Commit Graph

54 Commits (c8ea7af912f86e05e22f1e8d0d0b90c8b9fc90d7)

Author SHA1 Message Date
deads2k 60dd4a5d26 interesting changes to add tokenreviews endpoint to implement webhook 2016-08-03 08:37:45 -04:00
Wojciech Tyczynski 4d0d115690 Revert "add tokenreviews endpoint to implement webhook" 2016-07-21 09:40:35 +02:00
deads2k 2c4a9f2e8d interesting changes to add tokenreviews endpoint to implement webhook 2016-07-20 15:11:56 -04:00
Davanum Srinivas 2b0ed014b7 Use Go canonical import paths
Add canonical imports only in existing doc.go files.
https://golang.org/doc/go1.4#canonicalimports

Fixes #29014
2016-07-16 13:48:21 -04:00
k8s-merge-robot 0c696dc95b Merge pull request #27848 from liubin/fix-typos
Automatic merge from submit-queue

fix some typos

Just a minor typo fix.


Signed-off-by: bin liu <liubin0329@gmail.com>
2016-07-06 23:36:49 -07:00
k8s-merge-robot 4d91f0f763 Merge pull request #25137 from huang195/tls_user_emailaddress
Automatic merge from submit-queue

getting emailAddress from TLS cert

Kubernetes, if using a TLS cert to perform authentication, will use the CommonName field of the cert as the authenticating user. In https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authenticator/request/x509/x509.go#L106, alternative methods are defined to use emailAddress or DNSName as the authenticating user. The method that uses the emailAddress is not comprehensive, as this information can be encoded in different places of the certificate. This PR fixes this.
2016-07-06 19:45:01 -07:00
bin liu 426fdc431a Merge branch 'master' into fix-typos 2016-07-04 11:20:47 +08:00
k8s-merge-robot 038ac428f4 Merge pull request #28036 from ericchiang/oidc-auth-plugin-dont-error-if-provider-is-unavailable
Automatic merge from submit-queue

oidc auth plugin: don't hard fail if provider is unavailable

When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.

cc @sym3tri @erictune @aaronlevy @kubernetes/sig-auth
2016-06-30 13:02:16 -07:00
Eric Chiang 2f6db37ff5 oidc auth plugin: don't hard fail if provider is unavailable
When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.
2016-06-29 23:20:26 -07:00
David McMahon ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
CJ Cullen 38a1042199 Add a 5x exponential backoff on 429s & 5xxs to the webhook Authenticator/Authorizer. 2016-06-23 18:15:39 -07:00
CJ Cullen ae67a4e209 Check HTTP Status code in webhook authorizer/authenticator. 2016-06-22 11:15:33 -07:00
bin liu fd27cd47f7 fix some typos
Signed-off-by: bin liu <liubin0329@gmail.com>
2016-06-22 18:14:26 +08:00
Hai Huang 235020ad64 getting emailAddress from TLS cert 2016-05-23 18:36:14 -04:00
k8s-merge-robot 346f965871 Merge pull request #25694 from cjcullen/authncache
Automatic merge from submit-queue

Cache Webhook Authentication responses

Add a simple LRU cache w/ 2 minute TTL to the webhook authenticator.

Kubectl is a little spammy, w/ >= 4 API requests per command. This also prevents a single unauthenticated user from being able to DOS the remote authenticator.
2016-05-21 10:48:38 -07:00
Bobby Rullo e85940ed17 add tests for newOIDCAuthProvider 2016-05-18 17:03:11 -07:00
Bobby Rullo c990462d0f Refactor test oidc provider into its own package
This makes it easier to test other OIDC code.
2016-05-18 17:03:11 -07:00
CJ Cullen 57f96a932f Add expiration LRU cache for webhook token authenticator. 2016-05-18 11:58:11 -07:00
CJ Cullen eb3b0e78b4 Add a webhook token authenticator plugin. 2016-05-10 14:54:35 -07:00
zhouhaibing089 bf1a3f99c0 Uncomment the code that cause by #19254 2016-04-25 23:21:31 +08:00
Joe Finney ae79677fd0 Remove global var for OIDC retry/backoff, and remove retries from unit tests. 2016-04-07 14:18:29 -07:00
zhouhaibing089 83248a9783 move keystone package to password since it is a password authenticator 2016-03-22 23:27:28 +08:00
Harry Zhang a4d04095d0 Refactor crlf & crypto 2016-03-21 20:20:05 +08:00
Eric Chiang 8df55ddbe5 plugin/pkg/auth/authenticator/token/oidc: update test to new go-oidc types
The provider config has changed a little bit in go-oidc. It is more
complete and now throws errors when unmarshaling provider configs
that are missing required fields (as defined by the OpenID Connect
Discovery spec).

