update feature gates for generic apiserver
Add apiextensions-apiserver features to golint_failures
Ignore alpha feature if gate is disabled
Kubernetes-commit: 6ba1523a8e36c3121a9e08bfac7b4f342bb8ccb3
Automatic merge from submit-queue
Add Google cloud KMS service for envelope encryption transformer
This adds the required pieces which will allow addition of KMS based encryption providers (envelope transformer).
For now, we will be implementing it using Google Cloud KMS, but the code should make it easy to add support for any other such provider which can expose Decrypt and Encrypt calls.
Writing tests for Google Cloud KMS Service may cause a significant overhead to the testing framework. It has been tested locally and on GKE though.
Upcoming after this PR:
* Complete implementation of the envelope transformer, which uses LRU cache to maintain decrypted DEKs in memory.
* Track key version to assist in data re-encryption after a KEK rotation.
Development branch containing the changes described above: https://github.com/sakshamsharma/kubernetes/pull/4
Envelope transformer used by this PR was merged in #49350
Concerns #48522
Planned configuration:
```
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- secrets
providers:
- kms:
cachesize: 100
configfile: gcp-cloudkms.conf
name: gcp-cloudkms
- identity: {}
```
gcp-cloudkms.conf:
```
[GoogleCloudKMS]
kms-location: global
kms-keyring: google-container-engine
kms-cryptokey: example-key
```
Kubernetes-commit: 0d17e9deb7188bc79d905cb4ef6911c0a27adc59
Automatic merge from submit-queue (batch tested with PRs 51298, 51510, 51511)
modifying the comment of BeforeDelete function to improve readability
**What this PR does / why we need it**:
modifying the comment of `BeforeDelete` function in `staging/src/k8s.io/apiserver/pkg/registry/rest/delete.go` to improve readability.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Kubernetes-commit: ce559394653a8e5041f44d49391b851ec5465538
Automatic merge from submit-queue (batch tested with PRs 51471, 50561, 50435, 51473, 51436)
Feature gate initializers field
The metadata.initializers field should be feature gated and disabled by default while in alpha, especially since enforcement of initializer permission that keeps users from submitting objects with their own initializers specified is done via an admission plugin most clusters do not enable yet.
Not gating the field and tests caused tests added in https://github.com/kubernetes/kubernetes/issues/51429 to fail on clusters that don't enable the admission plugin.
This PR:
* adds an `Initializers` feature gate, auto-enables the feature gate if the admission plugin is enabled
* clears the `metadata.initializers` field of objects on create/update if the feature gate is not set
* marks the e2e tests as feature-dependent (will follow up with PR to test-infra to enable the feature and opt in for GCE e2e tests)
```release-note
Use of the alpha initializers feature now requires enabling the `Initializers` feature gate. This feature gate is auto-enabled if the `Initialzers` admission plugin is enabled.
```
Kubernetes-commit: 12d73c31a97188286e7f4c8a3aec7fcd38a76a83
Automatic merge from submit-queue (batch tested with PRs 50932, 49610, 51312, 51415, 50705)
Add --request-timeout to kube-apiserver to make global request timeout configurable
**What this PR does / why we need it**:
Make the currently hard coded 60 global request timeout in apiserver configurable via a --request-timeout command line flag.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
https://github.com/kubernetes/kubernetes/issues/51355
**Special notes for your reviewer**:
We plan to backport this to 1.6 and 1.7. To ease the backport work, we've kept this change to a minimum. After this PR we will submit an additional PR to rename `--min-request-timeout` to something that more clearly describes it's purpose, such as `--long-running-request-timeout-min`.
**Release note**:
```release-note
Add --request-timeout to kube-apiserver to make global request timeout configurable.
```
Kubernetes-commit: 0b0b2a22c5837975824add628df6ecb2dc297d57
Automatic merge from submit-queue
Fix forbidden message format
Before this change:
$ kubectl get pods --as=tom
Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default".
After this change:
$ kubectl get pods --as=tom
Error from server (Forbidden): pods is forbidden: User "tom" cannot list pods in the namespace "default".
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
Fix forbidden message format, remove extra ""
```
Kubernetes-commit: 562d2be7a08c5cfb0f78331b0225acdf73bf9d94
Automatic merge from submit-queue
Remove null -> [] slice hack
Closes#44593
When 1.6 added protobuf storage, the storage layer lost the ability to persist slice fields with empty but non-null values.
As a workaround, we tried to convert empty slice fields to `[]`, rather than `null`. Compressing `null` -> `[]` was just as much of an API breakage as `[]` -> `null`, but was hoped to cause fewer problems in clients that don't do null checks.
