Commit Graph

447 Commits (87fe4dca5e00d842186461a935ab76fd24116952)

Author SHA1 Message Date
Dr. Stefan Schimanski b798527793 Rename master/options/{APIServer -> ServerRunOptions} 2016-10-31 10:55:19 +01:00
Dr. Stefan Schimanski d6dc0e561f Apiserver cleanups
- remove unused genericapiserver Config.MasterServiceNamespace
- move init code into ApplyOptions
- initialize genericapiserver Config.MaxRequestsInFlight
- move ServiceReadWritePort to master
2016-10-31 10:55:19 +01:00
deads2k 3f9a4d51d5 wire up authenticating front proxy: 2016-10-28 08:36:46 -04:00
Dr. Stefan Schimanski 05fcc6b56a Update bazel 2016-10-22 14:31:56 +02:00
Dr. Stefan Schimanski cca05af615 Move swagger+openapi setup to routes and decouple from run 2016-10-22 13:42:22 +02:00
mbohlool 3e67cf8b9b Add authentication to openapi Spec 2016-10-22 02:43:42 -07:00
Mike Danese 3b6a067afc autogenerated 2016-10-21 17:32:32 -07:00
deads2k 9578523180 move proxytransport config out of the genericapiserver 2016-10-20 11:23:53 -04:00
Kubernetes Submit Queue f39e86c0a5 Merge pull request #34474 from liggitt/connection-info-refactor
Automatic merge from submit-queue

Remove static kubelet client, refactor ConnectionInfoGetter

Follow up to https://github.com/kubernetes/kubernetes/pull/33718

* Collapses the multi-valued return to a `ConnectionInfo` struct
* Removes the "raw" connection info method and interface, since it was only used in a single non-test location (by the "real" connection info method)
* Disentangles the node REST object from being a ConnectionInfoProvider itself by extracting an implementation of ConnectionInfoProvider that takes a node (using a provided NodeGetter) and determines ConnectionInfo
* Plumbs the KubeletClientConfig to the point where we construct the helper object that combines the config and the node lookup. I anticipate adding a preference order for choosing an address type in https://github.com/kubernetes/kubernetes/pull/34259
2016-10-18 13:20:25 -07:00
deads2k 5a9b16d40a make version an explicit choice so zero config and customized work 2016-10-17 16:10:07 -04:00
deads2k 14c164a328 add ownerref permission checks 2016-10-17 09:38:05 -04:00
Jordan Liggitt a082a2e749
Remove static kubelet client, refactor ConnectionInfoGetter 2016-10-15 22:15:04 -04:00
Kubernetes Submit Queue 864a7bacaa Merge pull request #34828 from deads2k/api-26-apiserver-annoyance
Automatic merge from submit-queue

default serializer

Everyone uses the same serializer.  Set it as the default, but still allow someone to take control if they want.

Found while trying to use genericapiserver for composition.
2016-10-15 07:29:59 -07:00
Kubernetes Submit Queue 19848dddfd Merge pull request #24980 from aveshagarwal/master-project-node-selector
Automatic merge from submit-queue

Add support for admission controller based on namespace node selectors.

This work is to upstream openshift's project node selectors based admission controller.

Fixes https://github.com/kubernetes/kubernetes/issues/17151
2016-10-14 18:37:33 -07:00
deads2k 7412be4465 default serializer 2016-10-14 11:27:32 -04:00
Kubernetes Submit Queue c3742a8fbe Merge pull request #34047 from deads2k/rbac-11-informer-cache
Automatic merge from submit-queue

Run rbac authorizer from cache

RBAC authorization can be run very effectively out of a cache.  The cache is a normal reflector backed cache (shared informer).

I've split this into three parts:
 1. slim down the authorizer interfaces
 1. boilerplate for adding rbac shared informers and associated listers which conform to the new interfaces
 1. wiring

@liggitt @ericchiang @kubernetes/sig-auth
2016-10-14 08:12:28 -07:00
Avesh Agarwal b902f857c6 Add support for admission controller based on namespace node selectors.
This work is to upstream openshift's project node selectors based admission controller.

