Patrick Ohly
2e34e187c9
node authorizer: lock down access for NodeResourceSlice
...
The kubelet running on one node should not be allowed to access
NodeResourceSlice objects belonging to some other node, as defined by the
NodeResourceSlice.NodeName field.
2024-03-07 16:15:52 +01:00
Kubernetes Prow Robot
05cb0a55c8
Merge pull request #123696 from aramase/aramase/f/kep_3331_v1beta1_api
...
Duplicate v1alpha1 AuthenticationConfiguration to v1beta1
2024-03-06 15:35:28 -08:00
John Mcgrath
edb0287cb1
DisableServiceLinks admission controller
2024-03-06 00:39:23 -06:00
cici37
de506ce7ac
Promote ValidatingAdmissionPolicy to GA.
2024-03-05 16:00:21 -08:00
Jiahui Feng
6b03166bed
update to inject only the list of excluded resources.
2024-03-05 11:11:10 -08:00
Anish Ramasekar
b502aa6f31
Duplicate v1alpha1 AuthenticationConfiguration to v1beta1
...
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2024-03-05 09:10:34 -08:00
Monis Khan
bc7aa13bf7
Mark StructuredAuthenticationConfiguration feature gate as beta
...
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-05 11:34:30 -05:00
Kubernetes Prow Robot
26600b17ab
Merge pull request #123561 from enj/enj/i/validate_jwt_sa_iss
...
Prevent conflicts between service account and jwt issuers
2024-03-04 20:07:24 -08:00
Jordan Liggitt
79b344d85e
Add authorization webhook duration/count/failopen metrics
2024-03-04 14:01:15 -05:00
Monis Khan
05e1eff793
Prevent conflicts between service account and jwt issuers
...
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-03-04 11:40:02 -05:00
Kubernetes Prow Robot
8845c4c657
Merge pull request #123135 from munnerz/4193-beta-promotion
...
KEP-4193: promote ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo and ServiceAccountTokenNodeBindingValidation to beta
2024-03-01 19:48:18 -08:00
Rita Zhang
e76fce7566
add authz webhook matchcondition metrics
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Jordan Liggitt <liggitt@google.com>
Co-authored-by: Jordan Liggitt <liggitt@google.com>
2024-03-01 14:41:27 -08:00
Jiahui Feng
b115df227a
update tests due to change of NewPluginInitializer.
2024-02-28 15:56:14 -08:00
Jiahui Feng
5b1fffa3e4
add resource filter to admission initializer.
2024-02-28 15:31:18 -08:00
Kubernetes Prow Robot
f139450e9b
Merge pull request #122885 from claudiubelu/unittests-10
...
unittests: Fixes unit tests for Windows (part 10)
2024-02-28 05:38:40 -08:00
Jordan Liggitt
d5d3eddb95
Add allowed/denied metrics for authorizers
2024-02-16 08:20:59 -05:00
Kubernetes Prow Robot
66d038d84d
Merge pull request #121946 from liggitt/reload-authz
...
KEP-3221: Implement authorization configuration file reloading
2024-02-15 18:37:13 -08:00
Kubernetes Prow Robot
72c3c7c924
Merge pull request #123282 from enj/enj/i/authn_config_algs
...
Support all key algs with structured authn config
2024-02-14 18:08:32 -08:00
Jordan Liggitt
5dc92ada06
Implement authz config file reloading
2024-02-14 18:09:15 -05:00
Jordan Liggitt
3a98e60a71
Move authz construction to reloader
2024-02-14 18:03:21 -05:00
Jordan Liggitt
2b00035b5f
Split construction of authorizer / ruleResolver
2024-02-14 17:06:18 -05:00
Jordan Liggitt
1fddc948ed
Split node/rbac/abac construction
2024-02-14 17:03:10 -05:00
Jordan Liggitt
49124293c3
Store constructed node/rbac/abac authorizers
2024-02-14 17:03:07 -05:00
Jordan Liggitt
5f4cb8b09a
Move kube-apiserver authz validation functions
2024-02-14 10:00:11 -05:00
Monis Khan
b5e0068325
Support all key algs with structured authn config
...
Signed-off-by: Monis Khan <mok@microsoft.com>
2024-02-14 09:40:25 -05:00
Alexander Zielenski
8b14116509
refactor: move vap into parent policy folder
...
also renames to remove stutter
comment
2024-02-12 10:58:24 -08:00
James Munnelly
e087acc791
refuse to allow apiserver to startup if ServiceAccountTokenNodeBinding is enabled without ServiceAccountTokenNodeBindingValidation
2024-02-06 14:03:50 +00:00
Claudiu Belu
b8df7e7684
unittests: Fixes unit tests for Windows (part 10)
...
Currently, there are some unit tests that are failing on
Windows due to various reasons:
- Different "File not found" error messages on Windows.
