Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove request context mapper
http.Request now allows setting/retrieving a per-request context, which removes the need for plumbing a request-context mapper throughout the stack
In addition to being way simpler, this has the benefit of removing a potentially contentious lock object from the handling path
This PR:
* removes RequestContextMapper
* converts context fetchers to use `req.Context()`
* converts context setters to use `req = req.WithContext(...)`
* updates filter plumbing in two places (audit and timeout) to properly return the request with modified context
* updates tests that used a fake context mapper to set the context in the request instead
Fixes https://github.com/kubernetes/kubernetes/issues/62796
```release-note
NONE
```
Kubernetes-commit: a0f94123616c275f94e7a5b680d60d6f34e92f37
Automatic merge from submit-queue (batch tested with PRs 50899, 62649). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Ensure webhook service routing resolves kubernetes.default.svc correctly
Going through the normal endpoint resolve path isn't correct in multi-master scenarios
The auth wrapper is pulling from LoopbackClientConfig, the service resolver should do the same
```release-note
Fixes the kubernetes.default.svc loopback service resolution to use a loopback configuration.
```
Kubernetes-commit: 9c25da64f0f302f69fb14af486bc181cce22293b
Removed automatic registration with `init` funciton and use `Register` function
to register metrics for etcd storage only when requested.
Kubernetes-commit: 40cf7880135b56e2d88a04d5fce08303b249eb34
Automatic merge from submit-queue (batch tested with PRs 62726, 60085, 62583). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update github.com/stretchr/testify to v1.2.1
cd $GOPATH/src/k8s.io/kubernetes
hack/godep-restore.sh
rm -rf Godeps
rm -rf vendor
hack/godep-save.sh
**What this PR does / why we need it**:
v1.2.1 of Testify includes new functions (e.g., ElementsMatch) that make it easier to compare data structures such as slices.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Kubernetes-commit: 4761788b2afa42a4573a6794902eb93fe666d5c5
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: move patch tests to their own file
**What this PR does / why we need it**: Create a new file to test patch handler.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 46dec15cb9c461c85a4215e63c35cd2464a5416a
This is the combination of a series of changes which individually don't
make any behavioral changes. The original commits are preserved in my
own fork in the refactor-patch-complete branch, as when squashed this is
impossible to review.
This turned a big function with lots of parameters and closures into an
object with multiple functions, fewer closures and more well documented
state transitions.
Kubernetes-commit: 349a99b80e7e6c0c92218c814ae0858fd71609fc
Automatic merge from submit-queue (batch tested with PRs 62748, 60536, 62300, 62661, 62731). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Instrument transformer.go with latency metrics.
**What this PR does / why we need it**:
Instrument transformer.go with latency metrics - allowing to measure performance impact of adding KMS Providers.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
"NONE"
```
Kubernetes-commit: 42f6687a1cb258e07429213e4ffd56f81b8cd237
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add CaoShuFeng as a reviewer of kube-apiserver
My contributions:
https://github.com/pulls?q=is%3Apr+author%3ACaoShuFeng+is%3Aclosed
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/assign @deads2k @sttts @liggitt
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 33f7d8618b9a92c6bb7835420d4a3e9cd24d7862
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Show help for deprecated Kubelet flags
We recently deprecated a bunch of Kubelet flags, which caused them to disappear from `--help` output. This PR unhides these flags, so that the deprecation notice is clearly visible in `--help`.
Fixes: #62009
```release-note
NONE
```
/cc @eparis
Kubernetes-commit: ee4d90aaa61150139cdcd67a73e22da8cb226dc6
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
check etcd servers by a random order
**What this PR does / why we need it**:
Every time a health check is called on the APIServer via the /healthz endpoint, an etcd healthcheck is performed. Here makes servers check with a random order.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61180
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: a0a742c38b847c69d49e9171732355ffa15e3e69
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add myself to kube-apiserver/apiserver reviewers
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 9139d01c8f77cab52a9e4a95136cd0f6f59c053a
WithAudit admission decorator log annotations to audit events set by
the decorated admission controller
Kubernetes-commit: c38a704fb73af56841a709a199dafeb9580ca599
Automatic merge from submit-queue (batch tested with PRs 62324, 61459, 62475, 62476, 61914). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
etcdv3 client: add dial timeout
dial timeout is necessary for a reliable system, this pr add it for establishing an etcd connection.
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 1b4c4898cb5d1af77c84ba9097b678bca9b6747a
Automatic merge from submit-queue (batch tested with PRs 62425, 62212, 60824, 62383, 62384). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
optimize requestcontext: use RWMutex to improve r/w performance
RequestContextMapper is one of the mostly used interface by every request, and the underlying struct is a map with Mutex protect. So here we should use RWMutex.
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 14fca16a39e5b6889fdb00ae3cd1a991ee35379e
Automatic merge from submit-queue (batch tested with PRs 61241, 62136). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
OIDC required claims
**What this PR does / why we need it**:
Currently there is no mechanism for a user to specify claims in the OIDC authentication process that are required to be present in the ID Token with an expected value. This PR adds the required claims support for the OIDC authentication. It allows users to pass in a `--oidc-required-claims` flag, and key=value pairs in the API config, which will ensure that the specified `required claims` are checked against the ID Token claims.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61276
**Special notes for your reviewer**:
Ran the following commands to update godep files:
```
./hack/godep-restore.sh -v
./hack/godep-save.sh
./hack/update-staging-godeps.sh
./hack/update-bazel.sh
```
Since we don't officially support go 1.10, kept go version to 1.9
**Release note**:
```release-note
kube-apiserver: oidc authentication now supports requiring specific claims with `--oidc-required-claim=<claim>=<value>`
```
/sig auth
/kind feature
/assign @ericchiang
Kubernetes-commit: d1b38b21ef450971ab3d7507506f4d824a623aa3
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix 1.10 change log typo
**What this PR does / why we need it**:
Thanks to @christianhuening, find typo about `enable-admission-plugins` and `disable-admission-plugins`
They are plural.