Addresses #17151.
2016-10-13 13:14:19 -04:00
deads2k fbd5032da2 split genericapiserver configuration apart so that you can run without flag options 2016-10-13 13:09:53 -04:00
deads2k e1638f11a3 run authorization from a cache 2016-10-13 07:53:40 -04:00
Kubernetes Submit Queue ca75b47657 Merge pull request #32555 from pweil-/admission-authorizer
Automatic merge from submit-queue

WantsAuthorizer admission plugin support

The next step of PSP admission is to be able to limit the PSPs used based on user information.  To do this the admission plugin would need to make authz checks for the `user.Info` in the request.  This code allows a plugin to request the injection of an authorizer to allow it to make the authz checks.

Note:  this could be done with a SAR, however since admission is running in the api server using the SAR would incur an extra hop vs using the authorizer directly.

@deads2k @derekwaynecarr
2016-10-13 03:40:11 -07:00
mbohlool 5ba06cf2bc Make Kubernetes OpenAPI operation IDs unique 2016-10-12 14:54:12 -07:00
pweil- 5c66dcb526 inject authorizer when admission controller requests it 2016-10-12 13:05:34 -04:00
Kubernetes Submit Queue 8a72f11596 Merge pull request #33842 from deads2k/api-19-clean-structs
Automatic merge from submit-queue

clean api server cruft

Some cruft has developed over refactors.  Remove that cruft.

@liggitt probably last in the chain so far
2016-10-11 18:56:15 -07:00
deads2k 406c0a36ae cleanup cruft from API server structs 2016-10-11 10:56:05 -04:00
Kubernetes Submit Queue 1837914d8e Merge pull request #34029 from liggitt/service-account-rotation
Automatic merge from submit-queue

Enable service account signing key rotation

fixes #21007

```release-note
The kube-apiserver --service-account-key-file option can be specified multiple times, or can point to a file containing multiple keys, to enable rotation of signing keys.
```

This PR enables the apiserver authenticator to verify service account tokens signed by different private keys. This can be done two different ways:
* including multiple keys in the specified keyfile (e.g. `--service-account-key-file=keys.pem`)
* specifying multiple key files (e.g. `--service-account-key-file current-key.pem --service-account-key-file=old-key.pem`)

This is part of enabling signing key rotation:

1. update apiserver(s) to verify tokens signed with a new public key while still allowing tokens signed with the current public key (which is what this PR enables)
2. give controllermanager the new private key to sign new tokens with
3. remove old service account tokens (determined by verifying signature or by checking creationTimestamp) once they are no longer in use (determined using garbage collection or magic) or some other algorithm (24 hours after rotation, etc). For the deletion to immediately revoke the token, `--service-account-lookup` must be enabled on the apiserver.
4. once all old tokens are gone, update apiservers again, removing the old public key.
2016-10-10 21:54:03 -07:00
Kubernetes Submit Queue bd3664cbef Merge pull request #34000 from wojtek-t/set_cache_size
Automatic merge from submit-queue

Set deserialization cache size based on target memory usage

**Special notes for your reviewer**:

This is the PR we talked about yesterday.

**Release note**:

```release-note
To reduce memory usage to reasonable levels in smaller clusters, kube-apiserver now sets the deserialization cache size based on the target memory usage.
```
2016-10-05 14:23:39 -07:00
Wojciech Tyczynski 2bfcb1a850 Set deserialization cache size based on target memory usage 2016-10-05 10:00:02 +02:00
Jordan Liggitt 3c92eb75b3
Enable service account signing key rotation 2016-10-04 14:16:38 -04:00
deads2k 8eddc7158b stop plumbing options to start 2016-10-03 13:35:00 -04:00
Kubernetes Submit Queue 6a1622a723 Merge pull request #33785 from deads2k/api-16-pass-config-to-hook
Automatic merge from submit-queue

pass loopback config to poststart hooks

Updates post start hooks to take a clientconfig with the new loopback credentials for bootstrapping.

@ericchiang This is a little bit of plumbing, but mainly auth I think.
2016-10-01 10:27:04 -07:00
Kubernetes Submit Queue 30ca344361 Merge pull request #33565 from liggitt/ecdsa
Automatic merge from submit-queue

Add ECDSA support for service account tokens

Fixes #28180

```release-note
ECDSA keys can now be used for signing and verifying service account tokens.
```
2016-10-01 08:42:53 -07:00
deads2k 57039cfdfa make well-known users and groups into constants 2016-09-30 10:34:33 -04:00
deads2k 4c8959df59 pass loopback config to posthooks 2016-09-30 10:34:33 -04:00
deads2k 5080a575ad add anytoken authenticator 2016-09-29 14:14:06 -04:00
Kubernetes Submit Queue d187997c94 Merge pull request #32386 from liggitt/anonymous-authenticated-groups
Automatic merge from submit-queue

Allow anonymous API server access, decorate authenticated users with system:authenticated group

When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users

It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials.

