Add support for creating resources that are not immediately visible to
naive clients, but must first be initialized by one or more privileged
cluster agents. These controllers can mark the object as initialized,
allowing others to see them.
Permission to override initialization defaults or modify an initializing
object is limited per resource to a virtual subresource "RESOURCE/initialize"
via RBAC.
Initialization is currently alpha.
Kubernetes-commit: 331eea67d8000e5c4b37e2234a90903c15881c2f
Add location transformer, config for transformers
Location transformer helps choose the most specific transformer for
read/write operations depending on the path of resource being accessed.
Configuration allows use of --experimental-encryption-provider-config
to set up encryption providers. Only AEAD is supported at the moment.
Add new files to BUILD, AEAD => k8s-aes-gcm
Use group resources to select encryption provider
Update tests for configuration parsing
Remove location transformer
Allow specifying providers per resource group in configuration
Add IdentityTransformer configuration option
Fix minor issues with initial AEAD implementation
Unified parsing of all configurations
Parse configuration using a union struct
Run configuration parsing in APIserver, refactor parsing
More gdoc, fix minor bugs
Add test coverage for combined transformers
Use table driven tests for encryptionconfig
Kubernetes-commit: 9760d00d08ef0619e30a7b1b90fd290cab960069
This change makes it so that errors during watch decoding panic the
server if it is in a test environment. This allows us to catch coder
errors related to storing incompatible types at the same location in
etcd.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: a13f026fd012859f04467e6007e2cafe4a788927
The underlying storage has always returned the old object on watch
delete events when filtering. The cache watcher does not, which means a
downsteam caller gets different behavior.
This fixes the cache watcher to be consistent with our long term
behavior for watch. It may result in a behavior change (the filter
becomes more precise) but this was a regression in behavior.
Kubernetes-commit: e9e69356e4907fa4d0f45ea7e7768357ba71aba9
Tweak the ValueTransformer interface slightly to support additional
context information (to allow authenticated data to be generated by the
store and passed to the transformer). Add a prefix transformer that
looks for known matching prefixes and uses them. Add an AES GCM
transformer that performs AEAD on the values coming in and out of the
store.
Kubernetes-commit: f418468c87d3071c5d9ed14ce850996c77251080
change import of client-go/api/helper to kubernetes/api/helper
remove unnecessary use of client-go/api.registry
change use of client-go/pkg/util to kubernetes/pkg/util
remove dependency on client-go/pkg/apis/extensions
remove unnecessary invocation of k8s.io/client-go/extension/intsall
change use of k8s.io/client-go/pkg/apis/authentication to v1
Kubernetes-commit: c354076aa41e3cf417b291d5f0eff2b70395ac30
This change clean up the environment for etcd3 unit test.
Without this change, "make test" will leave some socket files in
workspace. And these socket files make hack/verify-generated-protobuf.sh
fails.
Kubernetes-commit: 4e9dcf3da536a9b956eb092fe9dbc5b2081cfb9d
Allows a transformer (such as an encrypter) to force an update if a new
key is in use, thus allowing simple writes to the REST layer to
trivially migrate keys.
This adds a new value transformer to the etcd2 store that can transform
the value from etcd on read and write. This will allow the store to
implement encryption at rest or otherwise transform the value prior to
persistence.
David Ashpole
Clayton Coleman
Saksham Sharma
Wojciech Tyczynski
Monis Khan
deads2k
Chao Xu
Mike Danese
Cao Shufeng
Jordan Liggitt
Dr. Stefan Schimanski
Derek Carr
fate-grand-order