Suppress common name verify warning log and roll up into returned error
remove glog test dependency
Kubernetes-commit: bb3124c48a4d276ed280175e5825ea9db022d699
Grab important bug fix that can cause a `panic()` from this package on
certain inputs. See https://github.com/evanphx/json-patch/pull/64
Kubernetes-commit: 2e974f30ab728f2f105af30d4de9db01d02e9514
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
vendor: bump github.com/evanphx/json-patch
Grab important bug fix that can cause a `panic()` from this package on
certain inputs. See 73af7f547e
```release-note
NONE
```
Kubernetes-commit: 5af5f1e66353a50a848a4017c1fba6a39f12584c
Automatic merge from submit-queue (batch tested with PRs 67950, 68195). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Consolidate componentconfig code standards
**What this PR does / why we need it**:
This PR fixes a bunch of very small misalignments in ComponentConfig packages:
- Add sane comments to all functions/variables in componentconfig `register.go` files
- Make the `register.go` files of componentconfig pkgs follow the same pattern and not differ from each other like they do today.
- Register the `openapi-gen` tag in all `doc.go` files where the pkg contains _external_ types.
- Add the `groupName` tag where missing
- Fix cases where `addKnownTypes` was registered twice in the `SchemeBuilder`
- Add `Readme` and `OWNERS` files to `Godeps` directories if missing.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @sttts @thockin
Kubernetes-commit: a6eb49f0dc9a6d9fecf7ff4a8edeaa382b55ac50
Grab important bug fix that can cause a `panic()` from this package on
certain inputs. See 73af7f547e
Signed-off-by: Brandon Philips <brandon@ifup.org>
Kubernetes-commit: 2fbd47da561cb80e7f01f38da6a556b63b2579bd
Automatic merge from submit-queue (batch tested with PRs 67691, 68147). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Update etcd client to 3.2.24 for latest release
**What this PR does / why we need it**:
Updates etcd client to 3.2.24 which is the latest in the 3.2 series. See https://github.com/etcd-io/etcd/blob/master/CHANGELOG-3.2.md for details.
**Special notes for your reviewer**:
This is only the client, in order to update the server components it requires a googler to push the 3.2.24 image.
**Release note**:
```
Update etcd client interface to 3.2.24
```
/assign @jpbetz @wojtek-t
/cc @liggitt @kubernetes/sig-cluster-lifecycle @kubernetes/sig-scalability-pr-reviews
Kubernetes-commit: 2811228dcf9934dc6bf4fb3f2e8397eedec29840
Automatic merge from submit-queue (batch tested with PRs 68265, 68273). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
apiserver: make InClusterConfig errs for delegated authn/z non-fatal
Fixes https://github.com/kubernetes/kubernetes/issues/68246:
Background:
In gci e2e tests the kube-controller-manager is started as static pod. When it first starts, there is no kubernetes service and the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT env vars are not set inside the container.
When the kube-controller-manager is restarted, the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT env vars are set, but the static pod has no service account, i.e. /var/run/secrets/kubernetes.io/serviceaccount/token does not exist. We made the later fatal in rest.InClusterConfig and its use to setup delegated authn/z.
Kubernetes-commit: 2c933695fa61d57d1c6fa5defb89caed7d49f773
Adding blank line between comment tag and package name in doc.go. So
that the comment tags such as '+k8s:deepcopy-gen=package' do not show up
in GoDoc.
Kubernetes-commit: 61117761cd4a1b2e6ad9ff2d7eb915f3d2739dc6
Picking up https://github.com/modern-go/reflect2/pull/2 which lazy
initializes a map of all types which we don't use in k8s, saving
memory & initialization time.
Kubernetes-commit: 970e4da4c6636b835175dc79a7492d22dc11ba33
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Add validation for kube-scheduler configuration options
**What this PR does / why we need it**: This adds validation to the kube-scheduler so that we're not accepting bogus values to the kube-scheduler. As requested by @bsalamat in issue https://github.com/kubernetes/kubernetes/issues/66743
**Which issue(s) this PR fixes**:
Fixes#66743
**Special notes for your reviewer**:
- Not sure if this validation is too heavy handed. Would love some feedback.
- I started working on this before I realized @islinwb was also working on this same problem... https://github.com/kubernetes/kubernetes/pull/66787 I put this PR up anyways since I'm sure good code exists in both. I wasn't aware of the /assign command so didn't assign myself before starting work.
- I didn't have time to work on adding validation to deprecated cli options. If the rest of this looks ok, I can finish that up.
- I hope the location of IsValidSocketAddr is correct. Lmk if it isn't.
**Release note**:
```release-note
Adding validation to kube-scheduler at the API level
```
Kubernetes-commit: f3b98a08b05257fbc3c19b52ced70ea67c546b1e
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Hide & warn on GA & deprecated feature gates
**What this PR does / why we need it**:
1. Hide GA & deprecated feature gates from the help text
2. Print a warning when GA & deprecated feature gates are explicitly set
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
For #46404
**Special notes for your reviewer**:
I need to add to my list of things I dislike about glog that it is impossible to test.
