Automatic merge from submit-queue (batch tested with PRs 65456, 65549). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix flexvolume in containerized kubelets
Fixes flex volumes in containerized kubelets.
cc @jsafrane @chakri-nelluri @verult
Note to reviewers : e2e tests pass in local containarized cluster.
```release-note
Fix flexvolume in containarized kubelets
```
Automatic merge from submit-queue (batch tested with PRs 65456, 65549). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add volume mode field to constructed volume spec for CSI plugin
Add volume mode filed to constructed Volume Spec for CSI plugin
```release-note
Add volume mode filed to constructed volume spec for CSI plugin
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adding traffic shaping support for CNI network driver
**What this PR does / why we need it**:
Adding traffic shaping support for CNI network driver - it's also a sub-task of kubenet deprecation work.
Design document is available here: https://github.com/kubernetes/community/pull/1893
**Which issue(s) this PR fixes**:
Fixes #
**Special notes for your reviewer**:
/cc @freehan @jingax10 @caseydavenport @dcbw
/sig network
/sig node
**Release note**:
```release-note
Support traffic shaping for CNI network driver
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Use separate YAML docs for the kubelet and kube-proxy ComponentConfigs
**What this PR does / why we need it**:
This PR makes kubeadm load the ComponentConfig for the kubelet and kube-proxy from separate YAML documents in the `kubeadm init` config file. This is backwards-compatible with `v1alpha2`. The ComponentConfigs are stored internally in the internal kubeadm `MasterConfiguration` struct, but when marshalling the componentconfigs are written as separate YAML documents.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref: kubernetes/kubeadm#911
Depends on:
- [x] https://github.com/kubernetes/kubernetes/pull/65776
- [x] https://github.com/kubernetes/kubernetes/pull/65628
- [x] https://github.com/kubernetes/kubernetes/pull/65629
- [x] https://github.com/kubernetes/kubernetes/pull/65631
- [x] https://github.com/kubernetes/kubernetes/pull/65940
**Special notes for your reviewer**:
Only review the last five commits please. (The last commit is purely autogenerated, so can be skipped)
**Release note**:
```release-note
kubeadm: Use separate YAML documents for the kubelet and kube-proxy ComponentConfigs
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
/assign @timothysc
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Start using internal versions for ComponentConfigs in the internal API
**What this PR does / why we need it**:
This PR changes kubeadm to store the internal API versions of the ComponentConfig APIs, in order to in the future be able to read multiple external versions with conversion. It also moves all the ComponentConfigs to a common struct instead of splitting them out in many. This makes it possible to more easily host more ComponentConfigs in the future. In v1alpha3, the ComponentConfigs will later be removed from the external version of the API (see: https://github.com/kubernetes/kubernetes/pull/65787), but for this PR no changes to the external API are made.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref: kubernetes/kubeadm#911
Depends on:
- [x] https://github.com/kubernetes/kubernetes/pull/65776
- [x] https://github.com/kubernetes/kubernetes/pull/65628
- [x] https://github.com/kubernetes/kubernetes/pull/65629
- [x] https://github.com/kubernetes/kubernetes/pull/65631
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add a README in test/e2e/node with a warning
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65882, 65896, 65755, 60549, 65927). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix visibility of testdata for //test/cmd:legacy-script
**What this PR does / why we need it**: fixes some BUILD visibility, albeit for a relatively unused target
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65882, 65896, 65755, 60549, 65927). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adding details to Conformance Tests using RFC 2119 standards.
This PR is part of the conformance documentation. This is to provide more formal specification using RFC 2119 keywords to describe the test so that who ever is running conformance tests do not have to go through the code to understand why and what is tested.
The documentation information added here into each of the tests eventually result into a document which is currently checked in at location https://github.com/cncf/k8s-conformance/blob/master/docs/KubeConformance-1.9.md
I would like to have this PR reviewed for v1.10 as I consider it important to strengthen the conformance documents.
