From e86bdc79895cfa5b744a3b44ee9aa59ed5cd7a31 Mon Sep 17 00:00:00 2001
From: Vladimir Vivien <vivienv@vmware.com>
Date: Mon, 26 Nov 2018 22:11:47 -0500
Subject: [PATCH 1/3] Forces fsnotify CREATE and REMOVE to occur serially

---
 pkg/kubelet/util/pluginwatcher/plugin_watcher.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/kubelet/util/pluginwatcher/plugin_watcher.go b/pkg/kubelet/util/pluginwatcher/plugin_watcher.go
index 9116222cae..a9f8422edf 100644
--- a/pkg/kubelet/util/pluginwatcher/plugin_watcher.go
+++ b/pkg/kubelet/util/pluginwatcher/plugin_watcher.go
@@ -111,7 +111,7 @@ func (w *Watcher) Start() error {
 				//TODO: Handle errors by taking corrective measures
 
 				w.wg.Add(1)
-				go func() {
+				func() {
 					defer w.wg.Done()
 
 					if event.Op&fsnotify.Create == fsnotify.Create {

From 0bab5ee5adaff148d1c0f96ca86597404d972243 Mon Sep 17 00:00:00 2001
From: WanLinghao <wanlh.fnst@cn.fujitsu.com>
Date: Mon, 26 Nov 2018 13:13:18 +0800
Subject: [PATCH 2/3] Currently the root-ca-cert-publisher was shadowed by
 BoundServiceAccountTokenVolume feature gate. But its corresponding bootstrap
 RBAC policy was shadowed by TokenRequest feature gate. This patch fix it.

---
 .../rbac/bootstrappolicy/controller_policy.go |  2 +-
 .../testdata/controller-role-bindings.yaml    | 17 -------------
 .../testdata/controller-roles.yaml            | 25 -------------------
 3 files changed, 1 insertion(+), 43 deletions(-)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index b20c927d0a..71485bc986 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -353,7 +353,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 		})
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
 		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
 			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "root-ca-cert-publisher"},
 			Rules: []rbacv1.PolicyRule{
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
index 4f259b1681..6d5cb73e50 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
@@ -357,23 +357,6 @@ items:
   - kind: ServiceAccount
     name: resourcequota-controller
     namespace: kube-system
-- apiVersion: rbac.authorization.k8s.io/v1
-  kind: ClusterRoleBinding
-  metadata:
-    annotations:
-      rbac.authorization.kubernetes.io/autoupdate: "true"
-    creationTimestamp: null
-    labels:
-      kubernetes.io/bootstrapping: rbac-defaults
-    name: system:controller:root-ca-cert-publisher
-  roleRef:
-    apiGroup: rbac.authorization.k8s.io
-    kind: ClusterRole
-    name: system:controller:root-ca-cert-publisher
-  subjects:
-  - kind: ServiceAccount
-    name: root-ca-cert-publisher
-    namespace: kube-system
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index a853a9d9e9..3344def7c2 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -1031,31 +1031,6 @@ items:
     - create
     - patch
     - update
-- apiVersion: rbac.authorization.k8s.io/v1
-  kind: ClusterRole
-  metadata:
-    annotations:
-      rbac.authorization.kubernetes.io/autoupdate: "true"
-    creationTimestamp: null
-    labels:
-      kubernetes.io/bootstrapping: rbac-defaults
-    name: system:controller:root-ca-cert-publisher
-  rules:
-  - apiGroups:
-    - ""
-    resources:
-    - configmaps
-    verbs:
-    - create
-    - update
-  - apiGroups:
-    - ""
-    resources:
-    - events
-    verbs:
-    - create
-    - patch
-    - update
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:

From 0fac5aaaad0892d711c5840023014aee022d4617 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Osipiuk?= <lukaszos@google.com>
Date: Tue, 27 Nov 2018 12:47:42 +0100
Subject: [PATCH 3/3] Update Cluster Autoscaler version to 1.13.0-rc.2

---
 cluster/gce/manifests/cluster-autoscaler.manifest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cluster/gce/manifests/cluster-autoscaler.manifest b/cluster/gce/manifests/cluster-autoscaler.manifest
index b4f71ac1b0..554d51e8d0 100644
--- a/cluster/gce/manifests/cluster-autoscaler.manifest
+++ b/cluster/gce/manifests/cluster-autoscaler.manifest
@@ -17,7 +17,7 @@
         "containers": [
             {
                 "name": "cluster-autoscaler",
-                "image": "k8s.gcr.io/cluster-autoscaler:v1.12.0",
+                "image": "k8s.gcr.io/cluster-autoscaler:v1.13.0-rc.2",
                 "livenessProbe": {
                     "httpGet": {
                         "path": "/health-check",