kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,575 Commits 29 Branches 1,436 Tags 31 MiB
Commit Graph

161 Commits

Author SHA1 Message Date
Cici Huang 0381d1eed6 Promote cost enforcement feature gates to GA 
Kubernetes-commit: 4c64aa7a4eda6c379a3dec061dfef5beb311d66a
 2024-09-26 16:39:18 +00:00
Jefftree 38adb499b0 Port the rest of unversioned features 
Kubernetes-commit: a8390dcddda14274e5ce24dd517a19587118a198
 2024-09-27 19:04:47 +00:00
Omer Aplatony 6dc6d8d7fa chore: moving apiserver featuregates to versioned 
Signed-off-by: Omer Aplatony <omerap12@gmail.com>

Kubernetes-commit: ade730594005f93ac18e102ba54d61dbf23b616f
 2024-09-24 23:36:30 +03:00
Joe Betz 91a4bf232d Promote RetryGenerateName to GA 
Kubernetes-commit: e3cae09e63d72edef9cf841979418291acc31b17
 2024-09-10 12:34:36 -04:00
Adarsh-verma-14 5db4826844 fixing inconsistency between the comment and the actual feature gate definition 
Kubernetes-commit: 8f471803cb386c2a227fa61e922822aab168ec95
 2024-09-09 18:33:00 +05:30
Jefftree b93ecaaa38 remove duplicate unused feature InPlacePodVerticalScaling 
Kubernetes-commit: 14fe8e2a91ba5f6fc53617bea32223d79e1a060c
 2024-09-05 16:27:07 +00:00
Adarsh-verma-14 8a5b9105e9 add missing comment 
Kubernetes-commit: 8619996319a07d5c5f777b6e06f54ce3884a73b4
 2024-09-07 00:07:31 +05:30
Jefftree e778ced9b7 Remove example feature gate from pkg/apiserver/kube_features.go 
Kubernetes-commit: 79deb21ac1d0837fbafdf9e1556019062590c1d8
 2024-09-04 14:50:41 +00:00
Vinayak Goyal 491f6248d4 KEP-4633: Graduate to BETA. 
Signed-off-by: Vinayak Goyal <vinaygo@google.com>

Kubernetes-commit: 8a4e23ea30bb0af50aa425cea8af926998872ee4
 2024-08-22 01:28:57 +00:00
carlory af2142bfe4 Remove GAed feature gates ServerSideApply/ServerSideFieldValidation 
Kubernetes-commit: de7e4318d6b2ad0de4472dcaef7d97c34057d3d8
 2024-09-02 13:52:48 +08:00
Cici Huang fac4f5d2a0 Remove feature gate ValiatingAdmissionPolicy after stable. 
Kubernetes-commit: 0f19faf9be562f3d18880ed2ae12d6b9d059476c
 2024-08-12 12:11:02 -07:00
Monis Khan 272e9eba82 Remove KMSv2 and KMSv2KDF feature gates 
These have been GA since v1.29 and can be safely removed.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 6398b8a19fe0e113cf250c13b0639dea258a174f
 2024-08-14 15:59:01 -04:00
Marek Siarkowicz 9aa7a6ac61 Introduce ConcurrentWatchObjectDecode feature gate disabled by default 
Kubernetes-commit: 93a10a75698075e86344ee4fdb56701309468b95
 2024-07-30 16:28:48 +02:00
Marek Siarkowicz c470f38c60 Move ConsistentListFromCache to Beta default again 
This reverts commit aeb51a16e369d5b823a8ae6488d1d5e12c683516.

Kubernetes-commit: 2ca56aab87d0927e568f1d896d49692433d5d93a
 2024-07-30 22:49:47 +02:00
Ben Luddy 788e7ee758 Move APIServingWithRoutine to alpha and disabled by default. 
Kubernetes-commit: c8380040848fcbd0a0cc06600b9d4531b65098d2
 2024-07-30 16:33:31 -04:00
Jefftree e749b346fa CLE feature gate 
Kubernetes-commit: 9b16b0dc97c3f353f60eb935a8a532ec82b5e18e
 2024-07-21 20:04:36 +00:00
Cici Huang 5678a8c44d Remove feature gate CustomResourceValidationExpressions. 
Kubernetes-commit: 67a171a1422cc5861491aadd69e51ce718196434
 2024-07-16 10:39:00 -07:00
David Eads f26d4ed894 add field and label selectors to authorization attributes 
Co-authored-by: Jordan Liggitt <liggitt@google.com>

Kubernetes-commit: 92e3445e9d7a587ddb56b3ff4b1445244fbf9abd
 2024-05-23 15:12:26 -04:00
Lukasz Szaszkiewicz 708f0cf46b Revert "kube-apiserver: promote WatchList feature to beta" 
This reverts commit 0b15903b35d83ca32833e81997b6257ee4d4f369.

