Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make audit output version configurable.
This is a re-make of https://github.com/kubernetes/kubernetes/pull/51786, taken over form @soltysh
Copying from the previous PR:
This is followup to https://github.com/kubernetes/kubernetes/pull/51719 to start the discussion how we want to solve the problem of users picking which version is being served them.
We need to have an option for log and webhook, separately. Probably, for webhook backend with multiple destinations we'd like to send different version to each.
This approach adds two flags (only the second commit matters), one for log and another for webhook (unfortunately global one). I've looked into kubeconfig types and although there are options to specify group and version they are meant for removal. @liggitt had some thoughts maybe he could share the ideas and we can pick it up here.
@ericchiang @CaoShuFeng @sttts opinions, thoughts are more than welcome
```release-note
Add apiserver configuration option to choose audit output version.
```
Kubernetes-commit: 52ed0368f8d076236ada19b09828f2f9e2ebb6ef
Automatic merge from submit-queue (batch tested with PRs 61354, 61366, 61386, 61394, 60755). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove unused tls-ca-file flag
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Remove `--tls-ca-file` flag.
```
Kubernetes-commit: e47280fca9c4c3c6eff9f7dc3cf7436c8abdffd2
Automatic merge from submit-queue (batch tested with PRs 61354, 61366, 61386, 61394, 60755). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
vendor: Update github.com/evanphx/json-patch
Updates github.com/evanphx/json-patch dependency
to fix handling tests against empty objects/arrays.
Includes fix from evanphx/json-patch#50
Kubernetes-commit: 18a7ea703bdf09f1ff0b83e15b3febf49a447a24
Automatic merge from submit-queue (batch tested with PRs 60373, 61098, 61352, 61359, 61362). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump cfssl to be compatible with Go 1.10
Kubernetes-commit: ef3539e69e4c897f48ecd6b2dd73417ce0416b08
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add unit test for function FeatureGateSetFromMap and FeatureGateString
**What this PR does / why we need it**:
add unit test for function FeatureGateSetFromMap and FeatureGateString
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: cba7843cb403e1d7864a59949e0ec6c8927ea403
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove YEAR field of all generated files and fix kubernetes boilerplate checker
**What this PR does / why we need it**:
Remove YEAR field of all generated files and fix kubernetes boilerplate checker
xref: [remove YEAR fileds in gengo #91](https://github.com/kubernetes/gengo/pull/91)
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes [#gengo/issues/24](https://github.com/kubernetes/gengo/issues/24)
**Special notes for your reviewer**:
/cc @thockin @lavalamp @sttts
**Release note**:
```release-note
NONE
```
Kubernetes-commit: e40ffd71972b820aeed283946e880aa2479f8524
Automatic merge from submit-queue (batch tested with PRs 61087, 61075, 61213, 61149, 60826). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Grant sig leads feature approval powers
**What this PR does / why we need it**:
Sig leads already approve features for milestones and do a lot of code reviews. They should be able to approve changes to the associated feature gates, rather than needing to escalate every feature to root owners.
I omitted some sigs that shouldn't need to approve features in the base repo. LMK if I missed any, or these should be included in the approvers:
- AWS
- Azure
- Big Data
- Contributor Experience
- Docs
- GCP
- OpenStack
- Product Management
- Service Catalog
- Testing
- UI
For posterity, here's the script I used: https://gist.github.com/tallclair/1128aefa3186b0c3a8f4603929d2354e
**Special notes for your reviewer**:
@sig-leads: Please use responsibly :)
**Release note**:
```release-note
NONE
```
Kubernetes-commit: d84c938da5438e05eacb7437aa3602927c857b0b
Automatic merge from submit-queue (batch tested with PRs 57871, 61094, 60459, 61089, 61105). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove the outdated TODO
**What this PR does / why we need it**:
remove the outdated TODO in [a7d6340ad2/staging/src/k8s.io/apiserver/pkg/registry/rest/meta.go (L42))
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 025439988428d2b78342549419706639cd6e52a6
Automatic merge from submit-queue (batch tested with PRs 60919, 60953, 61085, 61083, 60971). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[advanced audit]fix comment about throttle burst
/assign @sttts
**Release note**:
```release-note
NONE
```
Kubernetes-commit: ad432fa6bde65adad109f484a31f229de593b570
Automatic merge from submit-queue (batch tested with PRs 60919, 60953, 61085, 61083, 60971). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix bug in apiserver.k8s.io RootScopedKinds
RootScopedKinds in group ` apiserver.k8s.io` should be `AdmissionConfiguration`
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 32d6a9356d8659236806cd8bd5c2817a2b809819
Automatic merge from submit-queue (batch tested with PRs 61003, 61031, 60360, 58349, 60922). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
log enabled admission controller in order
This change log enabled mutating and validating admission controller
in order.
ref: https://github.com/kubernetes/kubernetes/pull/60838/files#r173295334
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 4c8657c0872eb2835e1c9dac1114366d915c4381
Automatic merge from submit-queue (batch tested with PRs 60759, 60531, 60923, 60851, 58717). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
validate EtcdOptions.EtcdServersOverrides in EtcdOptions.Validate
move `EtcdOptions.EtcdServersOverrides` validation from `BuildStorageFactory` to `EtcdOptions.Validate`, which fails fast in kube-apiserver startup.
