github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
63,876 Commits
32 Branches
881 Tags
633 MiB
Commit Graph

93 Commits (12fd0a8aca14e727004d4b6c63734a07ec620ee8)

Author SHA1 Message Date
Michael Taufen ab8dc12333 node authorizer sets up access rules for dynamic config 
This PR makes the node authorizer automatically set up access rules for
dynamic Kubelet config.

I also added some validation to the node strategy, which I discovered we
were missing while writing this.
 2018-03-27 08:49:45 -07:00
xuzhonghu 70d5af6e7b stop using AlwaysAdmit admission 2018-03-13 20:02:56 +08:00
Mike Danese 024f57affe implement token authenticator for new id tokens 2018-02-27 17:20:46 -08:00
Mike Danese b43cd7307d noderestriction: restrict nodes TokenRequest permission 
nodes should only be able to create TokenRequests if:
* token is bound to a pod
* binding has uid and name
* the pod exists
* the pod is running on that node
 2018-02-26 13:46:19 -08:00
Mike Danese b2ceeedd67 tokenrequest: tokens bound to pods running as other svcaccts 2018-02-24 22:18:24 -08:00
Mike Danese 32bf28daed integration: refactor, cleanup, and add more tests for TokenRequest 2018-02-23 14:59:35 -08:00
Kubernetes Submit Queue 8b94ae8ca8
Merge pull request #58111 from mikedanese/id-registry 
Automatic merge from submit-queue (batch tested with PRs 60158, 60156, 58111, 57583, 60055). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

add support for /token subresource in serviceaccount registry

I'm planning on implementing the registry bits (this) in one PR and followup with an authenticator that supports new id tokens.

https://github.com/kubernetes/kubernetes/issues/58790

@kubernetes/sig-auth-pr-reviews 

```release-note
NONE
```
 2018-02-21 22:10:31 -08:00
Mike Danese 8ad1c6655b add support for /token subresource in serviceaccount registry 2018-02-21 13:16:51 -08:00
Mike Danese 7b4722964d remove deprecated /proxy paths 
These were depercated in v1.2.
 2018-02-20 14:42:19 -08:00
Jeff Grafton ef56a8d6bb Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
Dr. Stefan Schimanski 4e0114b0dd apiserver: make SecureServingOptions and authz/n options re-usable 2018-02-13 11:16:38 +01:00
NickrenREN 7b9d2c046f Use v1beta1 VolumeAttachment 2018-01-31 18:46:11 +08:00
Kubernetes Submit Queue 621f3f3c0a
Merge pull request #58360 from liggitt/csi-node-authorizer 
Automatic merge from submit-queue (batch tested with PRs 58488, 58360). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add get volumeattachment to the node authorizer