**Release note**:
```release-note
NONE
```
/kind cleanup
Kubernetes-commit: 5aacd43d38f70707273b5abe348cac3f73a3e292
Automatic merge from submit-queue (batch tested with PRs 67571, 67284, 66835, 68096, 68152). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
apiserver returns continue together with the 410 error
Implements https://github.com/kubernetes/kubernetes/issues/66981#issuecomment-410845134.
Closes#66981.
/sig api-machinery
/assign @lavalamp @liggitt @smarterclayton
```release-note
Upon receiving a LIST request with expired continue token, the apiserver now returns a continue token together with the 410 "the from parameter is too old " error. If the client does not care about getting a list from a consistent snapshot, the client can use this token to continue listing from the next key, but the returned chunk will be from the latest snapshot.
```
Kubernetes-commit: 5b916f8b02f6cb7255bffa497000684f9ecd2dd5
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Add a ProcMount option to the SecurityContext & AllowedProcMountTypes to PodSecurityPolicy
So there is a bit of a chicken and egg problem here in that the CRI runtimes will need to implement this for there to be any sort of e2e testing.
**What this PR does / why we need it**: This PR implements design proposal https://github.com/kubernetes/community/pull/1934. This adds a ProcMount option to the SecurityContext and AllowedProcMountTypes to PodSecurityPolicy
Relies on https://github.com/google/cadvisor/pull/1967
**Release note**:
```release-note
ProcMount added to SecurityContext and AllowedProcMounts added to PodSecurityPolicy to allow paths in the container's /proc to not be masked.
```
cc @Random-Liu @mrunalp
Kubernetes-commit: 39004e852bb523d0497343705ee2bf42b4e9c3e3
Automatic merge from submit-queue (batch tested with PRs 68051, 68130, 67211, 68065, 68117). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Fix unnecessary too-old-errors from watch cache
When initializing watch cache via LIST, we set its resource version to the RV of the list request.
However, before this PR, the first incoming watch event (updating the watch cache) was moving the "smallest oldest known version" to RV of that watch event. So watch requests passing rv equal to the RV returned from the initial list were failing with "too old resource version".
That is not needed, because we know that in the meantime there weren't any other watch events.
This PR is addressing that issue.
/assign @liggitt
Kubernetes-commit: 3966b8bbcc072cb48508d151c284241a26c45ede
Automatic merge from submit-queue (batch tested with PRs 67756, 64149, 68076, 68131, 68120). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
kube-ctrl-mgr: enable secure port 10257
This PR enables authn+authz (delegated to the kube-apiserver) and the secure port 10257 for the kube-controller-manager. In addition, the insecure port is disabled.
Moreover, it adds integration test coverage for the `--port` and `--secure-port` flags, plus the testserver infrastructure to tests flags in general inside integration tests.
```release-note
Enable secure serving on port 10257 to kube-controller-manager (configurable via `--secure-port`). Delegated authentication and authorization have to be configured like for aggregated API servers.
```
Kubernetes-commit: 5d4b0f81bf809d517e880aea935264f5497c1e3c
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Refactor admission webhook client code to a apiserver/pkg/util package
As part of #67006 This refactoring enable us to share code between admission webhooks and CRD conversion webhooks.
@deads2k @lavalamp @sttts @kubernetes/sig-api-machinery-misc
Kubernetes-commit: 14eb029fba5717e2dfe3434a682f9aec4752c44d
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Fix grammar in secure-port flag help
The phrasing made it difficult to understand the message.
```release-note
NONE
```
Kubernetes-commit: 95e85a5dfb0d766479a1708a3363192af51c8419
Automatic merge from submit-queue (batch tested with PRs 67764, 68034, 67836). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
apiserver: make not-found external-apiserver-authn configmap non-fatal
As client-ca and requestheader-client-ca is optional in the external-apiserver-authentication config file and components like kube-controller-manager and kube-scheduler won't need that anyway, we better make it non-fatal if the configmap is not found in the cluster.
Consumer counter-part PR to https://github.com/kubernetes/kubernetes/pull/67694.
```release-note
Don't let aggregated apiservers fail to launch if the external-apiserver-authentication configmap is not found in the cluster.
```
Kubernetes-commit: 55859a60fe09c412e183c92ad265cf0d52fbe3d8
This is the old behaviour and we did not intent to change it due to enabled authn/z in general.
As the kube-apiserver this sets the "system:unsecured" user info.
Kubernetes-commit: 8aa0eefce8fbd801a38da46c8704f2d74996e5cd
Kubernetes Publisher
Haowei Cai
Joe Betz
Jordan Liggitt
Mike Danese
tanshanshan
gorilla1024
David McCormick
David Eads
immutablet
jennybuckley
Cao Shufeng
Brandon Philips
Lucas Käldström
Dr. Stefan Schimanski
Jingyi Hu
Justin Santa Barbara
Timothy St. Clair
Tim Allclair
fengzixu
Jess Frazelle