Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add configuration item to allow kubeadm join to use a dns name pointing to control plane
This adds a new flag (`--apiserver-advertise-dns-address`) to kubeadm which is used in node kubelet.confg to point to API server allowing users to define a DNS entry instead of an IP address.
Fixeskubernetes/kubeadm#411
```release-note
Adds new flag `--apiserver-advertise-dns-address` which is used in node kubelet.confg to point to API server
```
// @timothysc @craigtracey
Automatic merge from submit-queue (batch tested with PRs 60158, 60156, 58111, 57583, 60055). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add support for /token subresource in serviceaccount registry
I'm planning on implementing the registry bits (this) in one PR and followup with an authenticator that supports new id tokens.
https://github.com/kubernetes/kubernetes/issues/58790
@kubernetes/sig-auth-pr-reviews
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kube-proxy: Fix flag validation for healthz-bind-address and metrics-bind-address
**What this PR does / why we need it**: `--healthz-bind-address` and `--metrics-bind-address` are broken for kube-proxy as they do not allow `ip:port` format, though they claim to support it.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: Fixes#53754
**Special notes for your reviewer**:
cc @ncdc
**Release note**:
```release-note
Fix kube-proxy flags validation for --healthz-bind-address and --metrics-bind-address to allow specifying ip:port.
```
Automatic merge from submit-queue (batch tested with PRs 60148, 60022, 59125, 60068, 60154). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Refactor kubeadm join command generation
**What this PR does / why we need it**:
Creation of the `kubeadm join` command is implemented in three different points of kubeadm:
- `kubeadm init`
- `kubeadm token create`
- `kubeadm phase bootstrap-token create`
This PR refactor above points in order to share a common function for creating the `kubeadm join` command.
**Which issue(s) this PR fixes**:
Fixes [#567](https://github.com/kubernetes/kubeadm/issues/567)
**Special notes for your reviewer**:
While implementing the PR, I changed the order of parameters in `kubeadm join` from:
```
kubeadm join --token 8df4zm.5jyv2nrxb18y84jq 172.31.0.101:6443 --discovery-token-ca-cert-hash sha256:b62e1f70c1c6afebe36bc971b15b90f7e453f1c0fe2ddc4d92e07512f1143194
```
to
```
kubeadm join 172.31.0.101:6443 --token 8df4zm.5jyv2nrxb18y84jq --discovery-token-ca-cert-hash sha256:b62e1f70c1c6afebe36bc971b15b90f7e453f1c0fe2ddc4d92e07512f1143194
```
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60148, 60022, 59125, 60068, 60154). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Deprecate KubeletConfiguration flags
This is a follow-up to #53833 to deprecate the old flags in favor of the
config file.
```release-note
Flags that can be set via the Kubelet's --config file are now deprecated in favor of the file.
```
Automatic merge from submit-queue (batch tested with PRs 58716, 59977, 59316, 59884, 60117). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Cap how long the kubelet waits when it has no client cert
If we go a certain amount of time without being able to create a client
cert and we have no current client cert from the store, exit. This
prevents a corrupted local copy of the cert from leaving the Kubelet in a
zombie state forever. Exiting allows a config loop outside the Kubelet
to clean up the file or the bootstrap client cert to get another client
cert.
Five minutes is a totally arbitary timeout, judged to give enough time for really slow static pods to boot.
@mikedanese
```release-note
Set an upper bound (5 minutes) on how long the Kubelet will wait before exiting when the client cert from disk is missing or invalid. This prevents the Kubelet from waiting forever without attempting to bootstrap a new client credentials.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
oidc authentication: switch to v2 of coreos/go-oidc
Switch to v2 of [coreos/go-oidc](https://github.com/coreos/go-oidc), which uses square/go-jose to verify tokens and supports more signing algorithms.
Most of this PR removes dependencies used by the older version of github.com/coreos/go-oidc, and updates vendor files.
This PR has been tested against tokens issued by Okta, Google, and CoreOS's dex.
Closes https://github.com/kubernetes/kubernetes/issues/57806
```release-note
kube-apiserver: the OpenID Connect authenticator can now verify ID Tokens signed with JOSE algorithms other than RS256 through the --oidc-signing-algs flag.
kube-apiserver: the OpenID Connect authenticator no longer accepts tokens from the Google v3 token APIs, users must switch to the "https://www.googleapis.com/oauth2/v4/token" endpoint.
```
cc @rithujohn191 @liggitt
cc @kubernetes/sig-auth-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 59901, 59302, 59928). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Rename StorageProtection to StorageObjectInUseProtection
Rename StorageProtection to StorageObjectInUseProtection
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#59639
**Special notes for your reviewer**:
**Release note**:
```release-note
Rename StorageProtection to StorageObjectInUseProtection
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add criSocket to kubeadm MasterConfiguration manifest
**What this PR does / why we need it**:
Adds a criSocket field to the MasterConfiguration manifest used by kubeadm. This field configures the cri socket that kubeadm uses during preflight checks.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # kubernetes/kubeadm#679
**Special notes for your reviewer**:
kubeadm does not allow the use of --config and the --cri-socket flag together. When using kubeadm to create a cluster that will not be using docker, the preflight checks fail since this is not configurable. This PR adds the criSocket to the MasterConfiguration manifest and uses that value within the MasterConfiguration if it was provided.
Storing the value of the criSocket within the MasterConfiguration manifest will also make joining additional masters with the proposed 'kubeadm join --master' command by not requiring operators to remember to include an additional flag. This may not be the case if we instead relaxed the constraint of using additional flags when using the --config flag is set.
**Release note**:
/area kubeadm
/assign @luxas
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
```release-note
kubeadm: add criSocket field to MasterConfiguration manifiest
```
Automatic merge from submit-queue (batch tested with PRs 59292, 59600). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add criSocket to kubeadm NodeConfiguration manifest
**What this PR does / why we need it**:
Adds a criSocket field to the NodeConfiguration manifest used by kubeadm. This field configures the cri socket that kubeadm uses during preflight checks.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # kubernetes/kubeadm#679
**Special notes for your reviewer**:
This is a follow up PR, as requested, to https://github.com/kubernetes/kubernetes/pull/59057. The NodeConfiguration manifest now has a criSocket field that can be used when using the config manifest to join a node to the cluster.
**Release note**:
/area kubeadm
/assign @luxas
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
```release-note
kubeadm: add criSocket field to NodeConfiguration manifiest
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Introduce PodSecurityPolicy in the policy/v1beta1 API group
Types/constants are completely the same as in `extensions/v1beta1` except that they are located outside of the `extensions` API group.
**What this PR does / why we need it**:
This is the first step for migrating PSP-related stuff away of `extensions` group. See #43214 for more information.
Also it related to https://github.com/kubernetes/features/issues/5
**Example**:
```console
$ cat restricted2.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted2
...
$ kubectl create -f restricted.yaml
podsecuritypolicy "restricted2" created
$ kubectl get psp restricted2 -o yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
...
```
**Release note**:
```release-note
The `PodSecurityPolicy` API has been moved to the `policy/v1beta1` API group. The `PodSecurityPolicy` API in the `extensions/v1beta1` API group is deprecated and will be removed in a future release.
```
Automatic merge from submit-queue (batch tested with PRs 59391, 58097, 60057, 60090). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add IPv6 to command options.
**What this PR does / why we need it**:
This PR adds IPv6 information to the descriptions for several command options.
[Related PR in kubernetes/website](https://github.com/kubernetes/website/pull/6498)
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update bazelbuild/rules_go, kubernetes/repo-infra, and gazelle dependencies
**What this PR does / why we need it**: updates our bazelbuild/rules_go dependency in order to bump everything to go1.9.4. I'm separating this effort into two separate PRs, since updating rules_go requires a large cleanup, removing an attribute from most build rules.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Deprecate kubelet flag for cadvisor port
**Which issue(s) this PR fixes**:
Issue: #56523
TL;DR the Kubelet's `stats/summary` API is the preferred way of monitoring the node. If you need additional metrics from cAdvisor, it can be run as a daemonset.
**Release note**:
```release-note
Deprecate the kubelet's cadvisor port
```
/assign @mtaufen @tallclair
cc @kubernetes/sig-node-pr-reviews
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Log the command line flags
**What this PR does / why we need it**:
With d7ddcca231, we lost the logging
of the flags. We should at least log what the command line flags
were used to start processes as those incredibly useful for trouble shooting.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/assign @deads2k
/assign @liggitt
**Release note**:
```release-note
NONE
```
With d7ddcca231, we lost the logging
of the flags. We should at least log what the command line flags
were used to start processes as those incredibly useful for trouble shooting.
