Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix using defer in loop in cors test
**What this PR does / why we need it**:
fix bug in cors test
**Special notes for your reviewer**:
a small bug fix, wrap defer in a closure
**Release note**:
```release-note
NONE
```
Kubernetes-commit: b5387effe82f94ebc13fc5a924f0d389e8600bf0
Automatic merge from submit-queue (batch tested with PRs 57824, 58806, 59410, 59280). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add some package to code-generator
**What this PR does / why we need it**:
add some package to code-generator and regenerated files.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/cc @sttts
**Release note**:
```release-note
NONE
```
Kubernetes-commit: b309c2f4f034dc5a73f9258199d2359d3f6ec81d
Automatic merge from submit-queue (batch tested with PRs 57824, 58806, 59410, 59280). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add Annotations to advanced audit api
**Release note**:
```release-note
Annotations is added to advanced audit api
```
Kubernetes-commit: db1ed10534231739f17f48895ae0dce861aa1c1c
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559c5c0ab8a2e50b1ee11cc62f9ebb3a8
So we don't need this older style / hard coded / experimental code
anymore.
Kubernetes-commit: 18590378c4491eacdea5cd05f98c92fe84020263
When users or groups are set in a rule, this rule should not match
attribute with unauthorized request where user and group are nil.
Kubernetes-commit: 9a7acaae1d5015886cc7c3bc46fc3d973045dc2a
Automatic merge from submit-queue (batch tested with PRs 59158, 38320, 59059, 55516, 59357). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Promote v1alpha1 meta to v1beta1
No code changes, just renames. We can discuss if there are any field / naming changes here or in a follow-up
Parent #58536Fixes#53224
Prereq to #55637
@kubernetes/sig-api-machinery-pr-reviews @deads2k
```release-note
The `meta.k8s.io/v1alpha1` objects for retrieving tabular responses from the server (`Table`) or fetching just the `ObjectMeta` for an object (as `PartialObjectMetadata`) are now beta as part of `meta.k8s.io/v1beta1`. Clients may request alternate representations of normal Kubernetes objects by passing an `Accept` header like `application/json;as=Table;g=meta.k8s.io;v=v1beta1` or `application/json;as=PartialObjectMetadata;g=meta.k8s.io;v1=v1beta1`. Older servers will ignore this representation or return an error if it is not available. Clients may request fallback to the normal object by adding a non-qualified mime-type to their `Accept` header like `application/json` - the server will then respond with either the alternate representation if it is supported or the fallback mime-type which is the normal object response.
```
Kubernetes-commit: 9ee71b720ed2300d6298bb936d0a7873b5ecf2ac
The registry abstraction is unnecessary and adds direct coupling to the
core types. By using a wrapper, we carry through the default
implementations of the non-mutating operations. The DeleteCollection
method is explicitly patched out since it cannot be correctly
implemented on the storage currently.
As a result, TableConvertor is now exposed.
A few other minor refactorings
* Corrected the case of some variables
* Used functions instead of methods for several helper methods
* Removed the legacy Deleter - service was the only remaining consumer
Kubernetes-commit: 110b064d630ca39220696225dd597e7d33b95f4f
This is revealed by the go/types package, which is stricter than
the Go compiler about unused variables. See also: golang/go#8560
Kubernetes-commit: e04b91facf180c17557a44e8e462858ea2936301
Automatic merge from submit-queue (batch tested with PRs 57683, 59116, 58728, 59140, 58976). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
doc: fix typo in package apiserver
**What this PR does / why we need it**:
fix typo in package apiserver
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 7d07810c6ded46254ed6fb0a86ce895411636887
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix some typos in apiserver filters
**What this PR does / why we need it**:
fix some typos
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: ca17c82b37f3eef25ae71a8a4bb1b16097aa4ff1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add a comment on specical case on authorization
In file /staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go,
function WithAuthorization() returns DecisionAllow before error check.
It is intentional to avoid leaking authorization errors to attackers.
This patch add a comment here to give a hint
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 8f71d6d84013ddbe54a3087b879186bcd7ee4ce1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
deprecate insecure http flags and remove already deprecated flags
**What this PR does / why we need it**:
1. deprecate `insecure-bind-address` `insecure-port` flags
2. remove flags `public-address-override` `address` `port` They are mark deprecated in #36604, which is more than a year ago.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58951
**Special notes for your reviewer**:
**Release note**:
```release-note
Deprecate insecure flags `--insecure-bind-address`, `--insecure-port` and remove `--public-address-override`.
```
Kubernetes-commit: 2f175bc43279a1a4552610a42af0a006f4c6fba2
Automatic merge from submit-queue (batch tested with PRs 58955, 58968, 58971, 58963, 58298). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove dead testing code
Removes a deprecated etcd server init function and stops starting an etc server during unit tests that we never use.