Because of conversion optimizations around converting lists of objects, the `null` -> `[]` hack was discovered to only apply to individual get requests, not to a list of objects. 1.6 and 1.7 was released with this behavior, and the world didn't explode. 1.7 documented the breaking API change that `null` and `[]` should be considered equivalent, unless otherwise noted on a particular field.
This PR:
* Reverts the earlier attempt (https://github.com/kubernetes/kubernetes/pull/43422) at ensuring non-null json slice output in conversion
* Makes results of `get` consistent with the results of `list` (which helps naive clients that do deepequal comparisons of objects obtained via list/watch and get), and allows empty slice fields to be returned as `null`
```release-note
Protobuf serialization does not distinguish between `[]` and `null`.
API fields previously capable of storing and returning either `[]` and `null` via JSON API requests (for example, the Endpoints `subsets` field) can now store only `null` when created using the protobuf content-type or stored in etcd using protobuf serialization (the default in 1.6+). JSON API clients should tolerate `null` values for such fields, and treat `null` and `[]` as equivalent in meaning unless specifically documented otherwise for a particular field.
```
Kubernetes-commit: 217513e27a6e54eb92d09165293cf811d5bdf878
Before this change:
# kubectl get pods --as=tom
Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default".
After this change:
# kubectl get pods --as=tom
Error from server (Forbidden): pods is forbidden: User "tom" cannot list pods in the namespace "default".
Kubernetes-commit: ab0918673728fc50fc539017c86bbc03fceb0adc
Automatic merge from submit-queue (batch tested with PRs 51134, 51122, 50562, 50971, 51327)
set --audit-log-format default to json
Updates: https://github.com/kubernetes/kubernetes/issues/48561
**Release note**:
```
set --audit-log-format default to json for kube-apiserver
```
Kubernetes-commit: b5bb8099e79813aa8d73a49725efa54323d9279b
Automatic merge from submit-queue (batch tested with PRs 51244, 50559, 49770, 51194, 50901)
Remove deprecated flag "long-running-request-regexp".
**What this PR does / why we need it**:
remove `long-running-request-regexp` post-1.6.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 05294d80347f4cf4ff6111e0211013d8f617a0f5
Automatic merge from submit-queue (batch tested with PRs 51148, 50816, 49741, 50858, 51223)
Add tests around TableConvert and server side printing
Also wire in more table printers
@fabianofranz
Kubernetes-commit: 4f19a8fd2a0ed24aff9154670adcc332a8b6d1b1
Automatic merge from submit-queue (batch tested with PRs 51148, 50816, 49741, 50858, 51223)
Enable finalizers independent of GC enablement
Decouple finalizer processing from garbage collection configuration.
Finalizers should be effective even when garbage collection is disabled
for a given store.
Fixes https://github.com/kubernetes/kubernetes/issues/50528.
```release-note
NONE
```
/cc @kubernetes/sig-api-machinery-bugs
/cc @caesarxuchao @liggitt @sttts @pmorie
Kubernetes-commit: 7edab23997d012e142ff3e7a24fa24e69243575f
Automatic merge from submit-queue (batch tested with PRs 47115, 51196, 51204, 51208, 51206)
Add an OrDie version for AddPostStartHook
Simplifies usage and consolidate the error message so it is always
the same everywhere.
```release-note
NONE
```
Kubernetes-commit: 2c214baefc06cefd68cc282b532bfe526613e36c
Automatic merge from submit-queue (batch tested with PRs 51193, 51154, 42689, 51189, 51200)
Bumped gRPC version to 1.3.0
**What this PR does / why we need it**:
This PR bumps down the version of the vendored version of gRPC from v1.5.1 to v1.3.0
This is needed as part of the Device Plugin API where we expect client and server to use the Keep alive feature in order to detect an error.
Unfortunately I had to also bump the version of `golang.org/x/text` and `golang.org/x/net`.
- Design document: kubernetes/community#695
- PR tracking: [kubernetes/features#368](https://github.com/kubernetes/features/issues/368#issuecomment-321625420)
**Which issue this PR fixes**: fixes#51099
Which was caused by my previous PR updating to 1.5.1
**Special notes for your reviewer**:
@vishh @jiayingz @shyamjvs
**Release note**:
```
Bumped gRPC to v1.3.0
```
Kubernetes-commit: 5fb38a325efb343c2a0467a12732829bd5ed3c3c
Simplifies usage and consolidate the error message so it is always
the same everywhere.