After a discussion in sig cluster lifecycle we agreed that the passthrough flags should live in phases alpha, and not be 1st class flags.
Relates to kubernetes/kubernetes/pull/58080
Closes kubernetes/kubeadm/issues/676
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Secure Kubelet's componentconfig defaults while maintaining CLI compatibility
This updates the Kubelet's componentconfig defaults, while applying the legacy defaults to values from options.NewKubeletConfiguration(). This keeps defaults the same for the command line and improves the security of defaults when you load config from a file.
See: https://github.com/kubernetes/kubernetes/issues/53618
See: https://github.com/kubernetes/kubernetes/pull/53833#discussion_r166669931
Also moves EnableServer to KubeletFlags, per @tallclair's comments on #53833.
We should find way of generating documentation for config file defaults, so that people can easily look up what's different from flags.
```release-note
Action required: Default values differ between the Kubelet's componentconfig (config file) API and the Kubelet's command line. Be sure to review the default values when migrating to using a config file.
```
Automatic merge from submit-queue (batch tested with PRs 59800, 59817, 59711). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Kubemark using cobra commands
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove CSI plugin from ProbeExpandableVolumePlugins
Add CSI plugin when feature gate is enabled
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig storage
/assign @vladimirvivien
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove experimental keystone authenticator
**What this PR does / why we need it**:
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559
So we don't need this older style / hard coded / experimental code
anymore.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
kube-apiserver: the experimental in-tree Keystone password authenticator has been removed in favor of extensions that enable use of Keystone tokens.
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
controller-manager: switch to options+config pattern and add https+auth
This PR switch the {kube,cloud}-controller-managers to use the Options+Config struct pattern for bootstrapping, as we use it throughout all apiservers. This allows us to easily plug in https and authn/z support.
Fixes parts of https://github.com/kubernetes/kubernetes/issues/59483
This is equivalent to https://github.com/kubernetes/kubernetes/pull/59408 after squashing.
```release-note
Deprecate insecure HTTP port of kube-controller-manager and cloud-controller-manager. Use `--secure-port` and `--bind-address` instead.
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add HTTPProxyCheck to preflight checks for 'kubeadm join' subcommand
**What this PR does / why we need it:**
Add HTTPProxyCheck for API servers
It makes sense to check API servers and print warnings if they're
going to be accessed through proxy. This is similar to what's
already done for 'kubeadm init'.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove bootstrap kubelet config on reset
**What this PR does / why we need it**:
Remove /etc/kubernetes/bootstrap-kubelet.conf when running 'kubeadm reset'
to ensure it will not be reused when joining the cluster next time.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove /ui/ redirect
The existing kube-apiserver hard-codes `/ui` to redirect to an optional add-on, which is not appropriate. It does not work in the following scenarios:
* https-enabled dashboards
* the dashboard is deployed to a different namespace or service name
* the dashboard is not installed at all
* authorization is enabled and does not allow access to /ui
This PR removes the hard-coded `/ui` redirect.
```release-note
apiserver: the /ui kube-dashboard redirect has been removed. Follow instructions specific to your deployment to access kube-dashboard
```
Automatic merge from submit-queue (batch tested with PRs 59767, 56454, 59237, 59730, 55479). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: add configuration option to not taint master
**What this PR does / why we need it**:
Although tainting the master is normally a good and proper thing to do in some situations (docker for mac in our case, but I suppose minikube and such as well) having a single host configuration is desirable.
In linuxkit we have a [workaround](443e47c408/projects/kubernetes/kubernetes/kubeadm-init.sh (L19...L22)) to remove the taint after initialisation. With the change here we could simply populate `/etc/kubeadm/kubeadm.yaml` with `noTaintMaster: true` instead and have it never be tainted in the first place.
I have only added this to the config file and not to the CLI since AIUI the latter is somewhat deprecated.
The code also arranges to _remove_ an existing taint if it is unwanted. I'm unsure if this behaviour is correct or desirable, I think a reasonable argument could be made for leaving an existing taint in place too.
Signed-off-by: Ian Campbell <ijc@docker.com>
**Release note**:
Since the requirement for this option is rather niche and not best practice in the majority of cases I'm not sure if it warrants mentioning in the release notes? If it were then perhaps
```release-note
`kubeadm init` can now omit the tainting of the master node if configured to do so in `kubeadm.yaml`.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove controller-manager --service-sync-period flag
**What this PR does / why we need it**:
This PR removes controller manager --service-sync-period flag which is not used anywhere in the code and is causing confusion
**Which issue(s) this PR fixes**
https://github.com/kubernetes/kubernetes/issues/58776
**Special notes for your reviewer**:
@deads2k this remove the flag as per the discussion on #58776
2 commits
1. one for code change
2. one for auto generated code
**Release note**:
```release-note
1. Controller-manager --service-sync-period flag is removed (was never used in the code).
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Feature Gate - Kubeadm Audit Logging
Fixeskubernetes/kubeadm#623
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This PR enables [Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) behind a featureGate. A user can supply their own audit policy with configuration option as well as a place for the audit logs to live. If no policy is supplied a default policy will be provided. The default policy will log all Metadata level policy logs. It is the example provided in the documentation.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#623
**Special notes for your reviewer**:
**Release note**:
```release-note
kubeadm: Enable auditing behind a feature gate.
```
Although tainting the master is normally a good and proper thing to do in some
situations (docker for mac in our case, but I suppose minikube and such as
well) having a single host configuration is desirable.
In linuxkit we have a [workaround](443e47c408/projects/kubernetes/kubernetes/kubeadm-init.sh (L19...L22))
to remove the taint after initialisation. With the change here we could simply
populate /etc/kubeadm/kubeadm.yaml` with `noTaintMaster: true` instead and have
it never be tainted in the first place.
I have only added this to the config file and not to the CLI since AIUI the
latter is somewhat deprecated.
The code also arranges to _remove_ an existing taint if it is unwanted. I'm
unsure if this behaviour is correct or desirable, I think a reasonable argument
could be made for leaving an existing taint in place too.
Signed-off-by: Ian Campbell <ijc@docker.com>
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: imagePullPolicy option in init config
**What this PR does / why we need it**:
This PR adds `imagePullPolicy` option to the `kubeadm init` configuration file.
The new `imagePullPolicy` option is forwarded to the generated kubelet static pods for etcd, kube-apiserver, kube-controller-manager and kube-scheduler. This option allows for precise image pull policy specification for master nodes and thus for more tight control over images. It is useful in CI environments and in environments, where the user has total control over master VM templates (thus, the master VM templates can be preloaded with the required Docker images for the control plane services).
**Special notes for your reviewer**:
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
/area kubeadm
/assign @luxas
**Release note**:
```release-note
kubeadm: New "imagePullPolicy" option in the init configuration file, that gets forwarded to kubelet static pods to control pull policy for etcd and control plane images.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix all the typos across the project
**What this PR does / why we need it**:
There are lots of typos across the project. We should avoid small PRs on fixing those annoying typos, which is time-consuming and low efficient.
This PR does fix all the typos across the project currently. And with #59463, typos could be avoided when a new PR gets merged.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/sig testing
/area test-infra
/sig release
/cc @ixdy
/assign @fejta
**Release note**:
```release-note
None
```
Audit logs are configurable via the MasterConfiguration file.
All options are ignored unless the FeatureGate is enabled.
Fixeskubernetes/kubeadm#623
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
It makes sense to check all API servers mentioned in the command
line and print warnings if they're going to be accessed through proxy.
This is similar to what's already done for 'kubeadm init'.
Automatic merge from submit-queue (batch tested with PRs 59344, 59595, 59598). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix kubeadm typo
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 59580, 58854). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Prefer apps/v1 storage for daemonsets, deployments, replicasets, statefulsets
The workload API objects went GA in 1.9. This means we can safely begin persisting them in etcd in apps/v1 format in 1.10.
xref #43214
```release-note
DaemonSet, Deployment, ReplicaSet, and StatefulSet objects are now persisted in etcd in apps/v1 format
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove CAdvisorPort from KubeletConfiguration struct
See: #56523, cAdvisor is becoming an implementation detail of
Kubernetes, and we should not canonize its knobs on the
KubeletConfiguration.
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Extract instantiation of cloud provider
**What this PR does / why we need it**:
Add a separate method in a new file for creating cloud providers.