Automatic merge from submit-queue (batch tested with PRs 65882, 65896, 65755, 60549, 65927). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Avoid printing some service comments in iptables rules
According to some profiles, with large number of endpoints in the system, comments mentioning the service in appropriate iptables rules may be responsible for 40% of all iptables contents.
Given that ~70% of memory usage of kube-proxy seems to be because of generated iptables rules, the overall saving may be at the level of 30% or so.
OTOH, we sacrifise a bit understandability of iptables, but this PR only changes some of iptables that contribute to the most painful rules.
@thockin @danwinship @dcbw - thoughts?
Ref #65441
Automatic merge from submit-queue (batch tested with PRs 65882, 65896, 65755, 60549, 65927). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fail update-godep-licenses if bash version lower than 4
**What this PR does / why we need it**:
trying to update godeps on mac OSX fails without any information, this patch exits the script with a return error code just after printing the cause of the failure in the screen to the user
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#65784
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65882, 65896, 65755, 60549, 65927). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add script to verify generated files
**What this PR does / why we need it**:
This is probably *really* heavy handed fix to this, but it will catch issues in presubmit.
Basically, takes a copy of the repo, clears out anything that is ignored from the git tree, runs `make generated_files`, and looks for a git diff. If there is one, error. Anything that is properly gitignored won't cause a diff, but anything that is *supposed* to be checked in, but is different, this will catch.
**Special notes for your reviewer**:
I'm open to more elegant answers, but this will at least stop it from happening for now.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: pause image should be arch agnostic, as it is a manifest list
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
**What this PR does / why we need it**:
`pause` image is backed by a manifest list. so we should not use the arch image when reporting using say `kubeadm config image list`
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubeadm/issues/962
**Special notes for your reviewer**:
**Release note**:
```release-note
kubeadm: Fix pause image to not use architecture, as it is a manifest list
```
Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Improve multi-authorizer errors
Fixes#52279
Includes an indication from the RBAC authorizer that it attempted to authorize the request. this reduces confusion when combined with a webhook authorizer that returns specific reasons for rejection
/sig auth
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
vSphere Cloud Provider: avoid read race during logout
**What this PR does / why we need it**:
The `go test -race` will sometimes detect a read race in the vSphere Cloud Provider logout function, causing tests to fail.
**Which issue(s) this PR fixes**:
Fixes#65696
**Special notes for your reviewer**:
The Client nil check was added in 6d1c4a3 , but there was not any
go test coverage of that code path until e22f9ca
**Release note**:
```release-note
none
```
Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
track schemes by name for error reporting
Getting an error message about a type not being in the scheme is hard to fix if you don't know which scheme is failing. This adds a name to the scheme which can be set during creation or can be set based on the calling stack. If you use the old constructor a name is generated for you based on the stack. Something like "k8s.io/client-go/dynamic/scheme.go:28" for instance.
Also moves a typer to its point of use. This was debt from previous refactors which I noticed going through.
@kubernetes/sig-api-machinery-misc
@sttts
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove unneeded deps
**What this PR does / why we need it**:
#65707 removed reliance on `github.com/google/cadvisor/http` (and it's dependencies), but we forgot to clean up the dep. This is causing failures in batches and postsubmits.
**Release note**:
```release-note
NONE
```
/cc @BenTheElder @dims @dashpole @luxas @philips @yujuhong
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[kubeadm] Print required flags when running kubeadm upgrade plan
**What this PR does / why we need it**:
print required flags when running kubeadm upgrade plan
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Close [kubernetes/kubeadm#935](https://github.com/kubernetes/kubeadm/issues/935)
**Special notes for your reviewer**:
/assign @chuckha
/assign @neolit123
**Release note**:
```release-note
kubeadm: print required flags when running kubeadm upgrade plan
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove --cadvisor-port - has been deprecated since v1.10
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#56523
**Special notes for your reviewer**:
- Deprecated in https://github.com/kubernetes/kubernetes/pull/59827 (v1.10)
- Disabled in https://github.com/kubernetes/kubernetes/pull/63881 (v1.11)
**Release note**:
```release-note
[action required] The formerly publicly-available cAdvisor web UI that the kubelet started using `--cadvisor-port` is now entirely removed in 1.12. The recommended way to run cAdvisor if you still need it, is via a DaemonSet.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix RunAsGroup.