This PR:
* Adds an option to allow anonymous requests to the secured API port. If enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of `system:anonymous` and a group of `system:unauthenticated`. Note: this should only be used with an `--authorization-mode` other than `AlwaysAllow`
* Decorates user.Info returned from configured authenticators with the group `system:authenticated`.

This is related to defining a default set of roles and bindings for RBAC (https://github.com/kubernetes/features/issues/2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs.

```release-note
kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'. 

Authenticated users are decorated with a 'system:authenticated' group.

NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or or set '--anonymous-auth=false'.
```

c.f. https://github.com/kubernetes/kubernetes/issues/29177#issuecomment-244191596
2016-09-29 10:47:49 -07:00
Dr. Stefan Schimanski 61409c821b Turn embedding into composition: master.Config.{Config -> GenericConfig} 2016-09-29 08:09:39 +02:00
Dr. Stefan Schimanski 8391a19b57 Decouple defaulting from genericapiserver and master 2016-09-28 23:16:09 +02:00
Dr. Stefan Schimanski b4c6a68036 Unify genericapiserver Config.New() and master Config.New() 2016-09-28 19:19:54 +02:00
Jordan Liggitt 6333d8fd86
Add ECDSA support 2016-09-27 12:44:54 -04:00
Jordan Liggitt 0c36c5e556
Add anonymous auth to the auth chain 2016-09-26 17:19:00 -04:00
Jordan Liggitt 2ac293a0bd
Put loopback authn/authz first in chain 2016-09-25 20:33:25 -04:00
deads2k f6882e8465 remove storage related fields from genericapiserver 2016-09-22 09:21:34 -04:00
Kubernetes Submit Queue c46bc88f04 Merge pull request #31491 from dims/fixes-issue-13598
Automatic merge from submit-queue

Allow secure access to apiserver from Admission Controllers

* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, Set the TLSClientConfig to the cert and key files
  if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
  to talk to the api server
* Add a new authenticator that checks for this specific bearer token

Fixes #13598
2016-09-21 21:31:56 -07:00
mbohlool 38b2567d8b Move generated openAPI specs out of genericapiserver and make it configurable 2016-09-20 14:06:10 -07:00
Davanum Srinivas 25d4a70827 Allow secure access to apiserver from Admission Controllers
* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, Set the TLSClientConfig to the cert and key files
  if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
  to talk to the api server
* Add a new authenticator that checks for this specific bearer token

Fixes #13598
2016-09-20 10:42:21 -04:00
deads2k a2a6423574 separate RESTStorage by API group 2016-09-20 08:00:50 -04:00
Kubernetes Submit Queue 12d916750e Merge pull request #32387 from sttts/sttts-handler-cleanup
Automatic merge from submit-queue

Cleanup non-rest apiserver handlers

- rename MuxHelper -> PathRecorderMux
- move non-rest handlers into routes packages within genericapiserver and `pkg/routes` (those from master)
- move ui and logs handlers out of genericapiserver (they are
  not generic)
- make version handler configurable (`config.EnableVersion`)
2016-09-16 08:58:06 -07:00
Mike Danese a765d59932 move informer and controller to pkg/client/cache
Signed-off-by: Mike Danese <mikedanese@google.com>
2016-09-15 12:50:08 -07:00
Dr. Stefan Schimanski 7f78661d0b Cleanup non-rest apiserver handlers
- rename MuxHelper -> PathRecorderMux
- move non-rest handlers into routes packages within genericapiserver and
  `pkg/routes` (those from master)
- move ui and logs handlers out of genericapiserver (they are
  not generic)
- make version handler configurable (`config.EnableVersion`)
2016-09-15 13:22:45 +02:00
Clayton Coleman acb4c00b39
EnableGarbageCollection should be a struct member on RESTOptions
Not a global. Now that we have RESTOptions this was an easy change.
2016-09-15 00:09:28 -04:00
Daniel Smith a291846cd1 Revert "Remove deprecated Namespace admission plug-ins" 2016-08-28 10:20:44 -07:00
derekwaynecarr c727fdc81f Remove deprecated namespace admission controllers 2016-08-26 11:14:55 -04:00
Kris 1740358573 Split the version metric out to its own package 2016-08-24 11:47:16 -07:00
Kubernetes Submit Queue ef2718620c Merge pull request #30900 from jsafrane/pvc-admission
Automatic merge from submit-queue

Add admission controller for default storage class.

