github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
23,571 Commits
32 Branches
881 Tags
633 MiB
Commit Graph

208 Commits (458eb5284abd6933c620ba8ea383032f225e0885)

Author SHA1 Message Date
Chao Xu 3dc5223f4f check if experimental is enabled during startup of client and server 2015-09-11 17:34:32 -07:00
Chao Xu dd6c121d7f massive changes 2015-09-11 17:31:47 -07:00
Daniel Smith ccd9e3e247 Run all automated tools 2015-09-11 16:11:08 -07:00
Daniel Smith 4c2adabf42 move; sed replace 2015-09-11 16:03:22 -07:00
k8s-merge-robot f867ba3ba1 Merge pull request #13682 from ryfow/block-startup-for-cert 
Auto commit by PR queue bot
 2015-09-10 00:24:23 -07:00
k8s-merge-robot 434f05c0e3 Merge pull request #13705 from liggitt/attach 
Auto commit by PR queue bot
 2015-09-09 18:19:35 -07:00
k8s-merge-robot 45742e885c Merge pull request #13452 from aveshagarwal/master-api-rate-burst-remove 
Auto commit by PR queue bot
 2015-09-09 00:42:59 -07:00
Jordan Liggitt b2268574c5 Add pods/attach to long running requests, protect in admission for privileged pods 2015-09-09 00:49:00 -04:00
k8s-merge-robot 015389eba1 Merge pull request #13672 from jayunit100/apiserver-cert-doc 
Auto commit by PR queue bot
 2015-09-08 11:42:28 -07:00
Ryan Fowler d22a29cf66 Block apiserver startup on certificate 
With some regularity, if the root certificate file needs to be generated
the apiserver could come up on the non-secure port before the cert
was generated.

`hack/local-up-cluster.sh` requires that apiserver.crt exists
before the replication controller starts. Otherwise service accounts
and secrets don't work.

