Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: add warning about not trusting authz of aggregator
The aggregator does authorization for proxied resources. However, aggregated apiservers should not depend on it, but should do delegated authorization in addition.
```release-note
Add warnings that authors of aggregated API servers must not rely on authorization being done by the kube-apiserver.
```
Automatic merge from submit-queue (batch tested with PRs 58420, 60483). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Kube apiserver ServerRunOptions set default called before use
**What this PR does / why we need it**:
Move the `ServerRunOptions` set-default function `defaultOptions` out of `CreateKubeAPIServerConfig`; it should be called before the real use in `CreateNodeDialer`. So move it to cobra.Command, just after the kube-apiserver flags are parsed.
Similarly, move `ServerRunOptions.Validate` there too.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58420, 60483). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubectl: make error with resource list prettier
**What this PR does / why we need it**:
Previously, running commands like `kubectl get` with no further
arguments would print a list of valid resource types with an error
message formatted like so:
```
<snip>
* serviceaccounts (aka 'sa')
* services (aka 'svc')
* statefulsets (aka 'sts')
* storageclasses (aka 'sc')error: Required resource not specified.
Use "kubectl explain <resource>" for a detailed description of that resource (e.g. kubectl explain pods).
See 'kubectl get -h' for help and examples.
```
This commit adds extra spacing so it now looks pretty:
```
<snip>
* serviceaccounts (aka 'sa')
* services (aka 'svc')
* statefulsets (aka 'sts')
* storageclasses (aka 'sc')

error: Required resource not specified.
Use "kubectl explain <resource>" for a detailed description of that resource (e.g. kubectl explain pods).
See 'kubectl get -h' for help and examples.
```
**Release note**:
```release-note
NONE
```
Currently users can only specify subnet-id in the cloud.conf file.
If a user wants to specify another subnet for some special services,
the subnet-id annotation should be a good choice.
Automatic merge from submit-queue (batch tested with PRs 61959, 62037). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump godep version to v80
**What this PR does / why we need it**:
Update the minimum godep to v80 (supposed to be the final version).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61959, 62037). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Support custom test configurations
**Release note**:
```release-note
Support custom test configuration for IPAM performance integration tests
```
Automatic merge from submit-queue (batch tested with PRs 62049, 62085). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixes incorrect atomic usage
Fixes incorrect assignment for atomic increment.
NOTE: This will be a vet error in go version 1.10.
ERROR: "direct assignment to atomic value".
No other erroneous atomic assignments found.
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Added downgrade notice to Changelog
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 61806, 61508, 62075, 62079, 62052). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update image for ingress downgrade test
**What this PR does / why we need it**:
Ref: #62075
**Release note**:
```release-note
None
```
/assign @bowei
Automatic merge from submit-queue (batch tested with PRs 61806, 61508, 62075, 62079, 62052). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update GLBC manifest to v1.0.1
**Release note**:
```release-note
GCE: Updates GLBC version to 1.0.1 which includes a fix which prevents multi-cluster ingress objects from creating full load balancers.
```
/assign @bowei @nikhiljindal
cc @csbell @rramkumar1 @freehan @MrHohn
Automatic merge from submit-queue (batch tested with PRs 61806, 61508, 62075, 62079, 62052). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
oidc authentication: email_verified claim is not required for JWT validation
**What this PR does / why we need it**:
Currently the "email_verified" claim is required by the API server to verify an OIDC token. Many OIDC providers do not support the "email_verified" claim. We want to be able to allow their OIDC tokens as valid.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #59496
**Release note**:
```release-note
OIDC authentication now allows tokens without an "email_verified" claim when using the "email" claim. If an "email_verified" claim is present when using the "email" claim, it must be `true`.
```
/sig auth
/kind feature
/assign @ericchiang
CC: @sreetummidi
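The claim rule from the release note above, as an added Go example that is not the kube-apiserver's own code: `emailFromClaims` is a hypothetical helper, the payloads are constructed, and the token's signature is assumed to have been verified before this check runs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// emailFromClaims applies the rule stated in the release note to a JWT payload
// whose signature is ASSUMED to have been verified already (not done here).
// Hypothetical helper for illustration, not the kube-apiserver's own code.
func emailFromClaims(payload []byte) (string, error) {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parse claims: %w", err)
	}
	raw, ok := claims["email"]
	if !ok {
		return "", errors.New(`token has no "email" claim`)
	}
	var email string
	if err := json.Unmarshal(raw, &email); err != nil || email == "" {
		return "", errors.New(`"email" claim is not a non-empty string`)
	}
	// An absent "email_verified" claim is accepted; a present one must be
	// the JSON boolean true. The string "true", null and false all fail.
	if rawVerified, present := claims["email_verified"]; present {
		var verified bool
		if err := json.Unmarshal(rawVerified, &verified); err != nil {
			return "", fmt.Errorf(`"email_verified" is not a boolean: %w`, err)
		}
		if !verified {
			return "", errors.New("email not verified")
		}
	}
	return email, nil
}

func main() {
	// Constructed sample payloads, not taken from any real provider.
	for _, p := range []string{
		`{"email":"dev@example.com"}`,
		`{"email":"dev@example.com","email_verified":true}`,
		`{"email":"dev@example.com","email_verified":false}`,
		`{"email":"dev@example.com","email_verified":"true"}`,
	} {
		email, err := emailFromClaims([]byte(p))
		fmt.Printf("%-55s email=%q err=%v\n", p, email, err)
	}
}
```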
Automatic merge from submit-queue (batch tested with PRs 61806, 61508, 62075, 62079, 62052). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
make use of auto generated LoadBalancerStatus.DeepCopy
Remove LoadBalancerStatusDeepCopy in helpers.go, and use the auto generated `LoadBalancerStatus.DeepCopy` in pkg/apis/core/zz_generated.deepcopy.go.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60983, 62012, 61892, 62051, 62067). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add support for multiple certificates to targetproxy
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60983, 62012, 61892, 62051, 62067). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix local volume issue on Windows
**What this PR does / why we need it**:
Actually, local volume does not work on Windows up to now; with this PR, local volume would work on Windows. Here is a [local volume example on Windows](https://github.com/andyzhangx/demo/tree/master/windows/local)
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #62010
**Special notes for your reviewer**:
This PR would not `MkdirAll(dir, 0750)` on a Windows node; the MkdirAll process would happen in https://github.com/kubernetes/kubernetes/blob/master/pkg/util/mount/mount_windows.go#L59-L62
**Release note**:
```
fix local volume issue on Windows
```
/sig windows
/sig storage
Automatic merge from submit-queue (batch tested with PRs 60983, 62012, 61892, 62051, 62067). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Controllable timeout for join failures
**What this PR does / why we need it**:
This PR introduces a timeout for `kubeadm join`. During that time kubeadm will try to join as many times as possible. The timeout can be controlled via the `discoveryTimeout` config option. Its default value is 5 minutes.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes kubernetes/kubeadm#677
**Special notes for your reviewer**:
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
/area kubeadm
/assign @luxas
/assign @timothysc
**Release note**:
```release-note
kubeadm: Introduce join timeout that can be controlled via the discoveryTimeout config option (set to 5 minutes by default).
```