Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Enable caching successful token authentication
Resolves#50472
To support revocation of service account tokens, an etcd lookup of the token and service account is done by the token authenticator. Controllers that make dozens or hundreds of API calls per second (like the endpoints controller) cause this lookup to be done very frequently on the same objects.
This PR:
* Implements a cached token authenticator that conforms to the authenticator.Token interface
* Implements a union token authenticator (same approach as the union request authenticator, conforming to the authenticator.Token interface)
* Cleans up the auth chain construction to group all token authenticators (means we only do bearer and websocket header parsing once)
* Adds a 10-second TTL cache to successful token authentication
```release-note
API server authentication now caches successful bearer token authentication results for a few seconds.
```
Kubernetes-commit: 42adb9ef2572d7ac30237a3aad47ead75ff7c6cc
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Manage BUILD files using gazelle + kazel
**What this PR does / why we need it**: uses the upstream `gazelle` tool to manage go rules in BUILD files.
This is needed to support Bazel builds on Mac OS and Bazel cross compilation in general.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47558
**Special notes for your reviewer**:
It's probably easiest to review this commit-by-commit:
* bump to latest `rules_go` (for recent `cgo_library` and `gazelle` improvements)
* update `kazel` with recent compatibility fixes (https://github.com/kubernetes/repo-infra/pull/28, https://github.com/kubernetes/repo-infra/pull/27), update `hack` scripts to download/build `gazelle`, and then run both `gazelle` and `kazel`. (Additionally make `gazelle` skip things it shouldn't touch.)
* run `hack/update-bazel.sh` to autogenerate everything
* remove the old `cgo_genrule` rules - these are now part of `go_library`
* remove the `automanaged` tags from all go rules - `gazelle` doesn't use them, and it prevents an old version of `kazel/gazel` from messing with the rules
* remove the `licenses()` rules from everywhere but `third_party/` - we don't need them, and `gazelle` won't add them on new `BUILD` files it generates.
**Release note**:
```release-note
NONE
```
for review:
/assign @mikedanese @spxtr
for approval:
/assign @thockin
Kubernetes-commit: 941ad0164d44cfcf96dd6efbb491e2222a3a23d3
Automatic merge from submit-queue
validate kube-apiserver options
**What this PR does / why we need it**:
Create Validate() or add more checks in existing Validate() for the following files:
* vendor/k8s.io/apiextensions-apiserver/pkg/cmd/server/start.go:80
* vendor/k8s.io/kube-aggregator/pkg/cmd/server/start.go:104
* vendor/k8s.io/sample-apiserver/pkg/cmd/server/start.go:82
* cmd/kube-apiserver/app/options/validation.go:49
**Which issue this PR fixes**:
fixes#50301
**Special notes for your reviewer**:
This PR follows #50135
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 984f1af5c55b55f1cbbefbe7afd8f3731f06dcd2
Automatic merge from submit-queue
add some checks for fedration-apiserver options
**What this PR does / why we need it**:
I find there is a TODO, see https://github.com/kubernetes/kubernetes/blob/master/federation/cmd/federation-apiserver/app/options/validation.go#L30
This PR add some checks for fedration-apiserver options
@sttts
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: d40bfff29744de2b42d47627fe664a17cac04298
Automatic merge from submit-queue (batch tested with PRs 49615, 49321, 49982, 49788, 50355)
Fix unused Secret export logic.
**What this PR does / why we need it**:
The strategy used for the secret store defined custom export logic, and
had accompanying unit tests. However the secret storage did not actually
wire this up by setting an ExportStrategy and thus the code was never
used in the real world.
This change fixes the missing assignment and adds testing at a higher
level to ensure any uses of the generic registry.Store that we expect to
have an ExportStrategy do, and no others.
Several other strategies in the RBAC package also appeared to have
unwired Export logic, however their implementations were all empty
leading me to believe that these are not considered exportable. The
empty methods have now been removed.
**Which issue this PR fixes**: fixes#49042
**Release note**:
```release-note
```
Kubernetes-commit: f6d90eaa456bafa12e6287abda5a8d8c5bbf893c
The strategy used for the secret store defined custom export logic, and
had accompanying unit tests. However the secret storage did not actually
wire this up by setting an ExportStrategy and thus the code was never
used in the real world.
This change fixes the missing assignment and adds testing at a higher
level to ensure any uses of the generic registry.Store that we expect to
have an ExportStrategy do, and no others.
Several other strategies in the RBAC package also appeared to have
unwired Export logic, however their implementations were all empty
leading me to believe that these are not considered exportable. The
empty methods have now been removed.
