Commit Graph

296 Commits

Author SHA1 Message Date
Samuel Davidson
7936d64e03 Replace IsExternalSigner boolean with ExtendedSigningDuration throughout apiserver to ensure consistent token signing length between local and external token signing. 2025-01-29 17:49:22 +00:00
carlory
b209a62483 Fix OIDC flags 2024-11-07 12:28:03 -08:00
Harshal Neelkamal
6fdacf0411 Add plugin and key-cache for ExternalJWTSigner integration 2024-11-07 03:16:23 +00:00
Joe Betz
25e11cd1c1 Add MutatingAdmissionPolicy plugin to admission chain
This expands the generic plugin support to both validating and mutating policies.  It also adds the
mutating policy admission plugin using the generics plugin support.

This also implements both ApplyConfiguration and JSONPatch support.

Co-authored-by: Alexander Zielensk <alexzielenski@gmail.com>
2024-11-04 21:40:54 -05:00
Kubernetes Prow Robot
7adcad3138 Merge pull request #128169 from liggitt/4193-ga
KEP-4193: Promote ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo, ServiceAccountTokenNodeBindingValidation to stable
2024-10-18 17:39:11 +01:00
Jordan Liggitt
0771f601e1 KEP-4193: Promote ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo, ServiceAccountTokenNodeBindingValidation to stable 2024-10-17 21:25:09 -04:00
Dr. Stefan Schimanski
4024390d8c apiserver/authconfig: wire CEL compiler through lower layers to allow sharing
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-10-17 22:56:20 +02:00
Kubernetes Prow Robot
1b71b94b73 Merge pull request #127711 from elmiko/correct-provider-deprecation-logic
Correct cloud provider detection logic to be more representative of deprecation and disablement status
2024-09-30 20:37:24 +01:00
elmiko
38fe239ac4 factor out cloudprovider.DeprecationWarningForProvider
This change removes the deprecation warning function in favor of using
the `cloudprovider.DisableWarningForProvider`. It also fixes some of the
logic to ensure that non-external providers are properly detected and
warned about.
2024-09-30 12:20:25 -04:00
Matthieu MOREL
f736cca0e5 fix: enable expected-actual rule from testifylint in module k8s.io/kubernetes
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2024-09-27 07:56:31 +02:00
elmiko
d1d05d3eba remove IsDeprecatedInternal from cloudprovider.plugins
The internal cloud controller loops are disabled at this point; this
function should not be used as it does not return accurate information.
In its place we check for the presence of the external cloud provider as
that is the only acceptable value.
2024-09-26 14:55:25 -04:00
Mangirdas Judeikis
4783af9a49 fix npe when running in limited config in generic-control-plane mode 2024-09-22 19:06:45 +03:00
Stanislav Láznička
7fabd06c2b requestheaders: add a "requestheader-uid-headers" flag and wire it up 2024-09-05 14:28:31 +02:00
Abhijit Hoskeri
c383823228 Fix formatting of the authnz config usage.
- Reword to be less verbose, more in line with the
  writing style in other flags.
- Add spaces after the end of sentences.
2024-07-27 14:26:46 -07:00
Dr. Stefan Schimanski
b6aebb0e4b options/authentication: fix serviceaccount TokenGetter with ServiceAccountTokenNodeBindingValidation
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-07-22 18:21:26 +02:00
Dr. Stefan Schimanski
dc0bcd62e3 options/authentication: revert extra serviceaccount TokenGetter function silently enabling serviceaccounts
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-07-22 18:21:26 +02:00
Kubernetes Prow Robot
0c8b3e5f30 Merge pull request #125986 from vinayakankugoyal/typo
Fix typo in error message for anonymous field in AuthenticationConfig…
2024-07-09 20:45:05 -07:00
Vinayak Goyal
27e8923c70 Fix typo in error message for anonymous field in AuthenticationConfiguration. 2024-07-09 21:04:28 +00:00
Mangirdas Judeikis
a72266ff9d Add test for WithTokenGetter 2024-07-02 17:26:53 +03:00
Mangirdas Judeikis
a15b22cd98 wire in optional tokenGetter provider 2024-07-01 18:09:46 +03:00
Kubernetes Prow Robot
522e2e5066 Merge pull request #124917 from vinayakankugoyal/kep4633
KEP-4633: Only allow anonymous auth for configured endpoints.
2024-06-27 20:39:51 -07:00
Vinayak Goyal
5e6a4937f5 KEP-4633: Allow health-only anonymous auth mode.
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
2024-06-28 00:30:05 +00:00
Jordan Liggitt
3e037070bb Move public key getter to interface 2024-06-25 18:10:08 -04:00
John McGrath
e72788d58e Revert "DisableServiceLinks admission controller" 2024-05-20 12:20:46 -05:00
Mangirdas Judeikis
b14936f679 move to generics for sets in kubeapiserver 2024-05-12 11:49:42 +03:00
Jan Safranek
e7a6ed2e3d Remove PersistentVolumeLabel admission plugin
Remove useless admission plugin.

