Before this the advertised IP (which shows up in the server cert) in case of
listening to loopback was the first host interface IP. This makes self-signed
certs non-constant, such that we cannot use fixtures.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add limit to the TokenRequest expiration time
**What this PR does / why we need it**:
A new API TokenRequest has been implemented.It improves current serviceaccount model from many ways.
This patch adds limit to TokenRequest expiration time.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#63575
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
The goal of this change is to remove the registration of signal
handling from pkg/kubelet. We now pass in a stop channel.
If you register a signal handler in `main()` to aid in a controlled
and deliberate exit then the handler registered in `pkg/kubelet` often
wins and the process exits immediately. This means all other signal
handler registrations are currently racy if `DockerServer.Start()` is
directly or indirectly invoked.
This change also removes another signal handler registration from
`NewAPIServerCommand()`; a stop channel is now passed to this
function.
Automatic merge from submit-queue (batch tested with PRs 55511, 63372, 63400, 63100, 63769). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Create pkg/scheduling/apis/v1beta1 and move priorityClass to beta
**What this PR does / why we need it**:
This is for creating pkg/apis/scheduling/v1beta1 so that priorityClasses could be moved to beta.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of #57471
**Special notes for your reviewer**:
/cc @bsalamat @aveshagarwal
**Release note**:
```release-note
The `PriorityClass` API is promoted to `scheduling.k8s.io/v1beta1`
```
Automatic merge from submit-queue (batch tested with PRs 63315, 63383, 63318, 63439). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Re-enable lease reconciler, fix shutdown race
Fixes#63378Fixes#57617
* Fixes the openapi script to wait for the apiserver on shutdown (like all the other scripts do)
* Fixes the apiserver shutdown to not hang forever if the kubernetes service reconciler cannot persist to etcd
* Readds https://github.com/kubernetes/kubernetes/pull/58474 to make the default the lease reconciler
```release-note
kube-apiserver: the default `--endpoint-reconciler-type` is now `lease`. The `master-count` endpoint reconciler type is deprecated and will be removed in 1.13.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: master count and lease endpoint test
**What this PR does / why we need it**: Adds a test to make sure master count and lease endpoint reconcilers work well together, so we can bump LeaseEndpoint to beta. Based on Jordan's comment https://github.com/kubernetes/kubernetes/pull/58474#issuecomment-369954890.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Issue: #57617
Followup PR: #58474
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/cc @kubernetes/sig-cluster-lifecycle-api-reviews @kubernetes/sig-cluster-lifecycle-api-reviews
Automatic merge from submit-queue (batch tested with PRs 62655, 61711, 59122, 62853, 62390). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Implemented truncating audit backend
Fixes https://github.com/kubernetes/kubernetes/issues/60432
Introduces an optional truncating backend, disabled by default, that estimates the size of audit events and truncates events/split batches based on the configuration.
/cc @sttts @tallclair @CaoShuFeng @ericchiang
```release-note
Introduce truncating audit backend that can be enabled for existing backend to limit the size of individual audit events and batches of events.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove request context mapper
http.Request now allows setting/retrieving a per-request context, which removes the need for plumbing a request-context mapper throughout the stack
In addition to being way simpler, this has the benefit of removing a potentially contentious lock object from the handling path
This PR:
* removes RequestContextMapper
* converts context fetchers to use `req.Context()`
* converts context setters to use `req = req.WithContext(...)`
* updates filter plumbing in two places (audit and timeout) to properly return the request with modified context
* updates tests that used a fake context mapper to set the context in the request instead
Fixes https://github.com/kubernetes/kubernetes/issues/62796
```release-note
NONE
```
This change updates the REST mapper used by all admission plugins to
be backed by cached discovery information. This cache is updated
every ten seconds via a post start hook and will not attempt to
update on calls to RESTMapping. It solely relies on the hook to
keep the cache in sync with discovery.
This prevents issues with the OwnerReferencesPermissionEnforcement
admission plugin when it is used with custom resources that set
blockOwnerDeletion.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Automatic merge from submit-queue (batch tested with PRs 62650, 62303, 62545, 62375). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Move podsecuritypolicy registry to policy package
**What this PR does / why we need it:**
This is a part of the PSP migration from extensions to policy API group. This PR moves registry to policy package and changes preferred storage format to policy/v1beta1
**Which issue(s) this PR fixes:**
Addressed to https://github.com/kubernetes/features/issues/5
Automatic merge from submit-queue (batch tested with PRs 61404, 61025). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
bug fix: create/update CRD panic when mutating webhook configured
apiextentions apiserver use its own scheme to create a admission chain before creating the apiextensions apiserver config.