Currently the code is all mixed into the controller manager. We
should actively control what is made available to the cloud provider
so list explicitly the parms needed and move the code out. This will
avoid linkages to sneak in as we will catch it better during reviews.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59190, 59360). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adding benchmarks to envelop encryption integration tests
**What this PR does / why we need it**:
Adding benchmarks for envelop encryption integration tests.
Allows to estimate how envelop encryption may impact the performance of KubeAPI server.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Reimplement 2 tests using fakeexec
**What this PR does / why we need it**:
Used fakeexec API from utils/exec/testing to test
GetKubeletVersion and KubeletVersionCheck APIs without running kubelet.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59054, 59515, 59577). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add 'none' option to EnforceNodeAllocatable
This lets us use omitempty on `EnforceNodeAllocatable`. We shouldn't treat
`nil` as different from `[]T{}`, because this can play havoc with
serializers (a-la #43203).
See: https://github.com/kubernetes/kubernetes/pull/53833#discussion_r166672137
```release-note
'none' can now be specified in KubeletConfiguration.EnforceNodeAllocatable (--enforce-node-allocatable) to explicitly disable enforcement.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove port from HTTPProxyCheck
**What this PR does / why we need it**:
HTTPProxyCheck doesn't use port. It uses proxy related variables
(HTTP_PROXY, NO_PROXY, etc) that only operate with protocol
and host.
Removing port from the check should make it more clear for
user that port is not used as it will not be present in
the check output.
**Release note**:
```release-note
NONE
```
Add a separate method in a new file for creating cloud providers.
Currently the code is all mixed into the controller manager. We
should actively control what is made available to the cloud provider
so list explicitly the parms needed and move the code out. This will
avoid linkages to sneak in as we will catch it better during reviews.
Automatic merge from submit-queue (batch tested with PRs 57824, 58806, 59410, 59280). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
2nd try at using a vanity GCR name
The 2nd commit here is the changes relative to the reverted PR. Please focus review attention on that.
This is the 2nd attempt. The previous try (#57573) was reverted while we
figured out the regional mirrors (oops).
New plan: k8s.gcr.io is a read-only facade that auto-detects your source
region (us, eu, or asia for now) and pulls from the closest. To publish
an image, push k8s-staging.gcr.io and it will be synced to the regionals
automatically (similar to today). For now the staging is an alias to
gcr.io/google_containers (the legacy URL).
When we move off of google-owned projects (working on it), then we just
do a one-time sync, and change the google-internal config, and nobody
outside should notice.
We can, in parallel, change the auto-sync into a manual sync - send a PR
to "promote" something from staging, and a bot activates it. Nice and
visible, easy to keep track of.
xref https://github.com/kubernetes/release/issues/281
TL;DR:
* The new `staging-k8s.gcr.io` is where we push images. It is literally an alias to `gcr.io/google_containers` (the existing repo) and is hosted in the US.
* The contents of `staging-k8s.gcr.io` are automatically synced to `{asia,eu,us)-k8s.gcr.io`.
* The new `k8s.gcr.io` will be a read-only alias to whichever regional repo is closest to you.
* In the future, images will be promoted from `staging` to regional "prod" more explicitly and auditably.
```release-note
Use "k8s.gcr.io" for pulling container images rather than "gcr.io/google_containers". Images are already synced, so this should not impact anyone materially.
Documentation and tools should all convert to the new name. Users should take note of this in case they see this new name in the system.
```
This is the 2nd attempt. The previous was reverted while we figured out
the regional mirrors (oops).
New plan: k8s.gcr.io is a read-only facade that auto-detects your source
region (us, eu, or asia for now) and pulls from the closest. To publish
an image, push k8s-staging.gcr.io and it will be synced to the regionals
automatically (similar to today). For now the staging is an alias to
gcr.io/google_containers (the legacy URL).
When we move off of google-owned projects (working on it), then we just
do a one-time sync, and change the google-internal config, and nobody
outside should notice.
We can, in parallel, change the auto-sync into a manual sync - send a PR
to "promote" something from staging, and a bot activates it. Nice and
visible, easy to keep track of.
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559
So we don't need this older style / hard coded / experimental code
anymore.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Do not recycle volumes that are used by pods
**What this PR does / why we need it**:
Recycler should wait until all pods that use a volume are finished.
Consider this scenario:
1. User creates a PVC that's bound to a NFS PV.
2. User creates a pod that uses the PVC
3. User deletes the PVC.
Now the PV gets `Released` (the PVC does not exists) and recycled, however the PV is still mounted to a running pod. PVC protection won't help us, because it puts finalizers on PVC that is under user's control and user can remove it.
This PR checks that there is no pod that uses a PV before it recycles it.
**Release note**:
```release-note
NONE
```
/sig storage
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update kubeadm supported etcd version to 3.2.14 in 1.10
**What this PR does / why we need it**:
Kubernetes will upgrade to etcd server 3.2.14 in 1.10 cycle (#58645), update DefaultEtcdVersion in kubeadm to this version.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
relevant PR: #57480#58645
fixes: https://github.com/kubernetes/kubeadm/issues/621
**Special notes for your reviewer**:
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
**Release note**:
```release-note
NONE
```
kubeadm don't need to advertise this in release notes.
Automatic merge from submit-queue (batch tested with PRs 59394, 58769, 59423, 59363, 59245). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
IPv6: Ensure calculated node CIDR size for pod subnets is valid
With IPv4, the node CIDR prefix is set to /24, which gives 256 pods per node
and 256 nodes, when assuming a /16 is used for the pod subnet.
For IPv6, the node CIDR prefix, is hard coded to /64. This does not work,
because the pod subnet prefix must be /66 or higher and must be a larger subnet
(lower value) than the node CIDR prefix.
In addition, the bit mask used to track the subnets (implying the number of
nodes), can only handle 32K entries, so the difference between pod subnet
prefix and node CIDR prefix cannot be more than 16 (bits).
To address this, the following algorithm is proposed to provide as many pods
per node as possible, and not exceed the number of nodes.
If the pod subnet prefix is from /66 to /104, we'll set the node CIDR prefix
to 16 more, so that the bit map is not exceeded. The rest of the bits will be
for pods per node.
If the subnet prefix is from /105 to /112, we'll split the available bits
between what is used for the nodes and what is used for the pods per node.
This will give a node CIDR prefix from /116 to /120.
If the subnet prefix is from /113 to /119, we'll do like IPv4 and ensure that
there are 256 pods per node, and the remaining bits will be for the nodes,
giving a node CIDR prefix of /120 always. This supports a limited number of
nodes, in some cases.
If the subnet prefix is /120 to /128, we don't have enough bits and will set
the node CIDR prefix to be the same as the pod subnet prefix. This will cause
a falure later, when it tests that the pod subnet prefix is larger than the
node CIDR prefi.
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58766
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
This adds context to all the relevant cloud provider interface signatures.
Callers of those APIs are currently satisfied using context.TODO().
There will be follow on PRs to push the context through the stack.
For an idea of the full scope of this change please look at PR #58532.
With IPv4, the node CIDR prefix is set to /24, which gives 256 pods per node
and 256 nodes, when assuming a /16 is used for the pod subnet.
For IPv6, the node CIDR prefix, is hard coded to /64. This does not work,
because currently the pod subnet prefix must be /66 or higher and must be a
larger subnet (lower value) than the node CIDR prefix.
In addition, the bit mask used to track the subnets (implying the number of
nodes), can only handle 64K entries, so the difference between pod subnet
prefix and node CIDR prefix cannot be more than 16 (bits). The node CIDR
value needs to support this restriction.
To address this, the following algorithm is proposed...
For pod subnet prefixes of /113 or smaller, the remaining bits will be used
for the node CIDR, in multiples of 8, and 9-16 bits will be reserved for the
nodes, so that there are 512-64K nodes and 256, 512, 768, ... pods/node.
For example, with a pod network of /111, there will be 17 bits available. This
would give 8 bits for pods per node and 9 bits for nodes. The node CIDR would
be /120. For a pod network of /104, there will be 24 bits available. There will
be 8 bits for nodes, and 16 bits for pods/node, using a /112 node CIDR.
If the pod subnet prefix is /112, then the node CIDR will be set to /120, and
256 nodes and 256 pods/node will be available.
If the subnet prefix is /113 to /128, we don't have enough bits and will set
the node CIDR prefix to be the same as the pod subnet prefix. This will cause
a falure later, when it tests that the pod subnet prefix is larger than the
node CIDR prefix.