Kubernetes-commit: 855a1c17131f92fca6de33279a02eca3893ca374
Automatic merge from submit-queue (batch tested with PRs 50254, 50174, 50179)
Revert "Merge pull request #47353 from apelisse/http-cache"
Some issues were discovered with the caching merged in #47353:
* uses a disk-based cache that is not safe between processes (does not use atomic fs operations)
* writes get/list responses to disk that should not be cached (like `kubectl get secrets`)
* is vulnerable to partially written cache responses being used as responses to future requests
* breaks uses of the client transport that make use of websockets
* defaults to enabling the cache for any client builder using RecommendedConfigOverrideFlags or DefaultClientConfig which affects more components than just kubectl
This reverts commit fc89743dca6b563063b74728c3b28100cf674d9d, reversing changes made to 29ab38e898988c36e2de34f77fa33be556eb21bd.
Kubernetes-commit: 187e6ab0bc35f696d8f5f574fab9aa457f253d34
This reverts commit fc89743dca6b563063b74728c3b28100cf674d9d, reversing
changes made to 29ab38e898988c36e2de34f77fa33be556eb21bd.
Kubernetes-commit: 4ee72eb300423772020dd1cf208159058ba7dab5
Automatic merge from submit-queue (batch tested with PRs 49868, 50143, 49377, 50141, 50145)
Return Audit-Id http response header for trouble shooting
Users can use Audit-Id http response header to grep the audit events in log.
This provides a fast way to find the events in audit.
**Release note**:
```
Audit-Id HTTP header is included in the apiserver responses for audited requests, except some cases when it's not possible, e.g. pods/exec.
```
@sttts @tallclair
Kubernetes-commit: a0826e1d89a45414598138547ebcc9a87aef9448
Automatic merge from submit-queue (batch tested with PRs 49868, 50143, 49377, 50141, 50145)
Status objects for 404 API errors will have the correct APIVersion
Fixes https://github.com/kubernetes/kubernetes/issues/48959
superseded https://github.com/kubernetes/kubernetes/pull/49183
```release-note
Status objects for 404 API errors will have the correct APIVersion
```
Kubernetes-commit: fb661268ffc56567710e5772d949a6669d88fed8
Automatic merge from submit-queue (batch tested with PRs 49855, 49915)
Let controllers ignore initialization timeout when creating pods
Partially address https://github.com/kubernetes/kubernetes/issues/48893#issuecomment-318540129.
This only updates the controllers that create pods with `GenerateName`.
The controllers ignore the timeout error when creating the pods, depending on how the initialization progress:
* If the initialization is successful in less than 5 mins, the controller will observe the creation via the informer. All is good.
* If the initialization fails, server will delete the pod, but the controller won't receive any event. The controller will not create new pod until the Creation expectation expires in 5 min.
* If the initialization takes too long (> 5 mins), the Creation expectation expires and the controller will create extra pods.
I'll send follow-up PRs to fix the latter two cases, e.g., by refactoring the sharedInformer.
Kubernetes-commit: f75f49e7a03700b5b300e9ccb61d434487bb0ccc
Automatic merge from submit-queue
Timeout and Max-in-flight don't report non-resource URLs correctly.
Unify error reporting for 429 and 504 to be correct for timeout and max in flight and eviction. Add better messages to eviction (removing a todo). Return the correct body content for timeouts (reason and code should be correct).
This potentially increases cardinality of 429, but because non-api urls may be under the max-inflight budget we need to report them somewhere (if something breaks and starts fetching API versions endlessly).
```release-note
The 504 timeout error was returning a JSON error body that indicated it was a 500. The body contents now correctly report a 500 error.
```
Kubernetes-commit: 8d6bbaa85f96f14ac9c9722ed1677e1052c974ba
SuggestClientDelay is returning whether the server has requested that
the client delay their next action. It is *not* about whether the client
should retry the action. Webhook was using it incorrectly, and the
method is now up to date.
Kubernetes-commit: 04846cc25b862c1eabff03ea0b11cbf2f7fae8e2
Automatic merge from submit-queue
go-client: Use httpcache client for all requests, even though only openapi returns ETags for caching
**What this PR does / why we need it**: Use HTTP ETag for caching Swagger spec download
This also adds a new command-line flag "cachedir" to specify where the cache should keep its file. It defaults to `$HOME/.kube/http-cache`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: partly #38637
**Special notes for your reviewer**:
Because this adds a bunch of dependencies, and removes a couple of files, I do recommend reading each commit individually.
