Automatic merge from submit-queue (batch tested with PRs 61455, 63346, 63130, 63404). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump kube-openapi dependency
**What this PR does / why we need it**:
Pick up https://github.com/kubernetes/kube-openapi/pull/64
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#63218
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig api-machinery
/cc @mbohlool @liggitt
Kubernetes-commit: 89e6895e1c550658b7c145436868b70fb3cabbcd
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Deprecate repair-malformed-updates flag, move object meta mutation into BeforeCreate
closes#23297
```release-note
NONE
```
Kubernetes-commit: 4e3efbe36496fb6a8b62eec437ba2298b4b2e4d4
This fixes an issue with KubeletConfiguration validation, where the
feature gates set by the new config were not taken into account.
Also fixes a validation issue with dynamic Kubelet config, where flag
precedence was not enforced prior to dynamic config validation in the
controller; this prevented rejection of dynamic configs that don't merge
well with values set via legacy flags.
Kubernetes-commit: 647e90341ca08640ab8fb3d49edb8027faf4836f
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Implements OIDC distributed claims.
Next step to enable this feature is to enable claim caching.
A distributed claim allows the OIDC provider to delegate a claim to a
separate URL. Distributed claims are of the form as seen below, and are
defined in the OIDC Connect Core 1.0, section 5.6.2.
See: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
Example claim:
```
{
... (other normal claims)...
"_claim_names": {
"groups": "src1"
},
"_claim_sources": {
"src1": {
"endpoint": "https://www.example.com",
"access_token": "f005ba11"
},
},
}
```
Example response to a followup request to https://www.example.com is a
JWT-encoded claim token:
```
{
"iss": "https://www.example.com",
"aud": "my-client",
"groups": ["team1", "team2"],
"exp": 9876543210
}
```
Apart from the indirection, the distributed claim behaves exactly
the same as a standard claim. For Kubernetes, this means that the
token must be verified using the same approach as for the original OIDC
token. This requires the presence of "iss", "aud" and "exp" claims in
addition to "groups".
All existing OIDC options (e.g. groups prefix) apply.
Any claim can be made distributed, even though the "groups" claim is
the primary use case.
Allows groups to be a single string due to
https://github.com/kubernetes/kubernetes/issues/33290, even though
OIDC defines "groups" claim to be an array of strings. So, this will
be parsed correctly:
```
{
"iss": "https://www.example.com",
"aud": "my-client",
"groups": "team1",
"exp": 9876543210
}
```
Expects that distributed claims endpoints return JWT, per OIDC specs.
In case both a standard and a distributed claim with the same name
exist, standard claim wins. The specs seem undecided about the correct
approach here.
Distributed claims are resolved serially. This could be parallelized
for performance if needed.
Aggregated claims are silently skipped. Support could be added if
needed.
**What this PR does / why we need it**: Makes it possible to retrieve many group memberships by offloading to a dedicated backend for groups resolution.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62920
**Special notes for your reviewer**:
There are a few TODOs that seem better handled in separate commits.
**Release note**:
```release-note
Lays groundwork for OIDC distributed claims handling in the apiserver authentication token checker.
A distributed claim allows the OIDC provider to delegate a claim to a
separate URL. Distributed claims are of the form as seen below, and are
defined in the OIDC Connect Core 1.0, section 5.6.2.
For details, see:
http://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
```
Kubernetes-commit: ab9f64afa997c3e7164c7f3705c915fa68a3ffb1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update all script shebangs to use /usr/bin/env interpreter instead of /bin/interpreter
This is required to support systems where bash doesn't reside in /bin (such as NixOS, or the *BSD family) and allow users to specify a different interpreter version through $PATH manipulation.
https://www.cyberciti.biz/tips/finding-bash-perl-python-portably-using-env.html
```release-note
Use /usr/bin/env in all script shebangs to increase portability.
