Commit Graph

818 Commits

Author SHA1 Message Date
duan-yue e89debc597 fix typo
Kubernetes-commit: 2ad04cb46dfa84fbd3b169f555ee0ed71b277428
2017-08-29 13:16:15 +00:00
guangxuli 768926168b fix incorrect logic
Kubernetes-commit: d4b41afe59736e63c0f5388256324c2583d7a659
2017-08-29 13:16:14 +00:00
Kubernetes Publisher e6d18566b8 Merge pull request #50387 from jcbsmpsn/metric-certificate-expiration
Automatic merge from submit-queue

Add metric for remaining lifetime of certificates authenticating requests

fixes #50778

When incoming requests to the API server are authenticated by a certificate, the expiration of the certificate can affect the validity of the authentication. With auto rotation of certificates, which is starting with kubelet certificates, the goal is to use shorter lifetimes and let the kubelet renew the certificate as desired. Monitoring certificates which are approaching expiration and not renewing would be an early warning sign that nodes are about to stop participating in the cluster.

**Release note**:

```release-note
Add new Prometheus metric that monitors the remaining lifetime of certificates used to authenticate requests to the API server.
```

Kubernetes-commit: 6bc0b295b59d85ffbd1ee2044d6eb2e2277d5d21
2017-08-16 10:19:22 -07:00
Kubernetes Publisher 2321c45a71 Merge pull request #49115 from CaoShuFeng/audit_beta
Automatic merge from submit-queue (batch tested with PRs 49115, 47480)

Upgrade advanced audit to version v1beta1

This change does nothing but upgrade advanced audit to version v1beta1.
There will be follow-up changes which have a real effect on the advanced audit feature.

After this change the audit policy file should contain apiVersion and kind and have this format:
```
apiVersion: audit.k8s.io/v1alpha1
kind: Policy
rules:
  - level: None
```
or use the v1beta1 policy:
```
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
  - level: None
```
Updates #48561

**Release note**:

```
Upgrade advanced audit to version v1beta1.
```

Kubernetes-commit: 49bee177b22f331c11860b227b5cc7f9ff9ec07c
2017-08-29 13:16:14 +00:00
Jacob Simpson 68a92a4526 Add metric for remaining life of authenticating certificates
When incoming requests to the API server are authenticated by a
certificate, the expiration of the certificate can affect the validity
of the authentication. With auto rotation of certificates, which is
starting with kubelet certificates, the goal is to use shorter lifetimes
and let the kubelet renew the certificate as desired. Monitoring
certificates which are approaching expiration and not renewing would be
an early warning sign that nodes are about to stop participating in the
cluster.

Kubernetes-commit: 49a19c6011e05363a8baf8e99c917d11a9496568
2017-08-29 13:16:14 +00:00
Kubernetes Publisher 4176c80429 Merge pull request #50681 from sttts/sttts-deepcopy-calls-apiserver
Automatic merge from submit-queue

apiserver: simplify deepcopy calls

Kubernetes-commit: 2d5624bb2c36e1918afd5d953275c5fae7e1ffd3
2017-08-29 13:16:13 +00:00
Dr. Stefan Schimanski 24a3b34c79 audit: disable new v1beta1 types until incompatible changes are done
Kubernetes-commit: 1dc251a1604b1576258f123ac8dd8390bba2e4a9
2017-08-29 13:16:13 +00:00
Dr. Stefan Schimanski 1e4465a8e7 apiserver: simplify deepcopy calls
Kubernetes-commit: b2442224e79f480409806c2ccfa24a9acb708162
2017-08-29 13:16:13 +00:00
Cao Shufeng 24b54db39e run hack/update-all.sh
Kubernetes-commit: 0410221c3fec1a54cde05104b92e44e13cddc77a
2017-08-29 13:16:13 +00:00
Cao Shufeng 3468d049a7 upgrade advanced audit to v1beta1
Kubernetes-commit: f4e8b8f1464e588306d5c1c4ffdc1a6cb1e9313b
2017-08-29 13:16:13 +00:00
Kubernetes Publisher f05a9d559d Merge pull request #50577 from crassirostris/audit-graceful-shotdown
Automatic merge from submit-queue

advanced audit: shutdown batching audit webhook gracefully

Follow-up of https://github.com/kubernetes/kubernetes/pull/50439

When the `stopCh` passed to the batching audit webhook is closed, it stops accepting new events and when `Shutdown` method is called afterwards, it blocks until the last request to the webhook has finished.

