github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
51,078 Commits
32 Branches
881 Tags
633 MiB
Commit Graph

579 Commits (f32b390cf08a9afd9f9899e0d97a90eb162b32a8)

Author SHA1 Message Date
Maciej Szulik e6c327048e Forced using batch/v2alpha1 for storing ScheduledJob 2016-08-03 17:25:37 +02:00
k8s-merge-robot 2817674715 Merge pull request #29557 from deads2k/make-prefx-configurable 
Automatic merge from submit-queue

make the resource prefix in etcd configurable for cohabitation

This looks big, its not as bad as it seems.

When you have different resources cohabiting, the resource name used for the etcd directory needs to be configurable.  HPA in two different groups worked fine before.  Now we're looking at something like RC<->RS.  They normally store into two different etcd directories.  This code allows them to be configured to store into the same location.

To maintain consistency across all resources, I allowed the `StorageFactory` to indicate which `ResourcePrefix` should be used inside `RESTOptions` which already contains storage information.

@lavalamp affects cohabitation.
@smarterclayton @mfojtik prereq for our rc<->rs and d<->dc story.
 2016-07-28 03:01:28 -07:00
deads2k aa3db4d995 make the resource prefix in etcd configurable for cohabitation 2016-07-27 07:51:40 -04:00
k8s-merge-robot 0724a9c4dc Merge pull request #28828 from zte-cloud/failmodify 
Automatic merge from submit-queue

modify Failure to failed

use 'failed' is more suitable than 'Failure'
 2016-07-25 12:56:15 -07:00
Dominika Hodovska 037d116add Factory for SharedIndexInformers 2016-07-21 14:04:48 +02:00
Dominika Hodovska ba40a528e1 PluginInitializer as a new part of NewFromPlugins method 2016-07-20 12:53:52 +02:00
Dominika Hodovska fc0a3c6dcb Allow shareable resources for admission control plugins 2016-07-20 12:53:52 +02:00
k8s-merge-robot 411c32bc98 Merge pull request #27520 from olegshaldybin/format-apiserver-options 
Automatic merge from submit-queue

Format apiserver options

Trivial change, code formatting only: it was hard to read long lines, and my editor was really slow when scrolling through them.
 2016-07-19 19:58:01 -07:00
Lucas Käldström 88ea80b572 Remove GOMAXPROCS() calls because they are unnecessary 2016-07-19 11:08:21 +03:00
lojies 77c6176157 modify Failure to failed 2016-07-12 19:11:24 +08:00
David McMahon ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
Oleg Shaldybin e722a41c40 Format apiserver options 
Trivial change, code formatting only: it was really hard to read
apiserver options definition, formatted to follow the same pattern
throughout.
 2016-06-28 12:34:22 -07:00
Alex Mohr edda837142 Merge pull request #25599 from caesarxuchao/orphaning-finalizer 
Add orphaning finalizer logic to GC
 2016-05-26 13:19:19 -07:00
Eric Chiang ef40aa9572 pkg/master: enable certificates API and add rbac authorizer 2016-05-25 14:24:47 -07:00
Chao Xu 1665546d2d add finalizer logics to the API server and the garbage collector; handling DeleteOptions.OrphanDependents in the API server 2016-05-24 13:07:28 -07:00
k8s-merge-robot 346f965871 Merge pull request #25694 from cjcullen/authncache 
Automatic merge from submit-queue

Cache Webhook Authentication responses

Add a simple LRU cache w/ 2 minute TTL to the webhook authenticator.

Kubectl is a little spammy, w/ >= 4 API requests per command. This also prevents a single unauthenticated user from being able to DOS the remote authenticator.
 2016-05-21 10:48:38 -07:00
CJ Cullen 57f96a932f Add expiration LRU cache for webhook token authenticator. 2016-05-18 11:58:11 -07:00
Clayton Coleman 633683c08d
kube-apiserver options should be decoupled from impls 
A few months ago we refactored options to keep it independent of the
implementations, so that it could be used in CLI tools to validate
config or to generate config, without pulling in the full dependency
tree of the master.  This change restores that by separating
server_run_options.go back to its own package.

Also, options structs should never contain non-serializable types, which
storagebackend.Config was doing with runtime.Codec. Split the codec out.

Fix a typo on the name of the etcd2.go storage backend.

Finally, move DefaultStorageMediaType to server_run_options.
 2016-05-18 10:39:21 -04:00
nikhiljindal 5dffe4a969 Moving federation apiserver to use genericapiserver.ServerRunOptions 2016-05-11 23:42:55 -07:00
k8s-merge-robot 0ef4c6407b Merge pull request #24902 from cjcullen/webhookAuthn 
Automatic merge from submit-queue

Webhook Token Authenticator

Add a webhook token authenticator plugin to allow a remote service to make authentication decisions.
 2016-05-11 22:08:58 -07:00
Paul Weil 4970f0c02d PSP admission 2016-05-11 18:07:36 -04:00
CJ Cullen eb3b0e78b4 Add a webhook token authenticator plugin. 2016-05-10 14:54:35 -07:00
nikhiljindal 2ffa3b4586 Moving StorageFactory building logic to genericapiserver 2016-05-10 00:57:11 -07:00
Kevin b7014561c1 Add admission controller to limit pod anti affinity topologykey to node level 2016-05-09 12:23:41 +00:00
Clayton Coleman e0ebcf4216
Split the storage and negotiation parts of Codecs 
The codec factory should support two distinct interfaces - negotiating
for a serializer with a client, vs reading or writing data to a storage
form (etcd, disk, etc). Make the EncodeForVersion and DecodeToVersion
methods only take Encoder and Decoder, and slight refactoring elsewhere.

