Generate a kubeconfig for use with controller-manager, kubelet,
scheduler etc. This kubeconfig should use the secure https
port of the api server with appropriate ca cert for the components
to talk to api server.
With this change, one can set API_PORT=0 to completely switch off
insecure access for testing admission controllers etc.
Fixes#33375
Automatic merge from submit-queue
make version an explicit choice so zero config and customized work
Makes `/version` key off of setting the version. This allows composers to add a version that is correct.
Automatic merge from submit-queue
Run rbac authorizer from cache
RBAC authorization can be run very effectively out of a cache. The cache is a normal reflector backed cache (shared informer).
I've split this into three parts:
1. slim down the authorizer interfaces
1. boilerplate for adding rbac shared informers and associated listers which conform to the new interfaces
1. wiring
@liggitt @ericchiang @kubernetes/sig-auth
Automatic merge from submit-queue
Change legacy API resource registration
Updates the legacy API resource registration to emphasize its different-ness and to simplify supporting objects. The option has to remain in the genericapiserverconfig for multiple prefixes to enable cases where composers/extenders had composed additional groupless APIs. See OpenShift as an example.
However this is now transparent to "normal" composers.
@ncdc since sttts is out.
Automatic merge from submit-queue
Set deserialization cache size based on target memory usage
**Special notes for your reviewer**:
This is the PR we talked about yesterday.
**Release note**:
```release-note
To reduce memory usage to reasonable levels in smaller clusters, kube-apiserver now sets the deserialization cache size based on the target memory usage.
```
Automatic merge from submit-queue
stop plumbing options to start
The API server should have sufficient information to start itself without relying on an `options` object from a different packages focused on CLI interaction. This provides that separation
@liggitt distinct from other changes
Automatic merge from submit-queue
Add OpenAPI specs to source tree
Similar to swagger spec, adding openapi specs in a separate folder api/openapi-spec
To make sure we generate a consistent spec, parameters need to be sorted first.
Automatic merge from submit-queue
Allow anonymous API server access, decorate authenticated users with system:authenticated group
When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users
It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials.
This PR:
* Adds an option to allow anonymous requests to the secured API port. If enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of `system:anonymous` and a group of `system:unauthenticated`. Note: this should only be used with an `--authorization-mode` other than `AlwaysAllow`
* Decorates user.Info returned from configured authenticators with the group `system:authenticated`.
This is related to defining a default set of roles and bindings for RBAC (https://github.com/kubernetes/features/issues/2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs.
```release-note
kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'.
Authenticated users are decorated with a 'system:authenticated' group.
NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or or set '--anonymous-auth=false'.
```
c.f. https://github.com/kubernetes/kubernetes/issues/29177#issuecomment-244191596
Our typical HTTP Response has a "Date" Header, if we don't add an
additional http header "Access-Control-Expose-Headers: Date" then
the browser based clients cannot use the Date HTTP Header.
Fixes#33231
Automatic merge from submit-queue
Store RequestInfo in Context instead of RequestInfoResolver dependency injection
**Depends on https://github.com/kubernetes/kubernetes/pull/33478**
The `RequestInfoResolver` is used in the proxy handler and in the authorization code. It is passed through half of the apiserver code base to be available at those locations. This PR uses the context instead, which is our natural dependency injection mechanism in the handlers.
`RequestInfo` and all tooling around is moved to `pkg/apiserver/request` temporarily to avoid dependency cycles. This is necessary as long as `pkg/apiserver` implements the proxy and other handlers. Those might move to `pkg/apiserver/handlers` probably later.
Automatic merge from submit-queue
Towards custom handler chains in genericapiserver
**Based on https://github.com/kubernetes/kubernetes/pull/33478**
This PR makes the handler chain construction independent from the genericapiserver instance (with the exception of the `RequestInfoFilter` which will be fixed in https://github.com/kubernetes/kubernetes/pull/33490), i.e. the `Config` is enough to create a custom handler chain.
Automatic merge from submit-queue
Use strongly-typed types.NodeName for a node name
We had another bug where we confused the hostname with the NodeName.
Also, if we want to use different values for the Node.Name (which is
an important step for making installation easier), we need to keep
better control over this.
A tedious but mechanical commit therefore, to change all uses of the
node name to use types.NodeName
We had another bug where we confused the hostname with the NodeName.
To avoid this happening again, and to make the code more
self-documenting, we use types.NodeName (a typedef alias for string)
whenever we are referring to the Node.Name.
A tedious but mechanical commit therefore, to change all uses of the
node name to use types.NodeName
Also clean up some of the (many) places where the NodeName is referred
to as a hostname (not true on AWS), or an instanceID (not true on GCE),
etc.
mbohlool