```
Kubernetes-commit: b5f61ac129019d314e473584c1491b7ca62144c7
Automatic merge from submit-queue (batch tested with PRs 63349, 63294). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Decorator for Create should be called on out, not obj
Kubernetes-commit: 9e72003b9d3c80a510e5913af432fad740519c32
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove rootscopedkinds from groupmeta
builds on https://github.com/kubernetes/kubernetes/pull/63206
Since, a RESTMapping can only be determined based on a connection to a server, the only thing that needs to know the namespaced-ness of a resource is the code doing the registration. Everything else is derived from that source of truth. This removes the other dangling references and collapses down onto the existing namespaced-ness methods in the strategies backing the stores.
@kubernetes/sig-api-machinery-pr-reviews
```release-note
NONE
```
Kubernetes-commit: dc7f07421351cf75ce3491c63f955d857426e835
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove incorrect static restmapper from type registry
A RESTMapping can only be determined by inspecting a server since discovery is the authoritative source of mapping decisions. This removes a deceptive method from the type registry and makes the old logic available for existing tests in a separate, clearly labeled package.
@kubernetes/sig-api-machinery-pr-reviews @kubernetes/sig-cli-maintainers
```release-note
NONE
```
Kubernetes-commit: f03f83a20ad6bdda650a19f52f16102962ea17d9
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove self linker from group info
The self-link is related to RESTStorage, not to the scheme/codec. Also, no one every customized it. This moves it to the single point of use and retains the override potential.
@kubernetes/sig-api-machinery-pr-reviews
```release-note
NONE
```
Kubernetes-commit: c929ec153a9d6c952a692abecbf61028bff79bfe
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove versioning interface
Builds on prior restmapping/converter separation to completely remove the versioning interface which isn't needed.
intersection of @kubernetes/sig-api-machinery-pr-reviews and @kubernetes/sig-cli-maintainers again
```release-note
NONE
```
Kubernetes-commit: 6b9cf21d9f23fa596db19f0f7981fbb7261fc2b6
Automatic merge from submit-queue (batch tested with PRs 59735, 63216). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use single convertor in patch handler
the request scope convertors are used to convert the object for output after the patch handler is finished with it (and were used internally by the patch handler already). they are required to be correct for the type being handled.
```release-note
NONE
```
Kubernetes-commit: b87a392b1a7ece8335ad3ade410e5070e29f216e
Automatic merge from submit-queue (batch tested with PRs 62937, 63105, 63031, 63174). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove unnecessary typer from create/update handlers
**What this PR does / why we need it**:
Refactoring to remove unnecessarily duplicated definition of an ObjectTyper for some of the handlers.
The patch handler also has an extra ObjectConvertor, but it is defined differently in both places so removing one would possibly have side effects.
```release-note
NONE
```
/sig api-machinery
Kubernetes-commit: 8d1b6fa917febf2b3d225e53ce995ea479b0a096
Automatic merge from submit-queue (batch tested with PRs 62937, 63105, 63031, 63174). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
rest mappings cannot logically be object converters
A `RESTMapping` in the general sense cannot be a `ObjectConverter` since the conversions are compiled, but the RESTMappings are discovered. This starts isolating the bad assumptions into `kubectl` where they are used and removes the other bad `RESTMapping` use I found in the REST API installer that uses a mapping to determine scopes instead of using the metadata provided during API registration.
intersection of @kubernetes/sig-api-machinery-bugs and @kubernetes/sig-cli-maintainers
@sttts @pwittrock @soltysh
```release-note
NONE
```
Kubernetes-commit: 6625d353c7d5b05ce69dd8036e4d4fa003605dea
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
collapse patch conflict retry onto GuaranteedUpdate
xref https://github.com/kubernetes/kubernetes/issues/63104
This PR builds on https://github.com/kubernetes/kubernetes/pull/62868
1. When the incoming patch specified a resourceVersion that failed as a precondition, the patch handler would retry uselessly 5 times. This PR collapses onto GuaranteedUpdate, which immediately stops retrying in that case.