/cc @tallclair @soltysh

Kubernetes-commit: 3211d4dde6c46856d896f09013717313a880cc0c
2017-08-15 06:54:57 -07:00
Mik Vyatskov 04aa1e08ec Implement batching audit webhook graceful shutdown
Kubernetes-commit: 7798d32fc787d79da617914259d9285e558054f7
2017-08-29 13:16:12 +00:00
Kubernetes Publisher c6c24c1113 Merge pull request #50638 from nikhita/feature-gates-doc
Automatic merge from submit-queue

FeatureGate: update comments

The godoc - https://godoc.org/k8s.io/apiserver/pkg/util/feature - does not contain descriptions of the functions. This PR adds them.

**Release note**:

```release-note
NONE
```

/cc @sttts

Kubernetes-commit: 1268c1a1e0220b52bf345f97007ed61dc7969caf
2017-08-15 03:58:23 -07:00
Nikhita Raghunath 9edc635fcc FeatureGate: update comments
Kubernetes-commit: fea5a8bc8a7ef2f956d2b11cb54248ec9545ef15
2017-08-29 13:16:12 +00:00
Kubernetes Publisher 5278faea71 Merge pull request #50439 from sttts/sttts-shutdown-apiservers
Automatic merge from submit-queue

apiservers: add synchronous shutdown mechanism on SIGTERM+INT

This is used to shutdown the auditing backend in order not to drop any pending events on the floor.

Kubernetes-commit: 4d6db7466c6fe79f502ba7efd55e605542849060
2017-08-15 02:27:06 -07:00
Kubernetes Publisher 10e9a53d92 Merge pull request #50553 from m1093782566/fed-kube-apiserver
Automatic merge from submit-queue (batch tested with PRs 49129, 50436, 50417, 50553, 47587)

add validation for fed-apiserver and apiserver run options

**What this PR does / why we need it**:

Add validation for fed-apiserver and apiserver run options

**Which issue this PR fixes**

fixes #50552

**Special notes for your reviewer**:

This is a follow-up of #50135

**Release note**:

```release-note
NONE
```

Kubernetes-commit: f9c861aa101b16a09dd10def70756dbb0b054868
2017-08-29 13:16:11 +00:00
Dr. Stefan Schimanski 86ef841256 apiservers: add synchronous shutdown mechanism on SIGTERM+INT
Kubernetes-commit: 11b25366bc7bfe2ad273c8bf9c332fd9d233bffc
2017-08-29 13:16:11 +00:00
Kubernetes Publisher e82277a8ca Merge pull request #50094 from sttts/sttts-no-importprefix
Automatic merge from submit-queue (batch tested with PRs 50094, 48966, 49478, 50593, 49140)

apimachinery: remove pre-apigroups import path logic

Replacing #50093.

Kubernetes-commit: 9f902fef246851c11e4d17c9597853a6156688a4
2017-08-29 13:16:11 +00:00
m1093782566 7313c11a9e add validation for fed-apiserver
Kubernetes-commit: f2ea31fd925f764f8c684710d9cd345663e88d17
2017-08-29 13:16:11 +00:00
Dr. Stefan Schimanski 2384086d1e apimachinery: remove misleading NewDefaultRESTMapper
Kubernetes-commit: 87c9f89cb15b2a64271dbdd292e2ce4abe7ab84a
2017-08-29 13:16:11 +00:00
Kubernetes Publisher 521652b00c Merge pull request #49785 from FengyunPan/fix-getPortByIP
Automatic merge from submit-queue (batch tested with PRs 47724, 49984, 49785, 49803, 49618)

Fix conflict about getPortByIp

**What this PR does / why we need it**:
Currently getPortByIp() gets the port of an instance based only on its IP.
If there are two instances in different networks and the CIDRs of
their subnets are the same, getPortByIp() will conflict.
My PR gets the port based on the IP and Name of the instance.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fix #43909

**Special notes for your reviewer**:

**Release note**:
```release-note
NONE
```

Kubernetes-commit: a7ce691311f5462cf71d79a1f9431605198803af
2017-08-29 13:16:10 +00:00
Dr. Stefan Schimanski 2c8f1ce1d5 apimachinery: remove pre-apigroups import prefix logic
Kubernetes-commit: 8728576236698083f619c4fab06943b174f3fc61
2017-08-29 13:16:10 +00:00
FengyunPan 31e72764d7 Update gophercloud to support list interfaces of OpenStack instance
Kubernetes-commit: ba463062ca363bc6626dff80172782a43abe033f
2017-08-29 13:15:25 +00:00
Kubernetes Publisher 3c35b1a9b8 sync: reset Godeps/Godeps.json
2017-08-29 13:15:25 +00:00
Kubernetes Publisher 0ba7a639f7 Merge pull request #50258 from liggitt/token-cache
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)

Enable caching successful token authentication

Resolves #50472

To support revocation of service account tokens, an etcd lookup of the token and service account is done by the token authenticator. Controllers that make dozens or hundreds of API calls per second (like the endpoints controller) cause this lookup to be done very frequently on the same objects.

