Automatic merge from submit-queue (batch tested with PRs 56258, 58398). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
make the controller manager create and use a valid cobra command
The controller manager was returning an invalid cobra command that couldn't be executed and then side-stepped it by adding flags separately. This brings it into line.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
openstack: remove orphaned routes from terminated instances
**What this PR does / why we need it**:
At the moment the openstack cloudprovider only returns routes where the `NextHop` address points to an existing openstack instance. This is a problem when an instance is terminated before the corresponding node is removed from k8s. The existing route is not returned by the cloudprovider anymore and therefore never considered for deletion by the route controller. When the route's `DestinationCIDR` is reassigned to a new node the router ends up with two routes pointing to a different `NextHop` leading to broken networking.
This PR removes skipping routes pointing to unknown next hops when listing routes. This should cause [this conditional](93dc3763b0/pkg/controller/route/route_controller.go (L208)) in the route controller to succeed and have the route removed if the route controller [feels responsible](93dc3763b0/pkg/controller/route/route_controller.go (L206)).
```release-note
OpenStack cloudprovider: Ensure orphaned routes are removed.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Reduce Metrics Server memory requirement
**What this PR does / why we need it**:
Reduces memory requirements of Metrics Server.
This was tested on GCE. On 16 - node cluster with 30 user pods per node, Metrics Server consumes ~60MB of memory. For larger clusters, the base value matters even less, and the memory utilization will be lower, therefore this change is safe.
**Release note**:
```release-note
Reduce Metrics Server memory requirement
```
Automatic merge from submit-queue (batch tested with PRs 58263, 58425, 58419). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apps api is now stable, use it
**What this PR does / why we need it**: as of kubernetes 1.9, the apps api is stable. we should use v1 instead of v1beta2
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # none
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58263, 58425, 58419). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable --external-cloud-volume-plugin/--provider-id for local-up-cluster
See the following commit for more information about the
--external-cloud-volume-plugin flag:
070a7b5823
We need this flag for EXTERNAL_CLOUD_PROVIDER flag to work properly with
volume plugins
Also add --provider-id defaulting to hostname as we seem to pick
up the ip address otherwise causing problem with looking up the
node in the cloud provider
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix some bad url
**What this PR does / why we need it**:
fix some bad url
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Rework method of updating atomic-updated data volumes
**What this PR does / why we need it**:
This change affects the way that secret, configmap, downwardAPI and projected volumes (which all use the same underlying code) implement their data update functionality.
* Instead of creating a subdirectory hierarchy that will contain symlinks to each actual data file, create only symlinks to items in the root of the volume, whether they be files or directories.
* Rather than comparing the user-visible data directory to see if an update is needed, compare with the current version of the data directory.
* Fix data dir timestamp format year
* Create `..data` symlink even when a data volume has no data so consumers can have simplified update watch logic.
**Which issue(s) this PR fixes**:
Fixes#57421
**Release note**:
```release-note
Correct issues that arise when volumes are mounted beneath another secret, configmap, downwardAPI or projected volume
```
Automatic merge from submit-queue (batch tested with PRs 53631, 56960). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove unused code in UT files in pkg/
**What this PR does / why we need it**:
Remove unused code in UT files in pkg/ .
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update vendor spf13/cobra to enforce required flags
**What this PR does / why we need it**:
spf13/cobra#502 has enforced checking flags that marked as required, an error will be raised if unset.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:fixes #54855
xref #48400fixeskubernetes/kubectl#121
**Special notes for your reviewer**:
/assign @liggitt @eparis
**Release note**:
```release-note
kubectl now enforces required flags at a more fundamental level
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: remove Initializers (still in alpha) from admission control
**What this PR does / why we need it**:
Currently `Initializers` is still in alpha version, which should not be enabled by default, until promoted to beta.
