Automatic merge from submit-queue (batch tested with PRs 55004, 54957). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update kube-openapi to use validation
**What this PR does / why we need it**: Moves openapi validation code to kube-openapi, so that we can move the rest of the code to apimachinery repository, so that later we can use it from both the client and the server.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #Nothing
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 55e216f56eac0082acc6be655d9ae09cf9ba38a8
Automatic merge from submit-queue (batch tested with PRs 54800, 53898, 54812, 54921, 53558). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix error for strategic merge patch of custom resources
Fixes#50037.
We need the go struct tags `patchMergeKey` and `patchStrategy` for fields that support a strategic merge patch. For native resources, we can easily figure out these tags since we know the fields.
Because custom resources are decoded as Unstructured and because we're missing the metadata about how to handle each field in a strategic merge patch, we can't find the go struct tags. Hence, we can't easily do a strategic merge for custom resources.
So we should fail fast and return an error.
**Release note**:
```release-note
NONE
```
/cc @sttts @deads2k @ncdc
Kubernetes-commit: 7aed66305127904a874289a1c78f5b5d5ad6b80c
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Log error when a healthz check fails
**What this PR does / why we need it**:
Currently we only tell a user that a healthz check failed but we don't display the explicit error of the failed check. This is fine, but we should log the error to make debugging easier.
```release-note
Log error of failed healthz check
```
Kubernetes-commit: 816f2f460531cc1b2ed999962b64f930a7fc39fd
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Shutdown http handlers before shutting down audit backend
**What this PR does / why we need it**:
Currently, audit backend is shut down before http handlers stop processing requests, so some audit events can be dropped in case of batching webhook.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#50781
**Special notes for your reviewer**:
**Release note**:
```release-note
Shutdown http handlers in kube-apiserver before shutting down audit backend.
```
Kubernetes-commit: 7a6a58f4444c60a9b3fefe335a303f0c230d8f10
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use the core client with explicit version globally
**What this PR does / why we need it**:
As mentioned in #49535 and #50605, we want to have a global replace to use core client with explicit version.
**Which issue this PR fixes**: fixes#49535
**Special notes for your reviewer**:
The actual type of clientSet.Core() is already the same with clientSet.CoreV1(), so it should be safe replacement.
The places that clientSet.Core() are still in use are identified by IDE "find usages", and changes are made with one time global replace. Hopefully there will be none left after this PR merged.
Let me know if this PR is too big to review, I can split it into some smaller ones.
/cc @kubernetes/sig-api-machinery-pr-reviews
/cc @k82cn @sttts
**Release note**:
```release-note
none
```
Kubernetes-commit: d8ec716f4d7cabc8fa1fc825b20feffe105e99a9
Automatic merge from submit-queue (batch tested with PRs 49865, 53731, 54013, 54513, 51502). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
move webhook admission to generic apiserver
This builds on https://github.com/kubernetes/kubernetes/pull/54414.
It moves the admission webhook into the generic apiserver. It also allows the injection of a server managed way to override the rest.Config used for a particular service. This makes for an easier point to allow auto-configuration of the kube-apiserver to loopback to itself as a special case for kubernetes.default.svc.
@kubernetes/sig-api-machinery-pr-reviews
```release-note
the generic admission webhook is now available in the generic apiserver
```
Kubernetes-commit: 9ec88d0d45a7273bfbac70ad51279112eeeda00a
Automatic merge from submit-queue (batch tested with PRs 52717, 54568, 54452, 53997, 54237). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[OpenStack]Remove the LbaasV1 of OpenStack cloud provider
The Neutron LbaasV1 has been declared obsolete, LbaasV2 is a
better choice.
So let's remove the codes of LbaasV1, only support LbaasV2.
xref: #52609
Reference OpenStack doc:
https://docs.openstack.org/mitaka/networking-guide/config-lbaas.html
**Special notes for your reviewer**:
/assign @dims
/assign @anguslees
**Release note**:
```release-note
Remove the LbaasV1 of OpenStack cloud provider, currently only support LbaasV2.
```
Kubernetes-commit: b2b31ada149fb688aea0d62cd58e5416d5fd337b
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
audit backend run before http server start and register presShutdown …
…hook
**What this PR does / why we need it**:
1. audit backend run before http server start , prevent coming request audit blocking
2. audit backend use preShutdownHook.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#54286
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 192bb6262b5a73438d958408f91d198384c3f497
Automatic merge from submit-queue (batch tested with PRs 54199, 54181, 54196). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update openapi to use kube-openapi code
**What this PR does / why we need it**: OpenAPI code has moved to `github.com/kubernetes/kube-openapi`. Let's use that code as a dependency, since now it's duplicated.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#51823
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
No user visible changes. Just code moving around.