In the storage factory, use a content type to control what serializer to
pick, and use the universal deserializer. This ensures that storage can
read JSON (which might be from older objects) while only writing
protobuf. Add exceptions for those resources that may not be able to
write to protobuf (specifically third party resources, but potentially
others in the future).
 2016-05-05 12:08:23 -04:00
nikhiljindal 16c0e0a21c Deleting duplicate code from federated-apiserver 2016-05-03 14:04:09 -07:00
Hongchao Deng c0071a1595 add flags to enable etcd3 2016-04-28 09:48:16 +08:00
nikhiljindal f9f1e21e08 Moving master.SSHTunneler to genericapiserver 2016-04-22 11:47:05 -07:00
deads2k 6670b73b18 make storage enablement, serialization, and location orthogonal 2016-04-21 08:18:55 -04:00
Prashanth Balasubramanian 0ac10c6cc2 PetSet type, apps apigroup 2016-04-20 18:49:31 -07:00
nikhiljindal 50a9aceabb Moving more logic to genericapiserver 2016-04-19 00:03:28 -07:00
k8s-merge-robot 62fd60565a Merge pull request #24048 from liggitt/apiserver-defaults 
Automatic merge from submit-queue

Use correct defaults when binding apiserver flags

defaults should be set in the struct-creating function, then the current struct field value used as the default when binding the flag
 2016-04-17 20:59:38 -07:00
k8s-merge-robot a275a045d1 Merge pull request #23914 from sky-uk/make-etcd-cache-size-configurable 
Automatic merge from submit-queue

Make etcd cache size configurable

Instead of the prior 50K limit, allow users to specify a more sensible size for their cluster.

I'm not sure what a sensible default is here. I'm still experimenting on my own clusters. 50 gives me a 270MB max footprint. 50K caused my apiserver to run out of memory as it exceeded >2GB. I believe that number is far too large for most people's use cases.

There are some other fundamental issues that I'm not addressing here:
- Old etcd items are cached and potentially never removed (it stores using modifiedIndex, and doesn't remove the old object when it gets updated)
- Cache isn't LRU, so there's no guarantee the cache remains hot. This makes its performance difficult to predict. More of an issue with a smaller cache size.
- 1.2 etcd entries seem to have a larger memory footprint (I never had an issue in 1.1, even though this cache existed there). I suspect that's due to image lists on the node status.

This is provided as a fix for #23323
 2016-04-17 00:06:31 -07:00
Jordan Liggitt 6c1bcfa28d Use correct defaults when binding apiserver flags 2016-04-14 10:12:51 -04:00
k8s-merge-robot 429228d403 Merge pull request #23953 from nikhiljindal/u8sServer 
Automatic merge from submit-queue

moving genericapiserver command line flags to genericapiserver

cc @kubernetes/sig-api-machinery
 2016-04-13 23:15:24 -07:00
goltermann a3104ba96c Final vet fixes; enabling vet checks in verify scripts. 2016-04-13 13:51:51 -07:00
nikhiljindal 8d7a8c6ae6 moving genericapiserver command line flags to genericapiserver 2016-04-13 13:28:18 -07:00
James Ravn 5bb0595260 Make deserialization cache size configurable 
Instead of the default 50K entries, allow users to specify more sensible
sizes for their cluster.
 2016-04-12 13:42:27 +01:00
deads2k e8fb35d4d8 refactor resource overrides as positive logic interface 2016-03-28 09:24:49 -04:00
k8s-merge-robot 4e4ad61260 Merge pull request #23366 from goltermann/vet 
Auto commit by PR queue bot
 2016-03-24 21:50:56 -07:00
nikhiljindal 1cccfc7074 Disabling swagger ui by default. Adding a flag to enable it 2016-03-23 13:19:22 -07:00
k8s-merge-robot 76369c42be Merge pull request #22939 from resouer/util-sub-dir 
Auto commit by PR queue bot
 2016-03-23 03:34:33 -07:00
k8s-merge-robot 4af38b52b9 Merge pull request #22736 from resouer/fix-util-dev 
Auto commit by PR queue bot
 2016-03-22 19:54:58 -07:00
goltermann 34d4eaea08 Fixing several (but not all) go vet errors. Most are around string formatting, or unreachable code. 2016-03-22 17:26:50 -07:00
Marc Lough 27c6224abe The --etcd-config option has been removed from kube-apiserver so also remove the mention about it. 2016-03-22 20:14:48 +00:00
harry 343b1927d1 Refactor config map into sub pkg 2016-03-21 14:50:57 +08:00
harry f19d59cf35 Move flag into sub pkg 2016-03-14 21:30:38 +08:00
Brian Grant 532ba5a3c6 Merge pull request #21535 from AdoHe/restore_secure_etcd 
restore ability to run against secured etcd
 2016-03-11 12:14:06 -08:00
AdoHe 7228b9b987 restore ability to run against secured etcd 2016-03-11 11:21:16 -05:00
Wojciech Tyczynski 2f6d034cea Workaround long latency of POST pods 2016-03-03 10:45:43 +01:00
k8s-merge-robot d81d823ca5 Merge pull request #22393 from eparis/blunderbuss 
Auto commit by PR queue bot
 2016-03-02 18:51:56 -08:00
Eric Paris 5e5a823294 Move blunderbuss assignees into tree 2016-03-02 20:46:32 -05:00
Kris e664ef922f Move restclient to its own package 2016-02-29 12:05:13 -08:00
k8s-merge-robot 43792754d8 Merge pull request #21469 from wojtek-t/parallel_namespace_deletion 
Auto commit by PR queue bot
 2016-02-27 07:26:49 -08:00
Wojciech Tyczynski 506899008f Parallelization of namespace deletion 2016-02-25 16:33:25 +01:00
Eric Chiang 3116346161 *: add webhook implementation of authorizer.Authorizer plugin 2016-02-22 11:39:07 -08:00
Eric Tune ab8cfb968f Enabled batch API group in apiserver 2016-02-19 09:20:56 -08:00
Piotr Szczesniak 2b614179c7 Fixed options test 2016-02-15 21:39:00 +01:00
Piotr Szczesniak 264c64ec0d Enabled autoscaling API group in apiserver 2016-02-15 21:39:00 +01:00
Daniel Smith 74400c33ae changes for cross-group moves 2016-02-15 21:39:00 +01:00
k8s-merge-robot 43fb544a4a Merge pull request #21001 from ericchiang/oidc_groups 
Auto commit by PR queue bot
 2016-02-14 05:24:43 -08:00
Eric Chiang 92d37d5cc5 plugin/pkg/auth/authenticator/token/oidc: get groups from custom claim 2016-02-12 09:58:18 -08:00
Chao Xu 184440f8ef rename release_1_2 to internalclientset 2016-02-05 14:02:28 -08:00
magicwang-cn d2cf858560 make watch cache sizes configuratable of kube-apiserver 2016-02-05 15:47:27 +08:00
Nikhil Jindal 59820827d4 Merge pull request #20513 from nikhiljindal/apiserverExampleTest 
Adding test for apiserver example
 2016-02-04 11:28:58 -08:00
nikhiljindal c7beb9078c Updating methods to return error rather than using glog.Fatalf 2016-02-03 16:00:45 -08:00
Chao Xu f9f5736b01 grep sed 2016-02-03 13:06:07 -08:00
k8s-merge-robot 843c11e06a Merge pull request #20452 from caesarxuchao/replace-client-kubelet 
Auto commit by PR queue bot
 2016-02-02 23:46:58 -08:00
Chao Xu cddd7b56a4 replace client with clientset in kubelet and other places 2016-02-02 20:28:45 -08:00
CJ Cullen 04eb90a5d4 Make tunneler hold tunnels open and healthcheck vs. reopening every 5 minutes. 
Also add a test for the Update() logic.
Reordered tunnels vs. storage initialization (prevent a nil ptr panic)
 2016-02-02 12:00:29 -08:00
mqliang b0e06c14e5 add a knob to enable quorum read 2016-01-30 20:32:12 +08:00
Clayton Coleman 4d127dc969 Initialize API servers with negotiated serializers 
Pass down into the server initialization the necessary interface for
handling client/server content type negotiation. Add integration tests
for the negotiation.
 2016-01-22 01:10:22 -05:00
Clayton Coleman 125ef6fbc8 Support content-type negotiation in the API server 
A NegotiatedSerializer is passed into the API installer (and
ParameterCodec, which abstracts conversion of query params) that can be
used to negotiate client/server request/response serialization. All
error paths are now negotiation aware, and are at least minimally
version aware.

