Right now, `_, ok := provider.(Notifier); !ok` can mean one of two
things:
1. The provider does not support notification because the provided
content is static.
2. The implementor of the provider hasn't gotten around to implementing
Notifier yet.
These have very different implications. We should not force consumers of
these interfaces to have to figure out the static of Notifier across
sometimes numerous different implementations. Instead, we should force
implementors to implement Notifier, even if it's a noop.
Change-Id: Ie7a26697a9a17790bfaa58d67045663bcc71e3cb
Kubernetes-commit: 9b7d654a08d694d20226609f7075b112fb18639b
it turns out that setting a timeout on HTTP client affect watch requests made by the delegated authentication component.
with a 10 second timeout watch requests are being re-established exactly after 10 seconds even though the default request timeout for them is ~5 minutes.
this is because if multiple timeouts were set, the stdlib picks the smaller timeout to be applied, leaving other useless.
for more details see a937729c2c/src/net/http/client.go (L364)
instead of setting a timeout on the HTTP client we should use context for cancellation.
Kubernetes-commit: d690d71d27c78f2f7981b286f5b584455ff30246
This change updates the oidc authenticator to allow specifying an
oidc.KeySet as an input option. This makes it possible to
synchronously initialize the KeySet instead of relying on the
asynchronous initialization that is normally done to support
self-hosted providers. This makes it easier to use this code as a
library.
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: b5a1a45d48b4e90e54f512fc829b2ab9866b282e
This change updates the OIDC authenticator code to use a subset of
the dynamiccertificates.CAContentProvider interface to provide the
root CA bytes. This removes the hard dependency on a file based CA
and makes it easier to use this code as a library.
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: 5dd4c89df38d4a5389c0cbf2c7fe4f6a5d5534ce
- when we forward the request to the aggregated server, set the audit
ID in the new request header. This allows audit logs from aggregated
apiservers to be correlated with the kube-apiserver.
- use the audit ID in the current tracer
- use the audit ID in httplog
- when a request panics, log an error with the audit ID.
Kubernetes-commit: b607ca1bf3e1cf6152c446ea61ac7fdd9014e1f1
Manage the audit ID early in the request handling logic so that it can
be used by different layers to improve correlation.
- If the caller does not specify a value for Audit-ID in the request
header, we generate a new audit ID
- If a user specified Audit-ID is too large, we truncate it
- We echo the Audit-ID value to the caller via the response
Header 'Audit-ID'
Kubernetes-commit: 31653bacb9b979ee2f878ebece7e25f79d3f9aa6
This field is useful to namespace the managed field entries of a
subresource and differentiate them from the ones of the main resource.
Kubernetes-commit: 862d256195adf3be5475b1a6935e5feb78f884a5
Ensure that all label selectors are treated as atomic values,
to exclude situations when selectors are being corrupted by
different actors attempting to apply their overlapping definition
for this field with server-side-apply.
Kubernetes-commit: d8a7764b6396b90313ae7bd50a845f4da4705d67
webhook config manager: HasSynced returns true when the manager is synced with existing webhookconfig objects at startup
Kubernetes-commit: ae6ceaa78d6891f97589a0ffcf405f45c2caae79
Kubernetes Publisher
Mike Danese
Monis Khan
njuptlzf
Lukasz Szaszkiewicz
Kevin Delgado
pacoxu
Jordan Liggitt
Abu Kashem
Niekvdplas
John Howard
Brendan Burns
Antoine Pelisse
xiongzhongliang
Andrea Nodari
Danil-Grigorev
Han Kang
Haowei Cai
answer1991