Kubernetes-commit: 507790c9c6f50b580b4409b5ac93b10a24570819
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update gRPC to pick up data race fix
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#53124
**Special notes for your reviewer**:
**Release note**:
```release-note
update gRPC to v1.6.0 to pick up data race fixgrpc/grpc-go#1316
```
Kubernetes-commit: 70960a5ed785c64df837139a783f89901d7891f1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update admission webhook to accept client config
Fixes https://github.com/kubernetes/kubernetes/issues/53827
This plumbs a complete client through the plugin initializer for admission webhooks. It achieves parity with our existing webhooks and provides flexibility if people want to do something special or different. Easy things are easy, hard things are possible. This does not change behavior for kube-apiserver.
@kubernetes/sig-auth-api-reviews @kubernetes/sig-api-machinery-bugs
Kubernetes-commit: f07b359e5bd5af8947b32309865dada7043d59e3
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix typos: remove duplicated word in comments
**What this PR does / why we need it**: Remove the duplicated word `the` in comments
**Which issue this PR fixes** : fixes #
**Special notes for your reviewer**:
```release-note
NONE
```
Kubernetes-commit: 1d8f1e268f18e278b93b3ba06ca3c73604bfdb77
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove repeated type conversion
**What this PR does / why we need it**:
remove repeated type conversion(convert String to Feature)
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
we just need make this conversion once.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 7d59b2d3384379a4a7e2f6ba69fde11b9d74bfef
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update rules_go, repo-infra, and rules_docker dependencies
**What this PR does / why we need it**: several of our bazel dependencies were getting pretty old, since they required bazel 0.5.4+ but there were various failures if we tried to use them with bazel 0.5.4.
Now that bazel 0.6.0 (and 0.6.1) have been out for a while, we can bump our dependencies and get a number of fixes and new functionality.
x-ref #52677 and others
**Special notes for your reviewer**:
* This will now explicitly require bazel 0.6.0+ to build kubernetes.
* Our staging directories are causing some issues for `gazelle`; it wants to set `importpath = "k8s.io/kubernetes/staging/src/k8s.io/blah"` instead of `importpath = "k8s.io/blah"`. I'm not sure what is the correct way to fix this; what we're doing here is pretty weird and nonstandard. I've used a `sed` substitution for now.
* The `-proto=default` option of `gazelle` has a number of bugs right now (https://github.com/bazelbuild/rules_go/issues/888, https://github.com/bazelbuild/rules_go/issues/900, https://github.com/bazelbuild/rules_go/issues/907), so I am forcing the legacy behavior.
**Release note**:
```release-note
NONE
```
/assign @mikedanese @spxtr @BenTheElder
Kubernetes-commit: 77b83e446b4e655a71c315ad3f3890dc2a220ccf
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make feature gates loadable from a map[string]bool
Command line flag API remains the same. This allows ComponentConfig
structures (e.g. KubeletConfiguration) to express the map structure
behind feature gates in a natural way when written as JSON or YAML.
For example:
KubeletConfiguration Before:
```
apiVersion: kubeletconfig/v1alpha1
kind: KubeletConfiguration
featureGates: "DynamicKubeletConfig=true,Accelerators=true"
```
KubeletConfiguration After:
```
apiVersion: kubeletconfig/v1alpha1
kind: KubeletConfiguration
featureGates:
DynamicKubeletConfig: true
Accelerators: true
```
Fixes: #53024
```release-note
The Kubelet's feature gates are now specified as a map when provided via a JSON or YAML KubeletConfiguration, rather than as a string of key-value pairs.
```
/cc @mikedanese @jlowdermilk @smarterclayton
Kubernetes-commit: df072ca97ee0248968c043759f0016e19911389e
Automatic merge from submit-queue (batch tested with PRs 52354, 52949, 53551). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable API chunking and promote to beta for 1.9
All list watchers default to using chunking. The server by default fills pages to avoid low cardinality filters from making excessive numbers of requests. Fix an issue with continuation tokens where a `../` could be used if the feature was enabled.
```release-note
API chunking via the `limit` and `continue` request parameters is promoted to beta in this release. Client libraries using the Informer or ListWatch types will automatically opt in to chunking.
```
Kubernetes-commit: 23cc4dc50ab223751d5a7983faa3fa6b811f2255
Automatic merge from submit-queue (batch tested with PRs 53525, 53652). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apimachinery: remove ObjectCopier interface(s)
The big commit is a mechanical, transitive removal of the copier interfaces in all structs and function calls.