Fixes#61355
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60519, 61099, 61218, 61166, 61714). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kube-apiserver add BuiltInAuthorizationOptions validation
Validate BuiltInAuthorizationOptions after flags parsed.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update metrics to true like it is for kube-apiserver
The kube-apiserver always hardcoded to true, but nothing else knew too. I changed the default to true (I can't think of why you wouldn't want it even if you don't often use it).
@kubernetes/sig-api-machinery-bugs
@MikeSpreitzer see if this fixes you?
Automatic merge from submit-queue (batch tested with PRs 60759, 60531, 60923, 60851, 58717). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
validate EtcdOptions.EtcdServersOverrides in EtcdOptions.Validate
move `EtcdOptions.EtcdServersOverrides` validation from `BuildStorageFactory` to `EtcdOptions.Validate`, which fails fast in kube-apiserver startup.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59882, 59434, 57722, 60320, 51249). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Expose default service IP CIDR in apiserver
**What this PR does / why we need it**:
The `--service-cluster-ip-range` parameter of API server is very important for deploying Kubernetes on some clouds. The default CIDR "10.0.0.0/24" should be exposed at least from the API server's help message so that users have a better idea whether they need to change it.
This patch exposes this default value in API server's help message.
**Which issue this PR fixes** : fixes#51248
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60054, 60202, 60219, 58090, 60275). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixes for HTTP/2 max streams per connection setting
**What this PR does / why we need it**:
This PR makes two changes. One is to introduce a parameter
for the HTTP/2 setting that an api-server sends to its clients
telling them how many streams they may have concurrently open in
an HTTP/2 connection. If left at its default value of zero,
this means to use the default in golang's HTTP/2 code (which
is currently 250; see https://github.com/golang/net/blob/master/http2/server.go).
The other change is to make the recommended options for an aggregated
api-server set this limit to 1000. The limit of 250 is annoyingly low
for the use case of many controllers watching objects of Kinds served
by an aggregated api-server reached through the main api-server (in
its mode as a proxy for the aggregated api-server, in which it uses a
single HTTP/2 connection for all calls proxied to that aggregated
api-server).
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#60042
**Special notes for your reviewer**:
**Release note**:
```release-note
Introduced `--http2-max-streams-per-connection` command line flag on api-servers and set default to 1000 for aggregated API servers.
```
This PR makes two changes. One is to introduce a parameter
for the HTTP/2 setting that an api-server sends to its clients
telling them how many streams they may have concurrently open in
an HTTP/2 connection. If left at its default value of zero,
this means to use the default in golang's HTTP/2 code (which
is currently 250).
The other change is to make the recommended options for an aggregated
api-server set this limit to 1000. The limit of 250 is annoyingly low
for the use case of many controllers watching objects of Kinds served
by an aggregated api-server reached through the main api-server (in
its mode as a proxy for the aggregated api-server, in which it uses a
single HTTP/2 connection for all calls proxied to that aggregated
api-server).
Fixes#60042
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
oidc authentication: switch to v2 of coreos/go-oidc
Switch to v2 of [coreos/go-oidc](https://github.com/coreos/go-oidc), which uses square/go-jose to verify tokens and supports more signing algorithms.
Most of this PR removes dependencies used by the older version of github.com/coreos/go-oidc, and updates vendor files.
This PR has been tested against tokens issued by Okta, Google, and CoreOS's dex.
Closes https://github.com/kubernetes/kubernetes/issues/57806
```release-note
kube-apiserver: the OpenID Connect authenticator can now verify ID Tokens signed with JOSE algorithms other than RS256 through the --oidc-signing-algs flag.
kube-apiserver: the OpenID Connect authenticator no longer accepts tokens from the Google v3 token APIs, users must switch to the "https://www.googleapis.com/oauth2/v4/token" endpoint.
```
cc @rithujohn191 @liggitt
cc @kubernetes/sig-auth-pr-reviews
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Introduce PodSecurityPolicy in the policy/v1beta1 API group
Types/constants are completely the same as in `extensions/v1beta1` except that they are located outside of the `extensions` API group.
**What this PR does / why we need it**:
This is the first step for migrating PSP-related stuff away of `extensions` group. See #43214 for more information.