* It has been deprecated for years.
* All in-tree cloud providers were removed, so the admission plugin does not have
  any way to get PV labels.
* There is a replacement in https://github.com/kubernetes-sigs/cloud-pv-admission-labeler
2024-05-09 11:10:14 +02:00
Marek Siarkowicz
3ee8178768 Cleanup defer from SetFeatureGateDuringTest function call 2024-04-24 20:25:29 +02:00
Kubernetes Prow Robot
6faeecc87d Merge pull request #122631 from jmcgrath207/disable-service-links
DisableServiceLinks admission controller
2024-04-18 00:00:28 -07:00
Kubernetes Prow Robot
8f80e01467 Merge pull request #123719 from enj/enj/f/authn_config_beta
Mark StructuredAuthenticationConfiguration feature gate as beta
2024-03-09 17:09:56 -08:00
Anish Ramasekar
62ac88b9ea Add metrics for authentication config reload
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-03-09 14:40:22 -08:00
Monis Khan
b4935d910d Add dynamic reload support for authentication configuration
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-09 14:29:33 -05:00
John Mcgrath
edb0287cb1 DisableServiceLinks admission controller 2024-03-06 00:39:23 -06:00
Anish Ramasekar
b502aa6f31 Duplicate v1alpha1 AuthenticationConfiguration to v1beta1
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-03-05 09:10:34 -08:00
Monis Khan
bc7aa13bf7 Mark StructuredAuthenticationConfiguration feature gate as beta
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-05 11:34:30 -05:00
Monis Khan
05e1eff793 Prevent conflicts between service account and jwt issuers
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-04 11:40:02 -05:00
Kubernetes Prow Robot
8845c4c657 Merge pull request #123135 from munnerz/4193-beta-promotion
KEP-4193: promote ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo and ServiceAccountTokenNodeBindingValidation to beta
2024-03-01 19:48:18 -08:00
Kubernetes Prow Robot
f139450e9b Merge pull request #122885 from claudiubelu/unittests-10
unittests: Fixes unit tests for Windows (part 10)
2024-02-28 05:38:40 -08:00
Kubernetes Prow Robot
66d038d84d Merge pull request #121946 from liggitt/reload-authz
KEP-3221: Implement authorization configuration file reloading
2024-02-15 18:37:13 -08:00
Kubernetes Prow Robot
72c3c7c924 Merge pull request #123282 from enj/enj/i/authn_config_algs
Support all key algs with structured authn config
2024-02-14 18:08:32 -08:00
Jordan Liggitt
5dc92ada06 Implement authz config file reloading 2024-02-14 18:09:15 -05:00
Jordan Liggitt
5f4cb8b09a Move kube-apiserver authz validation functions 2024-02-14 10:00:11 -05:00
Monis Khan
b5e0068325 Support all key algs with structured authn config
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-02-14 09:40:25 -05:00
Alexander Zielenski
8b14116509 refactor: move vap into parent policy folder
also renames to remove stutter

comment
2024-02-12 10:58:24 -08:00
James Munnelly
e087acc791 refuse to allow apiserver to startup if ServiceAccountTokenNodeBinding is enabled without ServiceAccountTokenNodeBindingValidation 2024-02-06 14:03:50 +00:00
Claudiu Belu
b8df7e7684 unittests: Fixes unit tests for Windows (part 10)
Currently, there are some unit tests that are failing on
Windows due to various reasons:

- Different "File not found" error messages on Windows.
- Files need to be closed on Windows before removing them.
- The default RootHnsEndpointName (root-hnsendpoint-name) flag value is 'cbr0'
- On Windows, Unix Domain sockets are not checked in the same way in golang, which is why
  hostutils_windows.go checks for it differently. GetFileType will return an error in this
  case. We need to check for it, and see if it's actually a Unix Domain Socket.
2024-01-22 13:43:42 +00:00
Mahe Tardy
73bec0f6d9 api: remove SecurityContextDeny admission plugin 2024-01-05 15:11:18 +00:00
Jordan Liggitt
1f40e0916e Only default mode to AlwaysAllow when config file is unspecified 2023-11-08 11:24:28 -06:00
James Munnelly
76463e21d4 KEP-4193: bound service account token improvements 2023-10-30 21:15:10 +00:00
Kubernetes Prow Robot
b7e5cbf1cf Merge pull request #121301 from sttts/sttts-validate-cloud-provider-2
kubeapiserver/options: fix cloud provider validation
2023-10-26 01:08:14 +02:00
Nabarun Pal
22e5a806a7 Add --authorization-config flag to apiserver
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-10-18 11:58:47 +05:30