Kubernetes-commit: aaf14d4619ddae90ec753959053a74967832058c
Automatic merge from submit-queue (batch tested with PRs 53278, 53184). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add API version apps/v1, and bump DaemonSet to apps/v1
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: kubernetes/features#484
**Special notes for your reviewer**: This PR targets `master`, as a backup if #53223 (targeting features branch) falls through
@kubernetes/sig-apps-api-reviews
**Release note**:
```release-note
Add API version apps/v1, and bump DaemonSet to apps/v1
```
Kubernetes-commit: fc81ec01e51e6bcda6ed96f0f73799b43634d8d1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix some typos in api/types
**What this PR does / why we need it**:
Fix some typos in api/types
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#53420
**Special notes for your reviewer**:
**Release note**:
```release-note
None
```
Kubernetes-commit: 029ed12b332dc358782a453f9ed904fa16844d8c
Automatic merge from submit-queue (batch tested with PRs 51765, 53053, 52771, 52860, 53284). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add an option for turning on/off compaction from apiserver in etcd3 mode
…erver
**What this PR does / why we need it**:
This commit adds an option for controlling request of compaction to
etcd3 from apiserver. There is a situation that apiserver cannot fully
own its etcd cluster (e.g. sharing it with canal). In such a case,
apiserver should have limited access in terms of etcd's auth
functionality so it don't have a privilege to issue compaction
requests. It means that the compaction requests should be issued by
other component and apiserver's compaction requests are needless.
For such use cases, this commit adds a new flag
storagebackend.Config.DoCompaction. If the flag is true (default),
apiserver issues the compaction requests like current behaviour. If it
is false, apiserver doesn't issue the requests.
**Related issue (etcd)**
https://github.com/coreos/etcd/issues/8458
/cc @xiang90 @struz
**Release note:**
```release-note
Add --etcd-compaction-interval to apiserver for controlling request of compaction to etcd3 from apiserver.
```
Kubernetes-commit: 5dfea9e6091a818f90e8df5afcc750b5f01fa9b7
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Ring buffer for shared informer notifications
**What this PR does / why we need it**:
Improves memory allocation for shared informer listeners. Instead of always appending to the slice use as a ring buffer, avoiding reslice operations as long as there is room in the slice. See https://github.com/kubernetes/kubernetes/pull/47045#issuecomment-317621259 for details. This is a follow up PR for #47045.
Results from BenchmarkListener:
```
Current code (from the #47045):
1000000 1540 ns/op 109 B/op 1 allocs/op
```
```
New code:
1000000 1162 ns/op 16 B/op 1 allocs/op
```
**Special notes for your reviewer**:
Only review the last commit, this branch is based on #47045 PR. I'll rebase onto master once it is merged.
**Release note**:
```release-note
NONE
```
/kind enhancement
/sig api-machinery
/cc @deads2k @ncdc
Kubernetes-commit: bb035a2854e690d726ece2f8c5e1b8f4b7aef930
Automatic merge from submit-queue (batch tested with PRs 50280, 52529, 53093, 53108, 53168). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add 201/Status to the list of returned objects.
**What this PR does / why we need it**:
Adds 201/202 to the list of codes/objects returned by `POST` and 201 to the list of codes returned by `PUT` requests in Swagger/OpenAPI
**Special notes for your reviewer**:
This helps fix
https://github.com/kubernetes-client/csharp/issues/29
**Release note**:
```release-note
Adds 201/202 to the list of codes/objects returned by `POST` and 201 to the list of codes returned by `PUT` requests in Swagger/OpenAPI
```
Kubernetes-commit: ba4f5ced3cfd30649588b36dea99c8c55433f0b4
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
Collapse all metrics handlers into common code
Remove the MonitorRequest method and replace with a method that takes
request.RequestInfo, which is our default way to talk about API objects.
Preserves existing semantics for calls.
