Commit Graph

771 Commits (25ce84b34e17c2368f526e6a3a95b815f5bca481)

Author SHA1 Message Date
deads2k 432e6ecdae allow impersonating user.Info.Extra 2016-08-22 07:43:52 -04:00
Kubernetes Submit Queue 5b5a4145da Merge pull request #30821 from ardnaxelarak/21076_change_isEmpty_to_Empty
Automatic merge from submit-queue

Rename IsEmpty to Empty

addresses #21076
2016-08-22 00:54:28 -07:00
Kubernetes Submit Queue 7979801e54 Merge pull request #28860 from ericchiang/separate-apiserver-authz-options
Automatic merge from submit-queue

pkg/genericapiserver/options: don't import pkg/apiserver

Refactor the authorization options for the API server so
pkg/apiserver isn't directly imported by the options package.

Closes #28544

cc @smarterclayton

@madhusudancs, @nikhiljindal I've updated `federation/cmd/federation-apiserver/app/server.go` to include the RBAC options with this change. I don't know if this was intentionally left out in the first place but would like your feedback.
2016-08-21 09:49:14 -07:00
Kubernetes Submit Queue 7272cd09e3 Merge pull request #26541 from sttts/sttts-kubectl-exec-rc
Automatic merge from submit-queue

Return container command exit codes in kubectl run/exec

Fixes https://github.com/kubernetes/kubernetes/issues/26424
Based on https://github.com/kubernetes/kubernetes/pull/25273.

TODO:
- [x] add e2e tests
- [x] investigate `kubectl run` exit code for `--restart=Never` (compare issue #24533 and PR #25253)
- [x] document exit codes
2016-08-21 00:44:55 -07:00
Kubernetes Submit Queue d07348dd84 Merge pull request #30803 from deads2k/impersonate-groups
Automatic merge from submit-queue

allow group impersonation

Adds an "Impersonate-Group" header that can be used to specify exactly which groups to use on an impersonation request.  

This also restructures the code to make it easier to add the scopes header next.  This closely parallels the "Impersonate-User" header, so I figured I'd start easy.

@kubernetes/sig-auth 
@ericchiang are you comfortable reviewing?
2016-08-20 10:10:32 -07:00
bindata-mockuser ce7f003f57 Add protocol versions to pkg/util/wsstream 2016-08-20 15:58:10 +02:00
Kubernetes Submit Queue 78cb692327 Merge pull request #30736 from liggitt/close-websocket-watch
Automatic merge from submit-queue

Close websocket watch when client closes

fixes https://github.com/kubernetes/kubernetes/issues/30735
2016-08-19 15:47:47 -07:00
Kara Alexandra d12a66a422 Rename IsEmpty to Empty
Signed-off-by: Kara Alexandra <kalexandra@us.ibm.com>
2016-08-19 14:19:19 -07:00
Eric Chiang b4eaf625a0 pkg/genericapiserver/options: don't import pkg/apiserver
Refactor the authorization options for the API server so
pkg/apiserver isn't directly imported by the options package.
2016-08-18 13:01:50 -07:00
Clayton Coleman 12a5eeea17
Introduce GroupVersioner for capturing desired target version
Convert single GV and lists of GVs into an interface that can handle
more complex scenarios (everything internal, nothing supported). Pass
the interface down into conversion.
2016-08-18 14:45:00 -04:00
deads2k fb56512ea2 allow group impersonation 2016-08-18 08:02:44 -04:00
Jordan Liggitt fdb7c93a97
Close websocket watch when client closes 2016-08-17 15:20:05 -04:00
PingWang 8760ae697e implement restful for InstallLogsSupport
Signed-off-by: PingWang <wang.ping5@zte.com.cn>

add ws.doc

Signed-off-by: PingWang <wang.ping5@zte.com.cn>

run hack/update-swagger-spec.sh

Signed-off-by: PingWang <wang.ping5@zte.com.cn>

update update-swagger-spec.sh

Signed-off-by: PingWang <wang.ping5@zte.com.cn>

update apiserver_test.go

Signed-off-by: PingWang <wang.ping5@zte.com.cn>

update comment

Signed-off-by: PingWang <wang.ping5@zte.com.cn>
2016-08-16 09:09:02 +08:00
Kubernetes Submit Queue 3a71e8c9f4 Merge pull request #30457 from ericchiang/reorder-autenticators
Automatic merge from submit-queue

pkg/apiserver/authenticator: reorder oidc plugin to auth after service accounts

Both plugins verify JWTs, but the OpenID Connect plugin performs
much worse when faced with cache misses. Reorder the plugins so
the service account plugin tries to authenticate a bearer token
first.

I had a fun time with this by writing an OpenID Connect provider that stores its data in third party resources. When it's running in the cluster it uses a service account and caused some interesting behavior when the keys expired.