Automatic merge from submit-queue (batch tested with PRs 51323, 59306, 58991, 59050). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
clean temporary para for require-kubeconfig
**What this PR does / why we need it**:
delete temporary require-kubeconfig
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59165, 59386). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Scheduler - not able to read from config file if configmap is not found
**What this PR does / why we need it**:
As of now, we are not able to read config file if configmap is not present. As of now, the only way to make it work is to enable legacy mode which should not be the case.
xref: https://bugzilla.redhat.com/show_bug.cgi?id=1540785
**Release note**:
```release-note
Scheduler should be able to read from config file if configmap is not present.
```
/cc @bsalamat @ironcladlou
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kube-proxy: fix field name comments & json tags
**What this PR does / why we need it**: correct some minor issues in the comments and json tags for some of the fields in the kube-proxy config structs.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
The udpTimeoutMilliseconds field in the kube-proxy configuration file has been renamed to udpIdleTimeout. Action required: administrators need to update their files accordingly.
```
This was extracted from my currently unmerged f074b28fe9, as requested [here](https://github.com/kubernetes/kubernetes/pull/52198#pullrequestreview-85538637).
@kubernetes/sig-network-pr-reviews @luxas
Automatic merge from submit-queue (batch tested with PRs 59158, 38320, 59059, 55516, 59357). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Promote v1alpha1 meta to v1beta1
No code changes, just renames. We can discuss if there are any field / naming changes here or in a follow-up
Parent #58536Fixes#53224
Prereq to #55637
@kubernetes/sig-api-machinery-pr-reviews @deads2k
```release-note
The `meta.k8s.io/v1alpha1` objects for retrieving tabular responses from the server (`Table`) or fetching just the `ObjectMeta` for an object (as `PartialObjectMetadata`) are now beta as part of `meta.k8s.io/v1beta1`. Clients may request alternate representations of normal Kubernetes objects by passing an `Accept` header like `application/json;as=Table;g=meta.k8s.io;v=v1beta1` or `application/json;as=PartialObjectMetadata;g=meta.k8s.io;v1=v1beta1`. Older servers will ignore this representation or return an error if it is not available. Clients may request fallback to the normal object by adding a non-qualified mime-type to their `Accept` header like `application/json` - the server will then respond with either the alternate representation if it is supported or the fallback mime-type which is the normal object response.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add PV size grow feature for azure file
**What this PR does / why we need it**:
According to kubernetes/features#284, add size grow feature for azure file
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#56462
**Special notes for your reviewer**:
Since azure file is using SMB 3.0 protocal, there is no necessary to resize filesystem on agent side, the agent node will detect the changed size automatically.
**Release note**:
```
add size grow feature for azure file
```
/sig azure
@gnufied @rootfs @brendandburns
If we go a certain amount of time without being able to create a client
cert and we have no current client cert from the store, exit. This
prevents a corrupted local copy of the cert from leaving the Kubelet in a
zombie state forever. Exiting allows a config loop outside the Kubelet
to clean up the file or the bootstrap client cert to get another client
cert.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm init: skip checking cri socket in preflight checks
**What this PR does / why we need it**:
`kubeadm init` does not need to require `dockershim.sock` to be present.
Remove the check for `dockershim.sock`.
xref #55055
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#657
**Special notes for your reviewer**:
/area kubeadm
/kind bug
/assign @luxas
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
**Release note**:
```release-note
kubeadm init: skip checking cri socket in preflight checks
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Postpone PV deletion with finalizer when it is being used
Postpone PV deletion if it is bound to a PVC
xref: https://github.com/kubernetes/community/pull/1608
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#33355
**Special notes for your reviewer**:
**Release note**:
```release-note
Postpone PV deletion when it is being bound to a PVC
```
WIP, assign to myself first
/assign @NickrenREN
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add V1beta1 VolumeAttachment API
**What this PR does / why we need it**:
Add V1beta1 VolumeAttachment API, co-existing with Alpha API object
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58461
**Special notes for your reviewer**:
**Release note**:
```release-note
Add V1beta1 VolumeAttachment API, co-existing with Alpha API object
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add call to addCredentialProviderFlags
**What this PR does / why we need it**:
Credential flags such as 'azure-container-registry-config' are still in use, call addCredentialProviderFlags to hook it up.
See:
https://github.com/kubernetes/kubernetes/pull/56995#issuecomment-361483382
**Which issue(s) this PR fixes**
Follow up of #56995
**Special notes for your reviewer**:
/assign @mtaufen @liggitt
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
refactor aggregator api group install
**What this PR does / why we need it**:
refactor aggregator apigroup install. move NewRESTStorage to
`staging/src/k8s.io/kube-aggregator/pkg/registry/apiservice/rest/storage_apiservice.go`
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix PodPidsLimit and ConfigTrialDuration on internal KubeletConfig type
They should both follow the convention of not being a pointer on the internal type.
This required adding a conversion function between `int64` and `*int64`. A side effect is this removes a warning in the generated code for the apps API group.
@dims
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Include `upstream` option in CoreDNS
**What this PR does / why we need it**:
Including `upstream` as a default in the manifest and keep in sync with the default CoreDNS manifest.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#57785
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix adding FileContentCheck
**What this PR does / why we need it**:
Current code adds FileContentCheck only for the first API
Server mentioned in the command line. The test is never added
as net.ParseIP always fails because address:port is passed
to it instead of just an address.
Fixed both issues by introducing a loop over all API Servers
and splitting address:port before passing address to the
net.ParseIP API.
**Release note**:
```release-note
NONE
```
They should both follow the convention of not being a pointer on the
internal type. This required adding a conversion function between
`int64` and `*int64`.
A side effect is this removes a warning in the generated code for the
apps API group.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kube-apiserver flag --admision-control is deprecated, use the new --e…
…nable-admission-plugins
**What this PR does / why we need it**:
1. As #58123 mark kube-apiserver flag `admission-control` deprecated, replace it in some places.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @liggitt @deads2k @sttts
This check doesn't use port. It uses proxy related variables
(HTTP_PROXY, NO_PROXY, etc) that only operate with protocol
and host.
Removing port from the check should make it more clear for
user that port is not used as it will not be present in
the check output.
This changes the Kubelet configuration flag precedence order so that
flags take precedence over config from files/ConfigMaps.
See #56171 for rationale.
Note: Feature gates accumulate with the following
precedence (greater number overrides lesser number):
1. file-based config
2. dynamic cofig
3. flag-based config
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove deprecated --require-kubeconfig flag, remove default --kubeconfig value
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#41161
**Special notes for your reviewer**:
**Release note**:
```release-note
Remove deprecated --require-kubeconfig flag, remove default --kubeconfig value
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use SSH tunnel for webhook communication iff the webhook is deployed as a service
**What this PR does / why we need it**:
We are getting the following error when the apiserver connects the webhook on localhost (configured via URL). We should only use the SSL tunnel for the connections to nodes when the webhooks are running as services.
```
I0119 17:41:18.678436 1 ssh.go:400] [4cdf44753cc3705d: localhost:10258] Dialing...
W0119 17:41:18.678483 1 ssh.go:424] SSH tunnel not found for address "localhost", picking random node
I0119 17:41:18.679810 1 ssh.go:402] [4cdf44753cc3705d: localhost:10258] Dialed in 1.398691ms.
W0119 17:41:18.679928 1 admission.go:256] Failed calling webhook, failing closed xxx: failed calling admission webhook "xxx": Post xxx: ssh: rejected: connect failed (Connection refused)
I0119 17:41:18.680346 1 wrap.go:42] POST /api/v1/namespaces/kube-system/pods: (5.725588ms) 500
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # https://github.com/kubernetes/kubernetes/issues/58779
**Special notes for your reviewer**:
**Release note**:
```release-note
kube-apiserver is changed to use SSH tunnels for webhook iff the webhook is not directly routable from apiserver's network environment.
```
/assign @lavalamp @caesarxuchao @cheftako
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Removal of KubeletConfigFile feature gate: Step 1
This feature gate was redundant with the `--config` flag, which already
enables/disables loading Kubelet config from a file.
Since the gate guarded an alpha feature, removing it is not a violation
of our API guidelines.