Not for 1.8, but fixes the ugliness and code duplication in #52237
Kubernetes-commit: 30f015a6fc13979193a6105890ce91ace651eb5c
Automatic merge from submit-queue (batch tested with PRs 51067, 52319, 52803, 52961, 51972). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
ProducesObject should only update the returned API object resource documentation
This should be a no-op for Kubernetes (the only rest.Storage that specifies ProducesObject() is pod logs, on GET), but will allow issues such as openshift/origin#8345 to be resolved (where generated API documentation is currently incorrect due to the asymmetry between the object kind sent and received by the API)
```release-note NONE```
Kubernetes-commit: 50fa5637b6dc9538c908fbdd632ff1d3c59f65da
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
Update gophercloud to Handle New Identity Endpoints
Currently openstack cloud provider just support keystone v2.0 and v3
The latest Identity Service is publishing an ID of v3.8, we should
update gophercloud to recognize v3.8 as a valid version id.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#52830
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 4f2d7b93da2464a3147e0a7e71d896dd2bade9ad
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
bazel: build/test almost everything
**What this PR does / why we need it**: Miscellaneous cleanups and bug fixes. The main motivating idea here was to make `bazel build //...` and `bazel test //...` mostly work. (There's a few reasons these still don't work, but we're a lot closer.)
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @BenTheElder @mikedanese @spxtr
Kubernetes-commit: 7c9e614cbb507b094d82301c5ea4d26f075eed82
Automatic merge from submit-queue (batch tested with PRs 51438, 52182, 51607, 47912, 51595). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
Ensure we log the flag apiserver starts with.
Trying to make sure we always log the flags an instance of apiserver
starts with.
This can be especially valuable for emailed logs or e2e/kubemark tests.
**What this PR does / why we need it**: Ensures we log the flags an apiserver was started with.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #none
**Special notes for your reviewer**:
**Release note**:```release-note NONE
```
Kubernetes-commit: d2cf4d01c69881e65f8a9d38b9baad70d1eacdb3
Automatic merge from submit-queue (batch tested with PRs 51031, 51705, 51888, 51727, 51684). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
Avoid hard-coding location for auto-generated cert files
**What this PR does / why we need it**:
This fixes the confusing/incorrect help message for "--tls-cert-file" in apiserver package.
**Which issue this PR fixes**: fixes#51887
**Special notes for your reviewer**:
Please advise if a release note is needed.
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 3484ae9e496eb0b4e24fb646db39e51440c1c135
Automatic merge from submit-queue (batch tested with PRs 52843, 52710, 52821, 52844). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
update-staging-godeps: only mangle staging repos in staging Godeps.json
- this re-adds non-staging k8s.io/* repos to the staging Godeps.jsons
- x-outs instead of removing of staging dependencies in order to get a
precise trigger for a complete godep restore+save run in the publisher
bot.
The first breaks k8s.io/kube-aggregator's staging export.
The second potentially leads to inconsistent godeps in our exported staging repos.
Kubernetes-commit: 3ba46ee9fab32ccaeeee4af4a80375e6e1d71ace
Automatic merge from submit-queue (batch tested with PRs 52477, 52790, 52798). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
conversion-gen: make staging dirs independent of living in vendor/
The `+k8s:conversion-gen` tags included the package directory inside of kube's vendor dir. This
makes them invalid when we publish staging repos.
Without this PR our sample-apiserver example code-generation is broken once published.
Kubernetes-commit: 74ff323f9e546e62288d331f62a37e0ec58f6b35
Currently openstack cloud provider just support keystone v2.0 and v3
The latest Identity Service is publishing an ID of v3.8, we should
update gophercloud to recognize v3.8 as a valid version id.
Kubernetes-commit: f98326b7f9364f6a5c3e336af1279833713e73c9
Automatic merge from submit-queue (batch tested with PRs 51824, 50476, 52451, 52009, 52237)
Improve apiserver metrics reporting
Normalize "WATCHLIST" to "WATCH", add "scope" to the other metrics (listing 50k pods is != listing pods in a namespace), and add a new scope "resource" to cover individual resource calls.
This roughly aligns metrics with our ACL model (technically resource scope is GET, but POST to a subresource and POST to a namespace are not the same thing).
```release-note
WATCHLIST calls are now reported as WATCH verbs in prometheus for the apiserver_request_* series. A new "scope" label is added to all apiserver_request_* values that is either 'cluster', 'resource', or 'namespace' depending on which level the query is performed at.
```
Kubernetes-commit: 93ddb7be5f547f5ebb0a60bd1135234fdf4e3c07
Automatic merge from submit-queue (batch tested with PRs 51900, 51782, 52030)
apiservers: stratify versioned informer construction
The versioned share informer factory has been part of the GenericApiServer config,
but its construction depended on other fields of that config (e.g. the loopback
client config). Hence, the order of changes to the config mattered.
This PR stratifies this by moving the SharedInformerFactory from the generic Config
to the CompleteConfig struct. Hence, it is only filled during completion when it is
guaranteed that the loopback client config is set.