Kubernetes-commit: 88f47b4b4df2f099cc20381fdc0fbcfe0afcee8e
 2024-07-18 09:29:24 +02:00
Monis Khan 17ba1a9a64 Revert "Move ConsistentListFromCache to Beta default" 
This reverts commit 0c0e19b343d48d4bea0e7fa735e3781c70298a34.

During stress test for SVM controller, the controller is unable to
make a list call due to following error:

resourceversion.go:155: I0716 21:49:26.973127] storage-version-migrator-controller: Error syncing SVM resource, retrying svm="crdsvm" err="error getting latest resourceVersion for stable.example.com/v1, Resource=testcrds: Timeout: Too large resource version: 28976, current: 20349"

With the feature disabled, the stress test passes.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: aeb51a16e369d5b823a8ae6488d1d5e12c683516
 2024-07-16 23:12:16 -04:00
Abu Kashem f553925235 apiserver: remove feature gate APIPriorityAndFairness 
Kubernetes-commit: ae647032a74bf8f671fa8db0602dee301cf865bf
 2024-07-02 12:55:43 -04:00
Wojciech Tyczyński a643e14347 Implement resilient watchcache initialization post-start-hook 
Kubernetes-commit: a5772bd42593f6492f5169eef49bc9884f95abba
 2024-06-13 11:02:18 +02:00
Lukasz Szaszkiewicz 8321755755 kube-apiserver: promote WatchList feature to beta 
Kubernetes-commit: 0b15903b35d83ca32833e81997b6257ee4d4f369
 2024-06-19 11:48:20 +02:00
Vinayak Goyal 77f498853b KEP-4633: Allow health-only anonymous auth mode. 
Signed-off-by: Vinayak Goyal <vinaygo@google.com>

Kubernetes-commit: 5e6a4937f5a3e20dd77238946220461332ecddff
 2024-05-16 21:18:34 +00:00
Siyuan Zhang 22612a3528 apiserver: Add API emulation versioning. 
Co-authored-by: Siyuan Zhang <sizhang@google.com>
Co-authored-by: Joe Betz <jpbetz@google.com>
Co-authored-by: Alex Zielenski <zielenski@google.com>

Signed-off-by: Siyuan Zhang <sizhang@google.com>

Kubernetes-commit: 403301bfdf2c7312591077827abd2e72f445a53a
 2024-01-19 16:07:00 -08:00
Marek Siarkowicz ddbe9fe28a Move ConsistentListFromCache to Beta default 
Kubernetes-commit: 0c0e19b343d48d4bea0e7fa735e3781c70298a34
 2024-02-26 14:34:53 +01:00
Wojciech Tyczyński 5a0e942d09 Implement ResilientWatchCacheInitialization 
Kubernetes-commit: a8ef6e9f0104a44023162bb8229fb677ec80beb1
 2024-04-29 14:19:46 +02:00
Cici Huang d44012e895 Adding the feature gates to fix cost for VAP and webhook matchConditions. 
Kubernetes-commit: d6e4115ead6b93d2accf688876471231b365ceae
 2024-05-01 16:26:41 -07:00
Joe Betz e721afc903 Promote RetryGenerateName to beta 
Kubernetes-commit: 1b59f3678fa95cb6bf647e349dd8ba023914eff0
 2024-05-01 20:34:21 -04:00
Marek Siarkowicz 13a815b7c8 Serve watch without resourceVersion from cache and introduce a WatchFromStorageWithoutResourceVersion feature gate to allow serving watch from storage. 
Kubernetes-commit: 0130072b053f85fb736c24d34552208cdd1bccfe
 2024-03-14 15:20:29 +01:00
Monis Khan aa18faf137 Mark StructuredAuthenticationConfiguration feature gate as beta 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: bc7aa13bf793148b0c6b3b51fd9a8e17bb412712
 2024-03-05 10:39:44 -05:00
cici37 be9c733e9d Promote ValidatingAdmissionPolicy to GA. 
Kubernetes-commit: de506ce7ac9981c8253b2f818478bb4093fb7bb6
 2024-01-23 22:10:40 +00:00
Jordan Liggitt 4d70dec65c Promote StructuredAuthorizationConfiguration feature gate to beta 
Kubernetes-commit: 30256c8909ab8c30a64f786361543768f2719c77
 2024-03-02 02:12:36 -05:00
Marek Siarkowicz e810084a4b Prevent watch cache starvation, by moving its watch to separate RPC and add a SeparateCacheWatchRPC feature flag to disable this behavior 
Kubernetes-commit: 31d404b182d2985ce0d3c43f75d80c29a708beda
 2024-02-27 11:25:42 +01:00
Jefftree 7c8cdebce9 Promote AggregatedDiscovery to GA 
Kubernetes-commit: 301e804c3f2fb3935c2cf3d2a04967f47921fc99
 2024-02-27 16:59:46 -05:00
Igor Velichkovich fc7cf5fb84 kep-3716 GA, remove feature gate 
Kubernetes-commit: a51a5b462236d5eb87e6d690065f884c281a833c
 2024-02-28 10:45:51 -06:00
Cici Huang c8d2257e3a [KEP-3962]Add feature gate for MAP (#123425) 
* Add feature gate for MAP