Some stuff in `kubernetes/test-infra` currently sets the gate,
so removing will be a 3 step process:
1. This PR, which makes the gate a no-op.
2. Stop setting the gate in `kubernetes/test-infra`.
3. Completely remove the gate (this PR will get the release note).
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55792, 58342). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Promote Statefulset controller and its e2e tests to use apps/v1
**What this PR does / why we need it**:
Promotes the statefulset controller to use to use the latest apps group [apps/v1](https://github.com/kubernetes/kubernetes/pull/53679)
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # https://github.com/kubernetes/kubernetes/issues/55714
**Special notes for your reviewer**:
* Listerexpansion for v1 `k8s.io/client-go/listers/apps/v1` (was recently done for v1beta2)
* `v1beta2` && `v1` had `ObservedGeneration` as `int64` where as `v1beta1` and rest of the code (including conversion) is expecting `ObservedGeneration` to be `*int64`
```
type StatefulSetStatus struct {
// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
// StatefulSet's generation, which is updated on mutation by the API Server.
// +optional
ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
```
* for kubectl's `rollback` and `history` commands a couple functions have been duplicated to allow us to use `v1` version instead of `v1beta1` for statefulsets, while the older functions are still used by other controllers.
We should be able to remove these duplicates once all the controllers are moved.
If this aligns with the plan then i could move other controllers too.
cc: @kow3ns
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58518, 58771, 58101, 56829). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix typo
**What this PR does / why we need it**:
Fix a typo (evalutated -> evaluated).
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
I didn't touch pkg/generated/bindata.go and k8s.mo. Should I regenerate them in this PR?
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57973, 57990). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Set pids limit at pod level
**What this PR does / why we need it**:
Add a new Alpha Feature to set a maximum number of pids per Pod.
This is to allow the use case where cluster administrators wish
to limit the pids consumed per pod (example when running a CI system).
By default, we do not set any maximum limit, If an administrator wants
to enable this, they should enable `SupportPodPidsLimit=true` in the
`--feature-gates=` parameter to kubelet and specify the limit using the
`--pod-max-pids` parameter.
The limit set is the total count of all processes running in all
containers in the pod.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#43783
**Special notes for your reviewer**:
**Release note**:
```release-note
New alpha feature to limit the number of processes running in a pod. Cluster administrators will be able to place limits by using the new kubelet command line parameter --pod-max-pids. Note that since this is a alpha feature they will need to enable the "SupportPodPidsLimit" feature.
```
Automatic merge from submit-queue (batch tested with PRs 58626, 58791). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
serviceaccount: check token is issued by correct iss before verifying
Right now if a JWT for an unknown issuer, for any subject hits the
serviceaccount token authenticator, we return a errors as if the token
was meant for us but we couldn't find a key to verify it. We should
instead return nil, false, nil.
This change helps us support multiple service account token
authenticators with different issuers.
https://github.com/kubernetes/kubernetes/issues/58790
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
uniquify resource lock identities
Resource lock identities on the same host were not unique. This keeps the hostname (that's valuable), but also adds a UUID so that you can start a process twice on the same host and not end up with two processes trying to lead.
@kubernetes/sig-api-machinery-bugs @liggitt @smarterclayton
Current code adds FileContentCheck only for the first API
Server mentioned in the command line. The test is never added
as net.ParseIP always fails because <address>:<port> is passed
to it instead of <address>.
Fixed both issues by introducing a loop over all API Servers
and splitting <address>:<port> before passing <address> to the
net.ParseIP API.
Right now if a JWT for an unknown issuer, for any subject hits the
serviceaccount token authenticator, we return a errors as if the token
was meant for us but we couldn't find a key to verify it. We should
instead return nil, false, nil.
This change helps us support multiple service account token
authenticators with different issuers.
Automatic merge from submit-queue (batch tested with PRs 58259, 58664). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Support out-of-tree / external cloud providers
**What this PR does / why we need it**:
Currently kubeadm fails in preflight check. We should allow external cloud providers
```
[preflight] Starting the kubelet service
cloudprovider: Invalid value: "external": cloudprovider not supported
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Added support for external cloud providers in kubeadm
```
This feature gate was redundant with the `--config` flag, which already
enables/disables loading Kubelet config from a file.
Since the gate guarded an alpha feature, removing it is not a violation
of our API guidelines.
Some stuff in `kubernetes/test-infra` currently sets the gate,
so removing will be a 3 step process:
1. This PR, which makes the gate a no-op.
2. Stop setting the gate in `kubernetes/test-infra`.
3. Completely remove the gate.
Automatic merge from submit-queue (batch tested with PRs 58547, 57228, 58528, 58499, 58618). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add TLS min version flag
Adds a flag for controlling the minimum TLS level allowed.
/assign liggitt
@kubernetes/sig-node-pr-reviews @k8s-mirror-api-machinery-pr-reviews
```release-note
--tls-min-version on kubelet and kube-apiserver allow for configuring minimum TLS versions
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
dockershim: remove the use of kubelet's internal API
We let dockershim implement the kubelet's internal (CRI) API as an
intermediary step before transitioning fully to communicate using gRPC.
Now that kubelet has been communicating to the runtime over gRPC for
multiple releases, we can safely retire the extra interface in
dockershim.
This PR also moves the legacy functions to a separate file and clean up
the interfaces.
Automatic merge from submit-queue (batch tested with PRs 53895, 58013, 58466, 58531, 58535). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[kubeadm] Bump kube-dns to 1.14.8
**What this PR does / why we need it**:
Bump kube-dns to 1.14.8 for kubeadm. Ref https://github.com/kubernetes/kubernetes/pull/57918.
cc @rramkumar1
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Utilize transport defaults from API machinery for http calls inside kubeadm
**What this PR does / why we need it**:
Default Go HTTP transport does not allow to use CIDR notations in
NO_PROXY variables, thus for certain HTTP calls that is done inside
kubeadm user needs to put explicitly multiple IP addresses. For most of
calls done via API machinery it is get solved by setting different Proxy
resolver. This patch allows to use CIDR notations in NO_PROXY variables
for currently all other HTTP calls that is made inside kubeadm.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes/kubeadm#324
**Special notes for your reviewer**:
Based on discussion in #52788, replacing this patch replacing all calls inside kubeadm that are done via DefaultTransport to explicitly defined and initialized with API machinery defaults Transport and http client.
**Release note**:
```release-note
- kubeadm now supports CIDR notations in NO_PROXY environment variable
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Allows to specify custom flag values for control plane components
This makes it possible to override / add flag values to the k8s api server, controller manager and scheduler components on `kubeadm init` and `kubeadm alpha controlplane <component>`
**What this PR does / why we need it**:
This PR makes kubeadm a little more flexible by allowing to specify flag values (or override kubeadm defaults) for the control plane components.
One good example is to deploy Kubernetes with a different admission-control flag on API server
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58072
**Special notes for your reviewer**:
Not sure about what should be fixed. The PR merely adds flags to the CLI exposing existing functionality (which I suppose is already tested)
**Release note**:
```release-note
kubeadm now accept `--apiserver-extra-args`, `--controller-manager-extra-args` and `--scheduler-extra-args` to override / specify additional flags for control plane components
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
improve error message for expired tokens
**What this PR does / why we need it**:
When you join a node with a expired tokens, you can get fuzz error messages: `[discovery] Failed to connect to API Server "<cluster-ip>:6443": there is no JWS signed token in the cluster-info ConfigMap. This token id "c33826" is invalid for this cluster, can't connect`, we should improve it.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes [https://github.com/kubernetes/kubeadm/issues/630](https://github.com/kubernetes/kubeadm/issues/630)
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58446, 58459, 58340). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
handle scheduler without exposed ports
Plumbs the scheduler port opt out more completely. When the metrics server was added, the deprecated paths forgot about it.
Automatic merge from submit-queue (batch tested with PRs 58496, 58078, 58123). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
refactor admission flag
**What this PR does / why we need it**:
Refactor admission control flag, finally make cluster admins not care about orders in this flag.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Add `--enable-admission-plugin` `--disable-admission-plugin` flags and deprecate `--admission-control`.
Afterwards, don't care about the orders specified in the flags.
```
This makes it possible to override / add flag values to the k8s api server, controller manager and scheduler components on `kubeadm init` and `kubeadm alpha controlplane <component>`
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Kubeadm: clean up MarshalToYamlForCodecs
Proxy will use PrintBytesWithLinePrefix to indent.
**What this PR does / why we need it**:
This removed the function MarshalToYamlForCodecsWithShift() and the proxy
code will use PrintBytesWithLinePrefix() to shift over the yaml lines.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#57907
**Special notes for your reviewer**:
**Release note**:
```release-note-none
```
Automatic merge from submit-queue (batch tested with PRs 58488, 58360). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add get volumeattachment to the node authorizer
Fixes#58355
Adds `get volumeattachment` authorization for nodes to the node authorizer when the CSI feature is enabled
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable privileged containers for apiserver and controller
**What this PR does / why we need it**:
In OpenStack environment, when there is no metadata service, we
look at the config drive to figure out the metadata. Since we need
to run commands like blkid, we need to ensure that api server and
kube controller are running in the privileged mode.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#47392
Fixes https://github.com/kubernetes/kubeadm/issues/588
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix issue when using OpenStack config drive for node metadata
```
In OpenStack environment, when there is no metadata service, we
look at the config drive to figure out the metadata. Since we need
to run commands like blkid, we need to ensure that api server and
kube controller are running in the privileged mode.