While doing this, the CompletedConfig construction is made more type-safe again,
i.e. the use of SkipCompletion() is considereably reduced. This is archieved by
splitting the derived apiserver Configs into the GenericConfig and the ExtraConfig
part. Then the completion is structural again because CompleteConfig is again
of the same structure: generic CompletedConfig and local completed ExtraConfig.
Fixes#50661.
Kubernetes-commit: 63d6bdb58c864de4f42ff139cb0a044a35f7a36f
Automatic merge from submit-queue
fix format of forbidden messages
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#51813
**Special notes for your reviewer**:
/assign @deads2k @liggitt
**Release note**:
```release-note
None
```
Kubernetes-commit: 45fe0a9e0417eb148c3082c53ae16da7377a2c32
Automatic merge from submit-queue (batch tested with PRs 52097, 52054)
Provide field info in storage configuration
Makes debugging how storage was configured difficult
@kubernetes/sig-api-machinery-bugs
Kubernetes-commit: 310b24bfcdc9958304973bf61f3aa23f516e82d9
Automatic merge from submit-queue (batch tested with PRs 49133, 51557, 51749, 50842, 52018)
enhance unit tests of advance audit feature
This change addresses comments from @crassirostris
https://github.com/kubernetes/kubernetes/pull/49115#discussion_r133416080
It does three things:
1. use auditinternal for unit test in filter stage
2. add a seperate unit test for Audit-ID http header
3. add unit test for audit log backend
**Release note**:
```
NONE
```
Kubernetes-commit: d369160c7900368c96391738561dbc932fa9737d
Automatic merge from submit-queue
set AdvancedAuditing feature gate to true by default
All feature commits are merged. The types are updated already to beta. This only enable the feature gate by default.
**Release note**:
```
Promote the AdvancedAuditing feature to beta and enable the feature gate by default.
```
Kubernetes-commit: 7be29bd9b6913e2f39b44a72a5f46e6f33244410
Automatic merge from submit-queue (batch tested with PRs 51984, 51351, 51873, 51795, 51634)
Bug Fix - Adding an allowed address pair wipes port security groups
**What this PR does / why we need it**:
Fix for cloud routes enabled instances will have their security groups
removed when the allowed address pair is added to the instance's port.
Upstream bug report is in:
https://github.com/gophercloud/gophercloud/issues/509
Upstream bug fix is in:
https://github.com/gophercloud/gophercloud/pull/510
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#51755
**Special notes for your reviewer**:
Just an fix in vendored code. minimal changes needed in OpenStack cloud provider
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 9a8cb435b77085fa7d518c4428a02eae316b1003
Automatic merge from submit-queue (batch tested with PRs 51186, 50350, 51751, 51645, 51837)
Update Cadvisor Dependency
Fixes: https://github.com/kubernetes/kubernetes/issues/51832
This is the worst dependency update ever...
The root of the problem is the [name change of Sirupsen -> sirupsen](https://github.com/sirupsen/logrus/issues/570#issuecomment-313933276). This means that in order to update cadvisor, which venders the lowercase, we need to update all dependencies to use the lower-cased version. With that being said, this PR updates the following packages:
`github.com/docker/docker`
- `github.com/docker/distribution`
- `github.com/opencontainers/go-digest`
- `github.com/opencontainers/image-spec`
- `github.com/opencontainers/runtime-spec`
- `github.com/opencontainers/selinux`
- `github.com/opencontainers/runc`
- `github.com/mrunalp/fileutils`
- `golang.org/x/crypto`
- `golang.org/x/sys`
- `github.com/docker/go-connections`
- `github.com/docker/go-units`
- `github.com/docker/libnetwork`
- `github.com/docker/libtrust`
- `github.com/sirupsen/logrus`
- `github.com/vishvananda/netlink`
`github.com/google/cadvisor`
- `github.com/euank/go-kmsg-parser`
`github.com/json-iterator/go`
Fixed https://github.com/kubernetes/kubernetes/issues/51832
```release-note
Fix journalctl leak on kubelet restart
Fix container memory rss
Add hugepages monitoring support
Fix incorrect CPU usage metrics with 4.7 kernel
Add tmpfs monitoring support
```
Kubernetes-commit: 99aa992ce845fe947a406ac4d3f99d2208f0416b
Automatic merge from submit-queue (batch tested with PRs 51833, 51936)
fix docstring of advanced audit policy
I found this when I write doc for advanced audit beta version.
**Release note**:
```
NONE
```
Kubernetes-commit: 3a5622db737d4910d20cb2ce73fea986b8b43a64
Automatic merge from submit-queue
Provide a way to omit Event stages in audit policy
This provide a way to omit some stages for each audit policy rule.
