Commit Graph

93 Commits (733faf5280e334df018c7a09ec9df12265c91656)

Author SHA1 Message Date
Chao Xu 03d8820edc rename /release_1_5 to /clientset 2016-12-14 12:39:48 -08:00
Mike Danese c87de85347 autoupdate BUILD files 2016-12-12 13:30:07 -08:00
xilabao 79b525e5a4 auth duplicate detect, add warning message 2016-12-07 09:06:39 +08:00
Kubernetes Submit Queue 81d788dd6e Merge pull request #37534 from smarterclayton/move_unversion
Automatic merge from submit-queue (batch tested with PRs 36816, 37534)

Move pkg/api/unversioned to pkg/apis/meta/v1

This moves code from using pkg/api/unversioned to pkg/apis/meta/v1 with the `metav1` local package name.

Built on top of #37532 (the first three commits related to ExportOptions)

Part of #37530
2016-12-03 18:30:48 -08:00
Clayton Coleman 3454a8d52c
refactor: update bazel, codec, and gofmt 2016-12-03 19:10:53 -05:00
Clayton Coleman 5df8cc39c9
refactor: generated 2016-12-03 19:10:46 -05:00
deads2k c4e2e19e51 allow auth proxy to set groups and extra 2016-12-01 09:00:30 -05:00
Clayton Coleman 35a6bfbcee
generated: refactor 2016-11-23 22:30:47 -06:00
Chao Xu bcc783c594 run hack/update-all.sh 2016-11-23 15:53:09 -08:00
Chao Xu b9e3ffb515 misc 2016-11-23 15:53:09 -08:00
Brendan Burns 860748c08f Fix some lint errors. 2016-11-12 21:25:09 -08:00
Di Xu dd6c980949 specify custom ca file to verify the keystone server 2016-11-04 15:11:41 +08:00
Chao Xu 850729bfaf include multiple versions in clientset
update client-gen to use the term "internalversion" rather than "unversioned";
leave internal one unqualified;
cleanup client-gen
2016-10-29 13:30:47 -07:00
deads2k 3f9a4d51d5 wire up authenticating front proxy: 2016-10-28 08:36:46 -04:00
deads2k 557e653785 add front proxy authenticator 2016-10-28 08:36:46 -04:00
deads2k f34bb50ce7 add x509 verifier 2016-10-28 08:05:16 -04:00
Mike Danese df713b478c fix tests by declaring testdata 2016-10-21 17:32:32 -07:00
Mike Danese 3b6a067afc autogenerated 2016-10-21 17:32:32 -07:00
Kubernetes Submit Queue 669efd72a4 Merge pull request #34041 from pigmej/fix_typos_plugin
Automatic merge from submit-queue

Fix typos and englishify plugin/pkg

**What this PR does / why we need it**:  Just typos

**Which issue this PR fixes**: `None`

**Special notes for your reviewer**: Just typos

**Release note**: `NONE`
2016-10-15 02:13:06 -07:00
Jordan Liggitt c984744cb1
Test x509 intermediates correctly 2016-10-11 01:48:43 -04:00
Jedrzej Nowak d2161c21d7 Fix typos and englishify plugin/pkg 2016-10-04 17:51:14 +02:00
deads2k 57039cfdfa make well-known users and groups into constants 2016-09-30 10:34:33 -04:00
deads2k 5080a575ad add anytoken authenticator 2016-09-29 14:14:06 -04:00
Jordan Liggitt 0c36c5e556
Add anonymous auth to the auth chain 2016-09-26 17:19:00 -04:00
Jordan Liggitt 174e454874
Allow short-circuiting union auth on error 2016-09-26 17:18:05 -04:00
Jordan Liggitt 0dbcad1763
Add anonymous authenticator 2016-09-26 17:18:05 -04:00
Eric Chiang 065ddab5d1 oidc authenticator: allow string value as groups claim
Allow the group claim to be a single string instead of an array of
strings. This means the following claim

    {
      "role": "admin"
    }

Will be mapped to the groups

   ["admin"]
2016-09-22 14:23:56 -07:00
Kubernetes Submit Queue 5af04d1dd1 Merge pull request #32876 from errordeveloper/more-cert-utils
Automatic merge from submit-queue

Refactor cert utils into one pkg, add funcs from bootkube for kubeadm to use

**What this PR does / why we need it**:

We have ended-up with rather incomplete and fragmented collection of utils for handling certificates. It may be worse to consider using `cfssl` for doing all of these things, but for now there is some functionality that we need in `kubeadm` that we can borrow from bootkube. It makes sense to move the utils from bookube into core, as discussed in #31221.

**Special notes for your reviewer**: I've taken the opportunity to review names of existing funcs and tried to make some improvements in that area (with help from @peterbourgon).

**Release note**:

```release-note
NONE
```
2016-09-22 01:29:46 -07:00
Davanum Srinivas 25d4a70827 Allow secure access to apiserver from Admission Controllers
* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, Set the TLSClientConfig to the cert and key files
  if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
  to talk to the api server
* Add a new authenticator that checks for this specific bearer token

Fixes #13598
2016-09-20 10:42:21 -04:00
Ilya Dmitrichenko 386fae4592
Refactor utils that deal with certs
- merge `pkg/util/{crypto,certificates}`
- add funcs from `github.com/kubernetes-incubator/bootkube/pkg/tlsutil`
- ensure naming of funcs is fairly consistent
2016-09-19 09:03:42 +01:00
Kubernetes Submit Queue dbdaf2c22b Merge pull request #32597 from liggitt/webhook-re-refactor
Automatic merge from submit-queue

Revert "Revert "Allow webhook authenticator to use TokenReviewsInterface""

Reverts https://github.com/kubernetes/kubernetes/pull/32591 (commit 0a02c8275d)
Readds https://github.com/kubernetes/kubernetes/pull/32547

Holding until GKE webhook authenticator is updated by @cjcullen
2016-09-15 03:56:10 -07:00
Kubernetes Submit Queue 4135988880 Merge pull request #32589 from ericchiang/add-ericchiang-to-owners
Automatic merge from submit-queue

plugin/pkg: add ericchiang to owners for OpenID Connect plugins

On the CoreOS side I'm taking over these components.