For kubeadm users, who still want to use `Initializers`, they can use `apiServerExtraArgs` through kubeadm config file to enable it when booting up the cluster.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#629
**Special notes for your reviewer**:
/assign @luxas
/area kubeadm
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
/cc @liggitt @jamiehannaford @timothysc
**Release note**:
```release-note
Remove alpha Initializers from kubadm admission control
```
See the following commit for more information about the
--external-cloud-volume-plugin flag:
070a7b5823
We need this flag for EXTERNAL_CLOUD_PROVIDER flag to work properly with
volume plugins
Also add --provider-id defaulting to hostname as we seem to pick
up the ip address otherwise causing problem with looking up the
node in the cloud provider
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Support for custom tls cipher suites in api server and kubelet
**What this PR does / why we need it**:
This pull request aims to solve the problem of users not able to set custom cipher suites in the api server.
Several users have requested this given that some default ciphers are vulnerable.
There is a discussion in #41038 of how to implement this. The options are:
- Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
- Letting the user set them by parameter, this requires adding a new parameter that could be pretty long with the list of all the ciphers.
I implemented the second option, if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).
**Which issue this PR fixes**
fixes#41038
**Special notes for your reviewer**:
The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the `type CipherSuitesFlag` to support that conversion/mapping, because i couldn't find any way to do this type of reflection in Go.
If you think there is another way to implement this, let me know.
If you want to test it out, this is a ciphers combination i tested without the weak ones:
```
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
```
If this is merged i will implement the same for the Kubelet.
**Release note**:
```release-note
kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable ValidatingAdmissionWebhook and MutatingAdmissionWebhook in kubeadm from v1.9
**What this PR does / why we need it**:
Since 1.9, `ValidatingAdmissionWebhook` and `MutatingAdmissionWebhook` are beta. Kubeadm should enable them by default.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#642
**Special notes for your reviewer**:
/assign @luxas
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
**Release note**:
```release-note
Enable ValidatingAdmissionWebhook and MutatingAdmissionWebhook in kubeadm from v1.9
```
Automatic merge from submit-queue (batch tested with PRs 58411, 58407, 52863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Create Conformance document to display all tests that belong to Confo…
…rmance suite
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58411, 58407, 52863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
low hanging fruit for using cobra commands
This makes the simple updates to use cobra commands instead of individual ones
/assign liggitt
/assign ncdc
/assign sttts
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Benchmark test non docker specific
**What this PR does / why we need it**:
This will make benchmark test generic to all container runtimes
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58321
**Special notes for your reviewer**:
**Release note**:
```release-note
none
```
/cc @Random-Liu
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixed TearDown of NFS with root squash.
NFS plugin should not use `IsLikelyNotMountPoint()`, as it uses `lstat()` / `stat()` to determine if the NFS volume is still mounted - NFS server may use root_squash and kubelet may not be allowed to do `lstat()` / `stat()` there.
It must use slower `IsNotMountPoint()` instead, including in `TearDown()` function.
**Release note**:
```release-note
NONE
```
/assign @gnufied @rootfs
Automatic merge from submit-queue (batch tested with PRs 58375, 58306, 58386, 57420, 58035). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix windows UT for proxy mode
**What this PR does / why we need it**:
/kind bug
Fix windows UT for proxy mode.
Run UTs for `kubeproxyconfig/validation` in windows,
```
=== RUN TestValidateKubeProxyConfiguration
--- FAIL: TestValidateKubeProxyConfiguration (0.00s)
validation_test.go:83: expected success: [KubeProxyConfiguration.Mode.ProxyMode: Invalid value: "ipvs": must be kernelspace,userspace or blank (blank means the most-available proxy [currently userspace])]
```
That's because proxy mode "IPVS" is not valid in windows.