Kubernetes-commit: 52c3ff3ab84391cc9658ba1501ad0e70aff5edcc
Automatic merge from submit-queue (batch tested with PRs 58955, 58968, 58971, 58963, 58298). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove --tls-ca-file which had no effect
The flag has had no effect since we started configuring loopback based on the direct cert. I've marked it deprecated this release so we don't break launch scripts right away, but its coming. I think we should remove it in 1.11.
```release-note-action-required
kube-apiserver flag --tls-ca-file has had no effect for some time. It is now deprecated and slated for removal in 1.11. If you are specifying this flag, you must remove it from your launch config before ugprading to 1.11.
```
Kubernetes-commit: d8f32b291751a707d1682003c0c695a530572afa
Automatic merge from submit-queue (batch tested with PRs 56995, 58498, 57426, 58902, 58863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
cleanup enable/disable api resources code
**What this PR does / why we need it**:
After #57228, `runtime-config` flag has stop support enable/disable resources of a specific groupVersion,
so this pr does some clean work about this.
Mainly delete unused code in `k8s.io/apiserver/pkg/server/storage/resource_config.go`
**Special notes for your reviewer**:
/assign @deads2k @sttts
**Release note**:
```release-note
NONE
```
/kind cleanup
Kubernetes-commit: 5ab8f8cea957ca71b3da4436b6bbcd0abf76546b
Automatic merge from submit-queue (batch tested with PRs 56995, 58498, 57426, 58902, 58863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
flag precedence redo
Changes the Kubelet configuration flag precedence order so that flags take precedence over config from files/ConfigMaps.
This should fix the re-parse issue with #56097 that led to revert.
Fixes#56171.
In order to prevent global flags (registered in 3rd party libs, etc.) from leaking into the command's help text, this PR turns off Cobra's flag parsing in the `kubelet` command and re-implements help and usage funcs for the Kubelet. Cobra's default funcs automatically merge all global flags into the command's flagset, which results in incorrect help text. I tried to keep the formatting as close as possible to the what the Kubelet currently produces.
Diff between Kubelet's help text on `upstream/master` vs `mtaufen/kc-flags-precedence-redo`, which shows a leaked flag being removed, but no change to the formatting:
```
diff --git a/upstream.master.help b/mtaufen.kc-flags-precedence-redo.help
index 798a030..0797869 100644
--- a/upstream.master.help
+++ b/mtaufen.kc-flags-precedence-redo.help
@@ -30,7 +30,6 @@ Flags:
--authorization-mode string Authorization mode for Kubelet server. Valid options are AlwaysAllow or Webhook. Webhook mode uses the SubjectAccessReview API to determine authorization. (default "AlwaysAllow")
--authorization-webhook-cache-authorized-ttl duration The duration to cache 'authorized' responses from the webhook authorizer. (default 5m0s)
--authorization-webhook-cache-unauthorized-ttl duration The duration to cache 'unauthorized' responses from the webhook authorizer. (default 30s)
- --azure-container-registry-config string Path to the file containing Azure container registry configuration information.
--bootstrap-checkpoint-path string <Warning: Alpha feature> Path to to the directory where the checkpoints are stored
--bootstrap-kubeconfig string Path to a kubeconfig file that will be used to get client certificate for kubelet. If the file specified by --kubeconfig does not exist, the bootstrap kubeconfig is used to request a client certificate from the API server. On success, a kubeconfig file referencing the generated client certificate and key is written to the path specified by --kubeconfig. The client certificate and key file will be stored in the directory pointed by --cert-dir.
--cadvisor-port int32 The port of the localhost cAdvisor endpoint (set to 0 to disable) (default 4194)
```
Ultimately, I think we should implement a common lib that K8s components can use to generate clean help text, as the global flag leakage problem affects all core k8s binaries. I would like to do so in a future PR, to keep this PR simple. We could base the help text format on the default values returned from `Command.HelpTemplate` and `Command.UsageTemplate`. Unfortunately, the template funcs used to process these defaults are private to Cobra, so we'd have to re-implement these, or avoid using them.
```release-note
NONE
```
Kubernetes-commit: cf92d921d907f2c3fdf635b690849fd663705638
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use SSH tunnel for webhook communication iff the webhook is deployed as a service
**What this PR does / why we need it**:
We are getting the following error when the apiserver connects the webhook on localhost (configured via URL). We should only use the SSL tunnel for the connections to nodes when the webhooks are running as services.
```
I0119 17:41:18.678436 1 ssh.go:400] [4cdf44753cc3705d: localhost:10258] Dialing...
W0119 17:41:18.678483 1 ssh.go:424] SSH tunnel not found for address "localhost", picking random node
I0119 17:41:18.679810 1 ssh.go:402] [4cdf44753cc3705d: localhost:10258] Dialed in 1.398691ms.