2. When the incoming patch did not specify a resourceVersion, and persisting to etcd contended with other etcd updates, the retry would try to detect patch conflicts with deltas from the first 'current object' retrieved from etcd and fail with a conflict error in that case. Given that the user did not provide any information about the starting version they expected their patch to apply to, this does not make sense, and results in arbitrary conflict errors, depending on when the patch was submitted relative to other changes made to the resource. This PR changes the patch application to be performed on the object retrieved from etcd identically on every attempt.
fixes#58017
SMP is no longer computed for CRD objects
fixes#42644
No special state is retained on the first attempt, so the patch handler correctly handles the cached storage optimistically trying with a cached object first
/assign @lavalamp
```release-note
fixed spurious "unable to find api field" errors patching custom resources
```
Kubernetes-commit: 6aad80cce3cc429f04e22238ce9be13574c61cd4
Automatic merge from submit-queue (batch tested with PRs 62911, 63200). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
stop duplicating preferred version order
`GroupMeta` includes two fields for a preferred groupVersion, `.GroupVersion` and `.GroupVersion[0]`. This collapses onto the latter.
@kubernetes/sig-api-machinery-pr-reviews
lots of ripples, but eliminate of duplication is good.
/assign @sttts
/assign @cheftako
```release-note
NONE
```
Kubernetes-commit: d4b678036f34699718b537a852779cd20a0567f1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove KUBE_API_VERSIONS
Fixes https://github.com/kubernetes/kubernetes/issues/63102
KUBE_API_VERSIONS is an attempt to control the available serialization of types. It pre-dates the idea that we'll have separate schemes, so it's not a thing that makes sense anymore.
Server-side we've had a very clear message about breaks in the logs for a year "KUBE_API_VERSIONS is only for testing. Things will break.".
Client-side it became progressively more broken as we moved to generic types for CRUD more than a year ago. What is registered doesn't matter when everything is unstructured.
We should remove this piece of legacy since it doesn't behave predictable server-side or client-side.
@smarterclayton @lavalamp
@kubernetes/sig-api-machinery-bugs
```release-note
KUBE_API_VERSIONS is no longer respected. It was used for testing, but runtime-config is the proper flag to set.
```
Kubernetes-commit: dd5f030b023b7d9299c516d80fb281c36b6fc844
Automatic merge from submit-queue (batch tested with PRs 63009, 63062). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
clean up unused code fakeRL in requestinfo_test.go
**What this PR does / why we need it**:
clean up unused code fakeRL in requestinfo_test.go
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: b8ab2891b36baa3bbb4e81011e39d5d23a8d46e9
Automatic merge from submit-queue (batch tested with PRs 63009, 63062). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Register Prometheus etcdmetrics only for apiserver
Removed automatic registration with `init` funciton and use `Register` function to register metrics for etcd storage only when requested.
**What this PR does / why we need it**: Prevents leaking etcd metrics to other k8s components
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Partially #63004
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: b181af1c68ba820d3c92dbf3f765e5074e229680
Automatic merge from submit-queue (batch tested with PRs 63186, 63133). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
eliminate alwaysAdmit admission in apiserver test
**What this PR does / why we need it**:
alwaysAdmit is of no meaning, previously if not specify an admission plugin, it will panic, but now since we add protection `if admit != nil`. So can safely remove it.
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 5fa25a9508bb656c97d6eb2509f8c284142f036a
Automatic merge from submit-queue (batch tested with PRs 59965, 59115, 63076, 63059). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Upgrade dep json-iterator/go to fix base64 decode bug
**What this PR does / why we need it**:
upgrade dep `json-iterator/go` to fix base64 decode bug #62742
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62742
**Special notes for your reviewer**:
Just upgrade `json-iterator/go` to latest which includes base64 decode fix https://github.com/json-iterator/go/pull/266
No other code changes
**Release note**:
```release-note
None
```
Kubernetes-commit: 3dbcd1ddcee786f443f89a82514bbd9c6ad06c99
Automatic merge from submit-queue (batch tested with PRs 62432, 62868, 63040). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Refactor patch
**What this PR does / why we need it**:
Continue making patch handler readable.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: b942c535464f6b98dea8d99d95c5da28c59df3fa
Automatic merge from submit-queue (batch tested with PRs 62982, 63075, 63067, 62877, 63141). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
eliminate indirection from type registration
Some years back there was a partial attempt to revamp api type registration, but the effort was never completed and this was before we started splitting schemes. With separate schemes, the idea of partial registration no longer makes sense. This pull starts removing cruft from the registration process and pulls out a layer of indirection that isn't needed.