The admission controller adds a default class to PVCs that do not require any
specific class. This way, users (=PVC authors) do not need to care about
storage classes, administrator can configure a default one and all these PVCs
that do not care about class will get the default one.

The marker of default class is annotation "volume.beta.kubernetes.io/storage-class", which must be set to "true" to work. All other values (or missing annotation) makes the class non-default.

Based on @thockin's code, added tests and made it not to reject a PVC when no class is marked as default.
. 
@kubernetes/sig-storage
2016-08-24 03:32:46 -07:00
Quintin Lee 2be0b40c55 Actually link in ImagePolicyWebhook and run initialization. 2016-08-22 16:54:03 -07:00
Jan Safranek 5f6efefc40 [squash] Rename and move to storageclass/ 2016-08-22 14:11:01 +02:00
Kubernetes Submit Queue b51d5c3cc0 Merge pull request #30638 from krousey/metrics_registration
Automatic merge from submit-queue

Remove implicit Prometheus metrics from client

**What this PR does / why we need it**: This PR starts to cut away at dependencies that the client has.

**Release note**:
<!--  Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access) 
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`. 
-->
```release-note
The implicit registration of Prometheus metrics for request count and latency have been removed, and a plug-able interface was added. If you were using our client libraries in your own binaries and want these metrics, add the following to your imports in the main package: "k8s.io/pkg/client/metrics/prometheus". 
```

cc: @kubernetes/sig-api-machinery @kubernetes/sig-instrumentation @fgrzadkowski  @wojtek-t
2016-08-21 16:47:05 -07:00
Kubernetes Submit Queue 7979801e54 Merge pull request #28860 from ericchiang/separate-apiserver-authz-options
Automatic merge from submit-queue

pkg/genericapiserver/options: don't import pkg/apiserver

Refactor the authorization options for the API server so
pkg/apiserver isn't directly imported by the options package.

Closes #28544

cc @smarterclayton

@madhusudancs, @nikhiljindal I've updated `federation/cmd/federation-apiserver/app/server.go` to include the RBAC options with this change. I don't know if this was intentionally left out in the first place but would like your feedback.
2016-08-21 09:49:14 -07:00
Chao Xu f7a1ef8189 enable gc by default 2016-08-19 10:42:05 -07:00
Kris 8d6ce0dcc6 Remove implicit Prometheus metrics from client 2016-08-19 10:11:45 -07:00
mbohlool c5f1d63d6f Generates OpenAPI (aka Swagger 2.0) Spec on /swagger.json path 2016-08-18 15:32:04 -07:00
Eric Chiang b4eaf625a0 pkg/genericapiserver/options: don't import pkg/apiserver
Refactor the authorization options for the API server so
pkg/apiserver isn't directly imported by the options package.
2016-08-18 13:01:50 -07:00
Jan Safranek 82d35fb461 Add admission controller for default storage class.
The admission controller adds a default class to PVCs that do not require any
specific class. This way, users (=PVC authors) do not need to care about
storage classes, administrator can configure a default one and all these PVCs
that do not care about class will get the default one.
2016-08-18 18:55:35 +02:00
Hongchao Deng d0938094d9 move new etcd storage into cacher 2016-08-12 18:40:20 -07:00
Kubernetes Submit Queue f53a35fb76 Merge pull request #29147 from caesarxuchao/cut-client-repo-staging
Automatic merge from submit-queue

Cut the client repo, staging it in the main repo

Tracking issue: #28559
ref: https://github.com/kubernetes/kubernetes/pull/25978#issuecomment-232710174

This PR implements the plan a few of us came up with last week for cutting client into its own repo:
1. creating "_staging" (name is tentative) directory in the main repo, using a script to copy the client and its dependencies to this directory
2. periodically publishing the contents of this staging client to k8s.io/client-go repo
3. converting k8s components in the main repo to use the staged client. They should import the staged client as if the client were vendored. (i.e., the import line should be `import "k8s.io/client-go/<pacakge name>`). This requirement is to ease step 4.
4. In the future, removing the staging area, and vendoring the real client-go repo.

The advantage of having the staging area is that we can continuously run integration/e2e tests with the latest client repo and the latest main repo, without waiting for the client repo to be vendored back into the main repo. This staging area will exist until our test matrix is vendoring both the client and the server.