Watch is specially coded to only allow application/json - a follow up
change will convert it to use negotiation.

Ensure the swagger scheme will include supported serializations - this
now includes application/yaml as a negotiated option.
 2016-01-22 00:12:50 -05:00
nikhiljindal 2ad642d370 Merge registered and latest and move to apimachinery 2016-01-21 14:42:21 -08:00
Harry Zhang 936a11e775 Use networking to hold network related pkgs 
Change names of unclear methods

Use net as pkg name for short
 2016-01-15 13:46:16 +08:00
nikhiljindal f8d6c56ba6 Extracting server run code to genericapiserver 2016-01-08 18:34:34 -08:00
Nagarjun c98364e79b insert space after comment character in cmd folder 2016-01-08 16:25:57 +05:30
Clayton Coleman c0c707d92d Split apiserver flags and initialization 
Make it easier to keep defaults and flags clearly identified.
 2016-01-06 21:14:30 -05:00
k8s-merge-robot cd097e3f86 Merge pull request #19088 from smarterclayton/separate_service_account 
Auto commit by PR queue bot
 2016-01-04 08:38:24 -08:00
Justin Santa Barbara f9a6ac077e Ubernetes Lite: Volumes can dictate zone scheduling 
For AWS EBS, a volume can only be attached to a node in the same AZ.
The scheduler must therefore detect if a volume is being attached to a
pod, and ensure that the pod is scheduled on a node in the same AZ as
the volume.

So that the scheduler need not query the cloud provider every time, and
to support decoupled operation (e.g. bare metal) we tag the volume with
our placement labels.  This is done automatically by means of an
admission controller on AWS when a PersistentVolume is created backed by
an EBS volume.

Support for tagging GCE PVs will follow.

Pods that specify a volume directly (i.e. without using a
PersistentVolumeClaim) will not currently be scheduled correctly (i.e.
they will be scheduled without zone-awareness).
 2015-12-31 12:27:01 -05:00
Clayton Coleman 9dad7e624c Split the serviceaccount package into two parts 
Public utility methods and JWT parsing, and controller specific logic.
Also remove the coupling between ServiceAccountTokenGetter and the
authenticator class.
 2015-12-26 21:28:12 -05:00
Clayton Coleman 3d5ed379b0 authn.go doesn't belong in pkg/apiserver 
apiserver does not need to know about specific authentication
mechanisms, and does not need to take dependencies on all the
authentication packages.
 2015-12-26 21:22:22 -05:00
Andy Goldstein f175a22443 Add admission controller to force image pulls 
Add an admission controller that forces every container's image pull policy to
Always when a pod is created.
 2015-12-22 10:32:40 -05:00
Mike Danese a09d85bd83 expose master count configuration in a cli option on apiserver 2015-12-18 13:10:41 -08:00
nikhiljindal 2d952aaa87 Extracting APIServer machinery code into a library 2015-12-16 13:54:23 -08:00
k8s-merge-robot 6716290903 Merge pull request #18388 from nikhiljindal/clusterName 
Auto commit by PR queue bot
 2015-12-16 03:50:11 -08:00
deads2k d0aaf13920 use constants for group names 2015-12-14 10:04:10 -05:00
nikhiljindal 724b098855 Deleting unused master.ClusterName param 2015-12-11 13:39:19 -08:00
deads2k ec87d74ecb update InterfacesFor to use GroupVersion 2015-12-11 13:45:41 -05:00
Timothy St. Clair 413d8d18fe Futher storage isolation and removal of the tools interface. 2015-12-09 11:04:14 -06:00
k8s-merge-robot 94752c12a8 Merge pull request #18128 from ZJU-SEL/fix-typo 
Auto commit by PR queue bot
 2015-12-07 15:59:08 -08:00
He Simei 387d861d4e deprecate confusing flag usage 2015-12-04 09:09:23 +08:00
nikhiljindal 5c556baa2f Removing duplicate NewEtcdStorage code 2015-12-03 01:37:44 -08:00
gmarek 459131fd92 Use KubeletPort reported in NodeStatus instead of cluster-wide master config, take 2. 2015-12-02 13:38:17 +01:00
k8s-merge-robot a836b1e261 Merge pull request #17326 from caesarxuchao/grooupVersion-lastest 
Auto commit by PR queue bot
 2015-12-01 05:05:40 -08:00
Chao Xu 6e192760e3 refactoring latest.go GroupVersion; 
clean up latest.go GroupVersions;
remove latest.GroupMeta.Group;
remove latest.GroupMeta.Version.
 2015-11-30 11:30:21 -08:00
harry 477da92002 Move hostIP detection from master to server 
Add PublicAddress in test files