**Release note**:
```release-note
NONE
```
Kubernetes-commit: da85a280beea4aaab5412b0e74ed40869095e551
Automatic merge from submit-queue (batch tested with PRs 61183, 58807). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add RBAC information to audit logs
Depends on: https://github.com/kubernetes/kubernetes/pull/58806
**Release note**:
```release-note
RBAC information is included in audit logs via audit.Event annotations:
authorization.k8s.io/decision = {allow, forbid}
authorization.k8s.io/reason = human-readable reason for the decision
```
Kubernetes-commit: 58c0748b4df80f64f1188ac83b0bd749a88a5988
Automatic merge from submit-queue (batch tested with PRs 61400, 61048). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: cancel context on timeout in WithTimeoutForNonLongRunningRequests
Requests that block time out after 60sec, but keep the handler body running. This can lead to exhaustion of clients or other leaks. This PR adds a cancel func to the context of the request and calls it on timeout.
Note: we still do our own timeout handling as we don't trust the context to really cancel every blocking call we do.
This might explain why we see so many handler backtraces like https://gist.github.com/sttts/0ce972dc8a7911e4ca9eea7bf1ded5fa when an etcd node goes down with a hard poweroff. But it does not explain why we see oc to block for 15 minutes.
Kubernetes-commit: 8d28c5102be9159104839c2848b9889a7c8870b7
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
admission/webhook: deduplicate mutating and validating webhook code
This refactors along: webhook = generic-webhook + source + dispatcher
TODOs:
- [x] refactor unit tests
Kubernetes-commit: 80bd7510df14e8d6042fdad9ff2d54f331e3f487
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: enforce global RequestContextMapper in delegation chain
Having a request context mapper in the generic config makes it easy to forget setting
a common mapper for the whole delegation chain. This PR moves it into the New
constructors that already have the delegationTarget argument. So it is obvious
that the mapper is passed down as well.
Fixes https://github.com/kubernetes/kubernetes/issues/60610
Kubernetes-commit: 0354cac6f407d007f533a7b5e6cf347604ecccee
Automatic merge from submit-queue (batch tested with PRs 61705, 61609, 62103, 62113, 62115). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove unused function getEncodedPod in etcd_helper_test.go
**What this PR does / why we need it**:
remove unused function getEncodedPod in etcd_helper_test.go
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 485d2155823403189fdf2f48ec4be40709613be5
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: add warning about not trusting authz of aggregator
The aggregator does authorization for proxied resources. But aggregated apiservers should not depend on it, but do delegated authorization in addition.
```release-note
Add warnings that authors of aggregated API servers must not rely on authorization being done by the kube-apiserver.
```
Kubernetes-commit: f5f3d0d3d9d592c64bb07fcac925b9fa36e2d222
Automatic merge from submit-queue (batch tested with PRs 61959, 62037). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump godep version to v80
**What this PR does / why we need it**:
Update the minimum godep, to v80 (supposed to be the final version).
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 22440e15764e2d821166eff5b965786fa928357e
Automatic merge from submit-queue (batch tested with PRs 61806, 61508, 62075, 62079, 62052). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
oidc authentication: email_verified claim is not required for JWT validation
**What this PR does / why we need it**:
Currently the "email_verified" claim is required by the API server to verify an OIDC token. Many OIDC providers do not support the "email_verified" claim. We want to be able to allow their OIDC tokens as valid.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#59496
**Release note**:
```release-note
OIDC authentication now allows tokens without an "email_verified" claim when using the "email" claim. If an "email_verified" claim is present when using the "email" claim, it must be `true`.
```
/sig auth
/kind feature
/assign @ericchiang
CC: @sreetummidi
Kubernetes-commit: 8201b3eb7f4c99412e8067567efc80484344ea57
Automatic merge from submit-queue (batch tested with PRs 61818, 61800). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Replace gopass.GetPasswdMasked() by terminal.ReadPassword()
**What this PR does / why we need it**:
Replace `gopass.GetPasswdMasked()` used for reading passwords from the terminal with [`terminal.ReadPassword()`](https://godoc.org/golang.org/x/crypto/ssh/terminal#ReadPassword). This removes the `gopass` import.
**Special notes for your reviewer**:
Ran the following commands to update `godep` files:
```
./hack/godep-restore.sh -v
./hack/godep-save.sh
./hack/update-staging-godeps.sh
./hack/update-bazel.sh
```
/sig auth
/kind enhancement
/assign @ericchiang
```release-note
NONE
```
Kubernetes-commit: a5133305a9f347c79c20c5785d41cc9400be895e
Automatic merge from submit-queue (batch tested with PRs 61894, 61369). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use range in loops; misc fixes
**What this PR does / why we need it**:
It is cleaner to use `range` in for loops to iterate over channel until it is closed.
**Release note**:
```release-note
NONE
```
/kind cleanup
Kubernetes-commit: 7ce753aa73a42d8a8696659e345e173d15cce622
Kubernetes Publisher
jennybuckley
fisherxu
David Eads
hzxuzhonghu
Martin Vladev
Daniel Smith
Antoine Pelisse
Jordan Liggitt
Dr. Stefan Schimanski
Cao Shufeng
Matthias Bertschy
Van Tu
Michael Taufen
AdamDang
hangaoshuai
rithu john