In the above plan, the tricky part is step 3. This PR achieves it by creating a symlink under ./vendor, pointing to the staging area, so packages in the main repo can refer to the client repo as if it's vendored. To prevent the godep tool from messing up the staging area, we export the staged client to GOPATH in hack/godep-save.sh so godep will think the client packages are local and won't attempt to manage ./vendor/k8s.io/client-go.

This is a POC. We'll rearrange the directory layout of the client before merge.

@thockin @lavalamp @bgrant0607 @kubernetes/sig-api-machinery

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.kubernetes.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.kubernetes.io/reviews/kubernetes/kubernetes/29147)
<!-- Reviewable:end -->
2016-08-09 17:12:14 -07:00
mksalawa a806351cc3 Extract etcd options from genericapiserver. 2016-08-09 13:35:53 +02:00
Wojciech Tyczynski 8a8cd06ea4 Configurable cache sizes of cachers 2016-08-09 09:41:48 +02:00
Chao Xu a771578a1c move pkg/util/ files to their own package to reduce client-go dependencies 2016-08-05 23:32:02 -07:00
Maciej Szulik e6c327048e Forced using batch/v2alpha1 for storing ScheduledJob 2016-08-03 17:25:37 +02:00
k8s-merge-robot 2817674715 Merge pull request #29557 from deads2k/make-prefx-configurable
Automatic merge from submit-queue

make the resource prefix in etcd configurable for cohabitation

This looks big, its not as bad as it seems.

When you have different resources cohabiting, the resource name used for the etcd directory needs to be configurable.  HPA in two different groups worked fine before.  Now we're looking at something like RC<->RS.  They normally store into two different etcd directories.  This code allows them to be configured to store into the same location.

To maintain consistency across all resources, I allowed the `StorageFactory` to indicate which `ResourcePrefix` should be used inside `RESTOptions` which already contains storage information.

@lavalamp affects cohabitation.
@smarterclayton @mfojtik prereq for our rc<->rs and d<->dc story.
2016-07-28 03:01:28 -07:00
deads2k aa3db4d995 make the resource prefix in etcd configurable for cohabitation 2016-07-27 07:51:40 -04:00
k8s-merge-robot 0724a9c4dc Merge pull request #28828 from zte-cloud/failmodify
Automatic merge from submit-queue

modify Failure to failed

use 'failed' is more suitable than 'Failure'
2016-07-25 12:56:15 -07:00
Dominika Hodovska 037d116add Factory for SharedIndexInformers 2016-07-21 14:04:48 +02:00
Dominika Hodovska ba40a528e1 PluginInitializer as a new part of NewFromPlugins method 2016-07-20 12:53:52 +02:00
Dominika Hodovska fc0a3c6dcb Allow shareable resources for admission control plugins 2016-07-20 12:53:52 +02:00
k8s-merge-robot 411c32bc98 Merge pull request #27520 from olegshaldybin/format-apiserver-options
Automatic merge from submit-queue

Format apiserver options

Trivial change, code formatting only: it was hard to read long lines, and my editor was really slow when scrolling through them.
2016-07-19 19:58:01 -07:00
Lucas Käldström 88ea80b572 Remove GOMAXPROCS() calls because they are unnecessary 2016-07-19 11:08:21 +03:00
lojies 77c6176157 modify Failure to failed 2016-07-12 19:11:24 +08:00
David McMahon ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
Oleg Shaldybin e722a41c40 Format apiserver options
Trivial change, code formatting only: it was really hard to read
apiserver options definition, formatted to follow the same pattern
throughout.
2016-06-28 12:34:22 -07:00
Alex Mohr edda837142 Merge pull request #25599 from caesarxuchao/orphaning-finalizer
Add orphaning finalizer logic to GC
2016-05-26 13:19:19 -07:00
Eric Chiang ef40aa9572 pkg/master: enable certificates API and add rbac authorizer 2016-05-25 14:24:47 -07:00
Chao Xu 1665546d2d add finalizer logics to the API server and the garbage collector; handling DeleteOptions.OrphanDependents in the API server 2016-05-24 13:07:28 -07:00
k8s-merge-robot 346f965871 Merge pull request #25694 from cjcullen/authncache
Automatic merge from submit-queue

Cache Webhook Authentication responses

Add a simple LRU cache w/ 2 minute TTL to the webhook authenticator.