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 691a7d43588692501e27be2375bebad1c30b7ae5
Automatic merge from submit-queue (batch tested with PRs 60363, 59208, 59465, 60581, 60702). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver clean code
**What this PR does / why we need it**:
1. clean up some redundant code in kube-apiserver startup
1. comment on `preparedGenericAPIServer`, which is just a wrapper of `GenericAPIServer`.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 18d9e1c450d6e080dad11af1f27d371325fba5ef
Automatic merge from submit-queue (batch tested with PRs 59740, 59728, 60080, 60086, 58714). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
more concise to merge the slice
**What this PR does / why we need it**:
more concise to merge the slice
**Special notes for your reviewer**:
Kubernetes-commit: c64f19dd1b5d0f81dd4d59cf6aa5c23cf1e46f5d
Updates github.com/evanphx/json-patch dependency
to fix tests against empty objects/arrays.
Includes fix from evanphx/json-patch#50
Kubernetes-commit: 758d3e7c576f0761b23fed69c3b5dabf6013e8d0
Automatic merge from submit-queue (batch tested with PRs 60737, 60739, 61080, 60968, 60951). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix default auditing options.
- Log backend defaults to blocking mode (backwards compatability)
- Webhook backend defaults to throttled
- Fix webhook validation
- Add options test
**Which issue(s) this PR fixes**:
Fixes#60719
**Special notes for your reviewer**:
This PR is an alternative fix to https://github.com/kubernetes/kubernetes/pull/60727. If the rollback goes in first, I'll rebase this on a roll-forward.
**Release note**:
-->
```release-note
NONE
```
Kubernetes-commit: c13d9ffea959c895ee250f5f094a648c5dd0e924
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix option --audit-webhook-initial-backoff
Before this change, --audit-webhook-initial-backoff has no effect
@crassirostris @sttts
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 25c8871bd08f2fc1914e65b0d2de281a30c212b2
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Let webhook controller uses a local scheme that understand admissionReview
An alternative to #60965.
Fix#60963.
Fixkubernetes/sample-apiserver#21.
Created a scheme that only understands admission/v1beta1 and use it to
encode/decode admissionReviews.
cc @sttts
Kubernetes-commit: fd3cbc9bbfb63b78cfc3beaf1d6d042f71d8e73a
Created a scheme that only understands admission/v1beta1 and use it to
encode/decode admissionReviews.
Also made the NegotiationSerializer setup static
Kubernetes-commit: 3ab516035d17c2b2798797eb8ee85522ccbc051e
Automatic merge from submit-queue (batch tested with PRs 60906, 60943). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make admission webhooks honor scheme part of url
**What this PR does / why we need it**:
Bug fix, allow webhooks to use the scheme provided in clientConfig, instead of defaulting to http.
(more in issue)
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#60942
```release-note
Bug fix, allow webhooks to use the scheme provided in clientConfig, instead of defaulting to http.
```
/kind bug
/sig api-machinery
Kubernetes-commit: 71b40cbce509960cb020822c85e05b379c37d722
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
log enabled admission controller in order
After switching to --enable-admission-plugins/--disable-admission-plugins, some admission controller may start silently. And these admission controllers may modify or forbid objects. This pull request does a lot of help for admin to trouble shooting.
/assign @hzxuzhonghu @sttts
**Release note**:
```release-note
NONE
```
Kubernetes-commit: bad8e0d91cfd8a3e2a40ded61716629970a082c6
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
oidc: add rithujohn191 as a reviewer
cc @rithujohn191
/sig auth
/kind documentation
```release-note
NONE
```
Kubernetes-commit: f196b7c7523dbf0d6ed703a93af73f54e9d2e42c
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Prevent webhooks from affecting admission requests for WebhookConfiguration objects
**What this PR does / why we need it**:
As it stands now webhooks can be added to the system which make it impossible for a user to remove that webhook, or two webhooks could be registered which make it impossible to remove each other.
The first commit of this will add a test to make sure webhook deletion is never blocked by a webhook. This test will fail until the second commit is added which will prevent webhooks from affecting admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects in the admissionregistration.k8s.io group
- [x] Test that webhook deletion is never blocked by a webhook ([test fails before second commit](https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/59840/pull-kubernetes-e2e-gce/23731/))
- [x] Prevent webhooks from being called on admission requests for [Validating|Mutating]WebhookConfiguration objects
- [x] Document this new behavior maybe in another PR
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of fixing #59124 (Verifies that it can remove the broken webhook.)
