Automatic merge from submit-queue (batch tested with PRs 51298, 51510, 51511)
modifying the comment of BeforeDelete function to improve readability
**What this PR does / why we need it**:
modifying the comment of `BeforeDelete` function in `staging/src/k8s.io/apiserver/pkg/registry/rest/delete.go` to improve readability.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Kubernetes-commit: ce559394653a8e5041f44d49391b851ec5465538
Automatic merge from submit-queue (batch tested with PRs 51471, 50561, 50435, 51473, 51436)
Feature gate initializers field
The metadata.initializers field should be feature gated and disabled by default while in alpha, especially since enforcement of initializer permission that keeps users from submitting objects with their own initializers specified is done via an admission plugin most clusters do not enable yet.
Not gating the field and tests caused tests added in https://github.com/kubernetes/kubernetes/issues/51429 to fail on clusters that don't enable the admission plugin.
This PR:
* adds an `Initializers` feature gate, auto-enables the feature gate if the admission plugin is enabled
* clears the `metadata.initializers` field of objects on create/update if the feature gate is not set
* marks the e2e tests as feature-dependent (will follow up with PR to test-infra to enable the feature and opt in for GCE e2e tests)
```release-note
Use of the alpha initializers feature now requires enabling the `Initializers` feature gate. This feature gate is auto-enabled if the `Initialzers` admission plugin is enabled.
```
Kubernetes-commit: 12d73c31a97188286e7f4c8a3aec7fcd38a76a83
Automatic merge from submit-queue (batch tested with PRs 50932, 49610, 51312, 51415, 50705)
Add --request-timeout to kube-apiserver to make global request timeout configurable
**What this PR does / why we need it**:
Make the currently hard coded 60 global request timeout in apiserver configurable via a --request-timeout command line flag.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
https://github.com/kubernetes/kubernetes/issues/51355
**Special notes for your reviewer**:
We plan to backport this to 1.6 and 1.7. To ease the backport work, we've kept this change to a minimum. After this PR we will submit an additional PR to rename `--min-request-timeout` to something that more clearly describes it's purpose, such as `--long-running-request-timeout-min`.
**Release note**:
```release-note
Add --request-timeout to kube-apiserver to make global request timeout configurable.
```
Kubernetes-commit: 0b0b2a22c5837975824add628df6ecb2dc297d57
Automatic merge from submit-queue
Fix forbidden message format
Before this change:
$ kubectl get pods --as=tom
Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default".
After this change:
$ kubectl get pods --as=tom
Error from server (Forbidden): pods is forbidden: User "tom" cannot list pods in the namespace "default".
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
Fix forbidden message format, remove extra ""
```
Kubernetes-commit: 562d2be7a08c5cfb0f78331b0225acdf73bf9d94
Automatic merge from submit-queue
Remove null -> [] slice hack
Closes#44593
When 1.6 added protobuf storage, the storage layer lost the ability to persist slice fields with empty but non-null values.
As a workaround, we tried to convert empty slice fields to `[]`, rather than `null`. Compressing `null` -> `[]` was just as much of an API breakage as `[]` -> `null`, but was hoped to cause fewer problems in clients that don't do null checks.
Because of conversion optimizations around converting lists of objects, the `null` -> `[]` hack was discovered to only apply to individual get requests, not to a list of objects. 1.6 and 1.7 was released with this behavior, and the world didn't explode. 1.7 documented the breaking API change that `null` and `[]` should be considered equivalent, unless otherwise noted on a particular field.
This PR:
* Reverts the earlier attempt (https://github.com/kubernetes/kubernetes/pull/43422) at ensuring non-null json slice output in conversion
* Makes results of `get` consistent with the results of `list` (which helps naive clients that do deepequal comparisons of objects obtained via list/watch and get), and allows empty slice fields to be returned as `null`
```release-note
Protobuf serialization does not distinguish between `[]` and `null`.
API fields previously capable of storing and returning either `[]` and `null` via JSON API requests (for example, the Endpoints `subsets` field) can now store only `null` when created using the protobuf content-type or stored in etcd using protobuf serialization (the default in 1.6+). JSON API clients should tolerate `null` values for such fields, and treat `null` and `[]` as equivalent in meaning unless specifically documented otherwise for a particular field.
```
Kubernetes-commit: 217513e27a6e54eb92d09165293cf811d5bdf878
Before this change:
# kubectl get pods --as=tom
Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default".
After this change:
# kubectl get pods --as=tom
Error from server (Forbidden): pods is forbidden: User "tom" cannot list pods in the namespace "default".