Kubectl is a little spammy, w/ >= 4 API requests per command. This also prevents a single unauthenticated user from being able to DOS the remote authenticator.
2016-05-21 10:48:38 -07:00
CJ Cullen 57f96a932f Add expiration LRU cache for webhook token authenticator. 2016-05-18 11:58:11 -07:00
Clayton Coleman 633683c08d
kube-apiserver options should be decoupled from impls
A few months ago we refactored options to keep it independent of the
implementations, so that it could be used in CLI tools to validate
config or to generate config, without pulling in the full dependency
tree of the master.  This change restores that by separating
server_run_options.go back to its own package.

Also, options structs should never contain non-serializable types, which
storagebackend.Config was doing with runtime.Codec. Split the codec out.

Fix a typo on the name of the etcd2.go storage backend.

Finally, move DefaultStorageMediaType to server_run_options.
2016-05-18 10:39:21 -04:00
nikhiljindal 5dffe4a969 Moving federation apiserver to use genericapiserver.ServerRunOptions 2016-05-11 23:42:55 -07:00
k8s-merge-robot 0ef4c6407b Merge pull request #24902 from cjcullen/webhookAuthn
Automatic merge from submit-queue

Webhook Token Authenticator

Add a webhook token authenticator plugin to allow a remote service to make authentication decisions.
2016-05-11 22:08:58 -07:00
Paul Weil 4970f0c02d PSP admission 2016-05-11 18:07:36 -04:00
CJ Cullen eb3b0e78b4 Add a webhook token authenticator plugin. 2016-05-10 14:54:35 -07:00
nikhiljindal 2ffa3b4586 Moving StorageFactory building logic to genericapiserver 2016-05-10 00:57:11 -07:00
Kevin b7014561c1 Add admission controller to limit pod anti affinity topologykey to node level 2016-05-09 12:23:41 +00:00
Clayton Coleman e0ebcf4216
Split the storage and negotiation parts of Codecs
The codec factory should support two distinct interfaces - negotiating
for a serializer with a client, vs reading or writing data to a storage
form (etcd, disk, etc). Make the EncodeForVersion and DecodeToVersion
methods only take Encoder and Decoder, and slight refactoring elsewhere.

In the storage factory, use a content type to control what serializer to
pick, and use the universal deserializer. This ensures that storage can
read JSON (which might be from older objects) while only writing
protobuf. Add exceptions for those resources that may not be able to
write to protobuf (specifically third party resources, but potentially
others in the future).
2016-05-05 12:08:23 -04:00
nikhiljindal 16c0e0a21c Deleting duplicate code from federated-apiserver 2016-05-03 14:04:09 -07:00
Hongchao Deng c0071a1595 add flags to enable etcd3 2016-04-28 09:48:16 +08:00
nikhiljindal f9f1e21e08 Moving master.SSHTunneler to genericapiserver 2016-04-22 11:47:05 -07:00
deads2k 6670b73b18 make storage enablement, serialization, and location orthogonal 2016-04-21 08:18:55 -04:00
Prashanth Balasubramanian 0ac10c6cc2 PetSet type, apps apigroup 2016-04-20 18:49:31 -07:00
nikhiljindal 50a9aceabb Moving more logic to genericapiserver 2016-04-19 00:03:28 -07:00
k8s-merge-robot 62fd60565a Merge pull request #24048 from liggitt/apiserver-defaults
Automatic merge from submit-queue

Use correct defaults when binding apiserver flags

defaults should be set in the struct-creating function, then the current struct field value used as the default when binding the flag
2016-04-17 20:59:38 -07:00
k8s-merge-robot a275a045d1 Merge pull request #23914 from sky-uk/make-etcd-cache-size-configurable
Automatic merge from submit-queue

Make etcd cache size configurable

Instead of the prior 50K limit, allow users to specify a more sensible size for their cluster.

I'm not sure what a sensible default is here. I'm still experimenting on my own clusters. 50 gives me a 270MB max footprint. 50K caused my apiserver to run out of memory as it exceeded >2GB. I believe that number is far too large for most people's use cases.

There are some other fundamental issues that I'm not addressing here:
- Old etcd items are cached and potentially never removed (it stores using modifiedIndex, and doesn't remove the old object when it gets updated)
- Cache isn't LRU, so there's no guarantee the cache remains hot. This makes its performance difficult to predict. More of an issue with a smaller cache size.
- 1.2 etcd entries seem to have a larger memory footprint (I never had an issue in 1.1, even though this cache existed there). I suspect that's due to image lists on the node status.