Update the oidc plugin to use the new type.
2016-03-01 11:39:18 -08:00
k8s-merge-robot 7f1b699880 Merge pull request #21071 from soltysh/server_close
Auto commit by PR queue bot
2016-02-23 06:34:27 -08:00
k8s-merge-robot f366baeaeb Merge pull request #21128 from yifan-gu/fix_oidc_tailing_slash_issuer
Auto commit by PR queue bot
2016-02-15 17:46:49 -08:00
k8s-merge-robot 43fb544a4a Merge pull request #21001 from ericchiang/oidc_groups
Auto commit by PR queue bot
2016-02-14 05:24:43 -08:00
Eric Chiang 92d37d5cc5 plugin/pkg/auth/authenticator/token/oidc: get groups from custom claim 2016-02-12 09:58:18 -08:00
Dan Williams 905dfd9b77 Fix another instance of golang #12262
Reliably reproducible on two up-to-date Fedora 23 machines using
go 1.5.3, both one Core i7-4770R and a Core i7-4790.

https://github.com/golang/go/issues/12262
2016-02-12 10:04:48 -06:00
Yifan Gu 36bd693d3a oidc: Remove trailing slash before fetching the provider config. 2016-02-12 16:40:45 +08:00
Maciej Szulik 72654d347c Comment out calls to httptest.Server.Close() to work around
https://github.com/golang/go/issues/12262 . See #19254 for
more details. This change should be reverted when we upgrade
to Go 1.6.
2016-02-11 16:16:11 +01:00
Arsen Mamikonyan 8b5e9e2885 Change repository references to https://github.com/kubernetes/kubernetes 2016-01-22 10:23:14 -05:00
Harry Zhang 936a11e775 Use networking to hold network related pkgs
Change names of unclear methods

Use net as pkg name for short
2016-01-15 13:46:16 +08:00
David Oppenheimer 8ac484793d Comment out calls to httptest.Server.Close() to work around
https://github.com/golang/go/issues/12262 . See #19254 for
more details. This change should be reverted when we upgrade
to Go 1.6.
2016-01-11 23:02:11 -08:00
Yifan Gu 04db432fb4 auth: Add Close() for OIDC authenticator. 2015-12-23 01:26:20 -08:00
Yifan Gu 207fb721b9 Godeps: bump go-oidc to fix the race in tests. 2015-12-14 13:32:16 -08:00
Kris 0a4ee958c7 Use http's basic auth instead of manual encoding 2015-11-06 10:19:01 -08:00
Rohith ee691aa1ab [tokenfile]
- the groups field has been changed to a single column option as requested in https://github.com/kubernetes/kubernetes/pull/15704

[docs]
- updated the docs related to the tokenfile along with an example
2015-10-21 10:37:35 +01:00
Rohith f02c80584b [plugin/auth/tokenfile]
- allowing for variable length groups to be added to the static token file

[docs/admin/authentication]
- updating the documentation for token file
2015-10-19 17:14:14 +01:00
eulerzgy f8f9afb874 alias local packagename for pkg/util/errors 2015-10-18 09:37:46 +08:00
Jordan Liggitt 2a1286c8f2 Add util to set transport defaults 2015-10-02 02:29:46 -04:00
Yifan Gu ae22bd5710 plugin/pkg/auth: add tests for OpenID Connect authenticator. 2015-08-21 15:27:08 -07:00
Yifan Gu 6376e41850 plugin/pkg/auth: add OpenID Connect token authenticator.
Also add related new flags to apiserver:
"--oidc-issuer-url", "--oidc-client-id", "--oidc-ca-file", "--oidc-username-claim",
to enable OpenID Connect authentication.
2015-08-21 15:27:08 -07:00
Ruddarraju, Uday Kumar Raju 937db3f70d Keystone authentication plugin 2015-08-13 09:46:30 -07:00
Mike Danese 8e33cbfa28 rewrite go imports 2015-08-05 17:30:03 -07:00
Eric Paris 6b3a6e6b98 Make copyright ownership statement generic
Instead of saying "Google Inc." (which is not always correct) say "The
Kubernetes Authors", which is generic.
2015-05-01 17:49:56 -04:00
Robert Bailey 6d85dcb4a0 Add support for HTTP basic auth to the kube-apiserver. 2015-04-28 10:33:51 -07:00
Tim Hockin 4fcd496d59 change everything to use new util/errors 2015-01-08 22:10:03 -08:00
Rohit Jnagal 62ecd5f3ff Fix few vet errors.
There are quite a few 'composite literal uses unkeyed fields' errors that I have kept out of this patch.
And there's a couple where vet just seems confused. These are the easiest ones.
2015-01-07 08:40:16 +00:00
George Kuan 5e1fc1f4e0 Fixes #1605: make ErrorList introspectable by replacing ErrorList and
ErrorList#ToError with []error and util.SliceToError() respectively
2014-12-12 10:56:31 -08:00