Kubernetes-commit: ab0918673728fc50fc539017c86bbc03fceb0adc
Automatic merge from submit-queue (batch tested with PRs 51134, 51122, 50562, 50971, 51327)
set --audit-log-format default to json
Updates: https://github.com/kubernetes/kubernetes/issues/48561
**Release note**:
```
set --audit-log-format default to json for kube-apiserver
```
Kubernetes-commit: b5bb8099e79813aa8d73a49725efa54323d9279b
Automatic merge from submit-queue (batch tested with PRs 51244, 50559, 49770, 51194, 50901)
Remove deprecated flag "long-running-request-regexp".
**What this PR does / why we need it**:
remove `long-running-request-regexp` post-1.6.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 05294d80347f4cf4ff6111e0211013d8f617a0f5
Automatic merge from submit-queue (batch tested with PRs 51148, 50816, 49741, 50858, 51223)
Add tests around TableConvert and server side printing
Also wire in more table printers
@fabianofranz
Kubernetes-commit: 4f19a8fd2a0ed24aff9154670adcc332a8b6d1b1
Automatic merge from submit-queue (batch tested with PRs 51148, 50816, 49741, 50858, 51223)
Enable finalizers independent of GC enablement
Decouple finalizer processing from garbage collection configuration.
Finalizers should be effective even when garbage collection is disabled
for a given store.
Fixes https://github.com/kubernetes/kubernetes/issues/50528.
```release-note
NONE
```
/cc @kubernetes/sig-api-machinery-bugs
/cc @caesarxuchao @liggitt @sttts @pmorie
Kubernetes-commit: 7edab23997d012e142ff3e7a24fa24e69243575f
Automatic merge from submit-queue (batch tested with PRs 47115, 51196, 51204, 51208, 51206)
Add an OrDie version for AddPostStartHook
Simplifies usage and consolidate the error message so it is always
the same everywhere.
```release-note
NONE
```
Kubernetes-commit: 2c214baefc06cefd68cc282b532bfe526613e36c
Automatic merge from submit-queue (batch tested with PRs 51193, 51154, 42689, 51189, 51200)
Bumped gRPC version to 1.3.0
**What this PR does / why we need it**:
This PR bumps down the version of the vendored version of gRPC from v1.5.1 to v1.3.0
This is needed as part of the Device Plugin API where we expect client and server to use the Keep alive feature in order to detect an error.
Unfortunately I had to also bump the version of `golang.org/x/text` and `golang.org/x/net`.
- Design document: kubernetes/community#695
- PR tracking: [kubernetes/features#368](https://github.com/kubernetes/features/issues/368#issuecomment-321625420)
**Which issue this PR fixes**: fixes#51099
Which was caused by my previous PR updating to 1.5.1
**Special notes for your reviewer**:
@vishh @jiayingz @shyamjvs
**Release note**:
```
Bumped gRPC to v1.3.0
```
Kubernetes-commit: 5fb38a325efb343c2a0467a12732829bd5ed3c3c
Simplifies usage and consolidate the error message so it is always
the same everywhere.
Signed-off-by: Simo Sorce <simo@redhat.com>
Kubernetes-commit: 15c54ffa7750c3037f464933c2b678a9a94cea82
Decouple finalizer processing from garbage collection configuration.
Finalizers should be effective even when garbage collection is disabled
for a given store.
Fixes https://github.com/kubernetes/kubernetes/issues/50528.
Kubernetes-commit: ed5b5bb94e7c75f22a7fc302e47dade6c0d1662d
Automatic merge from submit-queue (batch tested with PRs 50893, 50913, 50963, 50629, 50640)
[advanced audit api] fuzz Event with random value
This is an error import by me:
https://github.com/kubernetes/kubernetes/pull/49115
We need to fuzz other parts of Event with random value, otherwise
this round trip test will not make too much sense.
@sttts
@ericchiang is also researching this.
**Release note**:
```
NONE
```
Kubernetes-commit: c13e9d14cde09e97cebd5883d04443d22cc91ca1
Automatic merge from submit-queue (batch tested with PRs 50531, 50853, 49976, 50939, 50607)
Updated gRPC vendoring to support Keep Alive
**What this PR does / why we need it**:
This PR bumps the version of the vendored version of gRPC from v1.0.4 to v1.5.1
This is needed as part of the Device Plugin API where we expect client and server to use the Keep alive feature in order to detect an error.
Unfortunately I had to also bump the version of `golang.org/x/text` and `golang.org/x/net`.
- Design document: kubernetes/community#695
- PR tracking: [kubernetes/features#368](https://github.com/kubernetes/features/issues/368#issuecomment-321625420)
**Special notes for your reviewer**:
@vishh @jiayingz
**Release note**:
```
Bumped gRPC from v1.0.4 to v1.5.1
```
Kubernetes-commit: 967c19df4916160d4d4fbd9a65bad41a53992de8
This is an error import by me:
https://github.com/kubernetes/kubernetes/pull/49115
We need to fuzz other parts of Event with random value, otherwise
this round trip test will not make too much sense.
