Commit Graph

1591 Commits

Author SHA1 Message Date
Kubernetes Publisher 2f35c95621 Merge pull request #63409 from mtaufen/kc-validation-feature-gates
Automatic merge from submit-queue (batch tested with PRs 63881, 64046, 63409, 63402, 63221). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Kubelet config: Validate new config against future feature gates

This fixes an issue with KubeletConfiguration validation, where the
feature gates set by the new config were not taken into account.

Also fixes a validation issue with dynamic Kubelet config, where flag
precedence was not enforced prior to dynamic config validation in the
controller; this prevented rejection of dynamic configs that don't merge
well with values set via legacy flags.

Fixes #63305

```release-note
NONE
```

Kubernetes-commit: 6d510f52f266a9a38121435cfd16deb2c45714d7
2018-05-22 02:50:06 +00:00
Kubernetes Publisher e6377e49da Merge pull request #59414 from mbohlool/test_cycle
Automatic merge from submit-queue (batch tested with PRs 59414, 64096).

Fix cyclic dependency of apiserver test for OpenAPI test

Fixes #41748

```release-note
NONE
```

Kubernetes-commit: f5fb740f068da84ac23faf5ef12adcdfbe93d5c5
2018-05-21 22:52:01 +00:00
Kubernetes Publisher a2affdf2c5 Merge pull request #60012 from atlassian/dial-with-context
Automatic merge from submit-queue (batch tested with PRs 60012, 63692, 63977, 63960, 64008).

Use Dial with context

**What this PR does / why we need it**:
`net/http/Transport.Dial` field is deprecated:
```go
// DialContext specifies the dial function for creating unencrypted TCP connections.
// If DialContext is nil (and the deprecated Dial below is also nil),
// then the transport dials using package net.
DialContext func(ctx context.Context, network, addr string) (net.Conn, error)

// Dial specifies the dial function for creating unencrypted TCP connections.
//
// Deprecated: Use DialContext instead, which allows the transport
// to cancel dials as soon as they are no longer needed.
// If both are set, DialContext takes priority.
Dial func(network, addr string) (net.Conn, error)
```
This PR switches all `Dial` usages to `DialContext`. Fixes #63455.

**Special notes for your reviewer**:
Also related: https://github.com/kubernetes/kubernetes/pull/59287 https://github.com/kubernetes/kubernetes/pull/58532 https://github.com/kubernetes/kubernetes/issues/815 https://github.com/kubernetes/community/pull/1166 https://github.com/kubernetes/kubernetes/pull/58677 https://github.com/kubernetes/kubernetes/pull/57932

**Release note**:
```release-note
HTTP transport now uses `context.Context` to cancel dial operations. k8s.io/client-go/transport/Config struct has been updated to accept a function with a `context.Context` parameter. This is a breaking change if you use this field in your code.
```
/sig api-machinery
/kind enhancement
/cc @sttts

Kubernetes-commit: ddf551c24b7d88454f8332ce6855e53281440958
2018-05-19 10:48:07 +00:00
Mikhail Mazurskiy 5b356b15a2 Use Dial with context
Kubernetes-commit: 5e8e570dbda6ed89af9bc2e0a05e3d94bfdfcb61
2018-05-19 08:14:37 +10:00
Kubernetes Publisher 2a0903c3de Merge pull request #63716 from JacobTanenbaum/healthz
Automatic merge from submit-queue (batch tested with PRs 63920, 63716, 63928, 60553, 63946).

Add InstallPathHandler which allows for more than one path to be associated with health checking.

Currently it is only possible to have one group of checks which must all pass for the handler to report success.
Allowing multiple paths for these checks allows use of the same machinery for other kinds of checks, i.e. readiness.

**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

Kubernetes-commit: 23d3b6fc79831688089d49a11c998de7bed7287c
2018-05-18 10:49:41 +00:00
Kubernetes Publisher fb8a00bff1 Merge pull request #63957 from hzxuzhonghu/rm-UID-ctx
Automatic merge from submit-queue (batch tested with PRs 63871, 63927, 63966, 63957, 63844).

remove UID mutation from request.context

**What this PR does / why we need it**:

remove UID mutation from request.context, which is of no use currently.

Fixes #59775

**Special notes for your reviewer**:

**Release note**:

```release-note
Remove UID mutation from request.context.
```

Kubernetes-commit: c13bd2bec2987a850c6ca1993c4e833fc6096644
2018-05-18 02:49:29 +00:00
Kubernetes Publisher 70ad7616f1 Merge pull request #63469 from wojtek-t/allow_list_and_watch_secrets
Automatic merge from submit-queue.

Allow for listing & watching individual secrets from nodes

This PR:
- propagates value of `metadata.name` field from fieldSelector to `name` field in RequestInfo (for list and watch requests)
- authorizes list/watch for requests for single secrets/configmaps coming from nodes

As an example:
```
/api/v1/secrets/namespaces/ns?fieldSelector=metadata.name=foo =>
  requestInfo.Name = "foo",
  requestInfo.Verb = "list"
/api/v1/secrets/namespaces/ns?fieldSelector=metadata.name=foo&watch=true =>
  requestInfo.Name = "foo",
  requestInfo.Verb = "list"
```

```release-note
list/watch API requests with a fieldSelector that specifies `metadata.name` can now be authorized as requests for an individual named resource
```

Kubernetes-commit: b3837d004adab8e1f5f0eae7fdd2ddcd614258a0
2018-05-17 14:50:44 +00:00
xuzhonghu 2fdebcbd7e update bazel
Kubernetes-commit: 84678b2882ee2a2642ae447ad455329cd33006a8
2018-05-17 11:40:04 +08:00
xuzhonghu d6a18bbf53 remove request context.WithUID
Kubernetes-commit: 7ea612db162c65eca16a00b6b5cd83a93bd05b1d
2018-05-17 11:39:48 +08:00
Kubernetes Publisher 2ee95e8ed1 Merge pull request #63880 from sttts/sttts-move-scheme-ref-obj-to-smp
Automatic merge from submit-queue.

apimachinery: move schema reference object into smp patcher

The schema reference object is only used in the strategic merge patch code path. This PR moves the creation there.

This PR is a preparation to make the patcher compatible with the UnstructuredObjectConverter without internal types. It will allow us to return an error on missing kinds at https://github.com/kubernetes/kubernetes/pull/63830#discussion_r188171025.

Kubernetes-commit: 0e42990eee7705bc95d58647a1e9baef496d926a
2018-05-16 02:52:00 +00:00
Kubernetes Publisher 807bf65609 Merge pull request #63550 from juanvallejo/jvallejo/move-cached-discovery
Automatic merge from submit-queue.

move cached_discovery to client-go/discovery

**Release note**:
```release-note
NONE
```

Moves the cmd/util CachedDiscoveryClient to client-go

cc @soltysh @deads2k

Kubernetes-commit: f2ea83bef88f9d2783abe0c00de563db13ec04f4
2018-05-15 18:56:04 +00:00
Kubernetes Publisher c1b24adeb0 Merge pull request #63779 from wojtek-t/number_of_watchers_metrics
Automatic merge from submit-queue (batch tested with PRs 63792, 63495, 63742, 63332, 63779).

Track a metric of the number of registered watchers in apiserver

Kubernetes-commit: bd0d093701099fdf68221d23c031c931e7a847ac
2018-05-15 18:55:15 +00:00
Dr. Stefan Schimanski c4d743d011 apiextensions: only create patch reference object for smp path
Kubernetes-commit: 9745d6c11927686d99b80af45e4a631e155ebf80
2018-05-15 19:35:05 +02:00
Kubernetes Publisher 0132b6986d Merge pull request #62695 from CaoShuFeng/duplicated_status
Automatic merge from submit-queue.

avoid duplicate status in audit events

Fixes: https://github.com/kubernetes/kubernetes/issues/60108

**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:
/assign @sttts @tallclair

**Release note**:

```
Action required: When Response is a metav1.Status, it is no longer copied into the audit.Event status. Only the "status", "reason" and "code" fields are set.
```

Kubernetes-commit: d0f4a8fa17221f79babad9338955be38b8716e78
2018-05-15 14:54:50 +00:00
Kubernetes Publisher 33713346ef Merge pull request #63557 from apelisse/dry-run-path
Automatic merge from submit-queue (batch tested with PRs 63603, 63557, 62015).

apiserver: Fail if dry-run query param is specified

Adds a dry-run query parameter now that does nothing but reject the request. The sooner we have this check in master, the safer it will be for clients to send dry-run requests that are not going to be applied nonetheless.

```release-note
Create a new `dryRun` query parameter for mutating endpoints. If the parameter is set, then the query will be rejected, as the feature is not implemented yet. This will allow forward compatibility with future clients; otherwise, future clients talking with older apiservers might end up modifying a resource even if they include the `dryRun` query parameter.
```

Kubernetes-commit: 6aa6051fabacc7ef8dcdfc53deb77a3550e4ccb7
2018-05-15 14:53:58 +00:00
Kubernetes Publisher 5457deb7cb Merge pull request #63100 from ravisantoshgudimetla/priority-beta-api
Automatic merge from submit-queue (batch tested with PRs 55511, 63372, 63400, 63100, 63769).

Create pkg/scheduling/apis/v1beta1 and move priorityClass to beta

**What this PR does / why we need it**:
This is for creating pkg/apis/scheduling/v1beta1 so that priorityClasses could be moved to beta.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of #57471

**Special notes for your reviewer**:
/cc @bsalamat @aveshagarwal

**Release note**:

```release-note
The `PriorityClass` API is promoted to `scheduling.k8s.io/v1beta1`
```

Kubernetes-commit: a1b54f3c99f2ae4d7d10c269939e5c0bb6d03e6f
2018-05-14 22:53:57 +00:00
wojtekt 27dca16e75 Track number of registered watchers in apiserver
Kubernetes-commit: bdd9492da0c992e532c5e5d07cae3b68c9b7b78f
2018-05-14 11:22:10 +02:00
Antoine Pelisse 7d9df7dc93 apiserver: Fail if dry-run query param is specified
Kubernetes-commit: 98613924ea282ef70a6f9a14dda11e854fe02c28
2018-05-11 14:59:47 -07:00
Kubernetes Publisher ccacb1b746 Merge pull request #63185 from hanxiaoshuai/fixbug0426
Automatic merge from submit-queue (batch tested with PRs 63246, 63185).

add checks validation MinRequestTimeout of ServerRunOptions

**What this PR does / why we need it**:
add checks validation MinRequestTimeout of ServerRunOptions
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:
I think we should check MinRequestTimeout > 0 (like RequestTimeout), in Validate() of ServerRunOptions. If it is not necessary, close this PR. Thanks
**Release note**:

```release-note
NONE
```

Kubernetes-commit: afd93b6e466a5abd435fba8dd7fab693512ef2ea
2018-05-11 14:53:20 +00:00
Kubernetes Publisher 6b8d3681c0 Merge pull request #63468 from jeffchanjunwei/master
Automatic merge from submit-queue (batch tested with PRs 59727, 63468).

fix annotation of APIGroupInfo

**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

Kubernetes-commit: e59ae29fbc8158503538faa3f6c7f07711a412e8
2018-05-11 14:52:34 +00:00
Kubernetes Publisher b9a350888a Merge pull request #59727 from wgliang/master.time
Automatic merge from submit-queue.

should use time.Since instead of time.Now().Sub

**What this PR does / why we need it**:
should use time.Since instead of time.Now().Sub

**Special notes for your reviewer**:

Kubernetes-commit: 7eb88f11d23d2be7dc3a91f727a1a77a0abac5e8
2018-05-11 14:52:34 +00:00
Jeff Chan ba35c04ba6 sync: squashed up to merge f8386d5b0f6d1bf69f67b01c0854b4171bca0318 in e59ae29fbc8158503538faa3f6c7f07711a412e8
2018-05-11 14:52:34 +00:00
Kubernetes Publisher 9eace2bad2 Merge pull request #62194 from AdamDang/patch-1
Automatic merge from submit-queue (batch tested with PRs 62665, 62194, 63616, 63672, 63450).

Correct the returned message

Line 73 and line 103:
return fmt.Errorf("expected ResponseBody to be nil, got non-nill '%s'", events[i].ResponseObject.Raw)
"non-nill" should be changed to "non-nil"

Kubernetes-commit: 0bdb73c05d0cc0741e40a53ccdf9ff7ce062c204
2018-05-11 14:52:33 +00:00
Jacob Tanenbaum 6a0cc50341 Add InstallPathHandler which allows for more than one path to be associated with health checking.
Currently it is only possible to have one group of checks which must all pass for the handler to report success.
Allowing multiple paths for these checks allows use of the same machinery for other kinds of checks, i.e. readiness.

Kubernetes-commit: 2082a0f42851c47620ce31f257dcb5536abae014
2018-05-10 16:21:39 -04:00
Kubernetes Publisher e8be539e49 Merge pull request #63593 from justinsb/typo_in_envelope_error_message
Automatic merge from submit-queue (batch tested with PRs 63593, 63539).

Fix typo in envelope transform error message

genvelope -> envelope

```release-note
NONE
```

Kubernetes-commit: 662f543ebf5c0936f139992eb462422ffb7bd71e
2018-05-09 22:46:39 +00:00
Kubernetes Publisher 9b12a5bde3 Merge pull request #63565 from roycaihw/bump-kube-openapi-dep
Automatic merge from submit-queue (batch tested with PRs 59034, 63565, 63533).

Bump kube-openapi dependency

picks: https://github.com/kubernetes/kube-openapi/pull/67
ref: https://github.com/kubernetes/kubernetes/issues/63494

**Release note**:

```release-note
NONE
```

Kubernetes-commit: 3663dc757e05fb79f23a14ad4f2ba832d6e5962c
2018-05-09 18:47:42 +00:00
Kubernetes Publisher 2c61339eea Merge pull request #63537 from fisherxu/returnErr
Automatic merge from submit-queue.

Return error when has no RequestInfo in handlerchain

**What this PR does / why we need it**:
We should return an error when there is no RequestInfo.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

Kubernetes-commit: 5d6997ad0298fda8280c1aee4fa7aab8ddcecd1c
2018-05-09 18:47:05 +00:00
ravisantoshgudimetla 0123d71942 Generated
Kubernetes-commit: f20bd00ab279ad4ac6e887007c5dad6bbc4b3bb9
2018-05-09 11:17:18 -04:00
Justin Santa Barbara f9ec73e95b Fix typo in envelope transform error message
Kubernetes-commit: 8f87e5c7dab27671e1f68356e825deab879630bf
2018-05-09 09:36:29 -04:00
Kubernetes Publisher 842a38c082 Merge pull request #63364 from deads2k/api-16-scheme
Automatic merge from submit-queue (batch tested with PRs 63364, 63464).

simplify api registration

The current registration and groupmeta is only used to determine a preferred ordering to versions. The scheme already knows about all versions, so this simply makes that knowledge official. After doing that, the announce, registered, and apimachinery/pkg/apimachinery all drop out.

With this change we'll be able to create `install` packages for each external apigroup that accept a scheme and have suggested orderings.  This will make it possible to close the consistency gap with kubectl, client, and apiserver.

@kubernetes/sig-api-machinery-pr-reviews
@lavalamp @smarterclayton @liggitt @sttts

```release-note
NONE
```

Kubernetes-commit: f929502282b370ceb3adae4816074142d6702c8b
2018-05-09 02:46:58 +00:00
Kubernetes Publisher a836482fc0 Merge pull request #63070 from hanxiaoshuai/fix0424
Automatic merge from submit-queue.

Refactor hard code in rest_test.go

**What this PR does / why we need it**:
Refactor hard code in rest_test.go
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

Kubernetes-commit: a848537dbbbfcd96f4b21103e91f41984845d368
2018-05-09 02:46:18 +00:00
Haowei Cai 52f212a452 generated
Kubernetes-commit: 18fd392c1358fccdac0905e29ae957b2ddcd213a
2018-05-08 17:27:17 -07:00
juanvallejo daa9db186d move cached_discovery to client-go/discovery
Kubernetes-commit: 405935574307d460124f30df06860dc670aa634c
2018-05-08 13:50:36 -04:00
fisherxu f9c5e9f3a1 should return error when has no RequestInfo
Kubernetes-commit: 483ce1b1f3caf16cfda20f16bf65742fc43cff79
2018-05-08 21:44:17 +08:00
hangaoshuai ca5f87b89a Refactor hard code in rest_test.go
Kubernetes-commit: de1f2c8310fbefbbc6ac38ce6ca2dd90d781b5f5
2018-05-08 15:42:06 +08:00
Kubernetes Publisher 53c96b313d Merge pull request #63460 from appscode/fix-admission
Automatic merge from submit-queue.

Don't panic if admission options is nil

Since [1.10 release](https://github.com/kubernetes/apiserver/blob/release-1.10/pkg/server/options/recommended.go#L43) admission options are enabled by default. This was not the case in 1.9 release. Admission plugins seem unnecessary for a webhook server. This change is needed so that disabling admission options doesn't cause a panic.

```release-note
NONE
```

@deads2k @sttts

ref: https://github.com/openshift/generic-admission-server/pull/14

Kubernetes-commit: 52017b600b5bc3e14f2dc6934daadf0518665a8d
2018-05-07 14:47:04 +00:00
David Eads c41d1d0993 simplify api registration
Kubernetes-commit: c5445d3c56e06ab366b9cca34bd69c5cc386ec47
2018-05-07 08:32:20 -04:00
David Eads e0a4bf349f generated
Kubernetes-commit: 7b4f97aca3f47aed1161a20636a1a078a63c9fd9
2018-05-07 08:32:03 -04:00
wojtekt 6d795842cd Requires single name for list and watch
Kubernetes-commit: f344c5c0621b3e187ade02a6858bccb2c2d641bd
2018-05-06 15:15:32 +02:00
tamal b534ae405b Don't panic if admission options is nil
Kubernetes-commit: bc04c091c3ca0320a6fa83ef35f891d21423afbb
2018-05-05 11:59:28 -07:00
Kubernetes Publisher b994bba354 Merge pull request #63346 from roycaihw/bump-kube-openapi
Automatic merge from submit-queue (batch tested with PRs 61455, 63346, 63130, 63404).

Bump kube-openapi dependency

**What this PR does / why we need it**:
Pick up https://github.com/kubernetes/kube-openapi/pull/64

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #63218

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

/sig api-machinery
/cc @mbohlool @liggitt

Kubernetes-commit: 89e6895e1c550658b7c145436868b70fb3cabbcd
2018-05-04 02:47:03 +00:00
Kubernetes Publisher f5fab1e81b Merge pull request #61455 from liggitt/uid-conflict
Automatic merge from submit-queue.

Deprecate repair-malformed-updates flag, move object meta mutation into BeforeCreate

closes #23297

```release-note
NONE
```

Kubernetes-commit: 4e3efbe36496fb6a8b62eec437ba2298b4b2e4d4
2018-05-04 02:46:26 +00:00
Michael Taufen 959ccfb7c3 Kubelet config: Validate new config against future feature gates
This fixes an issue with KubeletConfiguration validation, where the
feature gates set by the new config were not taken into account.

Also fixes a validation issue with dynamic Kubelet config, where flag
precedence was not enforced prior to dynamic config validation in the
controller; this prevented rejection of dynamic configs that don't merge
well with values set via legacy flags.

Kubernetes-commit: 647e90341ca08640ab8fb3d49edb8027faf4836f
2018-05-03 11:05:33 -07:00
Kubernetes Publisher 8bb94c1e46 Merge pull request #63213 from filmil/oidc-dist-claims
Automatic merge from submit-queue.

Implements OIDC distributed claims.

Next step to enable this feature is to enable claim caching.

A distributed claim allows the OIDC provider to delegate a claim to a
separate URL.  Distributed claims are of the form as seen below, and are
defined in the OIDC Connect Core 1.0, section 5.6.2.

See: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims

Example claim:

```
{
  ... (other normal claims)...
  "_claim_names": {
    "groups": "src1"
  },
  "_claim_sources": {
    "src1": {
      "endpoint": "https://www.example.com",
      "access_token": "f005ba11"
    }
  }
}
```

Example response to a followup request to https://www.example.com is a
JWT-encoded claim token:

```
{
  "iss": "https://www.example.com",
  "aud": "my-client",
  "groups": ["team1", "team2"],
  "exp": 9876543210
}
```

Apart from the indirection, the distributed claim behaves exactly
the same as a standard claim.  For Kubernetes, this means that the
token must be verified using the same approach as for the original OIDC
token.  This requires the presence of "iss", "aud" and "exp" claims in
addition to "groups".

All existing OIDC options (e.g. groups prefix) apply.

Any claim can be made distributed, even though the "groups" claim is
the primary use case.

Allows groups to be a single string due to
https://github.com/kubernetes/kubernetes/issues/33290, even though
OIDC defines "groups" claim to be an array of strings. So, this will
be parsed correctly:

```
{
  "iss": "https://www.example.com",
  "aud": "my-client",
  "groups": "team1",
  "exp": 9876543210
}
```

Expects that distributed claims endpoints return JWT, per OIDC specs.

In case both a standard and a distributed claim with the same name
exist, standard claim wins.  The specs seem undecided about the correct
approach here.

Distributed claims are resolved serially.  This could be parallelized
for performance if needed.

Aggregated claims are silently skipped.  Support could be added if
needed.

**What this PR does / why we need it**: Makes it possible to retrieve many group memberships by offloading to a dedicated backend for groups resolution.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #62920

**Special notes for your reviewer**:
There are a few TODOs that seem better handled in separate commits.

**Release note**:

```release-note
Lays groundwork for OIDC distributed claims handling in the apiserver authentication token checker.

A distributed claim allows the OIDC provider to delegate a claim to a
separate URL.  Distributed claims are of the form as seen below, and are
defined in the OIDC Connect Core 1.0, section 5.6.2.

For details, see:
http://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
```

Kubernetes-commit: ab9f64afa997c3e7164c7f3705c915fa68a3ffb1
2018-05-03 06:46:43 +00:00
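
The resolution rules listed in the OIDC distributed claims commit message above, as an added Go example that is not code from the Kubernetes PR. The `Fetcher` hook (assumed to verify the JWT signature), all function names, and checking `iss`/`aud` against the configured issuer and client ID are assumptions of this example; the sample tokens are constructed from the JSON shown in the message.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Claims is a decoded JWT payload.
type Claims map[string]interface{}

// Fetcher is a hypothetical hook: it requests the endpoint with the access
// token, verifies the returned JWT's signature and returns its payload.
type Fetcher func(endpoint, accessToken string) (Claims, error)

var ErrNoClaim = errors.New("no usable groups claim")

// Constructed samples modelled on the two JSON documents in the commit message.
const sampleIDToken = `{"iss":"https://www.example.com","aud":"my-client",
 "_claim_names":{"groups":"src1"},"_claim_sources":{"src1":
 {"endpoint":"https://www.example.com","access_token":"f005ba11"}}}`
const sampleClaimToken = `{"iss":"https://www.example.com","aud":"my-client",
 "groups":["team1","team2"],"exp":9876543210}`

func parse(s string) (c Claims) {
	if err := json.Unmarshal([]byte(s), &c); err != nil {
		panic(err)
	}
	return c
}

// toStrings accepts a claim given as one string or as an array of strings.
func toStrings(v interface{}) ([]string, error) {
	if s, ok := v.(string); ok {
		return []string{s}, nil
	}
	list, ok := v.([]interface{})
	if !ok {
		return nil, fmt.Errorf("unsupported claim type %T", v)
	}
	out := make([]string, 0, len(list))
	for _, e := range list {
		s, ok := e.(string)
		if !ok {
			return nil, fmt.Errorf("non-string element %v", e)
		}
		out = append(out, s)
	}
	return out, nil
}

// checkRegistered enforces the "iss", "aud" and "exp" requirements on the claim token.
func checkRegistered(c Claims, issuer, clientID string, now int64) error {
	if iss, _ := c["iss"].(string); iss != issuer {
		return fmt.Errorf("claim token: iss %q, want %q", iss, issuer)
	}
	auds, _ := toStrings(c["aud"]) // "aud" may be a string or an array
	match := false
	for _, a := range auds {
		match = match || a == clientID
	}
	if exp, ok := c["exp"].(float64); !match || !ok || int64(exp) <= now {
		return errors.New("claim token: aud mismatch, or exp missing or past")
	}
	return nil
}

// Groups resolves "groups" from a standard claim or, failing that, a distributed one.
func Groups(c Claims, issuer, clientID string, now int64, fetch Fetcher) ([]string, error) {
	if v, ok := c["groups"]; ok {
		return toStrings(v) // standard claim wins over a distributed one
	}
	names, _ := c["_claim_names"].(map[string]interface{})
	sources, _ := c["_claim_sources"].(map[string]interface{})
	srcName, _ := names["groups"].(string)
	src, _ := sources[srcName].(map[string]interface{})
	endpoint, _ := src["endpoint"].(string)
	if endpoint == "" {
		return nil, ErrNoClaim // not distributed, or an aggregated source: skipped
	}
	token, _ := src["access_token"].(string)
	remote, err := fetch(endpoint, token)
	if err != nil {
		return nil, fmt.Errorf("fetching %s: %w", endpoint, err)
	}
	if err := checkRegistered(remote, issuer, clientID, now); err != nil {
		return nil, err
	}
	return toStrings(remote["groups"])
}

func main() {
	fetch := func(string, string) (Claims, error) { return parse(sampleClaimToken), nil }
	fmt.Println(Groups(parse(sampleIDToken), "https://www.example.com", "my-client", 1700000000, fetch))
}
```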
Kubernetes Publisher cedbac58da Merge pull request #62657 from matthyx/master
Automatic merge from submit-queue.

Update all script shebangs to use /usr/bin/env interpreter instead of /bin/interpreter

This is required to support systems where bash doesn't reside in /bin (such as NixOS, or the *BSD family) and allow users to specify a different interpreter version through $PATH manipulation.
https://www.cyberciti.biz/tips/finding-bash-perl-python-portably-using-env.html
```release-note
Use /usr/bin/env in all script shebangs to increase portability.
```

Kubernetes-commit: b5f61ac129019d314e473584c1491b7ca62144c7
2018-05-03 06:46:06 +00:00
Kubernetes Publisher e9bd8cfeea Merge pull request #63349 from smarterclayton/decorator
Automatic merge from submit-queue (batch tested with PRs 63349, 63294).

Decorator for Create should be called on out, not obj

Kubernetes-commit: 9e72003b9d3c80a510e5913af432fad740519c32
2018-05-03 02:45:50 +00:00
Clayton Coleman 4d98a75cb5 Decorator for Create should be called on out, not obj
obj is not what we return

Kubernetes-commit: 1002f80569d80eadff485dce74cf5d4bf05aac35
2018-05-02 01:25:24 -04:00
Kubernetes Publisher 761b3ff9fe Merge pull request #63309 from deads2k/server-13-rootscopedkind
Automatic merge from submit-queue.

remove rootscopedkinds from groupmeta

builds on https://github.com/kubernetes/kubernetes/pull/63206

Since a RESTMapping can only be determined based on a connection to a server, the only thing that needs to know the namespaced-ness of a resource is the code doing the registration. Everything else is derived from that source of truth. This removes the other dangling references and collapses down onto the existing namespaced-ness methods in the strategies backing the stores.

@kubernetes/sig-api-machinery-pr-reviews

```release-note
NONE
```

Kubernetes-commit: dc7f07421351cf75ce3491c63f955d857426e835
2018-05-02 02:45:10 +00:00
Haowei Cai f2dec0b5d9 Bump kube-openapi dependency
Kubernetes-commit: 212814a0c6625d9359afbdbfa50f8e187e59fc0e
2018-05-01 17:33:27 -07:00
Kubernetes Publisher bd62696dfb Merge pull request #63206 from deads2k/api-11-restmapper
Automatic merge from submit-queue.

remove incorrect static restmapper from type registry

A RESTMapping can only be determined by inspecting a server since discovery is the authoritative source of mapping decisions.  This removes a deceptive method from the type registry and makes the old logic available for existing tests in a separate, clearly labeled package.

@kubernetes/sig-api-machinery-pr-reviews @kubernetes/sig-cli-maintainers

```release-note
NONE
```

Kubernetes-commit: f03f83a20ad6bdda650a19f52f16102962ea17d9
2018-05-01 18:46:13 +00:00