CJ Cullen
38a1042199
Add a 5x exponential backoff on 429s & 5xxs to the webhook Authenticator/Authorizer.
2016-06-23 18:15:39 -07:00
CJ Cullen
ae67a4e209
Check HTTP Status code in webhook authorizer/authenticator.
2016-06-22 11:15:33 -07:00
bin liu
fd27cd47f7
fix some typos
Signed-off-by: bin liu <liubin0329@gmail.com>
2016-06-22 18:14:26 +08:00
Eric Chiang
d13e351028
add unit and integration tests for rbac authorizer
2016-06-14 11:07:48 -07:00
Eric Chiang
c8ca49ec88
plugin/pkg/auth/authorizer/webhook: log request errors
Currently the API server only checks the errors returned by an
authorizer plugin, it doesn't return or log them[0]. This makes
incorrectly configuring the webhook authorizer plugin extremely
difficult to debug.
Add a logging statement if the request to the remote service fails
as this indicates misconfiguration.
[0] https://goo.gl/9zZFv4
2016-06-08 13:19:23 -07:00
Eric Chiang
ef40aa9572
pkg/master: enable certificates API and add rbac authorizer
2016-05-25 14:24:47 -07:00
Hai Huang
235020ad64
getting emailAddress from TLS cert
2016-05-23 18:36:14 -04:00
CJ Cullen
d03dbbcc14
Add LRU Expire cache to webhook authorizer.
2016-05-21 14:50:50 -07:00
k8s-merge-robot
346f965871
Merge pull request #25694 from cjcullen/authncache
Automatic merge from submit-queue
Cache Webhook Authentication responses
Add a simple LRU cache w/ 2 minute TTL to the webhook authenticator.
Kubectl is a little spammy, w/ >= 4 API requests per command. This also prevents a single unauthenticated user from being able to DOS the remote authenticator.
2016-05-21 10:48:38 -07:00
Bobby Rullo
e85940ed17
add tests for newOIDCAuthProvider
2016-05-18 17:03:11 -07:00
Bobby Rullo
c990462d0f
Refactor test oidc provider into its own package
This makes it easier to test other OIDC code.
2016-05-18 17:03:11 -07:00
CJ Cullen
57f96a932f
Add expiration LRU cache for webhook token authenticator.
2016-05-18 11:58:11 -07:00
CJ Cullen
eb3b0e78b4
Add a webhook token authenticator plugin.
2016-05-10 14:54:35 -07:00
CJ Cullen
1d096d29cb
Pull common webhook code into generic webhook plugin.
2016-05-10 14:41:14 -07:00
Clayton Coleman
e0ebcf4216
Split the storage and negotiation parts of Codecs
The codec factory should support two distinct interfaces - negotiating
for a serializer with a client, vs reading or writing data to a storage
form (etcd, disk, etc). Make the EncodeForVersion and DecodeToVersion
methods only take Encoder and Decoder, and slight refactoring elsewhere.
In the storage factory, use a content type to control what serializer to
pick, and use the universal deserializer. This ensures that storage can
read JSON (which might be from older objects) while only writing
protobuf. Add exceptions for those resources that may not be able to
write to protobuf (specifically third party resources, but potentially
others in the future).
2016-05-05 12:08:23 -04:00
Wojciech Tyczynski
3aadafd411
Use NegotiatedSerializer in client
2016-05-04 10:57:36 +02:00
zhouhaibing089
bf1a3f99c0
Uncomment the code that cause by #19254
2016-04-25 23:21:31 +08:00
CJ Cullen
e53aa93836
Add Subresource & Name to webhook authorizer.
2016-04-19 21:43:40 -07:00
Joe Finney
ae79677fd0
Remove global var for OIDC retry/backoff, and remove retries from unit tests.
2016-04-07 14:18:29 -07:00
k8s-merge-robot
1ad3049ed6
Merge pull request #23288 from smarterclayton/refactor_codec
Auto commit by PR queue bot
2016-03-26 10:47:58 -07:00
Clayton Coleman
54eaa56b92
Add a streaming and "raw" abstraction to codec factory
2016-03-23 17:25:20 -04:00
zhouhaibing089
83248a9783
move keystone package to password since it is a password authenticator
2016-03-22 23:27:28 +08:00
harry
b0900bf0d4
Refactor diff into sub pkg
2016-03-21 20:21:39 +08:00
Harry Zhang
a4d04095d0
Refactor crlf & crypto
2016-03-21 20:20:05 +08:00
k8s-merge-robot
5d58c74398
Merge pull request #22304 from ericchiang/bump_go_oidc
Auto commit by PR queue bot
2016-03-11 02:57:09 -08:00
k8s-merge-robot
d81d823ca5
Merge pull request #22393 from eparis/blunderbuss
Auto commit by PR queue bot
2016-03-02 18:51:56 -08:00
Eric Paris
5e5a823294
Move blunderbuss assignees into tree
2016-03-02 20:46:32 -05:00
Eric Chiang
8df55ddbe5
plugin/pkg/auth/authenticator/token/oidc: update test to new go-oidc types
The provider config has changed a little bit in go-oidc. It is more
complete and now throws errors when unmarshaling provider configs
that are missing required fields (as defined by the OpenID Connect
Discovery spec).
Update the oidc plugin to use the new type.