Fixes #58355

Adds `get volumeattachment` authorization for nodes to the node authorizer when the CSI feature is enabled

```release-note
NONE
```
 2018-01-18 20:55:34 -08:00
Gavin f653d02b05 create auto-gen files 2018-01-17 16:23:03 +08:00
Gavin bb5e156aba Add generic Bootstrap Token constants and helpers to client-go 2018-01-17 16:22:37 +08:00
Jordan Liggitt ecfd18e2a6
Add get volumeattachments support to Node authorizer 2018-01-17 00:00:18 -05:00
Jordan Liggitt ba09fadecf
Plumb versioned informers to authz config 2018-01-16 23:30:53 -05:00
Eric Chiang ce0a8303d6 integration: add retries to node authorizer tests 2018-01-10 15:55:18 -08:00
Hemant Kumar 1b76b0b2ff Allow node to update PVC's status 
Implement node policy feature gates
Add tests for node policy update
 2017-11-22 14:32:50 -05:00
Dr. Stefan Schimanski bec617f3cc Update generated files 2017-11-09 12:14:08 +01:00
Dr. Stefan Schimanski 012b085ac8 pkg/apis/core: mechanical import fixes in dependencies 2017-11-09 12:14:08 +01:00
Mike Danese 12125455d8 move authorizers over to new interface 2017-11-03 13:46:28 -07:00
Dr. Stefan Schimanski 2452afffe0 admission: wire create+update validation func into kube registries 2017-11-02 09:29:16 +01:00
Dr. Stefan Schimanski cad0364e73 Update bazel 2017-10-18 17:24:04 +02:00
Dr. Stefan Schimanski 7773a30f67 pkg/api/legacyscheme: fixup imports 2017-10-18 17:23:55 +02:00
Jeff Grafton aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
Jordan Liggitt e45ed2d5b9
fix typo in health check url 2017-10-03 16:44:38 -04:00
Dr. Stefan Schimanski 7d09148ad7 apiserver: separate apiserver specific configs into ExtraConfig 2017-09-08 14:16:09 +02:00
xilabao f14c138438 add selfsubjectrulesreview api 2017-09-01 19:09:43 +08:00
Huamin Chen 4525446af2 azure file volume: add secret namespace api 
Signed-off-by: Huamin Chen <hchen@redhat.com>
 2017-08-24 14:49:58 +00:00
Jeff Grafton a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton 33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
Jordan Liggitt dd7be70a4a
Add rbac.authorization.k8s.io/v1 2017-08-09 17:04:54 -04:00
Jordan Liggitt d65610bf2f
Remove default binding of system:node role to system:nodes group 2017-07-26 13:53:14 -04:00
Kubernetes Submit Queue 4d2a721223 Merge pull request #48707 from danielfm/node-restriction-pod-eviction-subresource 
Automatic merge from submit-queue

Allow nodes to create evictions for its own pods in NodeRestriction admission controller

**What this PR does / why we need it**: This PR adds support for `pods/eviction` sub-resource to the NodeRestriction admission controller so it allows a node to evict pods bound to itself.

**Which issue this PR fixes**: fixes #48666

**Special notes for your reviewer**: The NodeRestriction already allows nodes to delete pods bound to itself, so allowing nodes to also delete pods via the Eviction API probably makes sense.

```release-note
NodeRestriction allows a node to evict pods bound to itself
```
 2017-07-23 04:16:51 -07:00
Daniel Fernandes Martins 81ba522bbe Make NodeRestriction admission allow evictions for bounded pods 2017-07-20 14:20:03 -03:00
Haoran Wang f02008338f add integration testing for bootstrap token auth 2017-07-20 22:34:21 +08:00
Eric Chiang e2f2ab67f2 *: remove --insecure-allow-any-token option 
e2e and integration tests have been switched over to the tokenfile
authenticator instead.

```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```
 2017-07-18 16:03:15 -07:00
Jacob Simpson 8bcbbd4d08 Migrate api.Registry to testapi.Groups in tests. 2017-07-17 15:05:38 -07:00
Mike Danese 6ae11fdc5d use testmain in integration tests 2017-07-12 17:34:55 -07:00
Chao Xu 60604f8818 run hack/update-all 2017-06-22 11:31:03 -07:00
Chao Xu cde4772928 run ./root-rewrite-all-other-apis.sh, then run make all, pkg/... compiles 2017-06-22 11:30:52 -07:00
Jordan Liggitt fc8e915a4b
Add Node authorization mode based on graph of node-related objects 2017-05-30 16:53:03 -04:00
deads2k be39283923 plumb stopch to post start hook index since many of them are starting go funcs 2017-05-11 09:16:13 -04:00
Mike Danese 21617a60ae don't use build tags to mark integration tests 2017-04-28 14:19:39 -07:00
Jordan Liggitt 7f4e5c5676
Use namespace from context 2017-03-07 14:02:13 -05:00
Jordan Liggitt 2a76fa1c8f
Switch RBAC subject apiVersion to apiGroup in v1beta1 2017-02-13 15:33:09 -05:00
Dr. Stefan Schimanski 536460e1d9 Mechanical fixup imports: pkg/genericapiserver 2017-02-03 08:15:45 +01:00
deads2k 0d8e6b8500 move genericapiserver authenticator and authorizer factories 2017-01-26 08:50:47 -05:00
Dr. Stefan Schimanski 4077e0bba7 genericapiserver: move authn plugins into k8s.io/apiserver 2017-01-24 20:56:03 +01:00