This change just takes the certificate handling code out of the `go`.
 2015-09-08 11:35:32 -05:00
jay vyas 4283201aea [minor] cert file cmd line string fix 2015-09-08 09:50:15 -04:00
Ruddarraju, Uday Kumar Raju f8d6f13f7c Union of authorizers 2015-09-04 11:04:50 -07:00
derekwaynecarr ab1f4c5c2c Fix typo in api server flag 2015-09-04 11:38:36 -04:00
Piotr Szczesniak 48b9c365c7 Merge pull request #13308 from timothysc/watch-cache-disable 
Plumb through configuration option to disable watch cache
 2015-09-04 13:40:46 +02:00
Avesh Agarwal f0d0e2a089 Remove unused api-rate and api-burst params. 2015-09-03 17:57:35 -04:00
Piotr Szczesniak 7967642cf0 Implemented first version of InitialResources plugin. 2015-09-01 17:24:13 +02:00
Timothy St. Clair 2145371c45 Plumb through configuration option to disable watch cache 
because we are seeing anomolies on our cluster.
 2015-08-28 12:36:40 -05:00
Yu-Ju Hong 3bc2157889 Merge pull request #13100 from pweil-/cap-priv-sources 
use privileged source object
 2015-08-25 16:10:50 -07:00
Yifan Gu aca6368e3c plugin/oidc: add minor documentation details. 2015-08-24 15:25:26 -07:00
Paul Weil 709e654686 use privileged source object 2015-08-24 16:53:43 -04:00
Yifan Gu 6376e41850 plugin/pkg/auth: add OpenID Connect token authenticator. 
Also add related new flags to apiserver:
"--oidc-issuer-url", "--oidc-client-id", "--oidc-ca-file", "--oidc-username-claim",
to enable OpenID Connect authentication.
 2015-08-21 15:27:08 -07:00
Saad Ali c1a2c6dee7 Merge pull request #10713 from thockin/no-localhost-endpoints 
Check loopback and link-local multicast endpoints
 2015-08-19 12:48:33 -07:00
gmarek 3c907b33e1 Remove external function setting Kubelet flags 2015-08-19 13:20:41 +02:00
Tim Hockin 86f4535871 Check loopback and link-local multicast endpoints 
Previously we just disallowed link-local (unicast).  This disallows loopback
and link-local multicast.
 2015-08-18 21:50:27 -07:00
Kris Rousey ae6c64d9bb Moving everyone to unversioned client 2015-08-18 10:23:03 -07:00
Bin Wang 0547c52c2c Enforce specified service-cluster-ip-range is not too large 2015-08-18 10:35:21 +08:00
Eric Paris 347c7b5b82 Mark some flags as deprecated so thus don't show up in help 2015-08-14 19:28:03 -04:00
Ruddarraju, Uday Kumar Raju 937db3f70d Keystone authentication plugin 2015-08-13 09:46:30 -07:00
Bryan Stenson 9541414742 create cloudprovider "providers" package 
move all providers into new package
    update all references to old package path
 2015-08-11 22:36:51 -07:00
Eric Paris 1333fad22a Remove BindClientConfigFlags entirely 
They are unused.
 2015-08-11 16:26:24 -04:00
Alex Robinson 11fcd3bb39 Merge pull request #12478 from eparis/use-pflag-network 
Use pflags for net.IP and net.IPNet instead of custom flag types
 2015-08-10 11:55:54 -07:00
Eric Paris f3282ff4d2 Use pflag IPNet instead of our own helpers 
Since pflag can handle net.IPNet arguements use that code. This means
that our code no longer has casts back and forth and just natively uses
net.IPNet.
 2015-08-10 10:15:08 -04:00
Eric Paris fe6b633e2a Convert for util.IP to just use a net.IP 
pflag can handle IP addresses so use the pflag code instead of doing it
ourselves. This means our code just uses net.IP and we don't have all of
the useless casting back and forth!
 2015-08-10 10:15:05 -04:00
Veres Lajos 9f77e49109 typofix - https://github.com/vlajos/misspell_fixer 2015-08-08 22:31:48 +01:00
Eric Paris 7cbb52ce04 Use the pflag StringSlice instead of implementing it ourselves 
Saves code and makes our code easier to read because we just use normal
[]string instead of custom type.
 2015-08-06 19:16:13 -04:00
Mike Danese 17defc7383 run gofmt on everything we touched 2015-08-05 17:52:56 -07:00
Mike Danese 8e33cbfa28 rewrite go imports 2015-08-05 17:30:03 -07:00
Muhammed Uluyol 58a875ac2c Add (stopgap) support for an experimental API prefix. 2015-07-30 18:14:29 -07:00
Wojciech Tyczynski 99d6b0e9f4 Rename storage interfaces 2015-07-30 10:34:57 +02:00
Wojciech Tyczynski d17985f1ad Move StorageInterface to pkg/storage. 2015-07-30 09:32:04 +02:00
Brendan Burns 99b02bfe73 Add optional throttling to the proxy/exec/attach methods 2015-07-29 13:51:20 -07:00
Marek Grabowski 7cc1855c27 Merge pull request #11806 from wojtek-t/private_etcd_helper 
Make EtcdHelper private - expose only StorageInterface
 2015-07-27 11:21:28 +02:00
Marek Grabowski 00cd52dd68 Merge pull request #10656 from krousey/timeouts 
Adding proper timeouts.
 2015-07-27 10:56:58 +02:00
Wojciech Tyczynski 9d943df397 Private EtcdHelper 2015-07-27 09:20:13 +02:00
Mike Danese 859f440f74 Merge pull request #11666 from wojtek-t/refactor_etcd_helper 
Extract EtcdHelper interface
 2015-07-24 11:07:46 -07:00
Mike Danese ae1c8e55ef Merge pull request #11737 from thockin/cleanup-remove-v1beta3 
Remove v1beta3
 2015-07-24 10:25:56 -07:00
Wojciech Tyczynski fdb3f45077 Extract EtcdHelper interface 2015-07-24 09:28:02 +02:00
Vish Kannan 2a5a6b99cb Merge pull request #10635 from smarterclayton/cloud_provider_should_err 
Cloud provider should return an error
 2015-07-23 17:50:45 -07:00
Tim Hockin 1c3233a1d4 Remove v1beta3 2015-07-23 17:21:27 -07:00
Wojciech Tyczynski ee92aa3897 Prepare for extracting EtcdHelper interface 2015-07-23 09:37:39 +02:00
Kris Rousey 1d033b9912 Adding proper timeouts. 2015-07-10 14:42:59 -07:00
nikhiljindal c465a50891 Stop exposing v1beta3 by default 2015-07-08 15:27:41 -07:00
Eric Paris cde68d294b Do not create subject alt dns names for kubelet self signed certs 
PR #10643 Started adding the dns names for the kubernetes master to self
sign certs which were created. The kubelet uses this same code, and thus
the kubelet cert started saying it was valid for these name as well.
While hardless, the kubelet cert shouldn't claim to be these things. So
make the caller explicitly list both their ip and dns subject alt names.
 2015-07-04 23:01:01 -04:00
Eric Paris 7a29af4d2c Add Subject Alt Names to self signed apiserver certs 
A cert from GCE shows:
- IP Address:23.236.49.122
- IP Address:10.0.0.1
- DNS:kubernetes,
- DNS:kubernetes.default
- DNS:kubernetes.default.svc
- DNS:kubernetes.default.svc.cluster.local
- DNS:e2e-test-zml-master