So add a new field in MasterConfiguration for specifying that the
api server and controller manager (s) need extra privileges. Added
a TODO to remove this code when we fully yank out cloud provider
specific calls from these processes.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix some bad url
**What this PR does / why we need it**:
fix some bad url
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update vendor spf13/cobra to enforce required flags
**What this PR does / why we need it**:
spf13/cobra#502 has enforced checking flags that marked as required, an error will be raised if unset.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:fixes #54855
xref #48400fixeskubernetes/kubectl#121
**Special notes for your reviewer**:
/assign @liggitt @eparis
**Release note**:
```release-note
kubectl now enforces required flags at a more fundamental level
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Support for custom tls cipher suites in api server and kubelet
**What this PR does / why we need it**:
This pull request aims to solve the problem of users not able to set custom cipher suites in the api server.
Several users have requested this given that some default ciphers are vulnerable.
There is a discussion in #41038 of how to implement this. The options are:
- Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
- Letting the user set them by parameter, this requires adding a new parameter that could be pretty long with the list of all the ciphers.
I implemented the second option, if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).
**Which issue this PR fixes**
fixes#41038
**Special notes for your reviewer**:
The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the `type CipherSuitesFlag` to support that conversion/mapping, because i couldn't find any way to do this type of reflection in Go.
If you think there is another way to implement this, let me know.
If you want to test it out, this is a ciphers combination i tested without the weak ones:
```
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
```
If this is merged i will implement the same for the Kubelet.
**Release note**:
```release-note
kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable ValidatingAdmissionWebhook and MutatingAdmissionWebhook in kubeadm from v1.9
**What this PR does / why we need it**:
Since 1.9, `ValidatingAdmissionWebhook` and `MutatingAdmissionWebhook` are beta. Kubeadm should enable them by default.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#642
**Special notes for your reviewer**:
/assign @luxas
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
**Release note**:
```release-note
Enable ValidatingAdmissionWebhook and MutatingAdmissionWebhook in kubeadm from v1.9
```
Automatic merge from submit-queue (batch tested with PRs 58411, 58407, 52863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
low hanging fruit for using cobra commands
This makes the simple updates to use cobra commands instead of individual ones
/assign liggitt
/assign ncdc
/assign sttts
Automatic merge from submit-queue (batch tested with PRs 58375, 58306, 58386, 57420, 58035). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Track run status explicitly rather than non-nil check on stopCh
Fixes#57044
GC and quota controllers use a non-nil stop channel as a signal Run() has been called, so ensure that condition holds even when a nil stop channel is passed in
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Allow version arg to be optional in "kubeadm upgrade apply"
**What this PR does / why we need it**:
This PR make the version arg optional if --config is specified and .KuberneteVersion is available.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes https://github.com/kubernetes/kubeadm/issues/460
**Special notes for your reviewer**:
```release-note
Allow version arg in kubeadm upgrade apply to be optional if config file already have version info
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add comments for explaining the group/version fields
**What this PR does / why we need it**:
This PR adds comments for explaining group/version fields. This is my understanding of what @deads2k told me today. Please, correct me if I'm wrong or you see how it can be further improved.
I didn't find where it's documented, so I hope that this PR makes it easy for other new contributors addition of new APIs.
**Release note**:
```release-note
NONE
```
PTAL @deads2k
CC @simo5
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
use shared informers for BootstrapSigner controller
**What this PR does / why we need it**:
fix TODO: Switch to shared informers
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Add a new Alpha Feature to set a maximum number of pids per Pod.
This is to allow the use case where cluster administrators wish
to limit the pids consumed per pod (example when running a CI system).
By default, we do not set any maximum limit, If an administrator wants
to enable this, they should enable `SupportPodPidsLimit=true` in the
`--feature-gates=` parameter to kubelet and specify the limit using the
`--pod-max-pids` parameter.
The limit set is the total count of all processes running in all
containers in the pod.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Print the full path of Kubeconfig files.
**What this PR does / why we need it**:
kubeadm init:
```
[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"
```
It'd be good to print the path of the KubeConfig files in case users want to view the content of these files.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubeadm/issues/656
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
make controller port exposure optional
Makes it possible to disable the http server part of controllers if a user wishes.
Automatic merge from submit-queue (batch tested with PRs 57733, 57613, 57953). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Explicit kubelet flags
The Kubelet was using the global flag set.
Libraries also often use the global flag set.
There are flags in the Kubelet's usage statement for which the Kubelet does not control registration.
This is bad, we must have full control of our command-line API.
This PR puts a stop to it.
I worked through the Kubelet's usage printout and tracked down the flags.
In the below list, flags with checkboxes are one of:
- explicitly **registered** in this PR
- thought about and outright **rejected**
- thought about and **registered-deprecated** for legacy reasons
For the others we need to figure out whether they should be **registered** or **rejected** or **registered-deprecated**.
### cadvisor:
grep commands, for reference:
```
# flag definitions in cadvisor
git grep -E "\"application_metrics_count_limit\"|\"boot_id_file\"|\"container_hints\"|\"containerd\"|\"docker\"|\"docker_env_metadata_whitelist\"|\"docker_only\"|\"docker_root\"|\"docker-tls\"|\"docker-tls-ca\"|\"docker-tls-cert\"|\"docker-tls-key\"|\"enable_load_reader\"|\"event_storage_age_limit\"|\"event_storage_event_limit\"|\"global_housekeeping_interval\"|\"housekeeping_interval\"|\"log_cadvisor_usage\"|\"machine_id_file\"|\"storage_driver_buffer_duration\"|\"storage_driver_db\"|\"storage_driver_host\"|\"storage_driver_password\"|\"storage_driver_secure\"|\"storage_driver_table\"|\"storage_driver_user\"" -- vendor/github.com/google/cadvisor
# flag invocations
git grep -E "\--application_metrics_count_limit|--boot_id_file|--container_hints|--containerd|--docker|--docker_env_metadata_whitelist|--docker_only|--docker_root|--docker_tls|--docker_tls_ca|--docker_tls_cert|--docker_tls_key|--enable_load_reader|--event_storage_age_limit|--event_storage_event_limit|--global_housekeeping_interval|--housekeeping_interval|--log_cadvisor_usage|--machine_id_file|--storage_driver_buffer_duration|--storage_driver_db|--storage_driver_host|--storage_driver_password|--storage_driver_secure|--storage_driver_table|--storage_driver_user" -- ':(exclude)pkg/generated/bindata.go' ':(exclude)Godeps' ':(exclude)CHANGELOG*' ':(exclude)vendor'
# normalized flag invocations
git grep -E "\--application-metrics-count-limit|--boot-id-file|--container-hints|--containerd|--docker|--docker-env-metadata-whitelist|--docker-only|--docker-root|--docker-tls|--docker-tls-ca|--docker-tls-cert|--docker-tls-key|--enable-load-reader|--event-storage-age-limit|--event-storage-event-limit|--global-housekeeping-interval|--housekeeping-interval|--log-cadvisor-usage|--machine-id-file|--storage-driver-buffer-duration|--storage-driver-db|--storage-driver-host|--storage-driver-password|--storage-driver-secure|--storage-driver-table|--storage-driver-user" -- ':(exclude)pkg/generated/bindata.go' ':(exclude)Godeps' ':(exclude)CHANGELOG*' ':(exclude)vendor'
# flag names
git grep -E "application_metrics_count_limit|boot_id_file|container_hints|containerd|docker|docker_env_metadata_whitelist|docker_only|docker_root|docker_tls|docker_tls_ca|docker_tls_cert|docker_tls_key|enable_load_reader|event_storage_age_limit|event_storage_event_limit|global_housekeeping_interval|housekeeping_interval|log_cadvisor_usage|machine_id_file|storage_driver_buffer_duration|storage_driver_db|storage_driver_host|storage_driver_password|storage_driver_secure|storage_driver_table|storage_driver_user" ':(exclude)pkg/generated/bindata.go' ':(exclude)Godeps' ':(exclude)CHANGELOG*' ':(exclude)vendor'