2016-03-01 11:39:18 -08:00
Kris
e664ef922f
Move restclient to its own package
2016-02-29 12:05:13 -08:00
k8s-merge-robot
00d99ac261
Merge pull request #20347 from ericchiang/authz_grpc
Auto commit by PR queue bot
2016-02-26 22:00:42 -08:00
k8s-merge-robot
7f1b699880
Merge pull request #21071 from soltysh/server_close
Auto commit by PR queue bot
2016-02-23 06:34:27 -08:00
Eric Chiang
3116346161
*: add webhook implementation of authorizer.Authorizer plugin
2016-02-22 11:39:07 -08:00
k8s-merge-robot
f366baeaeb
Merge pull request #21128 from yifan-gu/fix_oidc_tailing_slash_issuer
Auto commit by PR queue bot
2016-02-15 17:46:49 -08:00
k8s-merge-robot
43fb544a4a
Merge pull request #21001 from ericchiang/oidc_groups
Auto commit by PR queue bot
2016-02-14 05:24:43 -08:00
Eric Chiang
92d37d5cc5
plugin/pkg/auth/authenticator/token/oidc: get groups from custom claim
2016-02-12 09:58:18 -08:00
Dan Williams
905dfd9b77
Fix another instance of golang #12262
Reliably reproducible on two up-to-date Fedora 23 machines using
go 1.5.3, both one Core i7-4770R and a Core i7-4790.
https://github.com/golang/go/issues/12262
2016-02-12 10:04:48 -06:00
Yifan Gu
36bd693d3a
oidc: Remove trailing slash before fetching the provider config.
2016-02-12 16:40:45 +08:00
Maciej Szulik
72654d347c
Comment out calls to httptest.Server.Close() to work around
https://github.com/golang/go/issues/12262 . See #19254 for
more details. This change should be reverted when we upgrade
to Go 1.6.
2016-02-11 16:16:11 +01:00
Arsen Mamikonyan
8b5e9e2885
Change repository references to https://github.com/kubernetes/kubernetes
2016-01-22 10:23:14 -05:00
Harry Zhang
936a11e775
Use networking to hold network related pkgs
Change names of unclear methods
Use net as pkg name for short
2016-01-15 13:46:16 +08:00
David Oppenheimer
8ac484793d
Comment out calls to httptest.Server.Close() to work around
https://github.com/golang/go/issues/12262 . See #19254 for
more details. This change should be reverted when we upgrade
to Go 1.6.
2016-01-11 23:02:11 -08:00
Yifan Gu
04db432fb4
auth: Add Close() for OIDC authenticator.
2015-12-23 01:26:20 -08:00
Yifan Gu
207fb721b9
Godeps: bump go-oidc to fix the race in tests.
2015-12-14 13:32:16 -08:00
Kris
0a4ee958c7
Use http's basic auth instead of manual encoding
2015-11-06 10:19:01 -08:00
Rohith
ee691aa1ab
[tokenfile]
- the groups field has been changed to a single column option as requested in https://github.com/kubernetes/kubernetes/pull/15704
[docs]
- updated the docs related to the tokenfile along with an example
2015-10-21 10:37:35 +01:00
Rohith
f02c80584b
[plugin/auth/tokenfile]
- allowing for variable length groups to be added to the static token file
[docs/admin/authentication]
- updating the documentation for token file
2015-10-19 17:14:14 +01:00
eulerzgy
f8f9afb874
alias local packagename for pkg/util/errors
2015-10-18 09:37:46 +08:00
Jordan Liggitt
2a1286c8f2
Add util to set transport defaults
2015-10-02 02:29:46 -04:00
Yifan Gu
ae22bd5710
plugin/pkg/auth: add tests for OpenID Connect authenticator.
2015-08-21 15:27:08 -07:00
Yifan Gu
6376e41850
plugin/pkg/auth: add OpenID Connect token authenticator.
Also add related new flags to apiserver:
"--oidc-issuer-url", "--oidc-client-id", "--oidc-ca-file", "--oidc-username-claim",
to enable OpenID Connect authentication.
2015-08-21 15:27:08 -07:00
Ruddarraju, Uday Kumar Raju
937db3f70d
Keystone authentication plugin
2015-08-13 09:46:30 -07:00
Mike Danese
8e33cbfa28
rewrite go imports
2015-08-05 17:30:03 -07:00
Eric Paris
6b3a6e6b98
Make copyright ownership statement generic
Instead of saying "Google Inc." (which is not always correct) say "The
Kubernetes Authors", which is generic.
2015-05-01 17:49:56 -04:00
Robert Bailey
6d85dcb4a0
Add support for HTTP basic auth to the kube-apiserver.
2015-04-28 10:33:51 -07:00
Tim Hockin
4fcd496d59
change everything to use new util/errors
2015-01-08 22:10:03 -08:00
Rohit Jnagal
62ecd5f3ff
Fix few vet errors.
There are quite a few 'composite literal uses unkeyed fields' errors that I have kept out of this patch.
And there's a couple where vet just seems confused. These are the easiest ones.
2015-01-07 08:40:16 +00:00
George Kuan
5e1fc1f4e0
Fixes #1605 : make ErrorList introspectable by replacing ErrorList and
ErrorList#ToError with []error and util.SliceToError() respectively
2014-12-12 10:56:31 -08:00
Jordan Liggitt
09ba404fb7
x509 request authenticator
2014-12-09 09:34:16 -05:00
deads2k
d8d889ef73
add union auth request handler
2014-11-26 10:51:23 -05:00
Jordan Liggitt
3532be3c82
Add basicauth and password authenticators
2014-11-24 17:52:10 -05:00
Jordan Liggitt
c895331277
Make master take authenticator.Request interface instead of tokenfile
2014-11-19 15:07:51 -05:00