@kubernetes/sig-api-machinery-pr-reviews
@lavalamp @cheftako @sttts @smarterclayton
Rebase cost is fairly high, so I'd like to avoid this lingering.
/assign @sttts
/assign @cheftako
```release-note
NONE
```
Kubernetes-commit: 97287177ee2b603f13f1028ef7f053f4795351f7
Automatic merge from submit-queue (batch tested with PRs 59220, 62927, 63084, 63090, 62284). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix typo: mutating validating admission should be distinguished
1. fix typo: mutating validating admission should be distinguished
1. avoid calling admit.Handles twice in delete
**Release note**:
```release-note
NONE
```
Kubernetes-commit: be20a8d1d01bf6735abeed6b386a9149caa8b71a
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove confusing flexibility for metadata interpretation
Metadata accessors are coded in. This means that we don't need to inject flexibility, the flexibility is already present based on what your code relies up. This removes the per-individual resource injection which simplifies all calling code.
intersection of @kubernetes/sig-api-machinery-pr-reviews @kubernetes/sig-cli-maintainers
```release-note
NONE
```
Kubernetes-commit: 6fbca94faec5d21630d076853e5f883b4a630412
Automatic merge from submit-queue (batch tested with PRs 62655, 61711, 59122, 62853, 62390). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Implemented truncating audit backend
Fixes https://github.com/kubernetes/kubernetes/issues/60432
Introduces an optional truncating backend, disabled by default, that estimates the size of audit events and truncates events/split batches based on the configuration.
/cc @sttts @tallclair @CaoShuFeng @ericchiang
```release-note
Introduce truncating audit backend that can be enabled for existing backend to limit the size of individual audit events and batches of events.
```
Kubernetes-commit: bf1974c83fb36ab07c3efe615000d129995fa07f
builds on #62868
1. When the incoming patch specified a resourceVersion that failed as a precondition,
the patch handler would retry uselessly 5 times. This PR collapses onto GuaranteedUpdate,
which immediately stops retrying in that case.
2. When the incoming patch did not specify a resourceVersion, and persisting to etcd
contended with other etcd updates, the retry would try to detect patch conflicts with
deltas from the first 'current object' retrieved from etcd and fail with a conflict error
in that case. Given that the user did not provide any information about the starting version
they expected their patch to apply to, this does not make sense, and results in arbitrary
conflict errors, depending on when the patch was submitted relative to other changes made
to the resource. This PR changes the patch application to be performed on the object retrieved
from etcd identically on every attempt.
fixes#58017
SMP is no longer computed for CRD objects
fixes#42644
No special state is retained on the first attempt, so the patch handler correctly handles
the cached storage optimistically trying with a cached object first
Kubernetes-commit: fbd6f3808480d27a83643e82a11c217601b76cbc
Automatic merge from submit-queue (batch tested with PRs 63046, 62925, 63014). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove repeated get resourceversion in update
**What this PR does / why we need it**:
Obj have no updated, so no need to reGet.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes-commit: 4344d33772337fe2b54751dd1847f5bc0ac1f7af
David Eads
wojtekt
tamal
Kubernetes Publisher
Haowei Cai
Jeff Grafton
Michael Taufen
Clayton Coleman
Jordan Liggitt
hangaoshuai
ceshihao
xuzhonghu
Cao Shufeng
Mike Danese