- Files need to be closed on Windows before removing them.
- The default RootHnsEndpointName (root-hnsendpoint-name) flag value is 'cbr0'.
- On Windows, Unix Domain sockets are not checked in the same way in golang, which is why hostutils_windows.go checks for it differently. GetFileType will return an error in this case. We need to check for it, and see if it's actually a Unix Domain Socket.
2024-01-22 13:43:42 +00:00
Mahe Tardy
73bec0f6d9
api: remove SecurityContextDeny admission plugin
2024-01-05 15:11:18 +00:00
Jordan Liggitt
1f40e0916e
Only default mode to AlwaysAllow when config file is unspecified
2023-11-08 11:24:28 -06:00
Jordan Liggitt
2e2f51a441
Plumb failure policy from config to webhook construction
2023-11-02 16:56:51 -04:00
Antonio Ojea
391b25197b
add apis to apiserver storage
...
Change-Id: I33dfbdad98695a6438c55d841139476cb1d740d7
2023-10-31 21:05:04 +00:00
Kubernetes Prow Robot
dba565193c
Merge pull request #121104 from carlory/kep-3751-api-changes
...
[KEP-3571] introduce the VolumeAttributesClass API
2023-10-31 20:23:50 +01:00
Kubernetes Prow Robot
064e86b3d0
Merge pull request #121223 from ritazh/authz-cel
...
[StructuredAuthorizationConfig] - CEL integration
2023-10-31 13:13:56 +01:00
Rita Zhang
31c76e9abb
authz: add cel expression to webhook matchconditions
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
2023-10-30 21:48:00 -07:00
carlory
ae90a69677
volumeattributesclass and core api changes
2023-10-31 11:18:56 +08:00
James Munnelly
76463e21d4
KEP-4193: bound service account token improvements
2023-10-30 21:15:10 +00:00
Kubernetes Prow Robot
b7e5cbf1cf
Merge pull request #121301 from sttts/sttts-validate-cloud-provider-2
...
kubeapiserver/options: fix cloud provider validation
2023-10-26 01:08:14 +02:00
Nabarun Pal
22e5a806a7
Add --authorization-config flag to apiserver
...
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-10-18 11:58:47 +05:30
Kubernetes Prow Robot
d22e315c4a
Merge pull request #120910 from palnabarun/3221/fix-kubeconfig-file-type-name
...
staging/apiserver: correct KubeConfig type name in authorization types
2023-10-17 18:50:33 +02:00
Dr. Stefan Schimanski
72e67e0ef0
kubeapiserver/options: fix cloud provider validation
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2023-10-17 17:50:25 +02:00
Nabarun Pal
2bf2c4f3a4
staging/apiserver: correct KubeConfigFile type in authorization types
...
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-10-17 20:01:27 +05:30
Kubernetes Prow Robot
91c172e670
Merge pull request #121108 from sttts/sttts-validate-cloud-provider
...
kube-apiserver: move cloud provider validation into options
2023-10-17 16:14:10 +02:00
Kubernetes Prow Robot
ac66f3d466
Merge pull request #121010 from Jefftree/decouple-openapi-v2v3-config
...
Decouple openapi v2v3 config
2023-10-16 23:41:11 +02:00
Jefftree
b30c6bdff8
Fix v3 spec
2023-10-16 15:05:13 -04:00
Antonio Ojea
c2d473f0d4
remove ClusterCIDR
...
KEP-2593 proposed to expand the existing node-ipam controller
to be configurable via ClusterCIDR objects, however, there
were reasonable doubts on the SIG about the feature and after
several months of discussions we decided to not move forward
with the KEP in-tree, hence, we are going to remove the existing
code, that is still in alpha.
https://groups.google.com/g/kubernetes-sig-network/c/nts1xEZ--gQ/m/2aTOUNFFAAAJ
Change-Id: Ieaf2007b0b23c296cde333247bfb672441fe6dfc
2023-10-14 19:06:22 +00:00
Dr. Stefan Schimanski
0f989046d0
kube-apiserver: move cloud provider validation into options
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2023-10-10 22:43:23 +02:00
Nabarun Pal
3de0d9afbb
pkg/kubeapiserver: pass authorizer in top level while building from legacy options
...
Signed-off-by: Nabarun Pal <pal.nabarun95@gmail.com>
2023-10-04 14:17:16 +05:30
Kubernetes Prow Robot
26c3f66887
Merge pull request #120903 from dims/deprecate-cloud-provider-and-config-cli-params
...
Deprecate cloud-provider/cloud-config in apiserver CLI
2023-09-27 18:17:33 -07:00
Dr. Stefan Schimanski
6395049176
controlplane: make option structs uniformly optional
...
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2023-09-27 11:22:37 +02:00