Commit Graph

1230 Commits

Author SHA1 Message Date
hzxuzhonghu f5af0796fc pass APIEnablement through apiserver chain
Kubernetes-commit: 2f403b7ad18a179514f1de77e29f1a2549ef030a
2017-12-21 11:27:20 +08:00
Kubernetes Publisher 58bab6c3cd Merge pull request #58547 from liggitt/watch-cache-delete-resourceversion
Automatic merge from submit-queue (batch tested with PRs 58547, 57228, 58528, 58499, 58618). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Send correct resource version for delete events from watch cache

Fixes #58545

the watch cache filtering is returning the previous object content intact, including resource version. this is the logic the watch cache uses:
```go
switch {
case curObjPasses && !oldObjPasses:
	watchEvent = watch.Event{Type: watch.Added, Object: event.Object.DeepCopyObject()}
case curObjPasses && oldObjPasses:
	watchEvent = watch.Event{Type: watch.Modified, Object: event.Object.DeepCopyObject()}
case !curObjPasses && oldObjPasses:
	watchEvent = watch.Event{Type: watch.Deleted, Object: event.PrevObject.DeepCopyObject()}
}
```

when processing a delete event, we should be sending the old object's content *but* with the event's resource version set in it. corresponding logic exists in the uncached stores:

77ac663df4/staging/src/k8s.io/apiserver/pkg/storage/etcd/etcd_watcher.go (L401-L403)

77ac663df4/staging/src/k8s.io/apiserver/pkg/storage/etcd3/watcher.go (L373-L378)

```release-note
Fixes an issue where the resourceVersion of an object in a DELETE watch event was not the resourceVersion of the delete itself, but of the last update to the object. This could cause clients receiving the watch event to revert to an old "last observed" resource version, and disrupt their ability to re-establish watches properly.
```

Kubernetes-commit: 619305f1015758f5ffc858a5b3e26d1a779c4278
2018-01-23 05:15:08 +00:00
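
The three-way switch quoted in the commit message above, replayed over a constructed event sequence to show how a client's last observed resource version moves backwards on a delete. This is an added example, not code from the commit or from the Kubernetes project; the `object`, `cacheEvent`, `convert` and `lastObserved` names are hypothetical, and a delete is simplified to an event with no current object.

```go
package main

import "fmt"

// object is a constructed stand-in for an API object held in the watch cache.
type object struct {
	Name            string
	Ready           bool // the field the sample watch filter selects on
	ResourceVersion uint64
}

// cacheEvent carries what the switch reads: the current object, the previous
// object, and the resource version of the change itself.
type cacheEvent struct {
	Object          *object
	PrevObject      *object
	ResourceVersion uint64
}

type watchEvent struct {
	Type   string
	Object object
}

func isReady(o *object) bool { return o.Ready }

// convert applies the three-way switch. With fixDelete=false the previous
// object is returned intact, old resource version included. With
// fixDelete=true the copy carries the resource version of the event.
func convert(ev cacheEvent, passes func(*object) bool, fixDelete bool) (watchEvent, bool) {
	cur := ev.Object != nil && passes(ev.Object)
	old := ev.PrevObject != nil && passes(ev.PrevObject)
	switch {
	case cur && !old:
		return watchEvent{Type: "ADDED", Object: *ev.Object}, true
	case cur && old:
		return watchEvent{Type: "MODIFIED", Object: *ev.Object}, true
	case !cur && old:
		prev := *ev.PrevObject // value copy; the cached object is not mutated
		if fixDelete {
			prev.ResourceVersion = ev.ResourceVersion
		}
		return watchEvent{Type: "DELETED", Object: prev}, true
	}
	return watchEvent{}, false
}

// sampleEvents is constructed: "a" is created at version 5, "b" at version 7,
// then "a" is deleted at version 9.
func sampleEvents() []cacheEvent {
	a := &object{Name: "a", Ready: true, ResourceVersion: 5}
	b := &object{Name: "b", Ready: true, ResourceVersion: 7}
	return []cacheEvent{
		{Object: a, ResourceVersion: 5},
		{Object: b, ResourceVersion: 7},
		{PrevObject: a, ResourceVersion: 9},
	}
}

// lastObserved returns the resource version a client would record after
// replaying the events, which is the version it would use to re-watch.
func lastObserved(events []cacheEvent, fixDelete bool) uint64 {
	var rv uint64
	for _, ev := range events {
		if we, ok := convert(ev, isReady, fixDelete); ok {
			rv = we.Object.ResourceVersion
		}
	}
	return rv
}

func main() {
	fmt.Println("previous object returned intact:", lastObserved(sampleEvents(), false))
	fmt.Println("event resource version applied: ", lastObserved(sampleEvents(), true))
}
```
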
Jordan Liggitt 0a8ef33fce Send correct resource version for delete events from watch cache
Kubernetes-commit: 57998d247df74cc96547158a0b39e5d7bffa271b
2018-01-19 17:44:25 -05:00
Kubernetes Publisher c3a32f2bed Merge pull request #58340 from gmarek/dropped
Automatic merge from submit-queue (batch tested with PRs 58446, 58459, 58340). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add apiserver metric for number of requests dropped by 'max-inflight-requests' filters.

Useful for figuring out on which dimension master is overloaded.

cc @sttts @lavalamp @deads2k @timothysc @hulkholden

Kubernetes-commit: 07ad1f7176e09f0814dba7011596991de2032953
2018-01-19 21:15:35 +00:00
Kubernetes Publisher 9392ffff2b Merge pull request #58123 from hzxuzhonghu/refactor-admission-flag
Automatic merge from submit-queue (batch tested with PRs 58496, 58078, 58123). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

refactor admission flag

**What this PR does / why we need it**:

Refactor admission control flag, finally make cluster admins not care about orders in this flag.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
Add `--enable-admission-plugin` `--disable-admission-plugin` flags and deprecate `--admission-control`.
Afterwards, don't care about the orders specified in the flags.
```

Kubernetes-commit: f9bb978ad65a924620e1f362059f46731fe454ee
2018-01-19 17:16:30 +00:00
Kubernetes Publisher 132e5c6250 Merge pull request #54544 from YuxiJin-tobeyjin/fatal2fatalf
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Use Fatalf instead of Fatal while formatting the output is needed

**What this PR does / why we need it**:
Should use Fatalf instead of Fatal while formatting the output is needed

**Release note**:
NONE

```release-note
```

Kubernetes-commit: 7dadeee5e8b84d41c5249a2ca6a8fb64f48c8e77
2018-01-19 01:16:24 +00:00
Kubernetes Publisher 15c0179402 Merge pull request #58439 from liggitt/admission-scheme
Automatic merge from submit-queue (batch tested with PRs 57868, 58284, 56370, 58400, 58439). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix decoding of admission config file

Fixes #58426

1a552bbe14 (diff-eb9532eb476083e1ab31da9dd6f83eceR41) attempted to use a locally constructed scheme, but the name `scheme` was shadowed by a function arg.

Attempts to run the apiserver with a structured plugin config file would fail to decode (since the passed scheme didn't know about the AdmissionConfiguration type), then fall back to treating the file as a legacy config, and silently continue without correct config

```release-note
kube-apiserver: fixes loading of `--admission-control-config-file` containing AdmissionConfiguration apiserver.k8s.io/v1alpha1 config object
```

Kubernetes-commit: c7526fbb67711c5a36eb957b2e315e0efb815c5b
2018-01-19 01:15:43 +00:00
Kubernetes Publisher ee1b1d5de4 Merge pull request #53631 from dixudx/enforce_cobra_required_flags
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

update vendor spf13/cobra to enforce required flags

**What this PR does / why we need it**:

spf13/cobra#502 has enforced checking flags that are marked as required; an error will be raised if unset.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
fixes #54855
xref #48400
fixes kubernetes/kubectl#121

**Special notes for your reviewer**:
/assign @liggitt @eparis

**Release note**:

```release-note
kubectl now enforces required flags at a more fundamental level
```

Kubernetes-commit: 048757b8a51333f59d3112d2b228d2f0102a4afc
2018-01-18 13:19:15 +00:00
Jordan Liggitt e090ce7de2 Fix loading structured admission plugin config
Kubernetes-commit: 34328ea87dc9ac61bd036228102c952017cb81d0
2018-01-18 02:32:28 -05:00
Jordan Liggitt 8e878f6f59 Surface error loading admission plugin config
Kubernetes-commit: ed53e8a25c154129eebb71b1a5816cee21889f70
2018-01-18 02:32:09 -05:00
Kubernetes Publisher 4abd5d2816 Merge pull request #48859 from victorgp/master
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Support for custom tls cipher suites in api server and kubelet

**What this PR does / why we need it**:
This pull request aims to solve the problem of users not being able to set custom cipher suites in the api server.
Several users have requested this given that some default ciphers are vulnerable.
There is a discussion in #41038 of how to implement this. The options are:
- Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
- Letting the user set them by parameter, this requires adding a new parameter that could be pretty long with the list of all the ciphers.

I implemented the second option; if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).

**Which issue this PR fixes**
fixes #41038

**Special notes for your reviewer**:
The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the `type CipherSuitesFlag` to support that conversion/mapping, because I couldn't find any way to do this type of reflection in Go.
If you think there is another way to implement this, let me know.

If you want to test it out, this is a cipher combination I tested without the weak ones:

```
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
```

If this is merged I will implement the same for the Kubelet.

**Release note**:
```release-note
kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
```

Kubernetes-commit: b7100f1ee7231617891a100dd34b3490a1f578e4
2018-01-18 05:16:19 +00:00
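
One way to turn a comma-separated `--tls-cipher-suites` value into the `[]uint16` that `tls.Config.CipherSuites` expects, rejecting unknown names and reporting any suite that Go's `tls.InsecureCipherSuites()` lists. This is an added example, not the `CipherSuitesFlag` type from the PR or any Kubernetes code; `parseCipherSuites`, `legacyNames` and `sampleFlag` are hypothetical names, and the sample value is constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// legacyNames covers the two ChaCha20 names as spelled in the list above.
// Current Go reports these suites with a _SHA256 suffix, so the shorter
// spelling needs an explicit alias to the same constants.
var legacyNames = map[string]uint16{
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
}

// sampleFlag is a constructed flag value mixing an AEAD suite, a CBC-SHA256
// suite and a legacy-spelled ChaCha20 suite.
const sampleFlag = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, " +
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," +
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"

// parseCipherSuites maps names to IDs in the order given. An unknown name is
// an error rather than being skipped, so a typo cannot silently widen or
// narrow the configured set. An empty value returns nil IDs, which leaves
// tls.Config on the Go defaults (the behaviour the PR keeps when the flag is
// not passed). weak lists the requested names that Go itself marks insecure.
func parseCipherSuites(csv string) (ids []uint16, weak []string, err error) {
	byName := make(map[string]uint16)
	insecure := make(map[uint16]bool)
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs.ID
	}
	for _, cs := range tls.InsecureCipherSuites() {
		byName[cs.Name] = cs.ID
		insecure[cs.ID] = true
	}
	for name, id := range legacyNames {
		byName[name] = id
	}
	for _, field := range strings.Split(csv, ",") {
		name := strings.TrimSpace(field)
		if name == "" {
			continue
		}
		id, ok := byName[name]
		if !ok {
			return nil, nil, fmt.Errorf("unknown cipher suite %q", name)
		}
		ids = append(ids, id)
		if insecure[id] {
			weak = append(weak, name)
		}
	}
	return ids, weak, nil
}

func main() {
	ids, weak, err := parseCipherSuites(sampleFlag)
	if err != nil {
		fmt.Println("rejecting configuration:", err)
		return
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}
	fmt.Printf("configured %d suites\n", len(cfg.CipherSuites))
	for _, name := range weak {
		fmt.Println("listed by tls.InsecureCipherSuites():", name)
	}
}
```
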
Kubernetes Publisher ef53d4c744 Merge pull request #58375 from liggitt/decrypt
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Recheck if transformed data is stale when doing live lookup during update

Fixes #49565

Caching storage can pass in a cached object to `GuaranteedUpdate` as a hint for the current object.

If the hint is identical to the data we want to persist, before short-circuiting as a no-op update, we force a live lookup.

We should check two things on the result of that live lookup before short-circuiting as a no-op update:
1. the bytes we want to persist still match the transformed bytes read from etcd
2. the state read from etcd didn't report itself as stale. this would mean the transformer used to read the data would not be the transformer used to write it, and "no-op" writes should still be performed, since transformation will make the underlying content actually different.

After a live lookup, we checked byte equality, but not the stale indicator. This meant that key rotation or encrypted->decrypted, and decrypted->encrypted updates are broken.

Introduced in #54780 and picked back to 1.8 in #55294

```release-note
Fixed encryption key and encryption provider rotation
```

Kubernetes-commit: 4257f7595abbe7299cbbdaaae4fa36559892f654
2018-01-18 01:20:18 +00:00
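
The two checks listed in the commit message above, modelled on a toy store so the effect on key rotation is visible: a no-op update that only compares bytes leaves the value under the old key, while one that also honours the stale flag rewrites it. This is an added example, not the `GuaranteedUpdate` implementation; `keyring`, `update` and `rotate` are hypothetical names, and the "transformer" only tags values with a key name instead of encrypting them.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// keyring is a constructed stand-in for a storage value transformer.
// keys[0] is the write key; every listed key is accepted on read.
type keyring struct{ keys []string }

// toStorage tags the plaintext with the current write key (no real crypto).
func (k keyring) toStorage(plain []byte) []byte {
	return append([]byte(k.keys[0]+":"), plain...)
}

// fromStorage returns the plaintext and a stale flag that is true when the
// value was written with anything other than the current write key.
func (k keyring) fromStorage(stored []byte) (plain []byte, stale bool, err error) {
	for i, name := range k.keys {
		prefix := []byte(name + ":")
		if bytes.HasPrefix(stored, prefix) {
			return stored[len(prefix):], i != 0, nil
		}
	}
	return nil, false, errors.New("no configured key can read this value")
}

// update models the short-circuit after the live lookup. It reports whether a
// write was performed. With checkStale=false only byte equality is tested,
// which is the behaviour the commit message describes as broken.
func update(store map[string][]byte, key string, want []byte, k keyring, checkStale bool) (bool, error) {
	current, stale, err := k.fromStorage(store[key])
	if err != nil {
		return false, err
	}
	if bytes.Equal(current, want) && (!checkStale || !stale) {
		return false, nil // treated as a no-op, nothing is rewritten
	}
	store[key] = k.toStorage(want)
	return true, nil
}

// rotate writes a value under key1, promotes key2 to write key, then submits
// an update with unchanged content. It returns what ends up in the store.
func rotate(checkStale bool) (stored string, wrote bool, err error) {
	const path = "secrets/example" // constructed storage key
	value := []byte("s3cr3t")      // constructed payload
	store := map[string][]byte{path: keyring{keys: []string{"key1"}}.toStorage(value)}

	rotated := keyring{keys: []string{"key2", "key1"}}
	wrote, err = update(store, path, value, rotated, checkStale)
	return string(store[path]), wrote, err
}

func main() {
	for _, check := range []bool{false, true} {
		stored, wrote, err := rotate(check)
		fmt.Printf("checkStale=%v wrote=%v stored=%q err=%v\n", check, wrote, stored, err)
	}
}
```
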
Kubernetes Publisher 3de2cd9dc7 Merge pull request #58149 from CaoShuFeng/duplicated_import_2
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

remove duplicated import

**Release note**:
```release-note
NONE
```

Kubernetes-commit: 99fb21f61fc0e6c1fffc0d4b5138665806eadce6
2018-01-17 10:52:07 +00:00
Kubernetes Publisher 7e24d2baad Merge pull request #58008 from rphillips/fixes/etcd_grpc_keepalive
Automatic merge from submit-queue (batch tested with PRs 58008, 58351). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

etcd client: add keepalive

**What this PR does / why we need it**: This PR shortens the keepaliveTimeout and enables keepalive within the etcd client to allow the socket to be closed cleanly on a dead etcd server.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #46964

**Special notes for your reviewer**:

**Release note**:
```release-note
NONE
```

/cc @xiang90

Kubernetes-commit: 75b2109f23e15bbaac3744f398b1ffd8306adc04
2018-01-17 10:51:19 +00:00
Jordan Liggitt 8e603ae547 Recheck if transformed data is stale when doing live lookup during update
Kubernetes-commit: 070089c6bfccc18ba6039eee45b982633087c87e
2018-01-17 01:21:52 -05:00
Kubernetes Publisher 74bf920708 Merge pull request #58260 from liggitt/crd-yaml
Automatic merge from submit-queue (batch tested with PRs 58260, 58326). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add support for submitting/receiving CRD objects as yaml

Fixes #37455

```release-note
Custom resources can now be submitted to and received from the API server in application/yaml format.
```

Kubernetes-commit: a7c65d29e6e4fabd9ce24f8373ad6c26bfa948d5
2018-01-16 18:55:15 +00:00
Marek Grabowski d8aa7399d2 Add apiserver metric for number of requests dropped by 'inflight-request' filters.
Kubernetes-commit: 32c66c2b56afe0c716169d9705f84172155ddbb4
2018-01-16 15:48:20 +00:00
Kubernetes Publisher 5dbf675929 Merge pull request #58203 from CaoShuFeng/signature
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

remove invalid and useless functions from unit test

**Release note**:
```release-note
NONE
```

Kubernetes-commit: 529bf8308922cdc0ff84ebcfe1ba5beae10f8a0a
2018-01-16 14:52:08 +00:00
Kubernetes Publisher 162232e450 Merge pull request #58320 from hzxuzhonghu/cleanup
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

move prometheus register to pkg/endpoints/metrics/metrics.go

**What this PR does / why we need it**:
delete k8s.io/apiserver/pkg/endpoints/apiserver.go
move prometheus init from k8s.io/apiserver/pkg/endpoints/apiserver.go to k8s.io/apiserver/pkg/endpoints/metrics/metrics.go

Since k8s.io/apiserver/pkg/endpoints/apiserver.go only has a metrics init func, which should be in metrics pkg.

**Release note**:

```release-note
NONE
```

/assign @sttts @liggitt

Kubernetes-commit: a6710f3b8751154596ebf29feecd4b90d06ad4bc
2018-01-16 10:52:07 +00:00
hzxuzhonghu 15434cbd47 move prometheus init to k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
Kubernetes-commit: 631119a7d65e01e48b5d8a46d7300b20c65262e1
2018-01-16 15:28:16 +08:00
Jordan Liggitt e5c1570dd1 Return correct error when submitting patch in unsupported format
Kubernetes-commit: aa504ccd57f38bfc23248c68019b7685fb14e668
2018-01-15 20:42:47 -05:00
Jordan Liggitt 8b7520bc3b Add error helpers and constants for NotAcceptable and UnsupportedMediaType
Kubernetes-commit: 037eec3b9a32c766d965090dd719d772f7247130
2018-01-15 20:42:12 -05:00
Kubernetes Publisher 539ec0a072 Merge pull request #58258 from liggitt/unsupported-mime-type-error
Automatic merge from submit-queue (batch tested with PRs 58207, 58258). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Return the correct set of supported mime types for non-streaming requests

Fixes the error response when submitting unsupported mime types to non-streaming endpoints

See https://github.com/kubernetes/kubernetes/issues/37455#issuecomment-353526250

```release-note
NONE
```

Kubernetes-commit: 014130e4e9354ac04c81b7c1511ddc374804acbc
2018-01-15 18:52:09 +00:00
Kubernetes Publisher 75c29f6539 Merge pull request #56408 from sttts/sttts-mutating-admission-webhook-config-scheme
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

admission: do not leak admission plugin config types outside of the plugin

We had two plugins that did not register their types into the external config scheme, breaking embedded config for them without noticing. Actually though, we do not want to leak those types at all into external scheme, but keep the types internal to the plugins. The second commit in this PR does that.

Kubernetes-commit: 8ae388e9ee9eef1721352ea5003e161893a6c4d9
2018-01-15 18:51:20 +00:00
Jordan Liggitt f08677495f Return the correct set of supported mime types for non-streaming requests
Kubernetes-commit: 7e33b128567700ef114fe15ae43f5e2e662b29cf
2018-01-14 11:38:00 -05:00
Kubernetes Publisher 62556f7c7c Merge pull request #58249 from ilackarms/compression-flushing
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

periodically flush ResponseWriter when using response compression

This PR fixes API Compression when following logs by ensuring the compression writer periodically flushes (at the end of each write).

This is a commit extracted from #51508 to allow testing of flushing while feature remains disabled / in alpha.

Fixes https://github.com/kubernetes/kubernetes/issues/54205

```release-note
NONE
```

Kubernetes-commit: 32dc50476e6750774da96fa54989098bd0169f03
2018-01-13 23:39:44 +00:00
Kubernetes Publisher 91fdfb5d89 Merge pull request #57114 from yliaog/master
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

added defaults for --watch-cache-sizes description.

**What this PR does / why we need it**:
added defaults for --watch-cache-sizes description to make it clear what the defaults would be when not specified

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
#57105

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

Kubernetes-commit: 188e6ebcdbcfd0617dc12e51e8e6a66ce89f3955
2018-01-13 19:40:23 +00:00
Yu Liao 3365692578 sync: squashed up to merge eb7be2699bcbecb2703d3c046b27c2a8e8b1b6dd in 188e6ebcdbcfd0617dc12e51e8e6a66ce89f3955
2018-01-13 19:39:22 +00:00
ilackarms 346b48d948 periodically flush writer
Kubernetes-commit: 410b4016fd3dc97cdaf0a8e2bc20726900db772e
2018-01-13 13:14:31 -05:00
hzxuzhonghu 215ca01104 run update bazel
Kubernetes-commit: 5c9e020d7dfb369d3cdfb765baa3dff922d8e83d
2018-01-13 18:09:47 +08:00
hzxuzhonghu d395a1e811 update admission test cases
Kubernetes-commit: 82c3d2492cb43f9f81e8a18e1dce2e8ab7e4e56a
2018-01-15 14:58:09 +08:00
hzxuzhonghu b636311708 refactor admission flag: add two admission flags and make plugins auto in recommended order
Kubernetes-commit: 7c5f9e0bbaff15570f1709e70b7fa6952395d7cd
2018-01-15 14:58:57 +08:00
Kubernetes Publisher 04231f2da5 Merge pull request #58187 from caesarxuchao/fix-typo
Automatic merge from submit-queue (batch tested with PRs 57266, 58187, 58186, 46245, 56509). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

[minor] Fix a typo

Fix https://github.com/kubernetes/kubernetes/pull/58025#discussion_r161052726

Kubernetes-commit: 99abe92a5d79ee7e6801f15cf14878ac52e2712f
2018-01-13 07:39:41 +00:00
Kubernetes Publisher 36b5340018 Merge pull request #57059 from ericchiang/client-go/remove-openapi-import
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

client-go: remove open-api import from types

This builds off of https://github.com/kubernetes/kube-openapi/pull/21 and removes the following imports from `k8s.io/client-go/kubernetes`:

```
github.com/PuerkitoBio/purell
github.com/PuerkitoBio/urlesc
github.com/emicklei/go-restful
github.com/emicklei/go-restful/log
github.com/go-openapi/jsonpointer
github.com/go-openapi/jsonreference
github.com/go-openapi/spec
github.com/go-openapi/swag
github.com/mailru/easyjson/buffer
github.com/mailru/easyjson/jlexer
github.com/mailru/easyjson/jwriter
golang.org/x/text/cases
golang.org/x/text/internal
golang.org/x/text/internal/tag
golang.org/x/text/language
golang.org/x/text/runes
golang.org/x/text/secure/precis
golang.org/x/text/width
k8s.io/kube-openapi/pkg/common
```

/assign @sttts
/assign @mbohlool

cc @kubernetes/sig-api-machinery-pr-reviews

```release-note
NONE
```

Kubernetes-commit: f6d0632bbbf8428bfec0ca72db5103916e6248b4
2018-01-12 11:42:07 +00:00
Cao Shufeng f193a275c6 remove invalid and useless functions from unit test
Kubernetes-commit: eb1650ce567e0bf19f310817502a7a4fe3049a11
2018-01-12 17:22:33 +08:00
Kubernetes Publisher af70834701 Merge pull request #56660 from hzxuzhonghu/recommened-admission
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

add admission into RecommendedOptions

**What this PR does / why we need it**:

make admission part of the RecommendedOptions

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #56627

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

Kubernetes-commit: 67a5a266739b3dacb5d6920eaa1373d62f5e1a75
2018-01-12 07:38:36 +00:00
Chao Xu 0055602f99 fix a typo
Kubernetes-commit: 9d1b687914226514992d9f47c639847930d315b2
2018-01-11 18:24:24 -08:00
Dr. Stefan Schimanski 304d1abda0 Update generated files
Kubernetes-commit: 83268fa9a8642c9754eeadca76c1b572c4c0ec43
2018-01-11 17:17:27 +01:00
Kubernetes Publisher dafa2e4738 Merge pull request #57259 from ericchiang/client-go-no-cache-import
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

client-go: remove import of github.com/gregjones/httpcache

Moves NewCacheRoundTripper from `k8s.io/client-go/transport` to its own package. This prevents Kubernetes clients from requiring its dependencies.

This change removes the following transitive imports from `k8s.io/client-go/kubernetes`

```
github.com/google/btree
github.com/gregjones/httpcache
github.com/gregjones/httpcache/diskcache
github.com/peterbourgon/diskv
```

```release-note
NONE
```

Kubernetes-commit: 4a77bd53e88a719c612086df69a52899bbdd85af
2018-01-11 11:37:00 +00:00
Cao Shufeng 2a2505e824 remove duplicated import
Kubernetes-commit: 4e7398b67b12390486012dd6f9d708dd64f961f3
2018-01-11 19:15:11 +08:00
Kubernetes Publisher 5a7e67d9e3 Merge pull request #58062 from lcfang/fixurl-0110
Automatic merge from submit-queue (batch tested with PRs 58025, 57112, 57879, 57571, 58062). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fixed some bad url

**What this PR does / why we need it**:

fixed some bad url

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

Kubernetes-commit: bc56a90e0bce39003cac7d7665aa61883cb9abb3
2018-01-11 07:41:20 +00:00
Kubernetes Publisher 6d3df78757 Merge pull request #57571 from spiffxp/mk-staging-repos-authoritative
Automatic merge from submit-queue (batch tested with PRs 58025, 57112, 57879, 57571, 58062). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Treat staging repos as authoritative source for all files

Add CONTRIBUTING.md files to remind people not to PR directly into the published repos.

/hold
I believe this requires removing these files from the published repos if any copies exist there

ref: kubernetes/kubernetes#57559

Kubernetes-commit: 4bc286f0255d6c007cb8d5435018ab3e31ec7d01
2018-01-11 07:40:11 +00:00
Kubernetes Publisher a3febf3564 Merge pull request #58025 from caesarxuchao/default-webhook
Automatic merge from submit-queue (batch tested with PRs 58025, 57112, 57879, 57571, 58062). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Let mutating webhook defaults the object

...after applying the patch sent back by the webhook

This should be treated as a bug and cherrypicked to 1.9.

Fixes #57982

Kubernetes-commit: 6f3e39ec94cb57c4ddb9df01eb5a824be9c831e7
2018-01-11 07:40:10 +00:00
Eric Chiang ea679b5f13 bump(k8s.io/kube-openapi): a07b7bbb58e7fdc5144f8d7046331d29fc9ad3b3
Kubernetes-commit: e1dda7e3be5cded77116cc48370372cb10992c17
2018-01-10 15:17:37 -08:00
lcfang 0ed40315e0 fixed some bad url
Kubernetes-commit: 713e28874afab96b91000d187b0d3d6ce01abf2a
2018-01-10 22:05:00 +08:00
Kubernetes Publisher f452c8f2c5 Merge pull request #57613 from mtaufen/explicit-kubelet-flags
Automatic merge from submit-queue (batch tested with PRs 57733, 57613, 57953). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Explicit kubelet flags

The Kubelet was using the global flag set.
Libraries also often use the global flag set.
There are flags in the Kubelet's usage statement for which the Kubelet does not control registration.
This is bad, we must have full control of our command-line API.
This PR puts a stop to it.

I worked through the Kubelet's usage printout and tracked down the flags.

In the below list, flags with checkboxes are one of:
- explicitly **registered** in this PR
- thought about and outright **rejected**
- thought about and **registered-deprecated** for legacy reasons

For the others we need to figure out whether they should be **registered** or **rejected** or **registered-deprecated**.

### cadvisor:
grep commands, for reference:
```
# flag definitions in cadvisor
git grep -E "\"application_metrics_count_limit\"|\"boot_id_file\"|\"container_hints\"|\"containerd\"|\"docker\"|\"docker_env_metadata_whitelist\"|\"docker_only\"|\"docker_root\"|\"docker-tls\"|\"docker-tls-ca\"|\"docker-tls-cert\"|\"docker-tls-key\"|\"enable_load_reader\"|\"event_storage_age_limit\"|\"event_storage_event_limit\"|\"global_housekeeping_interval\"|\"housekeeping_interval\"|\"log_cadvisor_usage\"|\"machine_id_file\"|\"storage_driver_buffer_duration\"|\"storage_driver_db\"|\"storage_driver_host\"|\"storage_driver_password\"|\"storage_driver_secure\"|\"storage_driver_table\"|\"storage_driver_user\"" -- vendor/github.com/google/cadvisor
# flag invocations
git grep -E "\--application_metrics_count_limit|--boot_id_file|--container_hints|--containerd|--docker|--docker_env_metadata_whitelist|--docker_only|--docker_root|--docker_tls|--docker_tls_ca|--docker_tls_cert|--docker_tls_key|--enable_load_reader|--event_storage_age_limit|--event_storage_event_limit|--global_housekeeping_interval|--housekeeping_interval|--log_cadvisor_usage|--machine_id_file|--storage_driver_buffer_duration|--storage_driver_db|--storage_driver_host|--storage_driver_password|--storage_driver_secure|--storage_driver_table|--storage_driver_user" -- ':(exclude)pkg/generated/bindata.go' ':(exclude)Godeps' ':(exclude)CHANGELOG*' ':(exclude)vendor'
# normalized flag invocations
git grep -E "\--application-metrics-count-limit|--boot-id-file|--container-hints|--containerd|--docker|--docker-env-metadata-whitelist|--docker-only|--docker-root|--docker-tls|--docker-tls-ca|--docker-tls-cert|--docker-tls-key|--enable-load-reader|--event-storage-age-limit|--event-storage-event-limit|--global-housekeeping-interval|--housekeeping-interval|--log-cadvisor-usage|--machine-id-file|--storage-driver-buffer-duration|--storage-driver-db|--storage-driver-host|--storage-driver-password|--storage-driver-secure|--storage-driver-table|--storage-driver-user" -- ':(exclude)pkg/generated/bindata.go' ':(exclude)Godeps' ':(exclude)CHANGELOG*' ':(exclude)vendor'
# flag names
git grep -E "application_metrics_count_limit|boot_id_file|container_hints|containerd|docker|docker_env_metadata_whitelist|docker_only|docker_root|docker_tls|docker_tls_ca|docker_tls_cert|docker_tls_key|enable_load_reader|event_storage_age_limit|event_storage_event_limit|global_housekeeping_interval|housekeeping_interval|log_cadvisor_usage|machine_id_file|storage_driver_buffer_duration|storage_driver_db|storage_driver_host|storage_driver_password|storage_driver_secure|storage_driver_table|storage_driver_user"  ':(exclude)pkg/generated/bindata.go' ':(exclude)Godeps' ':(exclude)CHANGELOG*' ':(exclude)vendor'
# normalized flag names
git grep -E "application-metrics-count-limit|boot-id-file|container-hints|containerd|docker|docker-env-metadata-whitelist|docker-only|docker-root|docker-tls|docker-tls-ca|docker-tls-cert|docker-tls-key|enable-load-reader|event-storage-age-limit|event-storage-event-limit|global-housekeeping-interval|housekeeping-interval|log-cadvisor-usage|machine-id-file|storage-driver-buffer-duration|storage-driver-db|storage-driver-host|storage-driver-password|storage-driver-secure|storage-driver-table|storage-driver-user"  ':(exclude)pkg/generated/bindata.go' ':(exclude)Godeps' ':(exclude)CHANGELOG*' ':(exclude)vendor'
# normalized and underscore names combined
git grep -E "application_metrics_count_limit|boot_id_file|container_hints|containerd|docker|docker_env_metadata_whitelist|docker_only|docker_root|docker_tls|docker_tls_ca|docker_tls_cert|docker_tls_key|enable_load_reader|event_storage_age_limit|event_storage_event_limit|global_housekeeping_interval|housekeeping_interval|log_cadvisor_usage|machine_id_file|storage_driver_buffer_duration|storage_driver_db|storage_driver_host|storage_driver_password|storage_driver_secure|storage_driver_table|storage_driver_user|application-metrics-count-limit|boot-id-file|container-hints|containerd|docker-env-metadata-whitelist|docker-only|docker-root|docker-tls|docker-tls-ca|docker-tls-cert|docker-tls-key|enable-load-reader|event-storage-age-limit|event-storage-event-limit|global-housekeeping-interval|housekeeping-interval|log-cadvisor-usage|machine-id-file|storage-driver-buffer-duration|storage-driver-db|storage-driver-host|storage-driver-password|storage-driver-secure|storage-driver-table|storage-driver-user"  ':(exclude)pkg/generated/bindata.go' ':(exclude)Godeps' ':(exclude)CHANGELOG*' ':(exclude)vendor'
```
- [x]      --docker-root (**registered** - this is used in `cluster/saltbase/salt/kubelet/default`)
- [x]      --housekeeping-interval (**registered** - e2e node tests rely on this (`test/e2e_node/resource_collector.go`))
- [x]      --application-metrics-count-limit (**registered-deprecated** - temporarily register for legacy)
- [x]      --boot-id-file (**registered-deprecated** - temporarily register for legacy)
- [x]      --container-hints (**registered-deprecated** - temporarily register for legacy)
- [x]      --containerd (**registered-deprecated** - temporarily register for legacy)
- [x]      --docker (**registered-deprecated** - temporarily register for legacy)
- [x]      --docker-env-metadata-whitelist (**registered-deprecated** - temporarily register for legacy)
- [x]      --docker-only (**registered-deprecated** - temporarily register for legacy)
- [x]      --docker-tls (**registered-deprecated** - temporarily register for legacy)
- [x]      --docker-tls-ca (**registered-deprecated** - temporarily register for legacy)
- [x]      --docker-tls-cert (**registered-deprecated** - temporarily register for legacy)
- [x]      --docker-tls-key (**registered-deprecated** - temporarily register for legacy)
- [x]      --enable-load-reader (**registered-deprecated** - temporarily register for legacy)
- [x]      --event-storage-age-limit (**registered-deprecated** - the Kubelet overrides the default via the global flagset (`pkg/kubelet/cadvisor/cadvisor_linux.go`), but nothing else in core repo provides)
- [x]      --event-storage-event-limit (**registered-deprecated** - the Kubelet overrides the default via the global flagset (`pkg/kubelet/cadvisor/cadvisor_linux.go`), but nothing else in core repo provides)
- [x]      --global-housekeeping-interval (**registered-deprecated** - temporarily register for legacy)
- [x]      --log-cadvisor-usage (**registered-deprecated** - temporarily register for legacy)
- [x]      --machine-id-file (**registered-deprecated** - temporarily register for legacy)
- [x]      --storage-driver-user (**registered-deprecated** - temporarily register for legacy)
- [x]      --storage-driver-password (**registered-deprecated** - temporarily register for legacy)
- [x]      --storage-driver-host (**registered-deprecated** - temporarily register for legacy)
- [x]      --storage-driver-db (**registered-deprecated** - temporarily register for legacy)
- [x]      --storage-driver-table (**registered-deprecated** - temporarily register for legacy)
- [x]      --storage-driver-secure (**registered-deprecated** - temporarily register for legacy)
- [x]      --storage-driver-buffer-duration (**registered-deprecated** - temporarily register for legacy)

### pkg/apiserver/util/logs:
- [x]      --log-flush-frequency (**registered** - like the glog flags, this is probably useful)

### pkg/credentialprovider/azure/azure_credentials.go:
- [x]      --azure-container-registry-config (**registered** - This isn't quite as straightforward as --google-json-key, because the file it points to isn't static. For now we will just register, and we will deprecate it when there is an alternative. See below comments.)

### pkg/credentialprovider/gcp/jwt.go:
- [x]      --google-json-key (**registered-deprecated** - This is really old legacy stuff to allow kubelets to authenticate with gcr (see: d5e0054eb039e90defc55464a2d938bc38fddb0d). See @liggitt's below comment for what should be used instead.)

### pkg/cloudprovider/providers/gce/gce_loadbalancer.go:
- [x]      --cloud-provider-gce-lb-src-cidrs (**rejected** - Kubelet doesn't need to know about the cidrs that were opened in the firewall for the load balancer)

### glog:
I registered all of these, since this logging library is used pretty much everywhere in the Kubelet, and all of its toggles are probably useful.
- [x]      --logtostderr (**registered**)
- [x]      --alsologtostderr (**registered**)
- [x]  -v, --v (**registered**)
- [x]      --stderrthreshold (**registered**)
- [x]      --vmodule (**registered**)
- [x]      --log-backtrace-at (**registered**)
- [x]      --log-dir (**registered**)

### verflag:
This is how you get the Kubelet's version; it is absolutely necessary to register this.
- [x]      --version (**registered**)

```release-note
The Kubelet now explicitly registers all of its command-line flags with an internal flagset, which prevents flags from third party libraries from unintentionally leaking into the Kubelet's command-line API. Many unintentionally leaked flags are now marked deprecated, so that users have a chance to migrate away from them before they are removed. One previously leaked flag, --cloud-provider-gce-lb-src-cidrs, was entirely removed from the Kubelet's command-line API, because it is irrelevant to Kubelet operation.
```

Thanks to @liggitt for being surprised that we didn't already do this.
Thanks to @dashpole for realizing cadvisor flags were leaked after seeing #55863.
Thanks to @tallclair who recognized this problem a long time ago in #19432.

Kubernetes-commit: 5e444bbe12b36d03975d4cd43a1ed167bfc638ab
2018-01-10 08:36:08 +00:00
Chao Xu b0adab5a27 Let mutating webhook default the object after applying the patch sent back by the webhook
Kubernetes-commit: 5029bb56c434c0099fd1d2e78de7531c69430753
2018-01-09 15:58:18 -08:00
Eric Chiang a330cdc512 generated: update staging godeps
Kubernetes-commit: dedeb99c97dcd0e5814ba49cf0f82aa7bf23f4ad
2018-01-08 10:00:13 -08:00
Kubernetes Publisher dc7d6d7088 Merge pull request #57940 from mbssaiakhil/patch-6
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix Typo in apiserver README

Kubernetes-commit: 9f80ae7410c813593f8b8b050978c9c052b70587
2018-01-08 08:24:49 +00:00
Kubernetes Publisher dd4984a182 Merge pull request #56769 from dixudx/forbid_unnamed_context
Automatic merge from submit-queue (batch tested with PRs 57521, 56769). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

forbid unnamed context

**What this PR does / why we need it**:
forbid unnamed contexts with validation

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #56747

**Special notes for your reviewer**:
/assign @sttts @fabianofranz

**Release note**:

```release-note
forbid unnamed context
```

Kubernetes-commit: a2bce0d74e283654cd6e561faacf5fba7ea29310
2018-01-07 19:53:34 +00:00