This PR:
* Implements a cached token authenticator that conforms to the authenticator.Token interface
* Implements a union token authenticator (same approach as the union request authenticator, conforming to the authenticator.Token interface)
* Cleans up the auth chain construction to group all token authenticators (means we only do bearer and websocket header parsing once)
* Adds a 10-second TTL cache to successful token authentication

```release-note
API server authentication now caches successful bearer token authentication results for a few seconds.
```

Kubernetes-commit: 42adb9ef2572d7ac30237a3aad47ead75ff7c6cc
2017-08-11 14:14:06 -07:00
Kubernetes Publisher 9903cc5d7a Merge pull request #50407 from ixdy/gazelle-and-kazel
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)

Manage BUILD files using gazelle + kazel

**What this PR does / why we need it**: uses the upstream `gazelle` tool to manage go rules in BUILD files.
This is needed to support Bazel builds on Mac OS and Bazel cross compilation in general.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #47558

**Special notes for your reviewer**:
It's probably easiest to review this commit-by-commit:
* bump to latest `rules_go` (for recent `cgo_library` and `gazelle` improvements)
* update `kazel` with recent compatibility fixes (https://github.com/kubernetes/repo-infra/pull/28, https://github.com/kubernetes/repo-infra/pull/27), update `hack` scripts to download/build `gazelle`, and then run both `gazelle` and `kazel`. (Additionally make `gazelle` skip things it shouldn't touch.)
* run `hack/update-bazel.sh` to autogenerate everything
* remove the old `cgo_genrule` rules - these are now part of `go_library`
* remove the `automanaged` tags from all go rules - `gazelle` doesn't use them, and it prevents an old version of `kazel/gazel` from messing with the rules
* remove the `licenses()` rules from everywhere but `third_party/` - we don't need them, and `gazelle` won't add them on new `BUILD` files it generates.

**Release note**:

```release-note
NONE
```
for review:
/assign @mikedanese @spxtr
for approval:
/assign @thockin

Kubernetes-commit: 941ad0164d44cfcf96dd6efbb491e2222a3a23d3
2017-08-29 13:15:24 +00:00
Jordan Liggitt be8f046a0c Add union token authenticator
Kubernetes-commit: 4fd8196cf56aa7884f5a385017b2be651a259e59
2017-08-29 13:15:24 +00:00
Jeff Grafton 6c539a43c6 Use buildozer to delete licenses() rules except under third_party/
Kubernetes-commit: a7f49c906df816123e7d4ccbd4cebab411519465
2017-08-29 13:15:24 +00:00
Jordan Liggitt 80d2e2dae5 Add token cache component
Kubernetes-commit: 1670ba58d5425caecbde8871b07521e9e5888f78
2017-08-29 13:15:24 +00:00
Jeff Grafton 6caa2933ae Use buildozer to remove deprecated automanaged tags
Kubernetes-commit: 33276f06be5e872bf53ca62a095fcf0a6b6c11a8
2017-08-29 13:15:24 +00:00
Jordan Liggitt dcfd8acc4d Add token group adder component
Kubernetes-commit: 15d8509a711efa062a1357cf1cfb398ec6e91023
2017-08-29 13:15:24 +00:00
Kubernetes Publisher e4976b3176 Merge pull request #50308 from m1093782566/validate-apiserver
Automatic merge from submit-queue

validate kube-apiserver options

**What this PR does / why we need it**:

Create Validate() or add more checks in existing Validate() for the following files:

* vendor/k8s.io/apiextensions-apiserver/pkg/cmd/server/start.go:80

* vendor/k8s.io/kube-aggregator/pkg/cmd/server/start.go:104

* vendor/k8s.io/sample-apiserver/pkg/cmd/server/start.go:82

* cmd/kube-apiserver/app/options/validation.go:49

**Which issue this PR fixes**:

fixes #50301

**Special notes for your reviewer**:

This PR follows #50135

**Release note**:

```release-note
NONE
```

Kubernetes-commit: 984f1af5c55b55f1cbbefbe7afd8f3731f06dcd2
2017-08-29 13:15:23 +00:00
Jeff Grafton f8c99c82f6 Autogenerate BUILD files
Kubernetes-commit: cf55f9ed45e6df2431d47cfc5b9c9b30758527f1
2017-08-29 13:15:23 +00:00
Kubernetes Publisher a28089cff0 Merge pull request #50135 from m1093782566/fed-apiserver-validation
Automatic merge from submit-queue

add some checks for federation-apiserver options

**What this PR does / why we need it**:

I find there is a TODO, see https://github.com/kubernetes/kubernetes/blob/master/federation/cmd/federation-apiserver/app/options/validation.go#L30

This PR adds some checks for federation-apiserver options

@sttts

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

Kubernetes-commit: d40bfff29744de2b42d47627fe664a17cac04298
2017-08-29 13:15:23 +00:00
m1093782566 31be6bf988 validate kube-apiserver options
Kubernetes-commit: de406f83cfafc4033a935821a05cd8d8e5f50099
2017-08-29 13:15:23 +00:00
m1093782566 5cfd8381c1 add some checks for federation-apiserver options
Kubernetes-commit: 172ab88ce848d2c2e6c344535d3011d4ac558a37
2017-08-29 13:15:23 +00:00
Kubernetes Publisher 43af965c71 Merge pull request #49321 from dgoodwin/export-wiring
Automatic merge from submit-queue (batch tested with PRs 49615, 49321, 49982, 49788, 50355)

Fix unused Secret export logic.

**What this PR does / why we need it**:

The strategy used for the secret store defined custom export logic, and
had accompanying unit tests. However the secret storage did not actually
wire this up by setting an ExportStrategy and thus the code was never
used in the real world.

This change fixes the missing assignment and adds testing at a higher
level to ensure any uses of the generic registry.Store that we expect to
have an ExportStrategy do, and no others.

Several other strategies in the RBAC package also appeared to have
unwired Export logic, however their implementations were all empty
leading me to believe that these are not considered exportable. The
empty methods have now been removed.

**Which issue this PR fixes**: fixes #49042

**Release note**:

```release-note
```

Kubernetes-commit: f6d90eaa456bafa12e6287abda5a8d8c5bbf893c
2017-08-09 23:56:00 -07:00
Kubernetes Publisher 7e2b09280d Merge pull request #50328 from shiywang/selflink
Automatic merge from submit-queue (batch tested with PRs 50300, 50328, 50368, 50370, 50372)

Add unit tests for GenerateLink

Fixes https://github.com/kubernetes/kubernetes/issues/48321
cc @lavalamp

```release-note
NONE
```

Kubernetes-commit: 9466dbb4ab374652469db5fee6f7b365a0575e01
2017-08-29 13:15:22 +00:00
Devan Goodwin f2bea1dce9 Fix unused Secret export logic.
The strategy used for the secret store defined custom export logic, and
had accompanying unit tests. However the secret storage did not actually
wire this up by setting an ExportStrategy and thus the code was never
used in the real world.

This change fixes the missing assignment and adds testing at a higher
level to ensure any uses of the generic registry.Store that we expect to
have an ExportStrategy do, and no others.

Several other strategies in the RBAC package also appeared to have
unwired Export logic, however their implementations were all empty
leading me to believe that these are not considered exportable. The
empty methods have now been removed.

Kubernetes-commit: 855a1c17131f92fca6de33279a02eca3893ca374
2017-08-29 13:15:22 +00:00
Kubernetes Publisher f0085e9ad7 Merge pull request #50254 from liggitt/revert-disk-cache
Automatic merge from submit-queue (batch tested with PRs 50254, 50174, 50179)

Revert "Merge pull request #47353 from apelisse/http-cache"

Some issues were discovered with the caching merged in #47353:
* uses a disk-based cache that is not safe between processes (does not use atomic fs operations)
* writes get/list responses to disk that should not be cached (like `kubectl get secrets`)
* is vulnerable to partially written cache responses being used as responses to future requests
* breaks uses of the client transport that make use of websockets
* defaults to enabling the cache for any client builder using RecommendedConfigOverrideFlags or DefaultClientConfig which affects more components than just kubectl

This reverts commit fc89743dca6b563063b74728c3b28100cf674d9d, reversing changes made to 29ab38e898988c36e2de34f77fa33be556eb21bd.

