Stanislav Laznicka
b67bd722a9
rootcacertpublisher: drop the namespace label from metrics to reduce its cardinality

The `root_ca_cert_publisher_sync_duration_seconds` metric tracks the sync
duration in the root CA cert publisher per code and namespace. In
clusters with a high namespace turnover (like CI clusters), this may
cause the kube-controller-manager to expose over 100k series to
Prometheus, which may cause degradation of that service.
Drop the `namespace` label to remove the metrics' cardinality; tracking
this metric by namespace does not justify the impact of keeping it.
2021-09-16 14:05:32 +02:00

wojtekt
e233feb99b
Migrate to k8s.io/utils/clock in pkg/controller
2021-09-10 11:42:32 +02:00

Stephen Augustus
481cf6fbe7
generated: Run hack/update-gofmt.sh

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2021-08-24 15:47:49 -04:00

Jordan Liggitt
236e72cf8a
Make CSR cleaner tolerate objects with invalid status.certificate
2021-07-21 10:35:17 -04:00

Monis Khan
cd91e59f7c
csr: add expirationSeconds field to control cert lifetime

This change updates the CSR API to add a new, optional field called
expirationSeconds.  This field is a request to the signer for the
maximum duration the client wishes the cert to have.  The signer is
free to ignore this request based on its own internal policy.  The
signers built-in to KCM will honor this field if it is not set to a
value greater than --cluster-signing-duration.  The minimum allowed
value for this field is 600 seconds (ten minutes).
This change will help enforce safer durations for certificates in
the Kube ecosystem and will help related projects such as
cert-manager with their migration to the Kube CSR API.
Future enhancements may update the Kubelet to take advantage of this
field when it is configured in a way that can tolerate shorter
certificate lifespans with regular rotation.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-01 23:38:15 -04:00

Monis Khan
7e891e5d6c
csr: correctly handle backdating of short lived certs

This change updates the backdating logic to only be applied to the
NotBefore date and not the NotAfter date when the certificate is
short lived. Thus when such a certificate is issued, it will not be
immediately expired.  Long lived certificates continue to have the
same lifetime as before.
Consolidated all certificate lifetime logic into the
PermissiveSigningPolicy.policy method.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-23 15:36:11 -04:00

Kubernetes Prow Robot
df9ad4d7d2
Merge pull request #96094 from Hellcatlk/m

Some comments' typos
2021-04-16 11:54:22 -07:00

Kubernetes Prow Robot
d51f15ed0d
Merge pull request #100885 from enj/enj/i/auth_owners

Update sig-auth OWNERS
2021-04-12 22:18:49 -07:00

David Eads
443e4ea0df
include description of what kube-root-ca.crt can be used to verify
2021-04-08 10:43:41 -04:00

Monis Khan
bca4993004
Update auth OWNERS files to only use aliases

Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-07 10:46:03 -04:00

Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00

Shihang Zhang
bbce0468d4
add metrics for rootcacertpublisher controller
2021-02-16 21:56:41 -08:00

Shihang Zhang
2c378beb64
abort if namespace doesn't exist or terminating
2020-11-05 11:12:15 -08:00

Shihang Zhang
d40f0c43c4
separate RootCAConfigMap from BoundServiceAccountTokenVolume
2020-11-04 17:10:39 -08:00

zouyu
7dd4622c84
Some comments' typos

Signed-off-by: zouyu <zouy.fnst@cn.fujitsu.com>
2020-11-02 15:05:23 +08:00

qingsenLi
30bfa7d078
remove unused const failedExpiration
2020-10-22 18:57:36 +08:00

Kubernetes Prow Robot
215d2c6bce
Merge pull request #92983 from iotty/csr.clean

[pkg/controller/certificates]: remove stale func comments
2020-08-27 19:08:23 -07:00

Zhou Peng
80519cee5b
[pkg/controller/certificates]: remove stale func comments

This was introduced by commit: f04ce3cfba
Since this func is simple and clear enough, just not comment it anymore.
Signed-off-by: Zhou Peng <p@ctriple.cn>
2020-07-11 17:08:28 +08:00

David Eads
1233a6f63e
generated
2020-07-09 08:14:55 -04:00

David Eads
e88fecf26b
allow setting different certificates for kube-controller-managed CSR signers
2020-07-09 08:14:55 -04:00

Kobayashi Daisuke
4ae11dac2e
Replace StartLogging(klog.Infof) with StartStructuredLogging(0)
2020-06-15 17:48:35 +09:00