Move valid public addr into util
 2015-11-30 16:17:37 +08:00
deads2k a87d927588 update client.Config to use GroupVersion 2015-11-21 08:29:26 -05:00
feisky 13dce74adb Gendocs for docs/admin/kube-* 2015-10-25 19:24:23 +08:00
nikhiljindal 72914fd81b Updating documentation to reflect the latest status of extension resources 2015-10-21 13:03:33 -07:00
nikhiljindal 7bcc4a6755 Allowing runtimeConfig to support enabling/disabling specific extension resources 2015-10-15 14:24:22 -07:00
k8s-merge-robot 8c753c84eb Merge pull request #15191 from caesarxuchao/validate-UID 
Auto commit by PR queue bot
 2015-10-15 04:20:24 -07:00
Chao Xu be0754750f add common fields validation before updaing a resource; make the repair of malformed update request flippable by a flag. 2015-10-13 16:28:32 -07:00
Jordan Liggitt 1043126135 Refactor SSH tunneling, fix proxy transport TLS/Dial extraction 2015-10-12 11:17:01 -04:00
k8s-merge-robot 95b265390e Merge pull request #14900 from mqliang/log 
Auto commit by PR queue bot
 2015-10-10 09:29:53 -07:00
Chao Xu 53eab7ef1e gofmt 2015-10-09 16:04:43 -07:00
Chao Xu 80f213c376 "experimental" -> "extensions" 2015-10-09 15:14:03 -07:00
Chao Xu 0b7e3c7dd1 experimental/v1alpha1->extensions/v1beta1 2015-10-09 15:01:33 -07:00
mqliang 5a349aeb58 capitalize the first letter of log files in module cmd 2015-10-06 13:56:37 +08:00
jayvyas be2a2ec3cd NodePort apiserver option for exposing KubernetesMasterService NodePort on startup. 2015-10-05 20:34:25 -04:00
Wojciech Tyczynski 0f1cbe37a4 Events in separate etcd 2015-10-05 10:54:24 +02:00
eulerzgy b1be6bc8ea add log err value 2015-09-29 17:09:25 +08:00
Chao Xu c449baea46 Remove ExpStorageVersion and Add StorageVersions to APIServer struct 2015-09-24 17:44:59 -07:00
Chao Xu ae1293418b move experimental/v1 to experimental/v1alpha1; 
use "group/version" in many places where used to expect "version" only.
 2015-09-24 15:32:11 -07:00
k8s-merge-robot 6c30a0e170 Merge pull request #13955 from caesarxuchao/API-discovery 
Auto commit by PR queue bot
 2015-09-21 14:01:36 -07:00
Chao Xu 1278771b34 let apiserver support api discovery 2015-09-21 12:20:24 -07:00
Federico Simoncelli f21d9ac9e4 Support pods with containers using host ipc 
Add a HostIPC field to the Pod Spec to create containers sharing
the same ipc of the host.

This feature must be explicitly enabled in apiserver using the
option host-ipc-sources.

Signed-off-by: Federico Simoncelli <fsimonce@redhat.com>
 2015-09-18 21:13:39 +02:00
k8s-merge-robot 445fde3dc5 Merge pull request #13447 from pweil-/pid-mode 
Auto commit by PR queue bot
 2015-09-16 23:34:35 -07:00
Chao Xu 9bef5ff99d register experimental apis as apis/experimental/.. 
mark --api-version as deprecated
 2015-09-15 11:25:01 -07:00
Paul Weil ed80c2b940 pid mode 2015-09-15 13:51:44 -04:00
Chao Xu c733124920 address lavalamp's comments 2015-09-11 17:34:32 -07:00
Chao Xu 3dc5223f4f check if experimental is enabled during startup of client and server 2015-09-11 17:34:32 -07:00
Chao Xu dd6c121d7f massive changes 2015-09-11 17:31:47 -07:00
Daniel Smith ccd9e3e247 Run all automated tools 2015-09-11 16:11:08 -07:00
Daniel Smith 4c2adabf42 move; sed replace 2015-09-11 16:03:22 -07:00
k8s-merge-robot f867ba3ba1 Merge pull request #13682 from ryfow/block-startup-for-cert 
Auto commit by PR queue bot
 2015-09-10 00:24:23 -07:00
k8s-merge-robot 434f05c0e3 Merge pull request #13705 from liggitt/attach 
Auto commit by PR queue bot
 2015-09-09 18:19:35 -07:00
k8s-merge-robot 45742e885c Merge pull request #13452 from aveshagarwal/master-api-rate-burst-remove 
Auto commit by PR queue bot
 2015-09-09 00:42:59 -07:00
Jordan Liggitt b2268574c5 Add pods/attach to long running requests, protect in admission for privileged pods 2015-09-09 00:49:00 -04:00
k8s-merge-robot 015389eba1 Merge pull request #13672 from jayunit100/apiserver-cert-doc 
Auto commit by PR queue bot
 2015-09-08 11:42:28 -07:00
Ryan Fowler d22a29cf66 Block apiserver startup on certificate 
With some regularity, if the root certificate file needs to be generated
the apiserver could come up on the non-secure port before the cert
was generated.

`hack/local-up-cluster.sh` requires that apiserver.crt exists
before the replication controller starts. Otherwise service accounts
and secrets don't work.

