kubernetes/api/api-rules
Damiano Donati 53b163298d
Add --tls-curve-preferences flag for configuring TLS key exchange mechanisms
Introduce support for specifying allowed TLS key exchange mechanisms
(IANA TLS Supported Groups) via a new --tls-curve-preferences flag,
following the same pattern as --tls-cipher-suites.

Curve preferences are specified as numeric IANA TLS Supported Group IDs
(e.g. 23,29,4588) rather than string names. This avoids maintaining a
hardcoded name-to-ID map that would become stale with each Go release,
and ensures new curves (such as Go 1.26's SecP256r1MLKEM768 and
SecP384r1MLKEM1024) work automatically when rebuilding with a newer Go
version -- no code changes required.

Changes:
- Add curves_flag.go in component-base/cli/flag with a simple
  int-to-tls.CurveID cast function
- Add CurvePreferences field ([]int32) to SecureServingOptions, registered
  via IntSliceVar, and wire it through to tls.Config

The order of the list is ignored; Go selects from the set using an
internal preference order. If omitted, Go defaults are used. The set of
accepted values depends on the Go version used to build the binary; see
https://pkg.go.dev/crypto/tls#CurveID for reference.
2026-03-13 14:26:05 +01:00
aggregator_violation_exceptions.list Update violation exceptions 2025-09-10 15:52:59 -04:00
apiextensions_violation_exceptions.list fix lint errors 2025-09-10 20:10:13 -04:00
codegen_violation_exceptions.list Update violation exceptions 2025-09-10 15:52:59 -04:00
README.md Remove generated file rules in make 2022-10-04 08:50:30 -07:00
sample_apiserver_violation_exceptions.list fix lint errors 2025-09-10 20:10:13 -04:00
sample_controller_violation_exceptions.list Regenerate openapi for sample-controller 2026-02-24 16:19:10 +08:00
violation_exceptions.list Add --tls-curve-preferences flag for configuring TLS key exchange mechanisms 2026-03-13 14:26:05 +01:00

Existing API Rule Violations

This folder contains the checked-in report file of known API rule violations. The file violation_exceptions.list is used by the Make rule during OpenAPI spec generation to make sure that no new API rule violations are introduced into our code base.

API Rule Violation Format

The report file violation_exceptions.list uses the format:

  • API rule violation: <RULE>,<PACKAGE>,<TYPE>,<FIELD>

e.g.

  • API rule violation: names_match,k8s.io/api/core/v1,Event,ReportingController

The violation list is sorted alphabetically at each of the <RULE>, <PACKAGE>, <TYPE>, <FIELD> levels.

How to resolve API Rule Check Failure

The Make rule returns an error when the newly generated violation report differs from this checked-in violation report.
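The report format and the comparison against the checked-in list can be sketched as follows. This is an added example, not the Kubernetes Make rule or kube-openapi code; the names `Violation`, `ParseReport` and `NewViolations`, the byte-wise sort comparison and the `example.com/v1` entry are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Violation is one report entry: <RULE>,<PACKAGE>,<TYPE>,<FIELD>.
type Violation struct{ Rule, Package, Type, Field string }

// key orders by rule, package, type, field; byte-wise order is an assumption here.
func (v Violation) key() string { return strings.Join([]string{v.Rule, v.Package, v.Type, v.Field}, "\x00") }

// ParseReport reads a report, rejecting malformed or out-of-order entries.
func ParseReport(text string) (out []Violation, err error) {
	const prefix = "API rule violation: "
	for i, line := range strings.FieldsFunc(text, func(r rune) bool { return r == '\n' }) {
		parts := strings.Split(strings.TrimPrefix(line, prefix), ",")
		if !strings.HasPrefix(line, prefix) || len(parts) != 4 {
			return nil, fmt.Errorf("entry %d: malformed: %q", i+1, line)
		}
		v := Violation{parts[0], parts[1], parts[2], parts[3]}
		if n := len(out); n > 0 && v.key() < out[n-1].key() {
			return nil, fmt.Errorf("entry %d: not sorted: %q", i+1, line)
		}
		out = append(out, v)
	}
	return out, nil
}

// NewViolations returns generated entries that are absent from the checked-in list.
func NewViolations(checkedIn, generated []Violation) (added []Violation) {
	known := map[Violation]bool{}
	for _, v := range checkedIn {
		known[v] = true
	}
	for _, v := range generated {
		if !known[v] {
			added = append(added, v)
		}
	}
	return added
}

func main() { // constructed input; the Event entry is the README's own example
	event := "API rule violation: names_match,k8s.io/api/core/v1,Event,ReportingController"
	old, _ := ParseReport(event)
	cur, err := ParseReport("API rule violation: names_match,example.com/v1,Widget,ItemList\n" + event)
	fmt.Println(NewViolations(old, cur), err)
}
```

The Make rule itself fails on any difference between the two reports; this example isolates the newly introduced entries, which are the ones an API reviewer has to approve.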

Our goal is that exceptions should never be added to this list, only fixed and removed. For new APIs, this is a hard requirement. For APIs that are e.g. being moved between versions or groups without other changes, it is OK for your API reviewer to make an exception.

If you're removing violations from the exception list, or if you have good reasons to add new violations to this list, please update the file using:

  • UPDATE_API_KNOWN_VIOLATIONS=true ./hack/update-codegen.sh

It is up to API reviewers to review the list and make sure new APIs follow our API conventions.

NOTE: please don't hide changes to this file in a "generated changes" commit; treat it as source code instead.

API Rules Being Enforced

For more information about the API rules being checked, please refer to https://github.com/kubernetes/kube-openapi/tree/master/pkg/generators/rules