For example:
```
apiVersion: audit.k8s.io/v1beta1
kind: Policy
- level: Metadata
resources:
- group: "rbac.authorization.k8s.io"
resources: ["roles"]
omitStages:
- "RequestReceived"
```
RequestReceived stage will not be emitted to audit backends with previous config.
**Release note**:
```
None
```
#
Kubernetes-commit: 9d29ce135658be851a96aad9dd337c5afd531d2e
Automatic merge from submit-queue (batch tested with PRs 50579, 50875, 51797, 51807, 51803)
oidc auth: make the OIDC claims prefix configurable
Add the following flags to control the prefixing of usernames and
groups authenticated using OpenID Connect tokens.
--oidc-username-prefix
--oidc-groups-prefix
```release-note
The OpenID Connect authenticator can now use a custom prefix, or omit the default prefix, for username and groups claims through the --oidc-username-prefix and --oidc-groups-prefix flags. For example, the authenticator can map a user with the username "jane" to "google:jane" by supplying the "google:" username prefix.
```
Closes https://github.com/kubernetes/kubernetes/issues/50408
Ref https://github.com/kubernetes/kubernetes/issues/31380
cc @grillz @kubernetes/sig-auth-pr-reviews @thomastaylor312 @gtaylor
Kubernetes-commit: d970eb8f9450e985073734790d2dfd93693db1da
Automatic merge from submit-queue (batch tested with PRs 51301, 50497, 50112, 48184, 50993)
audit newest impersonated user info in the ResponseStarted, ResponseComplete audit stage
Impersonation will automatically add system:authenticated, system:serviceaccounts group to the impersonated user info. This pr use the newest impersonated user info in the second audit event. This will help users to debug rbac problems.
**Release note**:
```
[advanced audit] audit newest impersonated user info in the ResponseStarted, ResponseComplete audit stage
```
@liggitt @sttts
Kubernetes-commit: 134b667d0a7f7606775631e63675a2b6b2e1f59f
Automatic merge from submit-queue (batch tested with PRs 51583, 51283, 51374, 51690, 51716)
Unify initializer name validation
Unify the validation rules on initializer names. Fix https://github.com/kubernetes/kubernetes/issues/51843.
```release-note
Action required: validation rule on metadata.initializers.pending[x].name is tightened. The initializer name needs to contain at least three segments separated by dots. If you create objects with pending initializers, (i.e., not relying on apiserver adding pending initializers according to initializerconfiguration), you need to update the initializer name in existing objects and in configuration files to comply to the new validation rule.
```
Kubernetes-commit: 12f96e2e3542dc8d6d415a31698bdb272f138095
Automatic merge from submit-queue
basic logging and additional documentation for healthz installer
@pmorie upstream logging
- InstallHandler is the public interface through which all interaction
occurs.
- It is good to know whether the default ping is occurring to know due
to manual installation or automatic installation.
- It is good to know how many handlers are installed to see whether
code changes are taking effect.
**What this PR does / why we need it**:
add logging for external users of the genericapiserver
**Special notes for your reviewer**:
This should run exactly once at startup.
**Release note**:
```release-note
NONE
```
Kubernetes-commit: fe3e7482764ace362b465405c45780d03a8c6706
Automatic merge from submit-queue (batch tested with PRs 45724, 48051, 46444, 51056, 51605)
Add selfsubjectrulesreview in authorization
**What this PR does / why we need it**:
**Which issue this PR fixes**: fixes#47834#31292
**Special notes for your reviewer**:
**Release note**:
```release-note
Add selfsubjectrulesreview API for allowing users to query which permissions they have in a given namespace.
```
/cc @deads2k @liggitt
Kubernetes-commit: c84b3132a2f1c784447ed6f405be9fe9a601d423
Automatic merge from submit-queue (batch tested with PRs 51632, 51055, 51676, 51560, 50007)
Split APIVersion into APIGroup and APIVersion in audit events
audit.Event.ObjectRef.APIVersion currently holds both the the API group and
version, separated by a /. This change break these out into separate fields.
**Release note**:
```
NONE
```
Kubernetes-commit: 92db97dfcc5eb45dcb0f686526041438d0b31a2e
Automatic merge from submit-queue
Use json-iterator instead of ugorji for JSON.
@smarterclayton @wojtek-t
Fixes#36120
xref #18762
```release-note
Switch JSON marshal/unmarshal to json-iterator library. Performance should be close to previous with no generated code.