This change just takes the certificate handling code out of the `go`.
 2015-09-08 11:35:32 -05:00
jay vyas 4283201aea [minor] cert file cmd line string fix 2015-09-08 09:50:15 -04:00
Ruddarraju, Uday Kumar Raju f8d6f13f7c Union of authorizers 2015-09-04 11:04:50 -07:00
derekwaynecarr ab1f4c5c2c Fix typo in api server flag 2015-09-04 11:38:36 -04:00
Piotr Szczesniak 48b9c365c7 Merge pull request #13308 from timothysc/watch-cache-disable 
Plumb through configuration option to disable watch cache
 2015-09-04 13:40:46 +02:00
Avesh Agarwal f0d0e2a089 Remove unused api-rate and api-burst params. 2015-09-03 17:57:35 -04:00
Piotr Szczesniak 7967642cf0 Implemented first version of InitialResources plugin. 2015-09-01 17:24:13 +02:00
Timothy St. Clair 2145371c45 Plumb through configuration option to disable watch cache 
because we are seeing anomolies on our cluster.
 2015-08-28 12:36:40 -05:00
Yu-Ju Hong 3bc2157889 Merge pull request #13100 from pweil-/cap-priv-sources 
use privileged source object
 2015-08-25 16:10:50 -07:00
Yifan Gu aca6368e3c plugin/oidc: add minor documentation details. 2015-08-24 15:25:26 -07:00
Paul Weil 709e654686 use privileged source object 2015-08-24 16:53:43 -04:00
Yifan Gu 6376e41850 plugin/pkg/auth: add OpenID Connect token authenticator. 
Also add related new flags to apiserver:
"--oidc-issuer-url", "--oidc-client-id", "--oidc-ca-file", "--oidc-username-claim",
to enable OpenID Connect authentication.
 2015-08-21 15:27:08 -07:00
Saad Ali c1a2c6dee7 Merge pull request #10713 from thockin/no-localhost-endpoints 
Check loopback and link-local multicast endpoints
 2015-08-19 12:48:33 -07:00
gmarek 3c907b33e1 Remove external function setting Kubelet flags 2015-08-19 13:20:41 +02:00
Tim Hockin 86f4535871 Check loopback and link-local multicast endpoints 
Previously we just disallowed link-local (unicast).  This disallows loopback
and link-local multicast.
 2015-08-18 21:50:27 -07:00
Kris Rousey ae6c64d9bb Moving everyone to unversioned client 2015-08-18 10:23:03 -07:00
Bin Wang 0547c52c2c Enforce specified service-cluster-ip-range is not too large 2015-08-18 10:35:21 +08:00
Eric Paris 347c7b5b82 Mark some flags as deprecated so thus don't show up in help 2015-08-14 19:28:03 -04:00
Ruddarraju, Uday Kumar Raju 937db3f70d Keystone authentication plugin 2015-08-13 09:46:30 -07:00
Bryan Stenson 9541414742 create cloudprovider "providers" package 
move all providers into new package
    update all references to old package path
 2015-08-11 22:36:51 -07:00
Eric Paris 1333fad22a Remove BindClientConfigFlags entirely 
They are unused.
 2015-08-11 16:26:24 -04:00
Alex Robinson 11fcd3bb39 Merge pull request #12478 from eparis/use-pflag-network 
Use pflags for net.IP and net.IPNet instead of custom flag types
 2015-08-10 11:55:54 -07:00
Eric Paris f3282ff4d2 Use pflag IPNet instead of our own helpers 
Since pflag can handle net.IPNet arguements use that code. This means
that our code no longer has casts back and forth and just natively uses
net.IPNet.
 2015-08-10 10:15:08 -04:00
Eric Paris fe6b633e2a Convert for util.IP to just use a net.IP 
pflag can handle IP addresses so use the pflag code instead of doing it
ourselves. This means our code just uses net.IP and we don't have all of
the useless casting back and forth!
 2015-08-10 10:15:05 -04:00
Veres Lajos 9f77e49109 typofix - https://github.com/vlajos/misspell_fixer 2015-08-08 22:31:48 +01:00
Eric Paris 7cbb52ce04 Use the pflag StringSlice instead of implementing it ourselves 
Saves code and makes our code easier to read because we just use normal
[]string instead of custom type.
 2015-08-06 19:16:13 -04:00
Mike Danese 17defc7383 run gofmt on everything we touched 2015-08-05 17:52:56 -07:00
Mike Danese 8e33cbfa28 rewrite go imports 2015-08-05 17:30:03 -07:00
Muhammed Uluyol 58a875ac2c Add (stopgap) support for an experimental API prefix. 2015-07-30 18:14:29 -07:00
Wojciech Tyczynski 99d6b0e9f4 Rename storage interfaces 2015-07-30 10:34:57 +02:00
Wojciech Tyczynski d17985f1ad Move StorageInterface to pkg/storage. 2015-07-30 09:32:04 +02:00
Brendan Burns 99b02bfe73 Add optional throttling to the proxy/exec/attach methods 2015-07-29 13:51:20 -07:00
Marek Grabowski 7cc1855c27 Merge pull request #11806 from wojtek-t/private_etcd_helper 
Make EtcdHelper private - expose only StorageInterface
 2015-07-27 11:21:28 +02:00
Marek Grabowski 00cd52dd68 Merge pull request #10656 from krousey/timeouts 
Adding proper timeouts.
 2015-07-27 10:56:58 +02:00
Wojciech Tyczynski 9d943df397 Private EtcdHelper 2015-07-27 09:20:13 +02:00
Mike Danese 859f440f74 Merge pull request #11666 from wojtek-t/refactor_etcd_helper 
Extract EtcdHelper interface
 2015-07-24 11:07:46 -07:00
Mike Danese ae1c8e55ef Merge pull request #11737 from thockin/cleanup-remove-v1beta3 
Remove v1beta3
 2015-07-24 10:25:56 -07:00
Wojciech Tyczynski fdb3f45077 Extract EtcdHelper interface 2015-07-24 09:28:02 +02:00
Vish Kannan 2a5a6b99cb Merge pull request #10635 from smarterclayton/cloud_provider_should_err 
Cloud provider should return an error
 2015-07-23 17:50:45 -07:00
Tim Hockin 1c3233a1d4 Remove v1beta3 2015-07-23 17:21:27 -07:00
Wojciech Tyczynski ee92aa3897 Prepare for extracting EtcdHelper interface 2015-07-23 09:37:39 +02:00
Kris Rousey 1d033b9912 Adding proper timeouts. 2015-07-10 14:42:59 -07:00
nikhiljindal c465a50891 Stop exposing v1beta3 by default 2015-07-08 15:27:41 -07:00
Eric Paris cde68d294b Do not create subject alt dns names for kubelet self signed certs 
PR #10643 Started adding the dns names for the kubernetes master to self
sign certs which were created. The kubelet uses this same code, and thus
the kubelet cert started saying it was valid for these name as well.
While hardless, the kubelet cert shouldn't claim to be these things. So
make the caller explicitly list both their ip and dns subject alt names.
 2015-07-04 23:01:01 -04:00
Eric Paris 7a29af4d2c Add Subject Alt Names to self signed apiserver certs 
A cert from GCE shows:
- IP Address:23.236.49.122
- IP Address:10.0.0.1
- DNS:kubernetes,
- DNS:kubernetes.default
- DNS:kubernetes.default.svc
- DNS:kubernetes.default.svc.cluster.local
- DNS:e2e-test-zml-master