# normalized flag names
git grep -E "application-metrics-count-limit|boot-id-file|container-hints|containerd|docker|docker-env-metadata-whitelist|docker-only|docker-root|docker-tls|docker-tls-ca|docker-tls-cert|docker-tls-key|enable-load-reader|event-storage-age-limit|event-storage-event-limit|global-housekeeping-interval|housekeeping-interval|log-cadvisor-usage|machine-id-file|storage-driver-buffer-duration|storage-driver-db|storage-driver-host|storage-driver-password|storage-driver-secure|storage-driver-table|storage-driver-user" ':(exclude)pkg/generated/bindata.go' ':(exclude)Godeps' ':(exclude)CHANGELOG*' ':(exclude)vendor'
# normalized and underscore names combined
git grep -E "application_metrics_count_limit|boot_id_file|container_hints|containerd|docker|docker_env_metadata_whitelist|docker_only|docker_root|docker_tls|docker_tls_ca|docker_tls_cert|docker_tls_key|enable_load_reader|event_storage_age_limit|event_storage_event_limit|global_housekeeping_interval|housekeeping_interval|log_cadvisor_usage|machine_id_file|storage_driver_buffer_duration|storage_driver_db|storage_driver_host|storage_driver_password|storage_driver_secure|storage_driver_table|storage_driver_user|application-metrics-count-limit|boot-id-file|container-hints|containerd|docker-env-metadata-whitelist|docker-only|docker-root|docker-tls|docker-tls-ca|docker-tls-cert|docker-tls-key|enable-load-reader|event-storage-age-limit|event-storage-event-limit|global-housekeeping-interval|housekeeping-interval|log-cadvisor-usage|machine-id-file|storage-driver-buffer-duration|storage-driver-db|storage-driver-host|storage-driver-password|storage-driver-secure|storage-driver-table|storage-driver-user" ':(exclude)pkg/generated/bindata.go' ':(exclude)Godeps' ':(exclude)CHANGELOG*' ':(exclude)vendor'
```
- [x] --docker-root (**registered** - this is used in `cluster/saltbase/salt/kubelet/default`)
- [x] --housekeeping-interval (**registered** - e2e node tests rely on this (`test/e2e_node/resource_collector.go`))
- [x] --application-metrics-count-limit (**registered-deprecated** - temporarily register for legacy)
- [x] --boot-id-file (**registered-deprecated** - temporarily register for legacy)
- [x] --container-hints (**registered-deprecated** - temporarily register for legacy)
- [x] --containerd (**registered-deprecated** - temporarily register for legacy)
- [x] --docker (**registered-deprecated** - temporarily register for legacy)
- [x] --docker-env-metadata-whitelist (**registered-deprecated** - temporarily register for legacy)
- [x] --docker-only (**registered-deprecated** - temporarily register for legacy)
- [x] --docker-tls (**registered-deprecated** - temporarily register for legacy)
- [x] --docker-tls-ca (**registered-deprecated** - temporarily register for legacy)
- [x] --docker-tls-cert (**registered-deprecated** - temporarily register for legacy)
- [x] --docker-tls-key (**registered-deprecated** - temporarily register for legacy)
- [x] --enable-load-reader (**registered-deprecated** - temporarily register for legacy)
- [x] --event-storage-age-limit (**registered-deprecated** - the Kubelet overrides the default via the global flagset (`pkg/kubelet/cadvisor/cadvisor_linux.go`), but nothing else in core repo provides)
- [x] --event-storage-event-limit (**registered-deprecated** - the Kubelet overrides the default via the global flagset (`pkg/kubelet/cadvisor/cadvisor_linux.go`), but nothing else in core repo provides)
- [x] --global-housekeeping-interval (**registered-deprecated** - temporarily register for legacy)
- [x] --log-cadvisor-usage (**registered-deprecated** - temporarily register for legacy)
- [x] --machine-id-file (**registered-deprecated** - temporarily register for legacy)
- [x] --storage-driver-user (**registered-deprecated** - temporarily register for legacy)
- [x] --storage-driver-password (**registered-deprecated** - temporarily register for legacy)
- [x] --storage-driver-host (**registered-deprecated** - temporarily register for legacy)
- [x] --storage-driver-db (**registered-deprecated** - temporarily register for legacy)
- [x] --storage-driver-table (**registered-deprecated** - temporarily register for legacy)
- [x] --storage-driver-secure (**registered-deprecated** - temporarily register for legacy)
- [x] --storage-driver-buffer-duration (**registered-deprecated** - temporarily register for legacy)
### pkg/apiserver/util/logs:
- [x] --log-flush-frequency (**registered** - like the glog flags, this is probably useful)
### pkg/credentialprovider/azure/azure_credentials.go:
- [x] --azure-container-registry-config (**registered** - This isn't quite as straightforward as --google-json-key, because the file it points to isn't static. For now we will just register, and we will deprecate it when there is an alternative. See below comments.)
### pkg/credentialprovider/gcp/jwt.go:
- [x] --google-json-key (**registered-deprecated** - This is really old legacy stuff to allow kubelets to authenticate with gcr (see: d5e0054eb0). See @liggit's below comment for what should be used instead.)
### pkg/cloudprovider/providers/gce/gce_loadbalancer.go:
- [x] --cloud-provider-gce-lb-src-cidrs (**rejected** - Kubelet doesn't need to know about the cidrs that were opened in the firewall for the load balancer)
### glog:
I registered all of these, since this logging library is used pretty much everywhere in the Kubelet, and all of its toggles are probably useful.
- [x] --logtostderr (**registered**)
- [x] --alsologtostderr (**registered**)
- [x] -v, --v (**registered**)
- [x] --stderrthreshold (**registered**)
- [x] --vmodule (**registered**)
- [x] --log-backtrace-at (**registered**)
- [x] --log-dir (**registered**)
### verflag:
This is how you get the Kubelet's version, absolutely necessary to register this.
- [x] --version (**registered**)
```release-note
The Kubelet now explicitly registers all of its command-line flags with an internal flagset, which prevents flags from third party libraries from unintentionally leaking into the Kubelet's command-line API. Many unintentionally leaked flags are now marked deprecated, so that users have a chance to migrate away from them before they are removed. One previously leaked flag, --cloud-provider-gce-lb-src-cidrs, was entirely removed from the Kubelet's command-line API, because it is irrelevant to Kubelet operation.
```
Thanks to @liggitt for being surprised that we didn't already do this.
Thanks to @dashpole for realizing cadvisor flags were leaked after seeing #55863.
Thanks to @tallclair who recognized this problem a long time ago in #19432.
This explicitly registers Kubelet flags from libraries that were
registering flags globally, and stops parsing the global flag set.
In general, we should always be explicit about flags we register
and parse, so that we maintain control over our command-line API.
Automatic merge from submit-queue (batch tested with PRs 56290, 57984). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: more random tokens
The strategy of hex encoding a random byte array only uses the
following characters:
0123456789abcdef
Instead of the entire bootstrapping token character set:
0123456789abcdefghijklmnopqrstuvwxyz
Update the token generation to use the entire character set. This
increases the token secret from 48 bits of entropy to ~82 bits.
256^8 (1.8e+19) vs. 36^16 (7.9e+24).
Noticed this writing https://github.com/kubernetes-incubator/bootkube/pull/663
```release-note
NONE
```
/cc @mattmoyer @luxas
Automatic merge from submit-queue (batch tested with PRs 56290, 57984). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Refactoring ValidateUsages for bootstrap tokens.
**What this PR does / why we need it**:
Refactoring and cleanup.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/cc @luxas @jbeda
**Release note**:
```release-note
NONE
```
The strategy of hex encoding a random byte array only uses the
following characters:
0123456789abcdef
Instead of the entire bootstrapping token character set:
0123456789abcdefghijklmnopqrstuvwxyz
Update the token generation to use the entire character set. This
increases the token secret from 48 bits of entropy to ~82 bits.
256^8 (1.8e+19) vs. 36^16 (7.9e+24).
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove mikedanese from kubeadm owners since he's no longer actively working on the project
**What this PR does / why we need it**: OWNERS file cleanup.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix `kubeadm upgrade` error while CoreDNS is installed
**What this PR does / why we need it**:
In the scenario when I have CoreDNS installed via `kubeadm init` and I want to continue using CoreDNS after `kubeadm upgrade`, the upgrade is unsuccessful and it gives an error.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#641
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Move scheduler out of plugin directory
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
This is but one step toward resolving the referenced issue.
