Automatic merge from submit-queue (batch tested with PRs 62425, 62212, 60824, 62383, 62384). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix custom resource definition validation
/assign @sttts
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62425, 62212, 60824, 62383, 62384). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
optimize requestcontext: use RWMutex to improve r/w performance
RequestContextMapper is one of the mostly used interface by every request, and the underlying struct is a map with Mutex protect. So here we should use RWMutex.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Updated Readme for Azure (OIDC) auth provider
**What this PR does / why we need it**:
When trying this documentation in the field, I ran into some issues based on details missing here. I got it working in the end with some help from @stuartleeks from Microsoft, this PR is to help others trying to set this up not have the same question marks I had.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
None AFAIK
**Special notes for your reviewer**:
Includes:
* Added details and clarifications based on my experience
* Some minor copy editing
Not sure if this requires release notes, I consider it a very small change.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61241, 62136). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
OIDC required claims
**What this PR does / why we need it**:
Currently there is no mechanism for a user to specify claims in the OIDC authentication process that are required to be present in the ID Token with an expected value. This PR adds the required claims support for the OIDC authentication. It allows users to pass in a `--oidc-required-claims` flag, and key=value pairs in the API config, which will ensure that the specified `required claims` are checked against the ID Token claims.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61276
**Special notes for your reviewer**:
Ran the following commands to update godep files:
```
./hack/godep-restore.sh -v
./hack/godep-save.sh
./hack/update-staging-godeps.sh
./hack/update-bazel.sh
```
Since we don't officially support go 1.10, kept go version to 1.9
**Release note**:
```release-note
kube-apiserver: oidc authentication now supports requiring specific claims with `--oidc-required-claim=<claim>=<value>`
```
/sig auth
/kind feature
/assign @ericchiang
Includes:
* Added details and clarifications based on my experience
* Some minor copy editing
added note about resulting username
fixing last list item
clarficiation of resulting username
mainly just refering to OIDC docs
fixed comment about callback URL
Automatic merge from submit-queue (batch tested with PRs 59027, 62333, 57661, 62086, 61584). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
CustomResources: in OpenAPI spec allow additionalProperties without properties
This implements @ayushpateria's idea https://github.com/kubernetes/kubernetes/issues/59485#issuecomment-375726922.
With this PR it becomes possible to specify `map[string]Interface{}` non-object types, e.g. `map[string]string` for selectors. On the other hands, "normal" objects use `properties`, mutually exclusively to `additionalProperties`. This way we avoid a conflict with Kubernetes API conventions that unknown objects fields are dropped.
Fixes#59485
```release-note
Allow additionalProperties in CRD OpenAPI v3 specification for validation, mutually exclusive to properties.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix 1.10 change log typo
**What this PR does / why we need it**:
Thanks to @christianhuening, find typo about `enable-admission-plugins` and `disable-admission-plugins`
They are plural.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
export unstructured helper function nestedFieldNoCopy
Signed-off-by: Steve Kriss <steve@heptio.com>
**What this PR does / why we need it**: Export the unstructured helper function `nestedFieldNoCopy`. This enables checking for existence of nested fields without requiring a deep-copy via JSON.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60197, 61614, 62074, 62071, 62301). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Narrow interface consumed by scale client
The scale client only uses a single method of the rest mapper, and only for preferred resource version (no resource/kind lookup or translation)
Narrow the specified interface to make it clear what function is actually required.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60692, 61809). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove ObjectMeta and *Options from core api
remove ObjectMeta and *Options from core api
Fixes#61807
**Special notes for your reviewer**:
**Release note**:
```release-note
Remove `ObjectMeta ` `ListOptions` `DeleteOptions` from core api group. Please use that in meta/v1
```
Automatic merge from submit-queue (batch tested with PRs 59035, 61933). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add TestGeneration in customresource/etcd_test.go
**What this PR does / why we need it**:
add TestGeneration in customresource/etcd_test.go
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62231, 44495, 62199). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make priority rest mapper handle partial discovery results
If the delegate restmapper returns partial results, let the priority restmapper find a prioritized entry and propagate the original error
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61183, 58807). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add RBAC information to audit logs
Depends on: https://github.com/kubernetes/kubernetes/pull/58806
**Release note**:
```release-note
RBAC information is included in audit logs via audit.Event annotations:
authorization.k8s.io/decision = {allow, forbid}
authorization.k8s.io/reason = human-readable reason for the decision
```
Automatic merge from submit-queue (batch tested with PRs 61400, 61048). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: cancel context on timeout in WithTimeoutForNonLongRunningRequests
Requests that block time out after 60sec, but keep the handler body running. This can lead to exhaustion of clients or other leaks. This PR adds a cancel func to the context of the request and calls it on timeout.
Note: we still do our own timeout handling as we don't trust the context to really cancel every blocking call we do.
This might explain why we see so many handler backtraces like https://gist.github.com/sttts/0ce972dc8a7911e4ca9eea7bf1ded5fa when an etcd node goes down with a hard poweroff. But it does not explain why we see oc to block for 15 minutes.
Automatic merge from submit-queue (batch tested with PRs 61400, 61048). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
code-gen: allow specifying custom resync periods for certain informer types
**What this PR does / why we need it**:
This PR extends the informer code-generator to allow the consumer to specify a custom resync period for certain informer types and uses the default resync period if none is defined.