A similarly configured self signed cert shows:
- IP Address:23.236.49.122
- IP Address:10.0.0.1
- DNS:kubernetes
- DNS:kubernetes.default
- DNS:kubernetes.default.svc

So we are missing the fqdn kubernetes.default.svc.cluster.local. The
apiserver does not even know the fqdn! it's defined entirely by the
kubelet! We also do not have the cluster name certificate. This may be
--cluster-name= argument to the apiserver but will take a bit more
research.
 2015-07-01 17:05:17 -04:00
Clayton Coleman d8bb4552de Cloud provider should return an error 
Not fatal - makes cloud provider useful in methods that
can return error.
 2015-07-01 14:41:49 -04:00
Aaron Levy e991a1543f Use blank default for old-etcd-prefix 2015-06-26 18:19:40 -07:00
Jordan Liggitt 64d61185eb Re-enable ECDSA private server key use 2015-06-16 23:03:29 -04:00
Mike Danese 677855f1a9 fix longRunningRequestRE to something that doesn'tt push -f orig match pretty much all requests. 2015-06-16 13:48:10 -07:00
Justin Santa Barbara 6f3879e3bb Actually pass down ServiceNodePortRange so it is used 
Also fix default range to match what we've documented (off-by-one)

Fix #9318
 2015-06-08 18:03:42 -04:00
krousey 5aa0219ada Merge pull request #9292 from cjcullen/test_pull_8946 
Add an ssh tunnel option to the /proxy endpoint
 2015-06-08 14:30:12 -07:00
CJ Cullen cb317604ab Some refactoring. Only selectively use ssh proxy. 
Add NetworkName to gce.Config.
Add locking to uses of master.tunnels.
 2015-06-05 14:55:16 -07:00
Brendan Burns 5115fd5703 Add key generation. 2015-06-05 14:55:15 -07:00
Brendan Burns 30a89968a4 Initial proxy tunnelling. 2015-06-05 14:54:20 -07:00
Prashanth Balasubramanian 50eb9ad598 Use https only for the kubelet port 2015-06-05 14:06:38 -07:00
Chao Xu ef61b031f5 make v1 enabled by default 2015-06-04 11:37:44 -07:00
Daniel Smith 1690617ee6 remove ro service 2015-06-03 16:45:54 -07:00
Prashanth Balasubramanian 0162529ea5 Default minRequestTimeout to 1800s 2015-06-03 08:47:45 -07:00
Prashanth Balasubramanian 448867073d Pipe minRequestTimeout as an arg to the apiserver 2015-06-03 08:44:14 -07:00
CJ Cullen 934c553c04 Clarify description/usage of --advertise-address, Master.PublicAddress 2015-06-02 15:23:32 -07:00
CJ Cullen 085a48a70e Add an advertise-address flag. This allows the address that the apiserver binds 
to (possibly 0.0.0.0) to be different than the address on which members of the cluster
can reach the apiserver (possibly not a local interface).
 2015-06-02 14:33:15 -07:00
Eric Tune 3db1f69eea Merge pull request #8764 from eparis/sd_notify 
API server explicitly notify systemd of successful startup
 2015-06-01 10:28:49 -07:00
Kris f4e2c738f6 Delete deprecated API versions 
pkg/service:

There were a couple of references here just as a reminder to change the
behavior of findPort. As of v1beta3, TargetPort was always defaulted, so
we could remove findDefaultPort and related tests.

pkg/apiserver:

The tests were using versioned API codecs for some of their encoding
tests. Necessary API types had to be written and registered with the
fake versioned codecs.

pkg/kubectl:

Some tests were converted to current versions where it made sense.
 2015-05-29 17:17:35 -07:00
Tim Hockin 3005471100 Add new apiserver flags for clusterIP (nee portal) 
Leave old flags but marked as deprecated
 2015-05-28 16:10:44 -07:00
Tim Hockin 4318ca5a8b Rename 'portal IP' to 'cluster IP' most everywhere 
This covers obvious transforms, but not --portal_net, $PORTAL_NET and
similar.
 2015-05-28 16:10:44 -07:00
Eric Paris 9d304774d4 report glog error if unable to tell systemd things worked 2015-05-28 16:01:27 -04:00
Eric Paris 28ac1b3395 API server explicitly notify systemd of successful startup 
Use the systemd $NOTIFY_SOCKET convention for kube-apiserver
startup. This allows it to be part of dependency trees and for
consumers to wait until it is listening on its ports.

The $NOTIFY_SOCKET protocol is described here:

http://www.freedesktop.org/software/systemd/man/sd_notify.html

Currently this is limited to the kube-apiserver process. Other
kube processes are internal kubernetes moving points. The API
server is the entry point relied on by callers.

100% stolen from Stef Walter from:
https://github.com/GoogleCloudPlatform/kubernetes/pull/8316
 2015-05-28 15:59:26 -04:00
Justin Santa Barbara 3bb2fe2425 Create port allocator, based on IP allocator mechanism 
Including some refactoring of IP allocator
 2015-05-22 19:14:28 -04:00
Prashanth Balasubramanian 8a5445d3db Randomize apiserver watch timeouts 2015-05-21 20:52:33 -07:00
Cesar Wong e95d9c416d Admission control to prevent exec on privileged pods 2015-05-21 13:56:51 -04:00
Jordan Liggitt d90e7409e4 Prevent auth recursion for service account tokens 2015-05-16 23:39:07 -04:00
nikhiljindal fa9f864782 Adding a script to update etcd objects 2015-05-15 16:20:35 -07:00
David Oppenheimer 7a21d7ab1f Merge pull request #8053 from jdef/upstream_mesos_cloud 
integrate mesos cloud provider with k8s proper
 2015-05-14 13:57:39 -07:00
Nikhil Jindal d75bd8bf2a Merge pull request #7101 from liggitt/service_account 
ServiceAccounts
 2015-05-12 10:23:41 -07:00
James DeFelice 652c14d8d7 integrate mesos cloud provider into kube apps 2015-05-12 16:02:38 +00:00
Brendan Burns d8f48290e9 Add a flag to disable legacy APIs 2015-05-11 16:09:25 -07:00
Jordan Liggitt 7e14a80f63 ServiceAccount admission plugin 2015-05-11 17:18:06 -04:00
Jordan Liggitt db1f0dc906 JWT token generation/verification 2015-05-11 17:18:06 -04:00
Clayton Coleman e200d5a317 Make PortalIP alloc HA 
* Add an allocator which saves state in etcd
* Perform PortalIP allocation check on startup and periodically afterwards