This is provided as a fix for #23323
2016-04-17 00:06:31 -07:00
Jordan Liggitt 6c1bcfa28d Use correct defaults when binding apiserver flags 2016-04-14 10:12:51 -04:00
k8s-merge-robot 429228d403 Merge pull request #23953 from nikhiljindal/u8sServer
Automatic merge from submit-queue

moving genericapiserver command line flags to genericapiserver

cc @kubernetes/sig-api-machinery
2016-04-13 23:15:24 -07:00
goltermann a3104ba96c Final vet fixes; enabling vet checks in verify scripts. 2016-04-13 13:51:51 -07:00
nikhiljindal 8d7a8c6ae6 moving genericapiserver command line flags to genericapiserver 2016-04-13 13:28:18 -07:00
James Ravn 5bb0595260 Make deserialization cache size configurable
Instead of the default 50K entries, allow users to specify more sensible
sizes for their cluster.
2016-04-12 13:42:27 +01:00
deads2k e8fb35d4d8 refactor resource overrides as positive logic interface 2016-03-28 09:24:49 -04:00
k8s-merge-robot 4e4ad61260 Merge pull request #23366 from goltermann/vet
Auto commit by PR queue bot
2016-03-24 21:50:56 -07:00
nikhiljindal 1cccfc7074 Disabling swagger ui by default. Adding a flag to enable it 2016-03-23 13:19:22 -07:00
k8s-merge-robot 76369c42be Merge pull request #22939 from resouer/util-sub-dir
Auto commit by PR queue bot
2016-03-23 03:34:33 -07:00
k8s-merge-robot 4af38b52b9 Merge pull request #22736 from resouer/fix-util-dev
Auto commit by PR queue bot
2016-03-22 19:54:58 -07:00
goltermann 34d4eaea08 Fixing several (but not all) go vet errors. Most are around string formatting, or unreachable code. 2016-03-22 17:26:50 -07:00
Marc Lough 27c6224abe The --etcd-config option has been removed from kube-apiserver so also remove the mention about it. 2016-03-22 20:14:48 +00:00
harry 343b1927d1 Refactor config map into sub pkg 2016-03-21 14:50:57 +08:00
harry f19d59cf35 Move flag into sub pkg 2016-03-14 21:30:38 +08:00
Brian Grant 532ba5a3c6 Merge pull request #21535 from AdoHe/restore_secure_etcd
restore ability to run against secured etcd
2016-03-11 12:14:06 -08:00
AdoHe 7228b9b987 restore ability to run against secured etcd 2016-03-11 11:21:16 -05:00
Wojciech Tyczynski 2f6d034cea Workaround long latency of POST pods 2016-03-03 10:45:43 +01:00
k8s-merge-robot d81d823ca5 Merge pull request #22393 from eparis/blunderbuss
Auto commit by PR queue bot
2016-03-02 18:51:56 -08:00
Eric Paris 5e5a823294 Move blunderbuss assignees into tree 2016-03-02 20:46:32 -05:00
Kris e664ef922f Move restclient to its own package 2016-02-29 12:05:13 -08:00
k8s-merge-robot 43792754d8 Merge pull request #21469 from wojtek-t/parallel_namespace_deletion
Auto commit by PR queue bot
2016-02-27 07:26:49 -08:00
Wojciech Tyczynski 506899008f Parallelization of namespace deletion 2016-02-25 16:33:25 +01:00
Eric Chiang 3116346161 *: add webhook implementation of authorizer.Authorizer plugin 2016-02-22 11:39:07 -08:00
Eric Tune ab8cfb968f Enabled batch API group in apiserver 2016-02-19 09:20:56 -08:00
Piotr Szczesniak 2b614179c7 Fixed options test 2016-02-15 21:39:00 +01:00
Piotr Szczesniak 264c64ec0d Enabled autoscaling API group in apiserver 2016-02-15 21:39:00 +01:00
Daniel Smith 74400c33ae changes for cross-group moves 2016-02-15 21:39:00 +01:00
k8s-merge-robot 43fb544a4a Merge pull request #21001 from ericchiang/oidc_groups
Auto commit by PR queue bot
2016-02-14 05:24:43 -08:00
Eric Chiang 92d37d5cc5 plugin/pkg/auth/authenticator/token/oidc: get groups from custom claim 2016-02-12 09:58:18 -08:00
Chao Xu 184440f8ef rename release_1_2 to internalclientset 2016-02-05 14:02:28 -08:00
magicwang-cn d2cf858560 make watch cache sizes configuratable of kube-apiserver 2016-02-05 15:47:27 +08:00
Nikhil Jindal 59820827d4 Merge pull request #20513 from nikhiljindal/apiserverExampleTest
Adding test for apiserver example
2016-02-04 11:28:58 -08:00
nikhiljindal c7beb9078c Updating methods to return error rather than using glog.Fatalf 2016-02-03 16:00:45 -08:00
Chao Xu f9f5736b01 grep sed 2016-02-03 13:06:07 -08:00
k8s-merge-robot 843c11e06a Merge pull request #20452 from caesarxuchao/replace-client-kubelet
Auto commit by PR queue bot
2016-02-02 23:46:58 -08:00
Chao Xu cddd7b56a4 replace client with clientset in kubelet and other places 2016-02-02 20:28:45 -08:00
CJ Cullen 04eb90a5d4 Make tunneler hold tunnels open and healthcheck vs. reopening every 5 minutes.
Also add a test for the Update() logic.
Reordered tunnels vs. storage initialization (prevent a nil ptr panic)
2016-02-02 12:00:29 -08:00
mqliang b0e06c14e5 add a knob to enable quorum read 2016-01-30 20:32:12 +08:00
Clayton Coleman 4d127dc969 Initialize API servers with negotiated serializers
Pass down into the server initialization the necessary interface for
handling client/server content type negotiation. Add integration tests
for the negotiation.
2016-01-22 01:10:22 -05:00
Clayton Coleman 125ef6fbc8 Support content-type negotiation in the API server
A NegotiatedSerializer is passed into the API installer (and
ParameterCodec, which abstracts conversion of query params) that can be
used to negotiate client/server request/response serialization. All
error paths are now negotiation aware, and are at least minimally
version aware.