Kubernetes-commit: 187e6ab0bc35f696d8f5f574fab9aa457f253d34
2017-08-29 13:15:22 +00:00
Shiyang Wang 0fb974784d Add unit tests for GenerateLink
Kubernetes-commit: a835d5bdd2747f3e799ab470bd2e2f14ee0fb52a
2017-08-29 13:15:22 +00:00
Jordan Liggitt 4661d61624 Revert "Merge pull request #47353 from apelisse/http-cache"
This reverts commit fc89743dca6b563063b74728c3b28100cf674d9d, reversing
changes made to 29ab38e898988c36e2de34f77fa33be556eb21bd.

Kubernetes-commit: 4ee72eb300423772020dd1cf208159058ba7dab5
2017-08-29 13:14:39 +00:00
Kubernetes Publisher 1cbe8b85c9 sync: reset Godeps/Godeps.json
2017-08-29 13:14:39 +00:00
Kubernetes Publisher f0707edd13 Merge pull request #49377 from CaoShuFeng/audit_id_http_response_header
Automatic merge from submit-queue (batch tested with PRs 49868, 50143, 49377, 50141, 50145)

Return Audit-Id HTTP response header for troubleshooting

Users can use the Audit-Id HTTP response header to grep for the audit events in the log.
This provides a fast way to find the events in the audit log.
**Release note**:

```
Audit-Id HTTP header is included in the apiserver responses for audited requests, except some cases when it's not possible, e.g. pods/exec.
```
@sttts @tallclair

Kubernetes-commit: a0826e1d89a45414598138547ebcc9a87aef9448
2017-08-07 04:04:57 -07:00
Cao Shufeng 4ace90bfb4 Return Audit-Id HTTP header for troubleshooting
Kubernetes-commit: 4a1e7ddaa6e0d2e92ce27d9846cfc8407e1fcb60
2017-08-29 13:14:38 +00:00
Kubernetes Publisher f43e4c3c30 Merge pull request #49868 from shiywang/testlog
Automatic merge from submit-queue (batch tested with PRs 49868, 50143, 49377, 50141, 50145)

Status objects for 404 API errors will have the correct APIVersion

Fixes https://github.com/kubernetes/kubernetes/issues/48959
superseded https://github.com/kubernetes/kubernetes/pull/49183


```release-note
Status objects for 404 API errors will have the correct APIVersion
```

Kubernetes-commit: fb661268ffc56567710e5772d949a6669d88fed8
2017-08-07 04:04:53 -07:00
Kubernetes Publisher 0e4f9d22d1 Merge pull request #50159 from liggitt/includeObject
Automatic merge from submit-queue

Fix includeObject parameter parsing

Fixes #50149

Kubernetes-commit: c75d3028dda35e25603aad580326385b8d141f93
2017-08-29 13:14:38 +00:00
Shiyang Wang 33ec851d32 Fix NotFound errors that do not line up with the API endpoint's group version
Kubernetes-commit: 2eda19da7be9b8e0fad294bf902684f23a795dd2
2017-08-29 13:14:38 +00:00
Jordan Liggitt f5f8465637 Fix includeObject parameter parsing
Kubernetes-commit: a7a551148071bb4d87f73c7b6c0f4bd7cc829b22
2017-08-29 13:14:38 +00:00
Kubernetes Publisher 787b46c230 Merge pull request #49915 from caesarxuchao/controller-ignore-initialize-timeout
Automatic merge from submit-queue (batch tested with PRs 49855, 49915)

Let controllers ignore initialization timeout when creating pods

Partially address https://github.com/kubernetes/kubernetes/issues/48893#issuecomment-318540129.

This only updates the controllers that create pods with `GenerateName`.

The controllers ignore the timeout error when creating the pods, depending on how the initialization progresses:
* If the initialization is successful in less than 5 mins, the controller will observe the creation via the informer. All is good.
* If the initialization fails, the server will delete the pod, but the controller won't receive any event. The controller will not create a new pod until the Creation expectation expires in 5 min.
* If the initialization takes too long (> 5 mins), the Creation expectation expires and the controller will create extra pods.

I'll send follow-up PRs to fix the latter two cases, e.g., by refactoring the sharedInformer.

Kubernetes-commit: f75f49e7a03700b5b300e9ccb61d434487bb0ccc
2017-08-05 19:07:53 -07:00