**Special notes for your reviewer**:
Example:
```go
cs := clientset.NewForConfigOrDie(config)
resyncConfig := externalversions.ResyncConfiguration{
&samplev1alpha1.Sample{}: 30 * time.Second,
}
informer := externalversions.NewSharedInformerFactory(cs, 2*time.Minute, externalversions.WithCustomResyncConfig(resyncConfig))
```
**Release note**:
```release-note
NONE
```
- unify test cases
- remove broken VersionedAttributes override abstraction
This overriding had no effect. The versioned.Attributes were never
used as admission.Attributes.Better make the versioned objects
explicit than hiding them under a wrong abstraction.
- remove wrapping of scheme.Convert
- internalize conversion package
Automatic merge from submit-queue (batch tested with PRs 60102, 59970, 60021, 62011, 62080). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
sample-controller: add status subresource support
Builds on top of https://github.com/kubernetes/kubernetes/pull/55168.
**DO NOT MERGE** until https://github.com/kubernetes/kubernetes/pull/55168 is merged. Adding a hold.
/hold
Update: It is now merged! 🎉
This PR:
- Adds an example to show how to use the `/status` subresource with custom resources.
- Generates `UpdateStatus` for the `Foo` resource.
- Updates the comment in the controller to mention that `UpdateStatus` can now be used. Note: this is not enabled by default because subresources require the feature gate to be enabled and are not on by default.
- Updates the README to add feature gate information and examples for `CustomResourceSubresources`.
- Updates the README to remove feature gate information for CRD validation since the current example uses `apps/v1` deployments (and thus requires v1.9 anyway).
**Release note**:
```release-note
NONE
```
/assign sttts munnerz
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Updated the "create-update-delete-deployment" example to use apps/v1 and removed rollback example
**What this PR does / why we need it**:
*Waiting for migration to apps/v1*
> The current example at [create-update-delete-deployment/main.go](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/examples/create-update-delete-deployment/main.go) was using `RollbackTo` of `v1beta1.DeploymentSpec` which is deprecated.
The current implementation upgrades `create-update-delete-deployment` main.go to use **apps/v1** instead of **extensions/v1beta1** and removed rollback example for now.
**Which issue(s) this PR fixes**
Helps kubernetes/client-go#346
**Special notes for your reviewer**:
Since it's my first PR dealing with codebase and not a typo fix :xD please let me know my mistakes.
I would love to resolve them.
@nikhita @sttts @jekohk Please review. The other PR #59663 got closed accidentally while changing branch.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make UnstructuredContent return contents without mutating the source
**What this PR does / why we need it**:
This PR solves the issues described in #56316
Before this change:
- A call to `UnstructuredContent()` potentially modified `Object`
- The values returned by `UnstructuredContent()` could be manipulated to modify the value in `Object`. Going through the history it looks like this behavior was added before the addition of `SetUnstructuredContent()`. IMO it makes more sense now to use `SetUnstructuredContent()` or make changes to the exposed `Object` property
- `UnstructuredList` did not implement the behavior described in the godoc. The godoc stated that the value returned should be mutable, but if u.Object == nil the map returned had no effect on Object
With this PR I'm proposing `UnstructuredContent()` returns the data without providing the contract of a mutable map. It also ensures all implementations of the `Unstructured` interface abide by the doc
**Which issue(s) this PR fixes**:
Fixes#56316
**Special notes for your reviewer**:
This PR continues work started in #57713.
**Release note**:
```release-note
NONE
```
/kind bug
/sig api-machinery
/cc sttts deads2k
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add a func to merge multiple Strategic Merge Patches into one patch
This PR is adding a function similar to 9fa11df836/merge.go (L95-L100)
It merges multiple SMPs and yield another SMP.
This PR has no risk to existing SMP code.
```release-note
NONE
```
/cc @apelisse
/assign @pwittrock
Automatic merge from submit-queue (batch tested with PRs 61705, 61609, 62103, 62113, 62115). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove unused function getEncodedPod in etcd_helper_test.go
**What this PR does / why we need it**:
remove unused function getEncodedPod in etcd_helper_test.go
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: add warning about not trusting authz of aggregator
The aggregator does authorization for proxied resources. But aggregated apiservers should not depend on it, but do delegated authorization in addition.
```release-note
Add warnings that authors of aggregated API servers must not rely on authorization being done by the kube-apiserver.
```
Automatic merge from submit-queue (batch tested with PRs 61959, 62037). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump godep version to v80
**What this PR does / why we need it**:
Update the minimum godep, to v80 (supposed to be the final version).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62049, 62085). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixes incorrect atomic usage
Fixes incorrect assignment for atomic increment.
NOTE: This will be a vet error in go version 1.10.
ERROR: "direct assignment to atomic value".
No other erroneous atomic assignments found.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61818, 61800). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Replace gopass.GetPasswdMasked() by terminal.ReadPassword()
**What this PR does / why we need it**:
Replace `gopass.GetPasswdMasked()` used for reading passwords from the terminal with [`terminal.ReadPassword()`](https://godoc.org/golang.org/x/crypto/ssh/terminal#ReadPassword). This removes the `gopass` import.
**Special notes for your reviewer**:
Ran the following commands to update `godep` files:
```
./hack/godep-restore.sh -v
./hack/godep-save.sh
./hack/update-staging-godeps.sh
./hack/update-bazel.sh
```
/sig auth
/kind enhancement
/assign @ericchiang
```release-note
NONE
```
Kubernetes Submit Queue