**Release note**:
```release-note
ValidatingWebhooks and MutatingWebhooks will not be called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects in the admissionregistration.k8s.io group
```
Kubernetes-commit: 5066a67caaf8638c7473d4bd228037d0c270c546
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix initializing watch cache
When initializing watch cache, set auxiliary fields in `storeElement` object. Fixes#60507.
```release-note
NONE
```
Kubernetes-commit: e2dee6073933c99b63addecfd6397c058b512cd4
Automatic merge from submit-queue (batch tested with PRs 60470, 59149, 56075, 60280, 60504). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove unused function negotiate() and writeYAML()
**What this PR does / why we need it**:
remove unused function negotiate() and writeYAML() in k8s.io/apiserver/pkg
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: e2cbda006a802b74bc521284c7ccc6caaa3aae25
Automatic merge from submit-queue (batch tested with PRs 53689, 56880, 55856, 59289, 60249). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add test/typecheck, a fast typecheck for all build platforms.
Add test/typecheck, a fast typecheck for all build platforms.
Most of the time spent compiling is spent optimizing and linking
binary code. Most errors occur at the syntax or semantic (type) layers.
Go's compiler is importable as a normal package, so we can do fast
syntax and type checking for the 10 platforms we build on.
This currently takes ~6 minutes of CPU time (parallelized).
This makes presubmit cross builds superfluous, since it should catch
most cross-build breaks (generally Unix and 64-bit assumptions).
Example output:
```$ time go run test/typecheck/main.go
type-checking: linux/amd64, windows/386, darwin/amd64, linux/arm,
linux/386, windows/amd64, linux/arm64, linux/ppc64le, linux/s390x, darwin/386
ERROR(windows/amd64) pkg/proxy/ipvs/proxier.go:1708:27: ENXIO not declared by package unix
ERROR(windows/386) pkg/proxy/ipvs/proxier.go:1708:27: ENXIO not declared by package unix
real 0m45.083s
user 6m15.504s
sys 1m14.000s
```
```release-note
NONE
```
Kubernetes-commit: aa13f3fa2a884042dbccb85bc93f8b2958ccf64c
Automatic merge from submit-queue (batch tested with PRs 59365, 60446, 60448, 55019, 60431). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove dep-reviewers
**What this PR does / why we need it**:
The dep-reviewers group seems to get assigned PRs early the the review process. However, most code changes should be reviewed in the importing part of the code base first, and then assigned to an approver after.
By removing the reviewers group, the approvers plugin will still suggest assigning to an approver, but won't assign for review when the PR is initially opened.
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 724a2f968c6981efc9f5a85e4ad60f56e1c0902f
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
code-gen: output golint compliant 'Generated by' comment
New PR instead of reopening #58115 because /reopen did not work.
This won't be ready to merge until the upstream https://github.com/kubernetes/gengo/pull/94 merges. Once that merges, the second commit will be changed to godep-save.sh and update-staging-godeps.sh, and the last commit will be changed to update-all.sh
The failing test is due to the upstream changes not being merged yet
```devel-release-note
Go code generated by the code generators will now have a comment which allows them to be easily identified by golint
```
Fixes#56489
Kubernetes-commit: 1eb1c00c44f8f597b9b23a05cd0a8da205c87f8a
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix some syntax related errors
**What this PR does / why we need it**:
fix some syntax related errors
**Special notes for your reviewer**:
None
```release-note
NONE
```
Kubernetes-commit: effa021db773fb95c9e8fbe5646d01784bb2f7f6
Automatic merge from submit-queue (batch tested with PRs 60011, 59256, 59293, 60328, 60367). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Serve OpenAPI spec with single /openapi/v2 endpoint
**What this PR does / why we need it**:
We are deprecating format-separated endpoints (`/swagger.json`, `/swagger-2.0.0.json`, `/swagger-2.0.0.pb-v1`, `/swagger-2.0.0.pb-v1.gz`) for OpenAPI spec, and switching to a single `/openapi/v2` endpoint in Kubernetes 1.10. The design doc and deprecation process are tracked at: https://docs.google.com/document/d/19lEqE9lc4yHJ3WJAJxS_G7TcORIJXGHyq3wpwcH28nU
Requested format is specified by setting HTTP headers
header | possible values
-- | --
Accept | `application/json`, `application/com.github.proto-openapi.spec.v2@v1.0+protobuf`
Accept-Encoding | `gzip`
This PR changes dynamic_client (and kubectl as a result) to use the new endpoint. The old endpoints will remain in 1.10 and 1.11, and get removed in 1.12.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
action required: Deprecate format-separated endpoints for OpenAPI spec. Please use single `/openapi/v2` endpoint instead.
```
/sig api-machinery
Kubernetes-commit: d6153194d929ad6c036d5bbbf67a6f892e75feb5
hzxuzhonghu