fff7480c9601ad817399
2024-02-07 19:44:41 +00:00
6f620d4d18
add test case for error inside variables.
...
Kubernetes-commit: 3e777540fda8dda01bb72702b1e39675f21d2955
2024-02-08 13:39:25 -08:00
ab64beb117
add support of variables for Type Checking.
...
Kubernetes-commit: dc832c6e59e98f8b842efe42d3f18a67e781779d
2024-02-01 15:28:21 -08:00
1501159ecb
refactor type checking to use CompositedCompiler.
...
Kubernetes-commit: 21ba0d59d3a29b5668d4ba712d5b130d458121c6
2024-02-01 13:20:21 -08:00
f099bff723
chore: adds consistent vanity import to files and provides tooling for verifying and updating them. ( #120642 )
...
* chore: drops update vanity imports from script.
* chore: changes copyright year to 2024.
* chore: makes lint happy.
Kubernetes-commit: 6d6398ef9266abce3518a4c9a3d4e4d8feeffdc1
2024-02-08 14:10:27 +00:00
554c2d262b
apiserver: allow zero value for the 'nominalConcurrencyShares' field
...
Kubernetes-commit: 5f75c35edf1ea0a10a64615c43b5868484c94f46
2024-01-26 14:27:09 -05:00
e6f368f3b9
apiserver: refactor handleError in endpoints/filters
...
Kubernetes-commit: 9e37ccedc7fbbbacf07ecc79949c75e1e250ba58
2024-01-09 13:32:09 -05:00
c60b23f298
use authentication.kubernetes.io/issued-credential-id audit annotation in serviceaccount token registry endpoint
...
Kubernetes-commit: 7f12735fffdc490eae59e98d0f03638067b028de
2024-02-02 16:57:16 +00:00
586f61dd0f
Fix the syntax error in the comment of the checkQuotas method. ( #121428 )
...
* Update controller.go
Fix comment error.
From "It there was no quota change mark the waiter as succeeded." to "If there was no quota change mark the waiter as succeeded."
* Adjust the comments to maintain consistent tense throughout.
Adjust the comments to maintain consistent tense throughout.
Kubernetes-commit: 5855f5178f42dbc114b6c5ac1964a5dd62bb0957
2024-02-06 00:45:00 +08:00
eff38efc48
apiserver: warning should not panic when request times out
...
Kubernetes-commit: 7cab0ad2d2b2688575c1d6c8b5ecee2bfa5a39ff
2023-01-26 08:56:10 -05:00
bc8676d59a
Add decoding time to the audit log
...
Kubernetes-commit: 20fe2a3539e90f7554f94359ac3b4058a5bbb363
2023-10-25 22:52:11 +08:00
43f24ff9ee
fix comment of rbac decision for NoOpinion
...
Signed-off-by: lowang_bh <lhui_wang@163.com>
Kubernetes-commit: 3579674df2df72956b34fa2593e526c02beea9d6
2023-06-06 22:36:14 +08:00
69adaecb9e
bugfix: dont skip reconcile for unchanged policy if last sync failed
...
Kubernetes-commit: 71559bd02670f53a2d6640714eeb4e7fbc554e86
2024-01-26 18:57:30 -08:00
95a53374a5
convert the expectedValues to be cel.Val.
...
Kubernetes-commit: c89dcf52b12bf5e32f71f3ed600315242f7e44f6
2024-01-25 13:52:39 -08:00
f0c47558ed
extra case for affirmative has(map) test.
...
Kubernetes-commit: d6991638029be493e5c197b6cd0d268d8ce55457
2024-01-25 13:36:42 -08:00
eb407cc3dd
fix convertField and its comments.
...
Kubernetes-commit: d0c323fb8fbfa5c1b91ae445cbda60a416e85e65
2024-01-23 16:47:33 -08:00
3a5a43790e
add support for equality check.
...
Kubernetes-commit: df9620c9f6f6a60f7cbcacb3ad9fa40d79d1d73e
2024-01-23 16:07:39 -08:00
8b89a41f3f
mutation library for CEL.
...
- TypeRef, TypeProvider interfaces.
- TypeRef, TypeProvider, ObjectVal, FieldType implementations
for unstructured.
- Tests for using optional in mutation.
Kubernetes-commit: 9bbdbc510ebf8e2dcb243d6fbbf57449f895196e
2024-01-19 17:03:34 -08:00
f709e954ab
drop deprecated pointer package
...
Signed-off-by: liyuerich <yue.li@daocloud.io>
Kubernetes-commit: e490439262fad619d83c5647a42a5382cb9c787b
2023-09-15 21:03:36 +08:00
8b49df5c88
Update env version, Add cost for previous func, add tests, etc.
...