/ref #57579
**Special notes for your reviewer**:
**Release note**:
```release-note
Default scheduler code is moved out of the plugin directory.
plugin/pkg/scheduler -> pkg/scheduler
plugin/cmd/kube-scheduler -> cmd/kube-scheduler
```
/sig scheduling
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: set kube-apiserver advertise address using downward API
**What this PR does / why we need it**:
Sets kube-apiserver --advertise-address using downward API for self-hosted Kubernetes with kubeadm.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # https://github.com/kubernetes/kubeadm/issues/400
**Special notes for your reviewer**:
@luxas mentioned something about losing the ability to customize advertise address via kubeadm, didn't really take that into consideration yet but I can definitely make the necessary changes if needed.
**Release note**:
```release-note
kubeadm: set kube-apiserver advertise address using downward API
```
This moves plugin/pkg/scheduler to pkg/scheduler and
plugin/cmd/kube-scheduler to cmd/kube-scheduler.
Bulk of the work was done with gomvpkg, except for kube-scheduler main
package.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Split the NodeController into lifecycle and ipam pieces.
**What this PR does / why we need it**: Separates node controller into ipam and lifecycle components.
Prepatory work for removing cloud provider dependency from node
controller running in Kube Controller Manager. Splitting the node
controller into its two major pieces life-cycle and CIDR/IP
management. Both pieces currently need the the cloud system to do their work.
Removing lifecycles dependency on cloud will be fixed ina followup PR.
Moved node scheduler code to live with node lifecycle controller.
Got the IPAM/Lifecycle split completed. Still need to rename pieces.
Made changes to the utils and tests so they would be in the appropriate
package.
Moved the node based ipam code to nodeipam.
Made the relevant tests pass.
Moved common node controller util code to nodeutil.
Removed unneeded pod informer sync from node ipam controller.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #https://github.com/kubernetes/kubernetes/issues/52369
**Special notes for your reviewer**:
**Release note**:
```release-note
None
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump pause container used by kubelet and tests to 3.1
This updates the version of the pause container used by the kubelet and
various test utilities to 3.1.
**What this PR does / why we need it**: The pause container hasn't been rebuilt in quite a while and needs an update to reap zombies (#50865) and for schema2 manifest (#56253).
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#50865, Fixes#56253
**Special notes for your reviewer**:
**Release note**:
```release-note
The kubelet uses a new release 3.1 of the pause container with the Docker runtime. This version will clean up orphaned zombie processes that it inherits.
```
Prepatory work fpr removing cloud provider dependency from node
controller running in Kube Controller Manager. Splitting the node
controller into its two major pieces life-cycle and CIDR/IP
management. Both pieces currently need the the cloud system to do their work.
Removing lifecycles dependency on cloud will be fixed ina followup PR.
Moved node scheduler code to live with node lifecycle controller.
Got the IPAM/Lifecycle split completed. Still need to rename pieces.
Made changes to the utils and tests so they would be in the appropriate
package.
Moved the node based ipam code to nodeipam.
Made the relevant tests pass.
Moved common node controller util code to nodeutil.
Removed unneeded pod informer sync from node ipam controller.
Fixed linter issues.
Factored in feedback from @gmarek.
Factored in feedback from @mtaufen.
Undoing unneeded change.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
validate admission-control startup param
**What this PR does / why we need it**:
validate admission plugins, if not registered, return err to prevent going on until call AdmissionOptions.ApplyTo.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#56614
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update gengo version to include goimports formatter
Update gengo which now uses goimports to format code and organize imports.
Fixes#55542
**Special notes for your reviewer**:
Updates version of k8s.io/gengo
Takes new dependency on golang.org/x/tools/imports and golang.org/x/tools/go/ast/astutil
**Release Notes**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57572, 57512, 57770). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
More default fixups for Kubelet flags
Similar to #57621, this fixes some other Kubelet flags that were
defaulted wrong.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57746, 57621, 56839, 57464). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix PodCIDR flag: defaults come from the object, not as literal args to the flag function
The defaulter runs on the object before adding flags. Flags should be registered with defaults sourced from this object, so that the defaulter, not the flag var function, determines the canonical default value.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57651, 56411, 56779, 57523, 57624). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Replace --init-config-dir with --config
Rather than a directory with magic names, just give the Kubelet a file path.
Was originally in #55718, but I'm splitting it out for clarity.
Fixes#57763
```release-note
The alpha `--init-config-dir` flag has been removed. Instead, use the `--config` flag to reference a kubelet configuration file directly.
```
Automatic merge from submit-queue (batch tested with PRs 57651, 56411, 56779, 57523, 57624). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use authentication client with explicit version
**What this PR does / why we need it**:
Authentication client without explicit version has been deprecated, change them to the one with explicit version.
**Which issue(s) this PR fixes**:
Fixes partially #55993
**Special notes for your reviewer**:
/cc @caesarxuchao @sttts
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix garbage collector when leader-elect=false
**What this PR does / why we need it**:
In a 1.8.x master with --leader-elect=false, the garbage collector controller
does not work.
When deleting a deployment with v1meta.DeletePropagationForeground, the deployment
had its deletionTimestamp set and a foreground Deletion finalizer was added,
but the deployment, rs and pod were not deleted.
This is an issue with how the garbage collector graph_builder behaves when the
stopCh=nil. This PR creates a dummy stop channel for the garbage collector controller (and other
controllers started by the controller-manager) so that they can work more like they do when
when the controller-manager is configured with --leader-elect=true.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#57044
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix garbage collection when the controller-manager uses --leader-elect=false
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix incorrect hairpin-mode value and validate it
**What this PR does / why we need it**:
* Fix incorrect hairpin-mode value
* Add validation
**Which issue(s) this PR fixes**:
Fixes#57609
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55483, 57132). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
enhance kube-schedule init flag
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
```
remove TODO: once we switch everything over to Cobra commands, we can go back to calling
utilflag.InitFlags() (by removing its pflag.Parse() call).
For now, we have to set the normalize func and add the go flag set by hand.
```
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Improve error messages and comments in KubeAdm.
**What this PR does / why we need it**:
Improve error messages and comments in KubeAdm.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix minor err in kubeadm
**What this PR does / why we need it**:
fix minor text error in kubeadm.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57139, 57358). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm upgrade: fix unit test flake
The CA generated for each test case is global and the cases modify
the expiry. This can flake depending on what order the tests run.
Generate a new CA for each test case.
```release-note
NONE
```
Fixes https://github.com/kubernetes/kubernetes/issues/57357
/cc @kubernetes/sig-cluster-lifecycle-bugs
/cc @xiangpengzhao
/cc @luxas
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fixed typo in kubeadm/v1alpha1/defaults.go
**What this PR does / why we need it**:
fixed some typo in comment
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use apps/v1 API in kubeadm
**What this PR does / why we need it**:
The core workloads API has been promoted to GA stability in the apps/v1 group version from 1.9. Use apps/v1 API in kubeadm.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubeadm/issues/596
**Special notes for your reviewer**:
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update CoreDNS version and Corefile in kubeadm
**What this PR does / why we need it**:
We bumped CoreDNS version to 1.0.0 (#56802) and added CoreDNS as an optional addon in kube-up (#55728), but something wrt log was missed. The log option of CoreDNS was changed since 1.0.0. We should update the Corefile to reflect the change.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubernetes/issues/57277
ref: https://github.com/coredns/coredns/issues/1218https://github.com/coredns/coredns/pull/1221
**Special notes for your reviewer**:
/cc @luxas @rajansandeep
cc @fturib @johnbelamaric
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57434, 57221, 57417, 57474, 57481). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Send an event just before the Kubelet restarts to use a new config
**What this PR does / why we need it**:
This PR makes the Kubelet send events for configuration changes. This makes it much easier to see a recent history of configuration changes for the Kubelet.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#56895
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/cc @dchen1107 @liggitt @dashpole
Automatic merge from submit-queue (batch tested with PRs 56716, 52371). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Separate loop and plugin control
**What this PR does / why we need it**: Separate loop and plugin control in the kube-controller-manager.
Adding an "--external-plugin" flag to specify a plugin to load when
cloud-provider is set to "external". Flag has no effect currently
when the cloud-provider is not set to external. The expectation is
that the cloud provider and external plugin flags would go away once
all cloud providers are on stage 2 cloud-controller-manager solutions.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#52369
**Special notes for your reviewer**:
**Release note**:
```release-note Added --external-plugin flag to kube-controller-manager to determine plugin when --cloud-provider is set to external.
```
hzxuzhonghu