Jordan Liggitt
db4ca87d9d
Switch CSR approver/signer/cleaner controllers to v1
2020-06-05 18:45:34 -04:00

Jordan Liggitt
7049149181
Generated files
2020-05-28 16:53:23 -04:00

Jordan Liggitt
94fd1d76ca
Switch issued check to inspect certificate length
2020-05-28 12:20:40 -04:00

Jordan Liggitt
d33a19cee7
Clean failed CSRs
2020-05-28 12:20:40 -04:00

Jordan Liggitt
57eddd5e04
Record Failed condition in signer controller
2020-05-28 12:20:40 -04:00

Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00

Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00

David Eads
83035890ad
refactor the CSR controller into distinct controllers to allow easy configuration of multiple signing keys
2020-05-05 10:18:04 -04:00

Jordan Liggitt
d8abacba40
client-go: update expansions callers
2020-03-06 16:50:41 -05:00

Mike Danese
c58e69ec79
automated refactor
2020-03-05 14:59:46 -08:00

James Munnelly
d5dae04898
certificates: update controllers to understand signerName field

Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2020-02-27 15:54:31 +00:00

James Munnelly
a983356caa
Add signerName field to CSR resource spec

Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2020-02-27 10:17:55 +00:00

taesun_lee
79680b5d9b
Fix pkg/controller typos in some error messages, comments etc

- applied review results by LuisSanchez
- Co-Authored-By: Luis Sanchez <sanchezl@redhat.com>
genernal -> general
iniital -> initial
initalObjects -> initialObjects
intentionaly -> intentionally
inforer -> informer
anotother -> another
triger -> trigger
mutli -> multi
Verifyies -> Verifies
valume -> volume
unexpect -> unexpected
unfulfiled -> unfulfilled
implenets -> implements
assignement -> assignment
expectataions -> expectations
nexpected -> unexpected
boundSatsified -> boundSatisfied
externel -> external
calcuates -> calculates
workes -> workers
unitialized -> uninitialized
afater -> after
Espected -> Expected
nodeMontiorGracePeriod -> NodeMonitorGracePeriod
estimateGrracefulTermination -> estimateGracefulTermination
secondrary -> secondary
ShouldRunDaemonPodOnUnscheduableNode -> ShouldRunDaemonPodOnUnschedulableNode
rrror -> error
expectatitons -> expectations
foud -> found
epackage -> package
succesfulJobs -> successfulJobs
namesapce -> namespace
ConfigMapResynce -> ConfigMapResync
2020-02-27 00:15:33 +09:00

Mike Danese
25651408ae
generated: run refactor
2020-02-08 12:30:21 -05:00

Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00

Tim Allclair
9d3670f358
Ensure testing credentials are labeled as such
2020-02-04 10:36:05 -08:00

David Eads
5c2d2c5ef1
rename dynamic cert loading to be more accurate
2020-01-22 15:00:46 -05:00

David Eads
6ccfc3aecf
add dynamic reloading for CSR signing controllers
2020-01-22 15:00:46 -05:00

Jordan Liggitt
054e3846fc
Use v1 subjectaccessreview API in controller-manager CSR approver
2020-01-13 15:55:52 -05:00

danielqsj
5bc0e26c19
unify alias of api errors under pkg and staging
2019-12-26 16:42:28 +08:00

yuxiaobo
81e9f21f83
Correct spelling mistakes

Signed-off-by: yuxiaobo <yuxiaobogo@163.com>
2019-11-06 20:25:19 +08:00

Mike Danese
6a004d0c18
support URI SANs in local signer
2019-11-04 10:56:06 -08:00

Mike Danese
fe51712288
refactor into separate authority package
2019-11-04 10:56:06 -08:00

Mike Danese
4bd2c3998f
don't use cfssl in signer
2019-11-04 10:56:06 -08:00

Ryan Phillips
f87da3fdfa
fixes for tests to pass with FIPS compiler

* use P256 ECDSA key since P224 is not supported
* regen test certs to be 2048bits
2019-10-30 10:10:11 -05:00

wojtekt
7b6bcdf780
Autogenerated code
2019-10-24 20:21:00 +02:00

Yassine TIJANI
c1487840bc
move util/metrics to component-base

Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
2019-10-08 14:42:31 +02:00

David Eads
e8b5781499
add identification for particular certificate controllers
2019-09-03 14:05:04 -04:00

Yassine TIJANI
7e4c3096fe
move WaitForCacheSync to the sharedInformer package

Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
2019-08-22 16:13:41 +01:00