builds on #62868
1. When the incoming patch specified a resourceVersion that failed as a precondition,
the patch handler would retry uselessly 5 times. This PR collapses onto GuaranteedUpdate,
which immediately stops retrying in that case.
2. When the incoming patch did not specify a resourceVersion, and persisting to etcd
contended with other etcd updates, the retry would try to detect patch conflicts with
deltas from the first 'current object' retrieved from etcd and fail with a conflict error
in that case. Given that the user did not provide any information about the starting version
they expected their patch to apply to, this does not make sense, and results in arbitrary
conflict errors, depending on when the patch was submitted relative to other changes made
to the resource. This PR changes the patch application to be performed on the object retrieved
from etcd identically on every attempt.
fixes#58017
SMP is no longer computed for CRD objects
fixes#42644
No special state is retained on the first attempt, so the patch handler correctly handles
the cached storage optimistically trying with a cached object first
Kubernetes-commit: fbd6f3808480d27a83643e82a11c217601b76cbc
This is the combination of a series of changes which individually don't
make any behavioral changes. The original commits are preserved in my
own fork in the refactor-patch-complete branch, as when squashed this is
impossible to review.
This turned a big function with lots of parameters and closures into an
object with multiple functions, fewer closures and more well documented
state transitions.
Kubernetes-commit: 349a99b80e7e6c0c92218c814ae0858fd71609fc
Since we have a custom handler for apiextensions-apiserver,
we need to record the metrics here.
Kubernetes-commit: 74cd45fb21b349dd037e3bfd844459ca5834cca1
Scheme conversion should support unstructured conversion natively to
allow going from unstructured to typed and back. It is not a higher
level responsibility to do that conversion because the scheme is the
only one who knows what types it supports.
Kubernetes-commit: 557f9ddfe6300ecdbdd70ea67dca63bf6b710ea7
Some errors are invoked outside of negotiation. These errors should
still have a kind and apiVersion (which is only set by structured
encoders, not always availabe). Ensure that all errors by default get a
status kind and version set.
Kubernetes-commit: a1e44fc69bf0faeb47e6d2ebfc2709bbc3f17221
We need the go struct tags `patchMergeKey` and `patchStrategy`
for fields that support a strategic merge patch. For native
resources, we can easily figure out these tags since we know
the fields.
Because custom resources are decoded as Unstructured and
because we're missing the metadata about how to handle
each field in a strategic merge patch, we can't find the
go struct tags. Hence, we can't easily do a strategic merge
for custom resources.
So we should fail fast and return an error.
Kubernetes-commit: 79349c93bddcc1125a9d6ea4528c6d63b172f083
Add interpretPatchError to return appropriate http code
(400 or 422) according to the error type.
We add this function in apiserver because we don't want
to mention the http code in apimachinery. The apimachinery
code is also used in kubectl. The client should not return
a server error.
Add a test to validate the http error code and error message.
Kubernetes-commit: e0a2168ecbf8b4e43f932a32fa55cd55215123cc
Allows a caller to know how many exec, log, proxy, and watch calls are
running at the current moment.
Kubernetes-commit: fabce1b893f96bdf466c1fdb1fcf825210c008ae
Remove the MonitorRequest method and replace with a method that takes
request.RequestInfo, which is our default way to talk about API objects.
Preserves existing semantics for calls.
Kubernetes-commit: 10e6dc5ed3573118c56fa8823b387e47c8e8ae06
Before this change:
# kubectl get pods --as=tom
Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default".
After this change:
# kubectl get pods --as=tom
Error from server (Forbidden): pods is forbidden: User "tom" cannot list pods in the namespace "default".
Kubernetes-commit: ab0918673728fc50fc539017c86bbc03fceb0adc
The deleted two functions will be called later in the function
SerializeObject(). Not necessary to call them twice.
Kubernetes-commit: f41eb67798c574b531b5dd542d3284604b142801
https://github.com/kubernetes/kubernetes/pull/47384 makes 403 errors
return Status Object. How the Content-Type is still "text/plain"
This change fix it.
Kubernetes-commit: 36e0a5ed14ae0fb9fd88980f0fce57d076216e2e
Add support for creating resources that are not immediately visible to
naive clients, but must first be initialized by one or more privileged
cluster agents. These controllers can mark the object as initialized,
allowing others to see them.
Permission to override initialization defaults or modify an initializing
object is limited per resource to a virtual subresource "RESOURCE/initialize"
via RBAC.
Initialization is currently alpha.
Kubernetes-commit: 331eea67d8000e5c4b37e2234a90903c15881c2f
All generic registries expose metadata output, and refactor endpoints to
allow negotiation to handle those responses. Add support for
PartialObjectMetadata being returned for objects as well.
Kubernetes-commit: f203e42cb98ed4bac7ad8ebbed717d3bd42f55b6
Subresources are very often completely different code paths and errors
generated on those code paths are important to distinguish.
Kubernetes-commit: ad431c454c1306fdcc2134a3626444984d350f46
change import of client-go/api/helper to kubernetes/api/helper
remove unnecessary use of client-go/api.registry
change use of client-go/pkg/util to kubernetes/pkg/util
remove dependency on client-go/pkg/apis/extensions
remove unnecessary invocation of k8s.io/client-go/extension/intsall
change use of k8s.io/client-go/pkg/apis/authentication to v1
Kubernetes-commit: c354076aa41e3cf417b291d5f0eff2b70395ac30
Simple XSS scans might fetch /<script>alert('vulnerable')</script>, and
fail when the response body includes the script tag verbatim, despite
the headers directing the browser to interpret the response as text.
This isn't a real vulnerability, but it's easier to fix this here than
it is to fix the scanners.
Kubernetes-commit: dd4bb1213d8447632fa651195980cbfae2546fb3
The wrong json package was used, resulting in patches being unmarshaled
with numbers as float64 rather than int64.
This in turn confused HasConflicts() which expects numeric types to match.
The end result was false positives of meaningful conflicts, such as:
```
there is a meaningful conflict (firstResourceVersion: "8517",
currentResourceVersion: "8519"):
diff1={"metadata":{"resourceVersion":"8519"},"spec":{"replicas":0},"status":{"conditions":null,"fullyLabeledReplicas":null,"replicas":0}}
, diff2={"spec":{"replicas":0}}
```
Kubernetes-commit: 1ab6a33db486adc060e1b63eecbdc06aabdde1f6
These lines may contain information that cannot be safely logged to
disk. Only deal with known parameters, also bump to V(2) to be
consistent with other logging.
Kubernetes-commit: f6300555f4c105f60c5a4cb0a0cdfc01899b833d
jennybuckley