@erictune has suggested `pkg/registry/{cluster}role{binding}s/OWNERS` as well but I'd feel more comfortable as a reviewer for those specific parts of RBAC for a couple more cycles since @liggitt and @deads2k have had way more experience in the registry code.

Beyond that the only existing OWNERS files for auth are `pkg/auth/OWNERS` and `plugin/pkg/auth/OWNERS` both of which include @liggitt and @erictune. There's also nothing in the `plugin/pkg/client` path. I'm a little unclear on the implications for future PRs that are assigned to me (e.g. webhook or RBAC reviews).

cc @kubernetes/sig-auth
2016-09-14 13:10:33 -07:00
Jordan Liggitt 52c3081f6f
Revert "Revert "Allow webhook authenticator to use TokenReviewsInterface""
This reverts commit 0a02c8275d.
2016-09-13 16:23:17 -04:00
Joe Finney 0a02c8275d Revert "Allow webhook authenticator to use TokenReviewsInterface"
This reverts commit e9914f2c4a.
2016-09-13 11:48:43 -07:00
Eric Chiang 26830b8db9 plugin/pkg: add ericchiang to owners for OpenID Connect plugins 2016-09-13 11:14:16 -07:00
Jordan Liggitt e9914f2c4a
Allow webhook authenticator to use TokenReviewsInterface 2016-09-13 00:42:02 -04:00
Eric Chiang e5d7f01b91 x509 authenticator: get groups from subject's organization field 2016-08-10 12:32:28 -07:00
Kubernetes Submit Queue 5230bb7a8e Merge pull request #29860 from ericchiang/fix-openid-connect-provider-with-trailing-slash
Automatic merge from submit-queue

oidc authentication plugin: don't trim issuer URLs with trailing slashes

The issuer URL passed to the plugin must identically match the issuer
URL returned by OpenID Connect discovery. However, the plugin currently
trims all trailing slashes from issuer URLs, causing a mismatch. Since
the go-oidc client already handles this case correctly, don't trim the
path.

Closes #29749

cc @hanikesn @kubernetes/sig-auth
2016-08-04 16:25:49 -07:00
deads2k 60dd4a5d26 interesting changes to add tokenreviews endpoint to implement webhook 2016-08-03 08:37:45 -04:00
Eric Chiang bc3dc12203 oidc authentication plugin: don't trim issuer URLs with trailing slashes
The issuer URL passed to the plugin must identically match the issuer
URL returned by OpenID Connect discovery. However, the plugin currently
trims all trailing slashes from issuer URLs, causing a mismatch. Since
the go-oidc client already handles this case correctly, don't trim the
path.
2016-08-01 11:23:05 -07:00
Wojciech Tyczynski 4d0d115690 Revert "add tokenreviews endpoint to implement webhook" 2016-07-21 09:40:35 +02:00
deads2k 2c4a9f2e8d interesting changes to add tokenreviews endpoint to implement webhook 2016-07-20 15:11:56 -04:00
Davanum Srinivas 2b0ed014b7 Use Go canonical import paths
Add canonical imports only in existing doc.go files.
https://golang.org/doc/go1.4#canonicalimports

Fixes #29014
2016-07-16 13:48:21 -04:00
k8s-merge-robot 0c696dc95b Merge pull request #27848 from liubin/fix-typos
Automatic merge from submit-queue

fix some typos

Just a minor typos fix.


Signed-off-by: bin liu <liubin0329@gmail.com>
2016-07-06 23:36:49 -07:00
k8s-merge-robot 4d91f0f763 Merge pull request #25137 from huang195/tls_user_emailaddress
Automatic merge from submit-queue

getting emailAddress from TLS cert

Kubernetes if using TLS cert to perform authentication will use the CommonName field of the cert as the authenticating user. In https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authenticator/request/x509/x509.go#L106, alternative methods are defined to use emailAddress or DNSName as the authenticating user. The method that uses the emailAddress is not comprehensive as this information can be encoded in different places of the certificate. This PR fixes this.
2016-07-06 19:45:01 -07:00
bin liu 426fdc431a Merge branch 'master' into fix-typos 2016-07-04 11:20:47 +08:00
k8s-merge-robot 038ac428f4 Merge pull request #28036 from ericchiang/oidc-auth-plugin-dont-error-if-provider-is-unavailable
Automatic merge from submit-queue

oidc auth plugin: don't hard fail if provider is unavailable

When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.

cc @sym3tri @erictune @aaronlevy @kubernetes/sig-auth
2016-06-30 13:02:16 -07:00
Eric Chiang 2f6db37ff5 oidc auth plugin: don't hard fail if provider is unavailable
When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.
2016-06-29 23:20:26 -07:00
David McMahon ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
CJ Cullen 38a1042199 Add a 5x exponential backoff on 429s & 5xxs to the webhook Authenticator/Authorizer. 2016-06-23 18:15:39 -07:00