**Release note**:
```release-note
```
Kubernetes-commit: fc89743dca6b563063b74728c3b28100cf674d9d
Our rules are that code of the error must match code of the response. We
were also not setting the correct reason. This updates the timeout
filter to be consistent with other clients, without changing the error
code (504 is correct). The new message properly indicates the request
may still be running, which the old message did not do.
Kubernetes-commit: 74f6669b4983a9295dc0549ad15e44d70a18cc8f
This potentially has high cardinality, however we can rate limit based
on queries to these endpoints as well.
Kubernetes-commit: 022a5463dcf20126b02e9d9f797ea1e589de1dd1
All of these errors are now part of the standard HTTP method. Formalize
those into our error types and remove duplication and unclear
separation.
Kubernetes-commit: d3be1ac92eb644e284915a55fe67942c33f88d4c
Automatic merge from submit-queue (batch tested with PRs 48237, 50084, 50019, 50069, 50090)
create default storage selection functions
The vast majority of our REST storage needs either default selection predicates or minor tweaks the the field selection criteria. This pull makes that work without any special fields set, but also allows the more complex configuration where it is required. I only changed one storage an example. Once this merges, I'll update the others.
@kubernetes/sig-api-machinery-misc @wojtek-t @smarterclayton @sttts @cheftako ptal.
Kubernetes-commit: 65e6bf8d76f54851c1e57c40ce33f69a5f854543
Automatic merge from submit-queue (batch tested with PRs 50103, 49677, 49449, 43586, 48969)
Run kazel on the entire tree
**What this PR does / why we need it**: part of #47558: auto-generate `BUILD` files on the entire tree, since this is what `gazelle` does, and it'll make subsequent reviews easier if less is changing.
**Release note**:
```release-note
NONE
```
/assign
/release-note-none
Kubernetes-commit: d15baf69e10f3eddd59da2f6972a723a08e7dac7
Automatic merge from submit-queue (batch tested with PRs 50103, 49677, 49449, 43586, 48969)
Add missing UID in SubjectAccessReviewSpec
**What this PR does / why we need it**:
WebhookAuthorizer's Authorize should send *all* the information
present in the user.Info data structure. We are not sending the
UID currently.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
The SubjectAccessReview API in the authorization.k8s.io API group now allows providing the user uid.
```
Kubernetes-commit: 40d66b8e05ec7d4dd5bfe03d9f76ace4d4ad34da
Automatic merge from submit-queue
fix typo in staging/src/k8s.io/apiserver/pkg/server/config.go
**What this PR does / why we need it**: Fix a typo `It's members are sorted roughly in order of importance for composers.` in `staging/src/k8s.io/apiserver/pkg/server/config.go`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Kubernetes-commit: 2bd0b3dd2616e5c4a6ef79d08dfb8bc8f5959ced
WebhookAuthorizer's Authorize should send *all* the information
present in the user.Info data structure. We are not sending the
UID currently.
Kubernetes-commit: 9a761b16c1558106800222dbc52f6ab03c40c64c
Automatic merge from submit-queue
Switch from package syscall to golang.org/x/sys/unix
**What this PR does / why we need it**:
The syscall package is locked down and the comment in https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24 advises to switch code to use the corresponding package from golang.org/x/sys. This PR does so and replaces usage of package syscall with package golang.org/x/sys/unix where applicable. This will also allow to get updates and fixes
without having to use a new go version.
In order to get the latest functionality, golang.org/x/sys/ is re-vendored. This also allows to use Eventfd() from this package instead of calling the eventfd() C function.
**Special notes for your reviewer**:
This follows previous works in other Go projects, see e.g. moby/moby#33399, cilium/cilium#588
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 5d24a2c19923d6da46110b827619f4b21cf689ac
Automatic merge from submit-queue
Add missing ugorji codecs for auth/v1, settings/v1alphav1 and storage/v1
Kubernetes-commit: f8affc7dcc9e227b5d883d2322105be779d22125
Automatic merge from submit-queue
remove dead log handler and increase verbosity
We had a handler that no one was using and this bumps the verbosity slightly (2->3) to reduce noise at 2.
Kubernetes-commit: 804ec9457a78f03bbb2c78da94ea163dbff9329f
Kubernetes Publisher
Jordan Liggitt
Jeff Grafton
m1093782566
Devan Goodwin
Shiyang Wang
Cao Shufeng
Chao Xu
Clayton Coleman
Antoine Pelisse
deads2k
Davanum Srinivas
huangjiuyuan
Tobias Klauser
Dr. Stefan Schimanski