Our OpenID Connect plugin needs a more sophisticated caching model to avoid continuously re-requesting keys when seeing a lot of tokens it doesn't recognize. However, I feel this reordering is generally useful since service accounts will be more common than OpenID Connect tokens.

cc @kubernetes/sig-auth
2016-08-15 09:39:02 -07:00
Kubernetes Submit Queue 3a8b21b3a5 Merge pull request #29724 from brendandburns/thirdparty3
Automatic merge from submit-queue

Fix third party APIResource reporting

@polvi @caesarxuchao @deads2k 

This "fixes" some additional bugs in third party `APIResourceList` reporting.

This code needs a bunch of cleanup, and more tests, but sending it out for a quick smell check review in case I'm doing something stupid.

Fixes the bug referenced here:  https://github.com/kubernetes/kubernetes/pull/28414#issuecomment-235346108 and in https://github.com/kubernetes/kubernetes/issues/23831

Fixes https://github.com/kubernetes/kubernetes/issues/25570
2016-08-13 17:10:20 -07:00
Brendan Burns b3658c7b16 Fix third party APIResource reporting 2016-08-13 15:51:34 -07:00
Maciej Szulik 24f1e1eaf6 Basic audit log 2016-08-12 12:27:19 +02:00
Eric Chiang 9b5ce5218f pkg/apiserver/authenticator: move oidc after service accounts
Both plugins verify JWTs, but the OpenID Connect plugin performs
much worse when faced with cache misses. Reorder the plugins so
the service account plugin tries to authenticate a bearer token
first.
2016-08-11 09:41:50 -07:00
Kubernetes Submit Queue 64af5b074e Merge pull request #29594 from xiang90/fix_panic
Automatic merge from submit-queue

apiserver: fix timeout handler

Protect access of the original writer. Panics if anything has wrote
into the original writer or the writer is hijacked when times out.

Fix #29001 

/cc @smarterclayton @lavalamp 

The next step would be respect the request context once 1.7 is out.

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.kubernetes.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.kubernetes.io/reviews/kubernetes/kubernetes/29594)
<!-- Reviewable:end -->
2016-08-09 17:48:33 -07:00
Xiang Li c995050ee3 apiserver: fix timeout handler
Protect access of the original writer. Panics if anything has wrote
into the original writer or the writer is hijacked when times out.
2016-08-09 12:39:40 -07:00
Timothy St. Clair 24993b0343 Update generated files due to dependency shift.
Also minor bug fix in federation api.
2016-08-09 10:41:09 -05:00
Chao Xu 4d2350632c only store typeMeta and objectMeta in the gc store 2016-08-08 17:23:13 -07:00
Kubernetes Submit Queue 2537f66f0e Merge pull request #29230 from luxas/goimport
Automatic merge from submit-queue

Run goimport for the whole repo

While removing GOMAXPROC and running goimports, I noticed quite a lot of other files also needed a goimport format. Didn't commit `*.generated.go`, `*.deepcopy.go` or files in `vendor`

This is more for testing if it builds.
The only strange thing here is the gopkg.in/gcfg.v1 => github.com/scalingdata/gcfg replace.
cc @jfrazelle @thockin
2016-08-05 16:22:01 -07:00
Andrey Kurilin dfa18ceb5f Fix various typos in apiserver pkg 2016-08-04 01:15:15 +03:00
Lucas Käldström c88a07ce1a Run goimports 2016-08-02 15:12:39 +03:00
DongXiugang 418b9c1ca2 fix a wrong word in the comment
the wrong word in this sentence "If msg is empty, a suitable default message with be sent." “with” change to "will".
2016-07-27 09:13:34 +08:00
Klaus Ma d0c67d8fee Removed unnecessary empty line. 2016-07-21 18:07:36 +08:00
Ivan Shvedunov 02baa44948 Fix update validation for pods w/init containers. 2016-07-20 00:30:12 +03:00
k8s-merge-robot 1e9edfc5c3 Merge pull request #29045 from lixiaobing10051267/mastererrNotAcceptable
Automatic merge from submit-queue

Type define note "errNotAcceptable" should be "errUnsupportedMediaType"

In file "pkg\apiserver\errors.go", line 129:
"// errNotAcceptable indicates Content-Type is not recognized"
Here "errNotAcceptable" shuould be "errUnsupportedMediaType", thus consistent with line 131:
"type errUnsupportedMediaType struct"
2016-07-19 01:10:41 -07:00
k8s-merge-robot 8d46d9b0c7 Merge pull request #28281 from nhlfr/authorize-return-bool
Automatic merge from submit-queue

Return (bool, error) in Authorizer.Authorize()

Before this change, Authorize() method was just returning an error, regardless of whether the user is unauthorized or whether there is some other unrelated error. Returning boolean with information about user authorization and error (which should be unrelated to the authorization) separately will make it easier to debug.