```
Kubernetes-commit: 6a845c67f097cd76f9d90ab3c9c5b5603c70afe4
Automatic merge from submit-queue (batch tested with PRs 51574, 51534, 49257, 44680, 48836)
audit policy: support subresources and resource names
Updates #48561
policy:
- level: Metadata
resources:
- group: ""
resources ["pods/logs"]
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
The top level resource no longer matches the subresource. For example "pods"
no longer matches requests to the logs subresource on pods.
```release-note
Audit policy supports matching subresources and resource names, but the top level resource no longer matches the subresouce. For example "pods" no longer matches requests to the logs subresource of pods. Use "pods/logs" to match subresources.
```
/cc @sttts @soltysh @crassirostris @ihmccreery @timstclair
Kubernetes-commit: 58aa139f9926afd8d8d067677698a46d72fcb7b2
Automatic merge from submit-queue (batch tested with PRs 51480, 49616, 50123, 50846, 50404)
Kubectl to use http caching to cache openapi responses from the server
**What this PR does / why we need it**:
This PR is trying to address the problems raised in #50254
> * uses a disk-based cache that is not safe between processes (does not use atomic fs operations)
> * writes get/list responses to disk that should not be cached (like kubectl get secrets)
> * is vulnerable to partially written cache responses being used as responses to future requests
> * breaks uses of the client transport that make use of websockets
> * defaults to enabling the cache for any client builder using RecommendedConfigOverrideFlags or DefaultClientConfig which affects more components than just kubectl
All of these points are addressed by this pull-request:
1. It now uses atomic fs operations
2. Doesn't cache by default, only if requested by the client (and it's only done by openapi client)
3. Fixed because of atomic fs operations
4. Found the reason for the bug: Cache wrapper couldn't be unwrapped. I implemented the `WrappedRoundTripper` interface.
5. Since 2. is fixed, I think that should be fine
@smarterclayton @liggitt
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#50254
**Special notes for your reviewer**:
**Release note**:
```release-note
Allows kubectl to use http caching mechanism for the OpenAPI schema. The cache directory can be configured through `--cache-dir` command line flag to kubectl. If set to empty string, caching will be disabled.
```
Kubernetes-commit: 0f2c2bd847ca7a66035b2289e83359ef4c923617
Automatic merge from submit-queue (batch tested with PRs 51298, 51510, 51511)
modifying the comment of BeforeDelete function to improve readability
**What this PR does / why we need it**:
modifying the comment of `BeforeDelete` function in `staging/src/k8s.io/apiserver/pkg/registry/rest/delete.go` to improve readability.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Kubernetes-commit: ce559394653a8e5041f44d49391b851ec5465538
Automatic merge from submit-queue (batch tested with PRs 50932, 49610, 51312, 51415, 50705)
Add --request-timeout to kube-apiserver to make global request timeout configurable
**What this PR does / why we need it**:
Make the currently hard coded 60 global request timeout in apiserver configurable via a --request-timeout command line flag.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
https://github.com/kubernetes/kubernetes/issues/51355
**Special notes for your reviewer**:
We plan to backport this to 1.6 and 1.7. To ease the backport work, we've kept this change to a minimum. After this PR we will submit an additional PR to rename `--min-request-timeout` to something that more clearly describes it's purpose, such as `--long-running-request-timeout-min`.
**Release note**:
```release-note
Add --request-timeout to kube-apiserver to make global request timeout configurable.
```
Kubernetes-commit: 0b0b2a22c5837975824add628df6ecb2dc297d57
Automatic merge from submit-queue
Fix forbidden message format
Before this change:
$ kubectl get pods --as=tom
Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default".
After this change:
$ kubectl get pods --as=tom
Error from server (Forbidden): pods is forbidden: User "tom" cannot list pods in the namespace "default".
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
Fix forbidden message format, remove extra ""
```
Kubernetes-commit: 562d2be7a08c5cfb0f78331b0225acdf73bf9d94
Automatic merge from submit-queue
Remove null -> [] slice hack
Closes#44593
When 1.6 added protobuf storage, the storage layer lost the ability to persist slice fields with empty but non-null values.
As a workaround, we tried to convert empty slice fields to `[]`, rather than `null`. Compressing `null` -> `[]` was just as much of an API breakage as `[]` -> `null`, but was hoped to cause fewer problems in clients that don't do null checks.
Because of conversion optimizations around converting lists of objects, the `null` -> `[]` hack was discovered to only apply to individual get requests, not to a list of objects. 1.6 and 1.7 was released with this behavior, and the world didn't explode. 1.7 documented the breaking API change that `null` and `[]` should be considered equivalent, unless otherwise noted on a particular field.