W0119 17:41:18.679928 1 admission.go:256] Failed calling webhook, failing closed xxx: failed calling admission webhook "xxx": Post xxx: ssh: rejected: connect failed (Connection refused)
I0119 17:41:18.680346 1 wrap.go:42] POST /api/v1/namespaces/kube-system/pods: (5.725588ms) 500
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # https://github.com/kubernetes/kubernetes/issues/58779
**Special notes for your reviewer**:
**Release note**:
```release-note
kube-apiserver is changed to use SSH tunnels for webhook iff the webhook is not directly routable from apiserver's network environment.
```
/assign @lavalamp @caesarxuchao @cheftako
Kubernetes-commit: ac495f169b71d51dc9a63c2ff76cf9f596578853
Automatic merge from submit-queue (batch tested with PRs 55792, 58342). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add a metric to track usage of inflight request limit.
This one is tricky. The goal is to know how 'loaded' given apiserver is before we start dropping the load, to so we need to somehow expose 'fullness' of channels.
Sadly this metric is pretty volatile so it's not clear how to do this correctly. I decided to do pre-aggregation to smoothen the metric a bit. In the current implementation the metric publishes maximum "usage" of the inflight is previous second.
If you have any ideas please share.
@smarterclayton @lavalamp @wojtek-t @liggitt @deads2k @caesarxuchao @sttts @crassirostris @hulkholden
```release-note
NONE
```
Kubernetes-commit: a73c96d7b28e8c04a5bd5f68af04eecea3ec14ff
Automatic merge from submit-queue (batch tested with PRs 58518, 58771, 58101, 56829). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Resource version parsing should all be in one place
This is 100% refactoring that ought to be a no-op at run time. It puts resource version parsing in a single file. Doing this because I want to follow up with a change which will make it obvious to users of the system our rules about resource version. Don't want to mix that with this refactor (on the off chance it gets rolled back).
Part of: #58112
```release-note
NONE
```
Kubernetes-commit: d9ded43bbeed4ff0d1708b39e9fabc47b8f596cb
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Never let cluster-scoped resources skip webhooks
Fix#57964
This allows user write webhooks for cluster-scoped custom resources.
We still need to figure out how to selectively exempt cluster-scoped resources from webhooks to avoid bootstrapping deadlocks. For now, if a deadlock occurs, users can work around by first deleting the webhook configuration, then rebooting the webhook, then re-enabling the webhook configuration.
```release-note
Bug fix: webhooks now do not skip cluster-scoped resources
Action required: Before upgrading your Kubernetes clusters, double check if you had configured webhooks for cluster-scoped objects (e.g., nodes, persistentVolume), these webhooks will start to take effect. Delete/modify the configs if that's not desirable.
```
Kubernetes-commit: 0b8f3a2240c7444196e321ded215eafd7a2c96db
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
trace patch operations
Just like `update`, `create`, `get` and `delete` operations.
**Release note**:
```release-note
NONE
```
Kubernetes-commit: a5e33195e4418eac8fde3a9db33f4fbf0f73d87f
Automatic merge from submit-queue (batch tested with PRs 58412, 56132, 58506, 58542, 58394). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
don't stop informer delivery on error
If an informer delivery fails today, we stop delivering to it entirely. The pull updates the code to skip that particular notification, delay, and continue delivery with the next time.
/assign derekwaynecarr
/assign ncdc
/assign ash2k
@derekwaynecarr This would change the "the controller isn't doing anything?!" to "the controller missed my (individual) resource!"
```release-note
NONE
```
Kubernetes-commit: 71426ba59fd4a37e5da7deac6298ab33101bb5b6
Automatic merge from submit-queue (batch tested with PRs 58547, 57228, 58528, 58499, 58618). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add TLS min version flag
Adds a flag for controlling the minimum TLS level allowed.
/assign liggitt
@kubernetes/sig-node-pr-reviews @k8s-mirror-api-machinery-pr-reviews
```release-note
--tls-min-version on kubelet and kube-apiserver allow for configuring minimum TLS versions
```
Kubernetes-commit: 3550551b9f68641f55fc16b6d31eb27ac39b1914
Automatic merge from submit-queue (batch tested with PRs 58547, 57228, 58528, 58499, 58618). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
pass down runtime-config through apiserver chain
**What this PR does / why we need it**:
>kube-apiserver is actually a delegation chain of aggregator+kube+apiextensions. Let's pass down runtime-config through the chain, each layer removing the groups it knows about.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#57189
**Special notes for your reviewer**:
make a new pkg `k8s.io/apiserver/pkg/server/resourceconfig`, and
1. move resourceconfig related code to it.
2. abstract generic used function `MergeAPIResourceConfigs`, put it here.
**Release note**:
```release-note
NONE
```
Kubernetes-commit: f0b73194945d81bb78c23e94db9f1075ce13e642
Dr. Stefan Schimanski
Kubernetes Publisher
Eric Chiang
Davanum Srinivas
fisherxu
Cao Shufeng
Clayton Coleman
Ryan Hitchman
halfcrazy
WanLinghao
hzxuzhonghu
David Eads
Wu Qiang
Jordan Liggitt
Yang Guo