Fixes #27974
2016-07-18 21:40:26 -07:00
k8s-merge-robot 6108725869 Merge pull request #29047 from lixiaobing10051267/masterServe
Automatic merge from submit-queue

Apiserver ServeHTTP() modify

In File "pkg\apiserver\watch.go", line 123:
"// Serve serves a series of encoded events via HTTP with Transfer-Encoding: chunked"
Here "Serve" should be "ServeHTTP" because the func name is ServeHTTP:
"func (s *WatchServer) ServeHTTP(w http.ResponseWriter, req *http.Request)"
2016-07-18 12:43:04 -07:00
Michal Rostecki fa0dd46ab7 Return (bool, error) in Authorizer.Authorize()
Before this change, Authorize() method was just returning an error,
regardless of whether the user is unauthorized or whether there
is some other unrelated error. Returning boolean with information
about user authorization and error (which should be unrelated to
the authorization) separately will make it easier to debug.

Fixes #27974
2016-07-18 12:06:54 +02:00
Davanum Srinivas 2b0ed014b7 Use Go canonical import paths
Add canonical imports only in existing doc.go files.
https://golang.org/doc/go1.4#canonicalimports

Fixes #29014
2016-07-16 13:48:21 -04:00
lixiaobing10051267 97219275b1 Apiserver ServeHTTP() modify 2016-07-16 12:29:11 +08:00
lixiaobing10051267 7ecae85493 Type define note "errNotAcceptable indicates Content-Type is not recognized" wrong 2016-07-16 11:31:52 +08:00
Daniel Smith 78c02cd052 Stop eating panics 2016-07-13 11:12:59 -07:00
k8s-merge-robot 038ac428f4 Merge pull request #28036 from ericchiang/oidc-auth-plugin-dont-error-if-provider-is-unavailable
Automatic merge from submit-queue

oidc auth plugin: don't hard fail if provider is unavailable

When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.

cc @sym3tri @erictune @aaronlevy @kubernetes/sig-auth
2016-06-30 13:02:16 -07:00
Eric Chiang 2f6db37ff5 oidc auth plugin: don't hard fail if provider is unavailable
When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.
2016-06-29 23:20:26 -07:00
David McMahon ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
k8s-merge-robot 6fbf99b11a Merge pull request #26753 from ericchiang/rbac-authorizer-tests
Automatic merge from submit-queue

add unit and integration tests for rbac authorizer

This PR adds lots of tests for the RBAC authorizer. 

The plan over the next couple days is to add a lot more test cases.

Updates #23396

cc @erictune
2016-06-19 19:19:08 -07:00
k8s-merge-robot ba771e7135 Merge pull request #27192 from smarterclayton/signature_change
Automatic merge from submit-queue

Remove EncodeToStream(..., []unversioned.GroupVersion)

Was not being used. Is a signature change and is necessary for post 1.3 work on Templates and other objects that nest objects.

Extracted from #26044
2016-06-19 16:13:07 -07:00
Eric Chiang d13e351028 add unit and integration tests for rbac authorizer 2016-06-14 11:07:48 -07:00
Clayton Coleman 36a5ffbe2f
Remove EncodeToStream(..., []unversioned.GroupVersion)
Was not being used.
2016-06-10 18:43:12 -04:00
Andy Goldstein e3af3451c8
ObjectMeta, ListMeta, and TypeMeta should implement their interfaces
Make unversioned.ListMeta implement List. Update all the *List types so they implement GetListMeta.
This helps avoid using reflection to get list information.

Remove all unnecessary boilerplate, move the interfaces to the right
places, and add a test that verifies that objects implement one, the
other, but never both.
2016-06-10 13:28:54 -04:00
k8s-merge-robot dfe5de3bcb Merge pull request #25731 from Pensu/master
Automatic merge from submit-queue

Adding version.Info in apiserver.go

Fixes #17176
2016-06-06 12:06:32 -07:00
Peeyush Gupta 1a9f7e9a0c Adding version.Info in apiserver.go 2016-06-06 14:15:24 +05:30
k8s-merge-robot ce788c45ef Merge pull request #26085 from smarterclayton/delay_flush
Automatic merge from submit-queue

Delay flush if the watch queue has pending items

Simple deferral of flush can reduce Syscalls when watch queues build up.

Simpler version of #24768

Fixes #24729

@xiang90 @wojtek-t
2016-05-28 11:53:51 -07:00
k8s-merge-robot e543bd6452 Merge pull request #26007 from smarterclayton/watch_opt
Automatic merge from submit-queue

Additional optimizations to the encode/decode paths

Builds on top of #25983 with a number of other optimizations.
2016-05-28 06:27:00 -07:00
Eric Chiang ef40aa9572 pkg/master: enable certificates API and add rbac authorizer 2016-05-25 14:24:47 -07:00
Jordan Liggitt 29252acd1a Change rest storage Update interface to retrieve updated object
Add OldObject to admission attributes

Update resthandler Patch/Update admission plumbing
2016-05-23 21:09:26 -04:00