Kubernetes-commit: 3fb679016423e80b87cf3e540d296471223460e6
2023-12-05 23:26:13 +00:00
ca8d0aaf91
client-go/reflector: make UseWatchList a pointer
...
until #115478(use streaming against the etcd storage)
is resolved the cacher need a way to disable the streaming.
Kubernetes-commit: 41e706600aea7468f486150d951d3b8948ce89d5
2024-01-19 13:48:29 +01:00
ff6a2dc722
Negative index regression test for json-patch ( #122625 )
...
* add testcase with negative index
* exercise successful negative index patching
* use different values for testing
Co-authored-by: Chris Bandy <bandy.chris@gmail.com>
---------
Co-authored-by: Chris Bandy <bandy.chris@gmail.com>
Kubernetes-commit: 83ff8a2f49f820fb355b24c65b8629710dca8a54
2024-01-18 09:31:12 +00:00
aa358081a5
fix evaluate resource quota if a resource is updated when the InPlacePodVerticalScaling feature-gate is on
...
Kubernetes-commit: 041e97af1f0ee40029dcd44abd63f84514eca59e
2024-01-11 16:04:02 +08:00
285e6ec394
Clean up encryption config reading and hashing logic
...
This is a no-op change that makes the internal encryption config
hash more specific to it use and explicitly marks it as unstable.
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 9387a66c71fd85840cb199b468610b8fa950253f
2024-01-10 14:48:30 -05:00
fa628fd528
Use http/2 for localhost webhook
...
Signed-off-by: Eric Lin <exlin@google.com>
Kubernetes-commit: 246e69fb99007412c4903fe8e7ad1d8c5f25cd8e
2024-01-03 13:49:51 +00:00
7751f0aa90
remove import hack about k8s.io/utils/clock/testing
...
Kubernetes-commit: 81d040d538101b89bd8edd51bb78a58ea5bf793c
2023-11-16 12:30:14 +08:00
4e1e99b0ca
remove GA featuregate RemoveSelfLink
...
Kubernetes-commit: 3b67181c93be39244370b560f83fa7546f7c65c0
2023-12-25 00:29:38 +08:00
e7eedd15ec
move encryption config types to standard API server config location
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: 75695dae1093cc08cb56a4930c0be8e7e4433be1
2023-12-16 00:00:21 +00:00
6bad17ce50
[StructuredAuthnConfig] add comment for extra keys unique requirement
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Kubernetes-commit: af8da8e01c28286feedf528e94683781a0387a99
2024-01-02 19:58:20 +00:00
febd537a31
use build-in max and min func to instead of k8s.io/utils/integer funcs
...
Kubernetes-commit: eb8f3f194fed16484162aebdaab69168e02f8cb4
2023-12-15 15:09:11 +08:00
a2e6b85db4
handlers/watch: refactor watch serving to prepare offloading
...
Signed-off-by: Eric Lin <exlin@google.com>
Kubernetes-commit: 87d817e62d8c6e93cf45bf90a7ecadfe4156ab1f
2023-11-27 10:06:50 +00:00
b6487a8ac1
Fix etcd repository path to prevent redirects.
...
Signed-off-by: James Blair <mail@jamesblair.net>
Kubernetes-commit: b6c1f8ef08c3451f17048447e107c509a8ed950e
2023-11-02 09:31:37 +13:00
ccc28d3f49
Add tests for CIDR type
...
Kubernetes-commit: b3285fa8df494ef174bbee1ccffcc5e3a58afcdd
2023-12-15 11:01:55 +00:00
f16e0c2a18
Add tests for IP type
...
Kubernetes-commit: 31f9384646a5cfd001f176454feb9c1040591e96
2023-12-08 18:16:30 +00:00
e5f605855d
Add costing estimations for IP and CIDR
...
Kubernetes-commit: e1f9aa450b7ecd62ce7284486a159d14f66c1761
2023-11-17 17:34:46 +00:00
e4fb1f737e
Add IP and CIDR libraries to CEL environment for 1.30
...
Kubernetes-commit: 4710f085b3d4dbf242085f4cb53708efc7ebbefd
2023-11-17 13:57:29 +00:00
f4ae0b7ca6
Add CIDR network CEL extension
...
This adds new CEL functions to the library for validating if a string is a CIDR notation.
This will work in conjunction with the IPAddr to allow checking if an IPAddr exists within a particular network.
Kubernetes-commit: 2f585b451232814d6563329241e96f09bfd1cb73
2023-11-15 19:04:48 +00:00
3fe1439ba9
Add special IP validations to IP CEL type
...
Kubernetes-commit: 13b22b23a1a5f8976fa608c7bc8b3048470b5c51
2023-11-17 12:51:32 +00:00
Jordan Liggitt