github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
71,298 Commits
32 Branches
881 Tags
633 MiB
Commit Graph

27 Commits (fdcd6de9c088ea1d9efe3bbea07589172d2afa08)

Author SHA1 Message Date
Cheng Xing c65d7c9a49 NodeAuthorizer and NodeRestriction integration test for CSINodeInfo permissions 2018-10-03 14:31:16 -07:00
Cheng Xing becc6a9c19 Implemented logic in kubelet for registering node info, including wiring to CSINodeInfo; added unit tests for node updates; updated RBAC, NodeAuthorizer, NodeRestriction. 2018-09-06 19:16:51 -07:00
Michael Taufen 1b7d06e025 Kubelet creates and manages node leases 
This extends the Kubelet to create and periodically update leases in a
new kube-node-lease namespace. Based on [KEP-0009](https://github.com/kubernetes/community/blob/master/keps/sig-node/0009-node-heartbeat.md),
these leases can be used as a node health signal, and will allow us to
reduce the load caused by over-frequent node status reporting.

- add NodeLease feature gate
- add kube-node-lease system namespace for node leases
- add Kubelet option for lease duration
- add Kubelet-internal lease controller to create and update lease
- add e2e test for NodeLease feature
- modify node authorizer and node restriction admission controller
to allow Kubelets access to corresponding leases
 2018-08-26 16:03:36 -07:00
yue9944882 f624a4efb8 externalize node admission 
fixes internal pod annotation reference

completely strip internal informers from authz initialization
 2018-08-21 23:33:03 +08:00
yue9944882 bc1fb1f7e8 node authz/ad externalization 2018-08-09 10:57:30 +08:00
Michael Taufen b5648c3f61 dynamic Kubelet config reconciles ConfigMap updates 2018-05-21 09:03:58 -07:00
Jordan Liggitt 736f5e2349
Revert "authz: nodes should not be able to delete themselves" 
This reverts commit 35de82094a.
 2018-05-11 09:37:21 -04:00
Jordan Liggitt 8161033be4
Make node restriction admission pod lookups use an informer 2018-05-10 07:53:46 -04:00
Michael Taufen c41cf55a2c explicit kubelet config key in Node.Spec.ConfigSource.ConfigMap 
This makes the Kubelet config key in the ConfigMap an explicit part of
the API, so we can stop using magic key names.

As part of this change, we are retiring ConfigMapRef for ConfigMap.
 2018-05-08 15:37:26 -07:00
Mike Danese 35de82094a authz: nodes should not be able to delete themselves 2018-04-20 10:22:07 -07:00
Michael Taufen ab8dc12333 node authorizer sets up access rules for dynamic config 
This PR makes the node authorizer automatically set up access rules for
dynamic Kubelet config.

I also added some validation to the node strategy, which I discovered we
were missing while writing this.
 2018-03-27 08:49:45 -07:00
Mike Danese b43cd7307d noderestriction: restrict nodes TokenRequest permission 
nodes should only be able to create TokenRequests if:
* token is bound to a pod
* binding has uid and name
* the pod exists
* the pod is running on that node
 2018-02-26 13:46:19 -08:00
Dr. Stefan Schimanski 4e0114b0dd apiserver: make SecureServingOptions and authz/n options re-usable 2018-02-13 11:16:38 +01:00
NickrenREN 7b9d2c046f Use v1beta1 VolumeAttachment 2018-01-31 18:46:11 +08:00
Jordan Liggitt ecfd18e2a6
Add get volumeattachments support to Node authorizer 2018-01-17 00:00:18 -05:00
Jordan Liggitt ba09fadecf
Plumb versioned informers to authz config 2018-01-16 23:30:53 -05:00
Eric Chiang ce0a8303d6 integration: add retries to node authorizer tests 2018-01-10 15:55:18 -08:00
Hemant Kumar 1b76b0b2ff Allow node to update PVC's status 
Implement node policy feature gates
Add tests for node policy update
 2017-11-22 14:32:50 -05:00
Dr. Stefan Schimanski 012b085ac8 pkg/apis/core: mechanical import fixes in dependencies 2017-11-09 12:14:08 +01:00
Dr. Stefan Schimanski 2452afffe0 admission: wire create+update validation func into kube registries 2017-11-02 09:29:16 +01:00
Dr. Stefan Schimanski 7773a30f67 pkg/api/legacyscheme: fixup imports 2017-10-18 17:23:55 +02:00
xilabao f14c138438 add selfsubjectrulesreview api 2017-09-01 19:09:43 +08:00
Huamin Chen 4525446af2 azure file volume: add secret namespace api 
Signed-off-by: Huamin Chen <hchen@redhat.com>
 2017-08-24 14:49:58 +00:00
Jordan Liggitt d65610bf2f
Remove default binding of system:node role to system:nodes group 2017-07-26 13:53:14 -04:00
Daniel Fernandes Martins 81ba522bbe Make NodeRestriction admission allow evictions for bounded pods 2017-07-20 14:20:03 -03:00
Eric Chiang e2f2ab67f2 *: remove --insecure-allow-any-token option 
e2e and integration tests have been switched over to the tokenfile
authenticator instead.

```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```
 2017-07-18 16:03:15 -07:00
Jordan Liggitt fc8e915a4b
Add Node authorization mode based on graph of node-related objects 2017-05-30 16:53:03 -04:00