A similarly configured self signed cert shows:
- IP Address:23.236.49.122
- IP Address:10.0.0.1
- DNS:kubernetes
- DNS:kubernetes.default
- DNS:kubernetes.default.svc

So we are missing the fqdn kubernetes.default.svc.cluster.local. The
apiserver does not even know the fqdn! it's defined entirely by the
kubelet! We also do not have the cluster name certificate. This may be
--cluster-name= argument to the apiserver but will take a bit more
research.
 2015-07-01 17:05:17 -04:00
Clayton Coleman d8bb4552de Cloud provider should return an error 
Not fatal - makes cloud provider useful in methods that
can return error.
 2015-07-01 14:41:49 -04:00
Aaron Levy e991a1543f Use blank default for old-etcd-prefix 2015-06-26 18:19:40 -07:00
Jordan Liggitt 64d61185eb Re-enable ECDSA private server key use 2015-06-16 23:03:29 -04:00
Mike Danese 677855f1a9 fix longRunningRequestRE to something that doesn'tt push -f orig match pretty much all requests. 2015-06-16 13:48:10 -07:00
Justin Santa Barbara 6f3879e3bb Actually pass down ServiceNodePortRange so it is used 
Also fix default range to match what we've documented (off-by-one)

Fix #9318
 2015-06-08 18:03:42 -04:00
krousey 5aa0219ada Merge pull request #9292 from cjcullen/test_pull_8946 
Add an ssh tunnel option to the /proxy endpoint
 2015-06-08 14:30:12 -07:00
CJ Cullen cb317604ab Some refactoring. Only selectively use ssh proxy. 
Add NetworkName to gce.Config.
Add locking to uses of master.tunnels.
 2015-06-05 14:55:16 -07:00
Brendan Burns 5115fd5703 Add key generation. 2015-06-05 14:55:15 -07:00
Brendan Burns 30a89968a4 Initial proxy tunnelling. 2015-06-05 14:54:20 -07:00
Prashanth Balasubramanian 50eb9ad598 Use https only for the kubelet port 2015-06-05 14:06:38 -07:00
Chao Xu ef61b031f5 make v1 enabled by default 2015-06-04 11:37:44 -07:00
Daniel Smith 1690617ee6 remove ro service 2015-06-03 16:45:54 -07:00
Prashanth Balasubramanian 0162529ea5 Default minRequestTimeout to 1800s 2015-06-03 08:47:45 -07:00
Prashanth Balasubramanian 448867073d Pipe minRequestTimeout as an arg to the apiserver 2015-06-03 08:44:14 -07:00
CJ Cullen 934c553c04 Clarify description/usage of --advertise-address, Master.PublicAddress 2015-06-02 15:23:32 -07:00
CJ Cullen 085a48a70e Add an advertise-address flag. This allows the address that the apiserver binds 
to (possibly 0.0.0.0) to be different than the address on which members of the cluster
can reach the apiserver (possibly not a local interface).
 2015-06-02 14:33:15 -07:00
Eric Tune 3db1f69eea Merge pull request #8764 from eparis/sd_notify 
API server explicitly notify systemd of successful startup
 2015-06-01 10:28:49 -07:00
Kris f4e2c738f6 Delete deprecated API versions 
pkg/service:

There were a couple of references here just as a reminder to change the
behavior of findPort. As of v1beta3, TargetPort was always defaulted, so
we could remove findDefaultPort and related tests.

pkg/apiserver:

The tests were using versioned API codecs for some of their encoding
tests. Necessary API types had to be written and registered with the
fake versioned codecs.

pkg/kubectl:

Some tests were converted to current versions where it made sense.
 2015-05-29 17:17:35 -07:00
Tim Hockin 3005471100 Add new apiserver flags for clusterIP (nee portal) 
Leave old flags but marked as deprecated
 2015-05-28 16:10:44 -07:00
Tim Hockin 4318ca5a8b Rename 'portal IP' to 'cluster IP' most everywhere 
This covers obvious transforms, but not --portal_net, $PORTAL_NET and
similar.
 2015-05-28 16:10:44 -07:00
Eric Paris 9d304774d4 report glog error if unable to tell systemd things worked 2015-05-28 16:01:27 -04:00
Eric Paris 28ac1b3395 API server explicitly notify systemd of successful startup 
Use the systemd $NOTIFY_SOCKET convention for kube-apiserver
startup. This allows it to be part of dependency trees and for
consumers to wait until it is listening on its ports.