Watch is specially coded to only allow application/json - a follow up
change will convert it to use negotiation.

Ensure the swagger scheme will include supported serializations - this
now includes application/yaml as a negotiated option.
2016-01-22 00:12:50 -05:00
nikhiljindal 2ad642d370 Merge registered and latest and move to apimachinery 2016-01-21 14:42:21 -08:00
Harry Zhang 936a11e775 Use networking to hold network related pkgs
Change names of unclear methods

Use net as pkg name for short
2016-01-15 13:46:16 +08:00
nikhiljindal f8d6c56ba6 Extracting server run code to genericapiserver 2016-01-08 18:34:34 -08:00
Nagarjun c98364e79b insert space after comment character in cmd folder 2016-01-08 16:25:57 +05:30
Clayton Coleman c0c707d92d Split apiserver flags and initialization
Make it easier to keep defaults and flags clearly identified.
2016-01-06 21:14:30 -05:00
k8s-merge-robot cd097e3f86 Merge pull request #19088 from smarterclayton/separate_service_account
Auto commit by PR queue bot
2016-01-04 08:38:24 -08:00
Justin Santa Barbara f9a6ac077e Ubernetes Lite: Volumes can dictate zone scheduling
For AWS EBS, a volume can only be attached to a node in the same AZ.
The scheduler must therefore detect if a volume is being attached to a
pod, and ensure that the pod is scheduled on a node in the same AZ as
the volume.

So that the scheduler need not query the cloud provider every time, and
to support decoupled operation (e.g. bare metal) we tag the volume with
our placement labels.  This is done automatically by means of an
admission controller on AWS when a PersistentVolume is created backed by
an EBS volume.

Support for tagging GCE PVs will follow.

Pods that specify a volume directly (i.e. without using a
PersistentVolumeClaim) will not currently be scheduled correctly (i.e.
they will be scheduled without zone-awareness).
2015-12-31 12:27:01 -05:00
Clayton Coleman 9dad7e624c Split the serviceaccount package into two parts
Public utility methods and JWT parsing, and controller specific logic.
Also remove the coupling between ServiceAccountTokenGetter and the
authenticator class.
2015-12-26 21:28:12 -05:00
Clayton Coleman 3d5ed379b0 authn.go doesn't belong in pkg/apiserver
apiserver does not need to know about specific authentication
mechanisms, and does not need to take dependencies on all the
authentication packages.
2015-12-26 21:22:22 -05:00