Also expose methods in master for downstream components to handle IP allocation
/ master registration themselves.
 2015-05-08 13:34:16 -04:00
Brendan Burns 5461231c1c Merge pull request #7567 from endocode/kbeecher/wip_etcd_migrate_keys 
WIP: Add startup code to apiserver to migrate etcd keys
 2015-05-07 10:05:41 -07:00
Zach Loafman 875e83a741 Revert "Revert "Security context - types, kubelet, admission"" 2015-05-05 16:02:13 -07:00
Zach Loafman f48904fd5e Revert "Security context - types, kubelet, admission" 2015-05-05 15:20:39 -07:00
Paul Weil 982bf19c20 security context initial implementation - squash 2015-05-05 13:46:13 -04:00
Karl Beecher 0473f652fd Add startup code to apiserver to migrate etcd keys 
Refs: #3476
 2015-05-05 12:28:14 +02:00
Eric Paris 6b3a6e6b98 Make copyright ownership statement generic 
Instead of saying "Google Inc." (which is not always correct) say "The
Kubernetes Authors", which is generic.
 2015-05-01 17:49:56 -04:00
Brian Grant a4316aa638 Merge pull request #7454 from nikhiljindal/v1 
Cloning v1beta3 as v1 and exposing it in the apiserver
 2015-04-28 18:06:57 -07:00
nikhiljindal c4d7e19c8c Cloning v1beta3 as v1 and exposing it in the apiserver 2015-04-28 16:06:03 -07:00
Brendan Burns c9f4d8e57e Merge pull request #7425 from roberthbailey/basic-auth-headers 
Set the 'WWW-Authenticate' header on 401 responses when basic auth is enabled
 2015-04-28 11:10:05 -07:00
Daniel Smith 19ae113fe0 Merge pull request #7353 from wojtek-t/too_many_dials 
Increase maxIdleConnection limit when creating etcd client in apiserver.
 2015-04-28 11:03:12 -07:00
Robert Bailey 4304b1d24a Set the 'WWW-Authenticate' header on 401 responses when basic 
auth is enabled. This is required for basic auth to work with
web browsers.
 2015-04-28 11:00:05 -07:00
Robert Bailey 6d85dcb4a0 Add support for HTTP basic auth to the kube-apiserver. 2015-04-28 10:33:51 -07:00
Wojciech Tyczynski 07400f9d2b Increase maxIdleConnection limit in etcd client. 2015-04-28 09:50:56 +02:00
Tim Hockin a3d45fada8 Change flags to use dashes in help 2015-04-27 15:11:03 -07:00
Karl Beecher a7623ca6cc Adds ability to define a prefix for etcd paths 
The API server can be supplied (via a command line flag) with a custom
prefix that is prepended to etcd resources paths.

Refs: #3476
 2015-04-24 12:12:39 +02:00
Kenjiro Nakayama c7d3a72c6a Fix gofmt complaint 2015-04-21 09:36:41 +09:00
Kenjiro Nakayama 5e2e59e728 Add more help description to cert_dir flag 2015-04-20 00:35:56 +09:00
Kenjiro Nakayama 51d0443dde Add cert_dir option to kube-apiserver 2015-04-19 17:40:08 +09:00
Alex Robinson 2b14fc1d14 Remove the cloud provider field from the services REST handler and the master 
now that load balancers are handled by the ServiceController.
 2015-04-14 18:56:47 +00:00
Eric Paris 036937227f Use Fprintf to print formatted strings 
Shouldn't be using Fprint() with a format string.
 2015-04-14 10:51:57 -04:00
Eric Paris 8e7d14196f Fix printing errors from failed binary runs 
I had the kublet die on startup and the only error was "0x401da0"  Which
I assume is an address of the err.Error function.  The other way to fix
this, I think, would be to use err.Error(), however that could cause
fmt.Fprintf() problems, debuging on the error message people used.

Now I get a nice clean error I can understand:

"cAdvisor.New() err = mountpoint for cpu not found"
 2015-04-10 17:56:47 -04:00
Timothy St. Clair 2b60111fca Performance change to option enable client.QPS, client.Burst 
and change default on max_requests_inflight.
 2015-04-10 07:53:54 -05:00
Timothy St. Clair 9177baa64c Enable profiling by default re: #6623 2015-04-09 10:52:37 -05:00
Tim Hockin f2c8decffe Clarify network-related flags in the master 
Rename and rejigger flags to make it more obvious what is happening.  Change
the default listen from ChooseHostInterface() to 0.0.0.0.
 2015-04-07 15:55:51 -07:00
Eric Tune e49424785e Merge pull request #6380 from roberthbailey/kubelet-ssl 
Configure the kubelet to use HTTPS (take 2)
 2015-04-03 13:43:00 -07:00
Quinton Hoole 4a2000c4aa Merge pull request #6207 from brendandburns/server 
Add a limit to the number of in-flight requests that a server processes.
 2015-04-02 15:46:54 -07:00
Robert Bailey f15e34a1bf Revert "Merge pull request #6309 from GoogleCloudPlatform/revert-6243-kubelet-ssl" 
This reverts commit 96a0a0d618, reversing
changes made to 2af9b54147.
 2015-04-02 10:44:37 -07:00
Brendan Burns f327e97661 Add a limit to the number of in-flight requests that a server processes. 2015-04-01 15:06:15 -07:00
Robert Bailey 22d9c67cb7 Merge pull request #6190 from liggitt/client_cert_auth 
Add client cert authentication
 2015-04-01 14:11:29 -07:00
Robert Bailey 32a1c052dc Revert "Configure the kubelet to use HTTPS" 2015-04-01 13:59:31 -07:00
Jordan Liggitt c797a91e36 Add client cert authentication 2015-04-01 13:42:26 -04:00
Robert Bailey 58bc792e68 Configure the master to connect to the kubelet using HTTPS. 2015-04-01 09:09:29 -07:00
Brian Grant af858c99e2 Merge pull request #6098 from nikhiljindal/enableInMaster 
Enabling v1beta3 api version by default in master
 2015-03-31 15:31:18 -07:00
derekwaynecarr 9bd7f05ffc Remove ResourceDefaults plugin 2015-03-31 10:05:28 -04:00
nikhiljindal 478b7d5edf Repurposing enableV1beta3 to disableV1beta3 in master config to enable v1beta3 by default 2015-03-30 11:50:10 -07:00
Brian Grant 984bc8d5f6 Merge pull request #5635 from ravigadde/master 
Add timeout to kubelet client
 2015-03-26 14:55:24 -07:00
Brendan Burns 7c684e4331 Pipe through the ability to set the external hostname for swagger URLs. 2015-03-25 21:08:05 -07:00
Victor Marmol cf7e2756b5 Add HostNetworkSources capability to limit use of HostNetwork. 2015-03-25 11:23:06 -07:00
Filip Grzadkowski 74da3b14b0 Delete pod_cache and rely on updating pod status by kublet. 2015-03-25 15:08:09 +01:00
Ravi Gadde 5871e53060 Add timeout to kubelet client 2015-03-20 18:46:45 -07:00
derekwaynecarr 8aa807bc33 NamespaceLifecycle admission control plugin 2015-03-20 13:23:49 -04:00
nikhiljindal 7e36bbab3c Updating integration tests to test both API versions - v1beta1 and 3 2015-03-18 15:24:11 -07:00
Timothy St. Clair 7eebf674d4 Update to option enable profiling on the master daemon processes. 
--profiling=true , default is false
 2015-03-13 10:45:01 -05:00
saadali 7e258b85bd Reduce TTL for events in etcd from 48hrs to 1hr 2015-03-11 12:41:45 -07:00
Filip Grzadkowski 86b1c90097 Add flag to control probing pods statuses from kubelets. 2015-03-02 16:06:14 +01:00
Satnam Singh 19b927ea57 Name a cluster and use it to make forwarding rules for GCE 2015-02-23 17:04:33 -08:00
Tim Hockin cb09571768 keep hyperkube noise in one place 2015-02-20 08:49:12 -08:00
Tim Hockin 899d30f16a move pkg/master/server to cmd/kube-apiserver/app 2015-02-20 08:49:12 -08:00
Daniel Smith fcddefa184 Set GOMAXPROCS. Print errors on stderr. 2015-02-19 10:30:31 -08:00
Joe Beda 6bdede6925 Convert kube-apiserver to hyperkube. 
Part of #108.

Also:
* Added hyperkube cmd (not built by default yet).
* Added version support to hyperkube
* Remove health_check_minions flag from apiserver as it is no longer used with #3733
 2015-01-30 13:06:28 -08:00
Satnam Singh d8bda4006a Increase API rate limit on read only port of apiserver 2015-01-30 11:58:59 -08:00
Deyuan Deng c793c4f0ab Sync node status from node controller to master. 2015-01-29 23:17:15 -05:00
Satnam Singh 7d9845fc83 Parameterize API rate limits for apiserver 2015-01-28 15:08:08 -08:00
derekwaynecarr 4887d71c51 Implement resource quota admission plugin 2015-01-28 15:03:19 -05:00
derekwaynecarr 74f368f50e Modified LimitRangeItem.Kind to LimitRangeItem.Type, added example files 2015-01-27 16:41:28 -05:00
Joe Beda 224ffa4567 Merge pull request #3480 from jbeda/all_pflag 
Convert all main binaries to pflag library
 2015-01-15 11:26:41 -08:00
Eric Tune bc25748b36 Merge pull request #3472 from derekwaynecarr/default_cpu_mem 
Admission control plugin for resource defaults
 2015-01-15 09:35:17 -08:00
Joe Beda 6bd6b905f5 Address code review comments 
Add some documentation.
Create new util.InitFlags() function to merge and parse in one step.
 2015-01-15 09:12:20 -08:00
Joe Beda dcd00c936e Move all kubernetes to posix flags 2015-01-15 09:12:19 -08:00
Paul Morie fd834ae84d Pods should see services only from their own ns 2015-01-14 17:06:36 -05:00
derekwaynecarr 7f724867c2 Admission control plugin for resource defaults 2015-01-14 15:28:59 -05:00
Clayton Coleman 7fd887df61 Enable v1beta3 API via --runtime_config=api/v1beta3 flag 
This exposes the proper v1beta3 API endpoint when the user specifies
the --runtime_config=api/v1beta3 argument to the apiserver. v1beta3
is still considered experimental and subject to change.

--runtime_config is a map of string keys and values, that can be
specified by providing

    --runtime_config=a=b,b=c,d,e

Only the key must be specified, the value can be omitted.

Enables v1beta3 in hack/local-up-cluster.sh and hack/test-cmd.sh
 2015-01-08 13:01:24 -05:00
derekwaynecarr a56087cdf8 Remove client from attributes, remove admission control interface, fix-up error codes 2015-01-07 14:42:31 -05:00
derekwaynecarr 520ae3ef27 Implement basic admission control framework 2015-01-07 14:42:31 -05:00
Jordan Liggitt b36a44f036 Automatically serve API on https with self-signed cert 2015-01-06 09:36:29 -05:00
Clayton Coleman cd4135666e Make Swagger API support optional, so that consumers can define their own 
OpenShift would like to also enable swagger, but we need to register our
services as swagger services prior to the SwaggerAPI being started. I've
added a bool (default false) to master.Config to enable swagger, and split
the method in master out so that a downstream consumer can call it.
 2014-12-15 15:29:55 -05:00
Jordan Liggitt 2475123d3c Bump minimum TLS version from SSLv3 to TLSv1.0 2014-12-10 09:13:15 -05:00
Jordan Liggitt 09ba404fb7 x509 request authenticator 2014-12-09 09:34:16 -05:00
Jordan Liggitt c895331277 Make master take authenticator.Request interface instead of tokenfile 2014-11-19 15:07:51 -05:00
Eric Paris a99c3c7963 rename kube server binaries to kube- 
apiserver becomes kube-apiserver
controller-manager -> kube-controller-manager
scheduler and proxy similarly.

Only thing I promise is that right now hack/build-go.sh and
build/release.sh exit with 0.  That's it.  Who knows if any of this
actually works....
 2014-11-13 20:08:26 -05:00