**Which issue(s) this PR fixes**:
Fixes#58037
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58375, 58306, 58386, 57420, 58035). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add semver metadata regex
**What this PR does / why we need it**: When building a release tag with optional semver metadata, the minor and major versions are not parsed correctly (empty strings). This fix adds optional support to the regex for the metadata component.
example:
```
~/w/g/s/k/kubernetes ❯❯❯ git tag v1.9.0+stable.0 fixes/semver_metadata ✭
~/w/g/s/k/kubernetes ❯❯❯ hack/print-workspace-status.sh fixes/semver_metadata ✭
STABLE_BUILD_GIT_COMMIT 63e2eacd22
STABLE_BUILD_SCM_STATUS clean
STABLE_BUILD_SCM_REVISION v1.9.0+stable.0
STABLE_BUILD_MAJOR_VERSION 1
STABLE_BUILD_MINOR_VERSION 9
STABLE_DOCKER_TAG v1.9.0_stable.0
gitCommit 63e2eacd22
gitTreeState clean
gitVersion v1.9.0+stable.0
gitMajor 1
gitMinor 9
buildDate 2017-12-19T21:08:48Z
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58375, 58306, 58386, 57420, 58035). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
handle uniquified holder identities
script update for https://github.com/kubernetes/kubernetes/pull/58302
This has to be done first to allow CI to pass. We need unique leasing identities and hostnames, particularly locally determined ones, aren't unique.
/assign liggitt
/assign mikedanese
Automatic merge from submit-queue (batch tested with PRs 58375, 58306, 58386, 57420, 58035). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Track run status explicitly rather than non-nil check on stopCh
Fixes#57044
GC and quota controllers use a non-nil stop channel as a signal Run() has been called, so ensure that condition holds even when a nil stop channel is passed in
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Recheck if transformed data is stale when doing live lookup during update
Fixes#49565
Caching storage can pass in a cached object to `GuaranteedUpdate` as a hint for the current object.
If the hint is identical to the data we want to persist, before short-circuiting as a no-op update, we force a live lookup.
We should check two things on the result of that live lookup before short-circuiting as a no-op update:
1. the bytes we want to persist still match the transformed bytes read from etcd
2. the state read from etcd didn't report itself as stale. this would mean the transformer used to read the data would not be the transformer used to write it, and "no-op" writes should still be performed, since transformation will make the underlying content actually different.
After a live lookup, we checked byte equality, but not the stale indicator. This meant that key rotation or encrypted->decrypted, and decrypted->encrypted updates are broken.
Introduced in #54780 and picked back to 1.8 in #55294
```release-note
Fixed encryption key and encryption provider rotation
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add jsafrane as util/mount approver.
I've written large parts of the mounter and I am fixing it regularly.
**Release note**:
```release-note
NONE
```
This change affects the way that secret, configmap, downwardAPI and projected
volumes (which all use the same underlying code) implement their data update
functionality.
* Instead of creating a subdirectory hierarchy that itself
will contain symlinks to each actual data file, create only
symlinks to items in the root of the volume, whether they
be files or directories.
* Rather than comparing the user-visible data directory
to see if an update is needed, compare with the current
version of the data directory.
* Fix data dir timestamp format year
* Create ..data symlink even when a data volume has no data so
consumers can have simplified update watch logic.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
pkg/securitycontext/util_test.go(TestAddNoNewPrivileges): update tests
**What this PR does / why we need it**:
This PR improves existing test in the following ways:
- remove irrelevant test cases
- add test case for `AllowPrivilegeEscalation: nil`
- explicitly specify input and expected outcome
This is addressed to the following review comment: https://github.com/kubernetes/kubernetes/pull/47019#discussion_r135808264
**Release note**:
```release-note
NONE
```
PTAL @jessfraz @kubernetes/sig-auth-pr-reviews
CC @simo5
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update comments for getting and removing loopback device for iSCSI,FC,RBD
**What this PR does / why we need it**:
This PR adds comments of the background why plugin gets loopback device and removes loopback device even if operation_generator has same functionality.
**Which issue(s) this PR fixes** : No
**Special notes for your reviewer**:
/cc @rootfs @sbezverk
related PR: https://github.com/kubernetes/kubernetes/pull/56651
**Release note**:
```release-note
NONE
```
This PR add comments for the background why plugin gets loopback
device and removes loopback device even if operation_generator has
same functionality.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
set fsGroup by securityContext.fsGroup in azure file
**What this PR does / why we need it**:
set fsGroup by securityContext.fsGroup in azure file
This PR respects `securityContext.fsGroup`, while if user both sets `gid=xxx` in mountOptions in azure storage class and `securityContext.fsGroup`, `gid=xxx` setting in mountOptions will win.