This PR:
* Reverts the earlier attempt (https://github.com/kubernetes/kubernetes/pull/43422) at ensuring non-null json slice output in conversion
* Makes results of `get` consistent with the results of `list` (which helps naive clients that do deepequal comparisons of objects obtained via list/watch and get), and allows empty slice fields to be returned as `null`
```release-note
Protobuf serialization does not distinguish between `[]` and `null`.
API fields previously capable of storing and returning either `[]` and `null` via JSON API requests (for example, the Endpoints `subsets` field) can now store only `null` when created using the protobuf content-type or stored in etcd using protobuf serialization (the default in 1.6+). JSON API clients should tolerate `null` values for such fields, and treat `null` and `[]` as equivalent in meaning unless specifically documented otherwise for a particular field.
```
Kubernetes-commit: 217513e27a6e54eb92d09165293cf811d5bdf878
Automatic merge from submit-queue (batch tested with PRs 51134, 51122, 50562, 50971, 51327)
set --audit-log-format default to json
Updates: https://github.com/kubernetes/kubernetes/issues/48561
**Release note**:
```
set --audit-log-format default to json for kube-apiserver
```
Kubernetes-commit: b5bb8099e79813aa8d73a49725efa54323d9279b
Automatic merge from submit-queue (batch tested with PRs 51244, 50559, 49770, 51194, 50901)
Remove deprecated flag "long-running-request-regexp".
**What this PR does / why we need it**:
remove `long-running-request-regexp` post-1.6.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 05294d80347f4cf4ff6111e0211013d8f617a0f5
Automatic merge from submit-queue (batch tested with PRs 47115, 51196, 51204, 51208, 51206)
Add an OrDie version for AddPostStartHook
Simplifies usage and consolidate the error message so it is always
the same everywhere.
```release-note
NONE
```
Kubernetes-commit: 2c214baefc06cefd68cc282b532bfe526613e36c
Automatic merge from submit-queue (batch tested with PRs 51193, 51154, 42689, 51189, 51200)
Bumped gRPC version to 1.3.0
**What this PR does / why we need it**:
This PR bumps down the version of the vendored version of gRPC from v1.5.1 to v1.3.0
This is needed as part of the Device Plugin API where we expect client and server to use the Keep alive feature in order to detect an error.
Unfortunately I had to also bump the version of `golang.org/x/text` and `golang.org/x/net`.
- Design document: kubernetes/community#695
- PR tracking: [kubernetes/features#368](https://github.com/kubernetes/features/issues/368#issuecomment-321625420)
**Which issue this PR fixes**: fixes#51099
Which was caused by my previous PR updating to 1.5.1
**Special notes for your reviewer**:
@vishh @jiayingz @shyamjvs
**Release note**:
```
Bumped gRPC to v1.3.0
```
Kubernetes-commit: 5fb38a325efb343c2a0467a12732829bd5ed3c3c
Automatic merge from submit-queue (batch tested with PRs 50893, 50913, 50963, 50629, 50640)
[advanced audit api] fuzz Event with random value
This is an error import by me:
https://github.com/kubernetes/kubernetes/pull/49115
We need to fuzz other parts of Event with random value, otherwise
this round trip test will not make too much sense.
@sttts
@ericchiang is also researching this.
**Release note**:
```
NONE
```
Kubernetes-commit: c13e9d14cde09e97cebd5883d04443d22cc91ca1
Automatic merge from submit-queue (batch tested with PRs 50531, 50853, 49976, 50939, 50607)
Updated gRPC vendoring to support Keep Alive
**What this PR does / why we need it**:
This PR bumps the version of the vendored version of gRPC from v1.0.4 to v1.5.1
This is needed as part of the Device Plugin API where we expect client and server to use the Keep alive feature in order to detect an error.
Unfortunately I had to also bump the version of `golang.org/x/text` and `golang.org/x/net`.
- Design document: kubernetes/community#695
- PR tracking: [kubernetes/features#368](https://github.com/kubernetes/features/issues/368#issuecomment-321625420)
**Special notes for your reviewer**:
@vishh @jiayingz
**Release note**:
```
Bumped gRPC from v1.0.4 to v1.5.1
```
Kubernetes-commit: 967c19df4916160d4d4fbd9a65bad41a53992de8
Kubernetes Publisher
Rohit Agarwal
Shiyang Wang
hzxuzhonghu
Antoine Pelisse
Maru Newby
David Eads
Shyam JVS
FengyunPan
Di Xu
Janet Kuo
Mikhail Mazurskiy
Nikhita Raghunath
Davanum Srinivas
David Ashpole
Tim Hockin
NickrenREN
Renaud Gaubert