Signed-off-by: Simo Sorce <simo@redhat.com>
Kubernetes-commit: 15c54ffa7750c3037f464933c2b678a9a94cea82
Decouple finalizer processing from garbage collection configuration.
Finalizers should be effective even when garbage collection is disabled
for a given store.
Fixes https://github.com/kubernetes/kubernetes/issues/50528.
Kubernetes-commit: ed5b5bb94e7c75f22a7fc302e47dade6c0d1662d
Automatic merge from submit-queue (batch tested with PRs 50893, 50913, 50963, 50629, 50640)
[advanced audit api] fuzz Event with random value
This is an error import by me:
https://github.com/kubernetes/kubernetes/pull/49115
We need to fuzz other parts of Event with random value, otherwise
this round trip test will not make too much sense.
@sttts
@ericchiang is also researching this.
**Release note**:
```
NONE
```
Kubernetes-commit: c13e9d14cde09e97cebd5883d04443d22cc91ca1
Automatic merge from submit-queue (batch tested with PRs 50531, 50853, 49976, 50939, 50607)
Updated gRPC vendoring to support Keep Alive
**What this PR does / why we need it**:
This PR bumps the version of the vendored version of gRPC from v1.0.4 to v1.5.1
This is needed as part of the Device Plugin API where we expect client and server to use the Keep alive feature in order to detect an error.
Unfortunately I had to also bump the version of `golang.org/x/text` and `golang.org/x/net`.
- Design document: kubernetes/community#695
- PR tracking: [kubernetes/features#368](https://github.com/kubernetes/features/issues/368#issuecomment-321625420)
**Special notes for your reviewer**:
@vishh @jiayingz
**Release note**:
```
Bumped gRPC from v1.0.4 to v1.5.1
```
Kubernetes-commit: 967c19df4916160d4d4fbd9a65bad41a53992de8
This is an error import by me:
https://github.com/kubernetes/kubernetes/pull/49115
We need to fuzz other parts of Event with random value, otherwise
this round trip test will not make too much sense.
@sttts @ericchiang
Kubernetes-commit: f2ec610455f3756afebfcbd99c108abc86a5015d
Automatic merge from submit-queue (batch tested with PRs 46512, 50146)
Make metav1.(Micro)?Time functions take pointers
Is there any reason for those functions not to be on pointers?
Kubernetes-commit: b59ad9cbfff866093a6c0ee26c3562e9ec9133e4
Automatic merge from submit-queue
Add enj as reviewer to OWNERS
Adding myself as a reviewer for the following areas:
- API
- auth
- registry
- storage (etcd)
Signed-off-by: Monis Khan <mkhan@redhat.com>
**Release note**:
```release-note
NONE
```
@kubernetes/sig-api-machinery-pr-reviews
@kubernetes/sig-auth-pr-reviews
Kubernetes-commit: afabd09889d53ade30f1ce5b39b33ebe40f0a52f
Adding myself as a reviewer for the following areas:
- API
- auth
- registry
- storage (etcd)
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: dd06794bc20ef1e0889af576c7a4f7a2f607e49d
Automatic merge from submit-queue (batch tested with PRs 50255, 50885)
remove dead code for cloner
I found some dead code in audit webhook backend.
This change do some clean work for: 2bbe72d4e0
**Release note**:
```
NONE
```
Kubernetes-commit: 2ba796fe47b3d17c5a385183d91a396aee580b87
I found some dead code in audit webhook backend.
This change do some clean work for: 2bbe72d4e0
Kubernetes-commit: 7b5c7bb711e7f15a1bf216a7a51fd40148110fba
Automatic merge from submit-queue
fix typo
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 38053c3e4486e6a7fafd00b2784a1e67e0357f45
Automatic merge from submit-queue (batch tested with PRs 50281, 50747, 50347, 50834, 50852)
fix incorrect logic in admission register
**What this PR does / why we need it**:
There is no issue for this PR, just fix incorrect logic in invocation `func (ps *Plugins) Register(name string, plugin Factory) ` after browsing the code accidentally. And apparently, the logic exits potential panic.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
no issue
**Special notes for your reviewer**:
none
**Release note**:
none
Kubernetes-commit: 1eb04f6a2a16b3b8642184db62719451c3e84d2a
Jordan Liggitt
Kubernetes Publisher
Nikhita Raghunath
Saksham Sharma
huangjiuyuan
Joe Betz
Cao Shufeng
Slava Semushin
xiangpengzhao
Clayton Coleman
Dan Mace
Simo Sorce
Renaud Gaubert
Shyam JVS
Renaud Gaubert
gmarek
Monis Khan