Also it related to https://github.com/kubernetes/features/issues/5
**Example**:
```console
$ cat restricted2.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted2
...
$ kubectl create -f restricted.yaml
podsecuritypolicy "restricted2" created
$ kubectl get psp restricted2 -o yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
...
```
**Release note**:
```release-note
The `PodSecurityPolicy` API has been moved to the `policy/v1beta1` API group. The `PodSecurityPolicy` API in the `extensions/v1beta1` API group is deprecated and will be removed in a future release.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update bazelbuild/rules_go, kubernetes/repo-infra, and gazelle dependencies
**What this PR does / why we need it**: updates our bazelbuild/rules_go dependency in order to bump everything to go1.9.4. I'm separating this effort into two separate PRs, since updating rules_go requires a large cleanup, removing an attribute from most build rules.
**Release note**:
```release-note
NONE
```
With d7ddcca231, we lost the logging
of the flags. We should at least log what the command line flags
were used to start processes as those incredibly useful for trouble shooting.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove experimental keystone authenticator
**What this PR does / why we need it**:
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559
So we don't need this older style / hard coded / experimental code
anymore.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
kube-apiserver: the experimental in-tree Keystone password authenticator has been removed in favor of extensions that enable use of Keystone tokens.
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
controller-manager: switch to options+config pattern and add https+auth
This PR switch the {kube,cloud}-controller-managers to use the Options+Config struct pattern for bootstrapping, as we use it throughout all apiservers. This allows us to easily plug in https and authn/z support.
Fixes parts of https://github.com/kubernetes/kubernetes/issues/59483
This is equivalent to https://github.com/kubernetes/kubernetes/pull/59408 after squashing.
```release-note
Deprecate insecure HTTP port of kube-controller-manager and cloud-controller-manager. Use `--secure-port` and `--bind-address` instead.
```
Automatic merge from submit-queue (batch tested with PRs 59580, 58854). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Prefer apps/v1 storage for daemonsets, deployments, replicasets, statefulsets
The workload API objects went GA in 1.9. This means we can safely begin persisting them in etcd in apps/v1 format in 1.10.
xref #43214
```release-note
DaemonSet, Deployment, ReplicaSet, and StatefulSet objects are now persisted in etcd in apps/v1 format
```
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559
So we don't need this older style / hard coded / experimental code
anymore.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add V1beta1 VolumeAttachment API
**What this PR does / why we need it**:
Add V1beta1 VolumeAttachment API, co-existing with Alpha API object
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58461
**Special notes for your reviewer**:
**Release note**:
```release-note
Add V1beta1 VolumeAttachment API, co-existing with Alpha API object
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
refactor aggregator api group install
**What this PR does / why we need it**:
refactor aggregator apigroup install. move NewRESTStorage to
`staging/src/k8s.io/kube-aggregator/pkg/registry/apiservice/rest/storage_apiservice.go`
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kube-apiserver flag --admision-control is deprecated, use the new --e…
…nable-admission-plugins
**What this PR does / why we need it**:
1. As #58123 mark kube-apiserver flag `admission-control` deprecated, replace it in some places.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @liggitt @deads2k @sttts
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use SSH tunnel for webhook communication iff the webhook is deployed as a service
**What this PR does / why we need it**:
We are getting the following error when the apiserver connects the webhook on localhost (configured via URL). We should only use the SSL tunnel for the connections to nodes when the webhooks are running as services.
```
I0119 17:41:18.678436 1 ssh.go:400] [4cdf44753cc3705d: localhost:10258] Dialing...
W0119 17:41:18.678483 1 ssh.go:424] SSH tunnel not found for address "localhost", picking random node
I0119 17:41:18.679810 1 ssh.go:402] [4cdf44753cc3705d: localhost:10258] Dialed in 1.398691ms.
W0119 17:41:18.679928 1 admission.go:256] Failed calling webhook, failing closed xxx: failed calling admission webhook "xxx": Post xxx: ssh: rejected: connect failed (Connection refused)
I0119 17:41:18.680346 1 wrap.go:42] POST /api/v1/namespaces/kube-system/pods: (5.725588ms) 500
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # https://github.com/kubernetes/kubernetes/issues/58779
**Special notes for your reviewer**:
**Release note**:
```release-note
kube-apiserver is changed to use SSH tunnels for webhook iff the webhook is not directly routable from apiserver's network environment.
```
/assign @lavalamp @caesarxuchao @cheftako
Dr. Stefan Schimanski