```
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
securityContext:
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: {}
containers:
- name: sec-ctx-demo
image: gcr.io/google-samples/node-hello:1.0
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#44085
**Special notes for your reviewer**:
**Release note**:
```
set fsGroup by securityContext.fsGroup in azure file
```
/assign @karataliu
cc @rootfs @avaranovich
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix update-swagger-spec.sh to always cleanup etcd
**What this PR does / why we need it**:
This PR fixes `hack/update-swagger-spec.sh` so it always cleanup etcd and to noe leave orphaned process after its execution. This process also doesn't allow to run the script again as it detects existing etcd and won't start.
I also made a minor improvement by adding guard against an empty arguments.
**Release note**:
```release-note
NONE
```
CC @simo5
Prior this change, etcd wasn't cleaned up on my machine that lead to
orphaned etcd process after the update-swagger-spec.sh failed.
This change also adds additional improvements:
- don't kill/wait/rm when argument is empty.
- use kube::util::trap_add.
Automatic merge from submit-queue (batch tested with PRs 58008, 58351). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update-swagger-spec.sh: when API server fails to start, show the last lines of logs
**What this PR does / why we need it**:
When API server fails to start there is no easy way to know why. You have to read the script where you will find that there is a log file that could have some useful info. This PR simplifies debugging:
1) it includes the path to the log file in the error message
2) it also shows the last 10 lines from this log
Before this change:
```
+++ [0116 19:33:49] Starting kube-apiserver
!!! [0116 19:34:19] Timed out waiting for apiserver: to answer at 127.0.0.1:8050/healthz; tried 30 waiting 1 between each
!!! Error in ./hack/update-swagger-spec.sh:42
Error in ./hack/update-swagger-spec.sh:42. 'return 1' exited with status 1
Call stack:
1: ./hack/update-swagger-spec.sh:42 main(...)
Exiting with status 1
+++ [0116 19:34:19] Clean up complete
```
After this change:
```
+++ [0116 19:42:41] Starting kube-apiserver
!!! [0116 19:42:51] Timed out waiting for apiserver: to answer at 127.0.0.1:8050/healthz; tried 30 waiting 1 between each
!!! [0116 19:42:51] Here are the last 10 lines from kube-apiserver (/tmp/swagger-api-server.log)
!!! [0116 19:42:51] === BEGIN OF LOG ===
I0116 19:42:41.689355 30809 server.go:122] Version: v1.10.0-alpha.1.877+a02cb7c1f7d0d6-dirty
I0116 19:42:41.942601 30809 serving.go:295] Generated self-signed cert (/tmp/update-swagger-spec.2Udp/certs/apiserver.crt, /tmp/update-swagger-spec.2Udp/certs/apiserver.key)
I0116 19:42:41.942611 30809 server.go:647] external host was not specified, using 10.10.10.10
W0116 19:42:41.942618 30809 authentication.go:378] AnonymousAuth is not allowed with the AllowAll authorizer. Resetting AnonymousAuth to false. You should use a different authorizer
error in initializing storage factory: group version podsecuritypolicy.admission.k8s.io/v1beta1 that has not been registered
!!! [0116 19:42:51] === END OF LOG ===
+++ [0116 19:42:51] Clean up complete
```
**Release note**:
```release-note
NONE
```
PTAL @cblecker @sttts
CC @simo5
Automatic merge from submit-queue (batch tested with PRs 58008, 58351). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
etcd client: add keepalive
**What this PR does / why we need it**: This PR shortens the keepaliveTimeout and enables keepalive within the etcd client to allow the socket to be closed cleanly on a dead etcd server.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#46964
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/cc @xiang90
David Eads