A distributed claim allows the OIDC provider to delegate a claim to a
separate URL. Distributed claims are of the form as seen below, and are
defined in the OIDC Connect Core 1.0, section 5.6.2.
See: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
Example claim:
```
{
... (other normal claims)...
"_claim_names": {
"groups": "src1"
},
"_claim_sources": {
"src1": {
"endpoint": "https://www.example.com",
"access_token": "f005ba11"
},
},
}
```
Example response to a followup request to https://www.example.com is a
JWT-encoded claim token:
```
{
"iss": "https://www.example.com",
"aud": "my-client",
"groups": ["team1", "team2"],
"exp": 9876543210
}
```
Apart from the indirection, the distributed claim behaves exactly
the same as a standard claim. For Kubernetes, this means that the
token must be verified using the same approach as for the original OIDC
token. This requires the presence of "iss", "aud" and "exp" claims in
addition to "groups".
All existing OIDC options (e.g. groups prefix) apply.
Any claim can be made distributed, even though the "groups" claim is
the primary use case.
Allows groups to be a single string due to
https://github.com/kubernetes/kubernetes/issues/33290, even though
OIDC defines "groups" claim to be an array of strings. So, this will
be parsed correctly:
```
{
"iss": "https://www.example.com",
"aud": "my-client",
"groups": "team1",
"exp": 9876543210
}
```
Expects that distributed claims endpoints return JWT, per OIDC specs.
In case both a standard and a distributed claim with the same name
exist, standard claim wins. The specs seem undecided about the correct
approach here.
Distributed claims are resolved serially. This could be parallelized
for performance if needed.
Aggregated claims are silently skipped. Support could be added if
needed.
Automatic merge from submit-queue (batch tested with PRs 63138, 63091, 63201, 63341). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adds support for arm64 to microbot example of the kubernetes-worker charm.
**What this PR does / why we need it**: Adds support for arm64 to microbot example of the kubernetes-worker charm.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63138, 63091, 63201, 63341). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable bypassing online checks in kubeadm upgrade plan
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This PR makes `kubeadm upgrade plan` a little nicer to use in an air gapped environment. `kubeadm upgrade plan` now accepts a version and returns that instead of checking the internet.
**Which issue(s) this PR fixes**:
Fixeskubernetes/kubeadm#698
**Special notes for your reviewer**:
I also cleaned up the tests for this section of code by adding formal names for table tests and using `t.Run`.
**Release note**:
```release-note
`kubeadm upgrade plan` now accepts a version which improves the UX nicer in air-gapped environments.
```
Automatic merge from submit-queue (batch tested with PRs 63138, 63091, 63201, 63341). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Set names for OpenStack loadbalancer members and monitors
**What this PR does / why we need it**:
This PR sets names for OpenStack loadbalancer members and monitors.
ATM names for members and monitors are empty, making it difficult to identify where they belong.
Healthmonitors will be named `monitor_<lb_name>_<index>` and members
will be named `member_<lb_name>_<index>_<node_name>`.
This naming scheme should in sync with the naming of other LB resources, e.g. pools: `pool_<lb_name>_<index>`.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63138, 63091, 63201, 63341). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Api server extra args
**What this PR does / why we need it**:
This PR will correctly override the APIServer command with the values found in APIServerExtraArgs. If none are passed in a default set of flags will be used.
This also includes cleaning up tests by using `t.Run` and naming test cases so we know what they are doing. `t.Run` also provides better testing output when coupled with a name.
At some point we stopped using the k8s version to generate this command. It is trivial to add back if we need it later, but since we don't use it now it's best for it to go. This also exposed several test that were identical. Those have been removed.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#760
**Special notes for your reviewer**:
I split this into two commits since it's a bit easier to think about like that, but would be fine squashing.
**Release note**:
```release-note
NONE
```
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove rootscopedkinds from groupmeta
builds on https://github.com/kubernetes/kubernetes/pull/63206
Since, a RESTMapping can only be determined based on a connection to a server, the only thing that needs to know the namespaced-ness of a resource is the code doing the registration. Everything else is derived from that source of truth. This removes the other dangling references and collapses down onto the existing namespaced-ness methods in the strategies backing the stores.
@kubernetes/sig-api-machinery-pr-reviews
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add test for sparse version encoding/decoding
This adds tests that make sure the sparse version encoding and encoding work as callers will expect, with the correct version being picked from the list. I wrote two tests, one a theoretical test not dependent on any API and another practical test using cronjobs which are currently sparse in the registry.
@liggitt turns out that because we find exact matches, sparse versions ought to work out fine.
@smarterclayton I hate that the versioner matches on type. I'll update that separately I think.
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add field selector support to delete, label, annotate
**What this PR does / why we need it**:
Builds out field selector support for more bulk commands
**Release note**:
```release-note
kubectl now supports --field-selector for `delete`, `label`, and `annotate`
```
The regular kubeconfig is fetched from metadata when
CREATE_BOOTSTRAP_KUBECONFIG==false.
We will experiment with an exec plugin that does TLS bootstrapping
internally: #61803
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubelet: force filterContainerID to empty string when removeAll is true
fixes https://github.com/kubernetes/kubernetes/issues/57865
alternative to https://github.com/kubernetes/kubernetes/pull/62170
There is a bug in the container deletor where if `removeAll` is `true` in `deleteContainersInPod()` the `filterContainerID` is still used to filter results in `getContainersToDeleteInPod()`. If the filter container is not found, no containers are returned for deletion.
