Skip to content
This repository has been archived by the owner on Apr 4, 2024. It is now read-only.

Commit

Permalink
update knative serving and grpc for security (#189)
Browse files Browse the repository at this point in the history 
* update knative serving and grpc for security

Signed-off-by: Kenny Leung <[email protected]>

* k8s

Signed-off-by: Kenny Leung <[email protected]>

---------

Signed-off-by: Kenny Leung <[email protected]>
  • Loading branch information
@k4leung4
k4leung4 authored Oct 25, 2023
1 parent 97f6b43 commit 65da63e
Show file tree
Hide file tree
Showing 475 changed files with 39,324 additions and 8,316 deletions.
32 changes: 31 additions & 1 deletion config/serving/200-imported/200-serving/100-resources/configuration.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -247,6 +247,19 @@ spec:
description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
type: integer
format: int32
grpc:
description: GRPC specifies an action involving a GRPC port.
type: object
required:
- port
properties:
port:
description: Port number of the gRPC service. Number must be in the range 1 to 65535.
type: integer
format: int32
service:
description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC."
type: string
httpGet:
description: HTTPGet specifies the http request to perform.
type: object
Expand Down Expand Up @@ -355,6 +368,19 @@ spec:
description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
type: integer
format: int32
grpc:
description: GRPC specifies an action involving a GRPC port.
type: object
required:
- port
properties:
port:
description: Port number of the gRPC service. Number must be in the range 1 to 65535.
type: integer
format: int32
service:
description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC."
type: string
httpGet:
description: HTTPGet specifies the http request to perform.
type: object
Expand Down Expand Up @@ -448,7 +474,7 @@ spec:
- type: string
x-kubernetes-int-or-string: true
requests:
description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
additionalProperties:
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
Expand Down Expand Up @@ -603,6 +629,10 @@ spec:
serviceAccountName:
description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/'
type: string
shareProcessNamespace:
description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace
type: boolean
x-kubernetes-preserve-unknown-fields: true
timeoutSeconds:
description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. If unspecified, a system default will be provided.
type: integer
Expand Down
117 changes: 2 additions & 115 deletions config/serving/200-imported/200-serving/100-resources/domain-mapping.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -102,121 +102,8 @@ spec:
CACerts:
description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
type: string
name:
description: Name is the name of the address.
type: string
url:
type: string
annotations:
description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.
type: object
additionalProperties:
type: string
conditions:
description: Conditions the latest available observations of a resource's current state.
type: array
items:
description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties'
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
type: string
message:
description: A human readable message indicating details about the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
severity:
description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition.
type: string
observedGeneration:
description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
type: integer
format: int64
url:
description: URL is the URL of this DomainMapping.
type: string
- name: v1alpha1
served: true
storage: false
deprecated: true
deprecationWarning: The v1alpha1 version of DomainMapping has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1
subresources:
status: {}
schema:
openAPIV3Schema:
description: DomainMapping is a mapping from a custom hostname to an Addressable.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: 'Spec is the desired state of the DomainMapping. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
required:
- ref
properties:
ref:
description: "Ref specifies the target of the Domain Mapping. \n The object identified by the Ref must be an Addressable with a URL of the form `{name}.{namespace}.{domain}` where `{domain}` is the cluster domain, and `{name}` and `{namespace}` are the name and namespace of a Kubernetes Service. \n This contract is satisfied by Knative types such as Knative Services and Knative Routes, and by Kubernetes Services."
type: object
required:
- kind
- name
properties:
address:
description: Address points to a specific Address Name.
type: string
apiVersion:
description: API version of the referent.
type: string
group:
description: 'Group of the API, without the version of the group. This can be used as an alternative to the APIVersion, and then resolved using ResolveGroup. Note: This API is EXPERIMENTAL and might break anytime. For more details: https://github.com/knative/eventing/issues/5086'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is optional field, it gets defaulted to the object holding it if left out.'
type: string
tls:
description: TLS allows the DomainMapping to terminate TLS traffic with an existing secret.
type: object
required:
- secretName
properties:
secretName:
description: SecretName is the name of the existing secret used to terminate TLS traffic.
type: string
status:
description: 'Status is the current state of the DomainMapping. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
properties:
address:
description: Address holds the information needed for a DomainMapping to be the target of an event.
type: object
properties:
CACerts:
description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
audience:
description: Audience is the OIDC audience for this address.
type: string
name:
description: Name is the name of the address.
Expand Down
32 changes: 31 additions & 1 deletion config/serving/200-imported/200-serving/100-resources/revision.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -226,6 +226,19 @@ spec:
description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
type: integer
format: int32
grpc:
description: GRPC specifies an action involving a GRPC port.
type: object
required:
- port
properties:
port:
description: Port number of the gRPC service. Number must be in the range 1 to 65535.
type: integer
format: int32
service:
description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC."
type: string
httpGet:
description: HTTPGet specifies the http request to perform.
type: object
Expand Down Expand Up @@ -334,6 +347,19 @@ spec:
description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
type: integer
format: int32
grpc:
description: GRPC specifies an action involving a GRPC port.
type: object
required:
- port
properties:
port:
description: Port number of the gRPC service. Number must be in the range 1 to 65535.
type: integer
format: int32
service:
description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC."
type: string
httpGet:
description: HTTPGet specifies the http request to perform.
type: object
Expand Down Expand Up @@ -427,7 +453,7 @@ spec:
- type: string
x-kubernetes-int-or-string: true
requests:
description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
additionalProperties:
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
Expand Down Expand Up @@ -582,6 +608,10 @@ spec:
serviceAccountName:
description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/'
type: string
shareProcessNamespace:
description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace
type: boolean
x-kubernetes-preserve-unknown-fields: true
timeoutSeconds:
description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. If unspecified, a system default will be provided.
type: integer
Expand Down
3 changes: 3 additions & 0 deletions config/serving/200-imported/200-serving/100-resources/route.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,9 @@ spec:
CACerts:
description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
type: string
audience:
description: Audience is the OIDC audience for this address.
type: string
name:
description: Name is the name of the address.
type: string
Expand Down
Loading

0 comments on commit 65da63e

Please sign in to comment.