The $NOTIFY_SOCKET protocol is described here:

http://www.freedesktop.org/software/systemd/man/sd_notify.html

Currently this is limited to the kube-apiserver process. Other
kube processes are internal kubernetes moving points. The API
server is the entry point relied on by callers.

100% stolen from Stef Walter from:
https://github.com/GoogleCloudPlatform/kubernetes/pull/8316
 2015-05-28 15:59:26 -04:00
Justin Santa Barbara 3bb2fe2425 Create port allocator, based on IP allocator mechanism 
Including some refactoring of IP allocator
 2015-05-22 19:14:28 -04:00
Prashanth Balasubramanian 8a5445d3db Randomize apiserver watch timeouts 2015-05-21 20:52:33 -07:00
Cesar Wong e95d9c416d Admission control to prevent exec on privileged pods 2015-05-21 13:56:51 -04:00
Jordan Liggitt d90e7409e4 Prevent auth recursion for service account tokens 2015-05-16 23:39:07 -04:00
nikhiljindal fa9f864782 Adding a script to update etcd objects 2015-05-15 16:20:35 -07:00
David Oppenheimer 7a21d7ab1f Merge pull request #8053 from jdef/upstream_mesos_cloud 
integrate mesos cloud provider with k8s proper
 2015-05-14 13:57:39 -07:00
Nikhil Jindal d75bd8bf2a Merge pull request #7101 from liggitt/service_account 
ServiceAccounts
 2015-05-12 10:23:41 -07:00
James DeFelice 652c14d8d7 integrate mesos cloud provider into kube apps 2015-05-12 16:02:38 +00:00
Brendan Burns d8f48290e9 Add a flag to disable legacy APIs 2015-05-11 16:09:25 -07:00
Jordan Liggitt 7e14a80f63 ServiceAccount admission plugin 2015-05-11 17:18:06 -04:00
Jordan Liggitt db1f0dc906 JWT token generation/verification 2015-05-11 17:18:06 -04:00
Clayton Coleman e200d5a317 Make PortalIP alloc HA 
* Add an allocator which saves state in etcd
* Perform PortalIP allocation check on startup and periodically afterwards

Also expose methods in master for downstream components to handle IP allocation
/ master registration themselves.
 2015-05-08 13:34:16 -04:00
Brendan Burns 5461231c1c Merge pull request #7567 from endocode/kbeecher/wip_etcd_migrate_keys 
WIP: Add startup code to apiserver to migrate etcd keys
 2015-05-07 10:05:41 -07:00
Zach Loafman 875e83a741 Revert "Revert "Security context - types, kubelet, admission"" 2015-05-05 16:02:13 -07:00
Zach Loafman f48904fd5e Revert "Security context - types, kubelet, admission" 2015-05-05 15:20:39 -07:00
Paul Weil 982bf19c20 security context initial implementation - squash 2015-05-05 13:46:13 -04:00
Karl Beecher 0473f652fd Add startup code to apiserver to migrate etcd keys 
Refs: #3476
 2015-05-05 12:28:14 +02:00
Eric Paris 6b3a6e6b98 Make copyright ownership statement generic 
Instead of saying "Google Inc." (which is not always correct) say "The
Kubernetes Authors", which is generic.
 2015-05-01 17:49:56 -04:00
Brian Grant a4316aa638 Merge pull request #7454 from nikhiljindal/v1 
Cloning v1beta3 as v1 and exposing it in the apiserver
 2015-04-28 18:06:57 -07:00
nikhiljindal c4d7e19c8c Cloning v1beta3 as v1 and exposing it in the apiserver 2015-04-28 16:06:03 -07:00
Brendan Burns c9f4d8e57e Merge pull request #7425 from roberthbailey/basic-auth-headers 
Set the 'WWW-Authenticate' header on 401 responses when basic auth is enabled
 2015-04-28 11:10:05 -07:00
Daniel Smith 19ae113fe0 Merge pull request #7353 from wojtek-t/too_many_dials 
Increase maxIdleConnection limit when creating etcd client in apiserver.
 2015-04-28 11:03:12 -07:00
Robert Bailey 4304b1d24a Set the 'WWW-Authenticate' header on 401 responses when basic 
auth is enabled. This is required for basic auth to work with
web browsers.
 2015-04-28 11:00:05 -07:00
Robert Bailey 6d85dcb4a0 Add support for HTTP basic auth to the kube-apiserver. 2015-04-28 10:33:51 -07:00