@sttts @ericchiang
Kubernetes-commit: f2ec610455f3756afebfcbd99c108abc86a5015d
Automatic merge from submit-queue (batch tested with PRs 46512, 50146)
Make metav1.(Micro)?Time functions take pointers
Is there any reason for those functions not to be on pointers?
Kubernetes-commit: b59ad9cbfff866093a6c0ee26c3562e9ec9133e4
Automatic merge from submit-queue
Add enj as reviewer to OWNERS
Adding myself as a reviewer for the following areas:
- API
- auth
- registry
- storage (etcd)
Signed-off-by: Monis Khan <mkhan@redhat.com>
**Release note**:
```release-note
NONE
```
@kubernetes/sig-api-machinery-pr-reviews
@kubernetes/sig-auth-pr-reviews
Kubernetes-commit: afabd09889d53ade30f1ce5b39b33ebe40f0a52f
Adding myself as a reviewer for the following areas:
- API
- auth
- registry
- storage (etcd)
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: dd06794bc20ef1e0889af576c7a4f7a2f607e49d
Automatic merge from submit-queue (batch tested with PRs 50255, 50885)
remove dead code for cloner
I found some dead code in audit webhook backend.
This change do some clean work for: 2bbe72d4e0
**Release note**:
```
NONE
```
Kubernetes-commit: 2ba796fe47b3d17c5a385183d91a396aee580b87
I found some dead code in audit webhook backend.
This change do some clean work for: 2bbe72d4e0
Kubernetes-commit: 7b5c7bb711e7f15a1bf216a7a51fd40148110fba
Automatic merge from submit-queue
fix typo
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 38053c3e4486e6a7fafd00b2784a1e67e0357f45
Automatic merge from submit-queue (batch tested with PRs 50281, 50747, 50347, 50834, 50852)
fix incorrect logic in admission register
**What this PR does / why we need it**:
There is no issue for this PR, just fix incorrect logic in invocation `func (ps *Plugins) Register(name string, plugin Factory) ` after browsing the code accidentally. And apparently, the logic exits potential panic.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
no issue
**Special notes for your reviewer**:
none
**Release note**:
none
Kubernetes-commit: 1eb04f6a2a16b3b8642184db62719451c3e84d2a
Automatic merge from submit-queue
Add metric for remaining lifetime of certificates authenticating requests
fixes#50778
When incoming requests to the API server are authenticated by a certificate, the expiration of the certificate can affect the validity of the authentication. With auto rotation of certificates, which is starting with kubelet certificates, the goal is to use shorter lifetimes and let the kubelet renew the certificate as desired. Monitoring certificates which are approaching expiration and not renewing would be an early warning sign that nodes are about to stop participating in the cluster.
**Release note**:
```release-note
Add new Prometheus metric that monitors the remaining lifetime of certificates used to authenticate requests to the API server.
```
Kubernetes-commit: 6bc0b295b59d85ffbd1ee2044d6eb2e2277d5d21
Automatic merge from submit-queue (batch tested with PRs 49115, 47480)
Upgrade advanced audit to version v1beta1
This change does nothing but only upgrades advanced audit to version v1beta1.
There will be following up changes which does real effect to advanced audit feature.
After this change audit policy file should contain apiVersion and kind and has such format:
```
apiVersion: audit.k8s.io/v1alpha1
kind: Policy
rules:
- level: None
```
or use the v1beta1 policy:
```
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
- level: None
```
Updates #48561
**Release note**:
```
Upgrade advanced audit to version v1beta1.
```
Kubernetes-commit: 49bee177b22f331c11860b227b5cc7f9ff9ec07c
When incoming requests to the API server are authenticated by a
certificate, the expiration of the certificate can affect the validity
of the authentication. With auto rotation of certificates, which is
starting with kubelet certificates, the goal is to use shorter lifetimes
and let the kubelet renew the certificate as desired. Monitoring
certificates which are approaching expiration and not renewing would be
an early warning sign that nodes are about to stop participating in the
cluster.
Kubernetes-commit: 49a19c6011e05363a8baf8e99c917d11a9496568
Kubernetes Publisher
huangjiuyuan
Jordan Liggitt
Joe Betz
Cao Shufeng
Slava Semushin
xiangpengzhao
Clayton Coleman
Dan Mace
Simo Sorce
Renaud Gaubert
Shyam JVS
Renaud Gaubert
gmarek
Monis Khan
duan-yue
guangxuli
Jacob Simpson