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/pod_container_deletor.go#L74-L77
This is the case for the delayed deletion a pod in `CrashLoopBackoff` as the death of the infra container in response to the `DELETE` is detected by PLEG and triggers an attempt to clean up all containers but uses the infra container id as a filter with `removeAll` set to `true`. The infra container is immediately deleted and thus can not be found when `getContainersToDeleteInPod()` tries to find it. Thus the dead app container from the previous restart attempt still exists.
`canBeDeleted()` in the status manager will return `false` until all the pod containers are deleted, delaying the deletion of the pod on the API server.
The removal of the containers is eventually forced by the API server `REMOVE` after the grace period.
The slice of strings more precisely captures the hierarchic nature of
the cgroup paths we use to represent pods and their groupings.
It also ensures we're reducing the chances of passing an incorrect path
format to a cgroup driver that requires a different path naming, since
now explicit conversions are always needed.
The new constructor NewCgroupName starts from an existing CgroupName,
which enforces a hierarchy where a root is always needed. It also
performs checking on the component names to ensure invalid characters
("/" and "_") are not in use.
A RootCgroupName for the top of the cgroup hierarchy tree is introduced.
This refactor results in a net reduction of around 30 lines of code,
mainly with the demise of ConvertCgroupNameToSystemd which had fairly
complicated logic in it and was doing just too many things.
There's a small TODO in a helper updateSystemdCgroupInfo that was
introduced to make this commit possible. That logic really belongs in
libcontainer, I'm planning to send a PR there to include it there.
(The API already takes a field with that information, only that field is
only processed in cgroupfs and not systemd driver, we should fix that.)
Tested by running the e2e-node tests on both Ubuntu 16.04 (with cgroupfs
driver) and CentOS 7 (with systemd driver.)
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove incorrect static restmapper from type registry
A RESTMapping can only be determined by inspecting a server since discovery is the authoritative source of mapping decisions. This removes a deceptive method from the type registry and makes the old logic available for existing tests in a separate, clearly labeled package.
@kubernetes/sig-api-machinery-pr-reviews @kubernetes/sig-cli-maintainers
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63152, 63253). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
make dynamic client slightly easier to use and add fakes
Tweaks the dynamic client to make it more "normal" for resources to namespaces. Adds a fake dynamic client.
@kubernetes/sig-api-machinery-pr-reviews
/assign @hzxuzhonghu
/assign @sttts
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubectl should not have a direct code dependency on controllers
The dependency linkage brings in the scheduler and a lot of unrelated
code. Instead, selectively copy methods that operate on public APIs.
@liggitt
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
scheduler: clean up and simplify equivalence cache locking
**What this PR does / why we need it**:
This is a cleanup of the locking code for equivalence cache. There is no change to the current logic or locking. This PR has a couple of implications, though.
1. It deletes (unreachable) code that could have been used to cache predicate results that consider nominated pods.
2. Callers should no longer lock/unlock the eCache manually, so coordinating that lock with other synchronization is restricted.
**Special notes for your reviewer**:
**Release note**:
<!-- Write your release note:
1. Enter your extended release note in the below block. If the PR requires additional action from users switching to the new release, include the string "**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
action required".
2. If no release note is required, just write "NONE".
-->
```release-note
NONE
```
/sig scheduling
/kind cleanup
Automatic merge from submit-queue (batch tested with PRs 55971, 63307). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Revert "fixtodo:validate events on PVCs in integration volume binding test"
This reverts commit 910fd1953e.
Events are not a reliable message bus... they throttle, deduplicate, and drop events over fairly conservative rate limit targets.
This commit caused test flakes, so reverting.
Fixes#63302
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58474, 60034, 62101, 63198). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove Factory from more Run commands
/assign @juanvallejo
**Release note**:
-->
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58474, 60034, 62101, 63198). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix wrong usage of kubelet option
**What this PR does / why we need it**:
"--allow-privileged true" is incorrect usage of boolean option.
It means setting '--allow-priviledged' to its default value plus
non-existing subcommand 'true'.
"--allow-privileged false" is even more confusing as it sets
allow-priviledged flag to its default value 'true'
This is true for any boolean command line option.
Fixed this by using correct syntax --allow-priviledged=true
**Special notes for your reviewer**:
This is a show-stopper for PR #61833
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58474, 60034, 62101, 63198). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
avoid race condition in device manager and plugin startup/shutdown: wait for goroutines
**What this PR does / why we need it**:
Commit 1325c2f worked around issue #59488, but it is still worthwhile to fix the underlying root cause properly.
**Which issue(s) this PR fixes**:
Fixes#59488
**Special notes for your reviewer**:
This is an alternative to PR #59861, which used a different approach. Personally I tend to prefer this one now.
**Release note**:
```release-note
NONE
```
/sig node
/area hw-accelerators
/assign vikaschoudhary16
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: change default reconciler to LeaseEndpoint
**What this PR does / why we need it**:
Graduates the lease-endpoint-reconciler flag to beta, and defaults the endpoint reconciler to LeaseEndpoint instead of MasterCount.
- [x] Default Lease Endpoint Reconciler to on
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#57617
**Special notes for your reviewer**:
**Release note**:
```release-note
kube-apiserver: `--endpoint-reconciler-type` now defaults to `lease`. The `master-count` reconciler is deprecated and will be removed in 1.13.
```
Running "kubeadm reset --cri-socket unix:///var/run/crio/crio.sock"
fails with this error:
[reset] Cleaning up running containers using crictl with socket unix:///var/run/crio/crio.sock
[reset] Failed to list running pods using crictl. Trying using docker instead.
The actual error returned by underlying API os/exec is:
fork/exec /usr/bin/crictl -r /var/run/crio/crio.sock info: no such file or directory
This is caused by passing full command line instead of executable
path as a first parameter to the Command API.
Fixed by passing correct parameters to the Command API.
Improved error output.
Filip Filmar