* sort feature gates.

---------

Co-authored-by: Jiahui Feng <jhf@google.com>

Kubernetes-commit: 9bc5257c450f7dfda187bfadd96f32310a2eaa18
 2024-02-21 17:00:13 -08:00
Eric Lin 000601bdbe Add handler to run watch serving in separate goroutine 
This handler allows running execution prior to actual serving in a separate
goroutine when serving requests. Doing so benefits cases in serving long running
requests because it allows freeing memory used by the separate goroutine
and keeps the serving routines slim.

Signed-off-by: Eric Lin <exlin@google.com>

Kubernetes-commit: 7b2698a5e5c61b303481c2006847409fc8704746
 2023-10-10 08:53:26 +00:00
Joe Betz 6f648c15a2 Add retry around create 
Kubernetes-commit: a05db0dd22a68a9c443a9f01cc1b8f6397fd6a9f
 2024-01-19 16:10:30 -05:00
Abu Kashem 554c2d262b apiserver: allow zero value for the 'nominalConcurrencyShares' field 
Kubernetes-commit: 5f75c35edf1ea0a10a64615c43b5868484c94f46
 2024-01-26 14:27:09 -05:00
carlory 4e1e99b0ca remove GA featuregate RemoveSelfLink 
Kubernetes-commit: 3b67181c93be39244370b560f83fa7546f7c65c0
 2023-12-25 00:29:38 +08:00
Abu Kashem b3499eec62 apiserver: set APF featuregate to ga 
Kubernetes-commit: c7fcef187562e1b3ffdaa2e2109c65d800b8f5d5
 2023-10-31 08:35:52 -04:00
Abu Kashem b041969f97 apiserver: allow zero value for the 'nominalConcurrencyShares' field 
Kubernetes-commit: 9fd2ab419ad771790d3cb80ea7b8e6828d9ce305
 2023-10-27 19:26:08 -04:00
Cici Huang 789ac1ae18 Promote CRD validation rule to stable 
Kubernetes-commit: cbe3d897629691507c2992659ca748e32366da1a
 2023-10-19 20:31:17 +00:00
Rita Zhang 26219aabef [KMSv2] promote KMSv2 and KMSv2KDF to GA 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

Kubernetes-commit: a9b1adbafc7fe52f669dc98aada21bc3e46cdce3
 2023-10-24 09:50:45 -07:00
guangli.bao e59c50c660 Remove GAed feature gates OpenAPIV3 
Signed-off-by: guangli.bao <guangli.bao@daocloud.io>

Kubernetes-commit: 27bb40a9d839589ac9f97b6ce80b18a7635e9ae4
 2023-10-19 22:30:58 +08:00
Nabarun Pal 5873bbb7bf add feature gates for authorization config 
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>

Kubernetes-commit: 007ef653ad089180d02a58782bbd3912e875354d
 2023-08-24 15:56:56 +05:30
Monis Khan 445b713906 Prevent rapid reset http2 DOS on API server 
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
b225e7ca6d
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb
 2023-10-07 21:50:37 -04:00
Monis Khan 9c40486020 kmsv2: enable KMSv2KDF feature gate by default 
Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 657cc2045ee46922b00d4fd7c126f57d1e8ecc43
 2023-09-05 12:27:55 -04:00
Anish Ramasekar 1fbafe88b9 add StructuredAuthenticationConfiguration feature flag 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Kubernetes-commit: 1bf90f9484c5dbcd941251f0036af65fa25ee193
 2023-08-10 22:06:41 +00:00