For https://github.com/kubernetes/features/issues/213
See https://github.com/containerd/cri/issues/836
In https://github.com/containerd/cri/issues/836, people thought that this is a containerd issue. However, it turns out that this feature doesn't work at all. @krmayankk
Without the fix:
```
• Failure [10.125 seconds]
[k8s.io] [sig-node] Security Context [Feature:SecurityContext]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679
should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup] [It]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
Expected error:
<*errors.errorString | 0xc42185bcd0>: {
s: "expected \"gid=2002\" in container output: Expected\n <string>: uid=1002 gid=1002\n \nto contain substring\n <string>: gid=2002",
}
expected "gid=2002" in container output: Expected
<string>: uid=1002 gid=1002
to contain substring
<string>: gid=2002
not to have occurred
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/util.go:2325
```
With the fix:
```
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
------------------------------
[k8s.io] [sig-node] Security Context [Feature:SecurityContext]
should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
[BeforeEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:141
STEP: Creating a kubernetes client
Jul 6 15:38:43.994: INFO: >>> kubeConfig: /var/run/kubernetes/admin.kubeconfig
STEP: Building a namespace api object, basename security-context
Jul 6 15:38:44.024: INFO: No PodSecurityPolicies found; assuming PodSecurityPolicy is disabled.
STEP: Waiting for a default service account to be provisioned in namespace
[It] should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
STEP: Creating a pod to test pod.Spec.SecurityContext.RunAsUser
Jul 6 15:38:44.027: INFO: Waiting up to 5m0s for pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064" in namespace "e2e-tests-security-context-hwm7l" to be "success or failure"
Jul 6 15:38:44.029: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 1.17106ms
Jul 6 15:38:46.031: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 2.003308423s
Jul 6 15:38:48.033: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Succeeded", Reason="", readiness=false. Elapsed: 4.005287901s
STEP: Saw pod success
Jul 6 15:38:48.033: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064" satisfied condition "success or failure"
Jul 6 15:38:48.034: INFO: Trying to get logs from node 127.0.0.1 pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 container test-container: <nil>
STEP: delete the pod
Jul 6 15:38:48.047: INFO: Waiting for pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 to disappear
Jul 6 15:38:48.049: INFO: Pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 no longer exists
[AfterEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:142
Jul 6 15:38:48.049: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready
STEP: Destroying namespace "e2e-tests-security-context-hwm7l" for this suite.
Jul 6 15:38:54.057: INFO: Waiting up to 30s for server preferred namespaced resources to be successfully discovered
Jul 6 15:38:54.084: INFO: namespace: e2e-tests-security-context-hwm7l, resource: bindings, ignored listing per whitelist
Jul 6 15:38:54.107: INFO: namespace e2e-tests-security-context-hwm7l deletion completed in 6.056285097s
• [SLOW TEST:10.113 seconds]
[k8s.io] [sig-node] Security Context [Feature:SecurityContext]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679
should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
------------------------------
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
------------------------------
[k8s.io] [sig-node] Security Context [Feature:SecurityContext]
should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84
[BeforeEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:141
STEP: Creating a kubernetes client
Jul 6 15:38:54.108: INFO: >>> kubeConfig: /var/run/kubernetes/admin.kubeconfig
STEP: Building a namespace api object, basename security-context
STEP: Waiting for a default service account to be provisioned in namespace
[It] should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84
STEP: Creating a pod to test pod.Spec.SecurityContext.RunAsUser
Jul 6 15:38:54.137: INFO: Waiting up to 5m0s for pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064" in namespace "e2e-tests-security-context-hs2vr" to be "success or failure"
Jul 6 15:38:54.138: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 1.374422ms
Jul 6 15:38:56.140: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 2.003249942s
Jul 6 15:38:58.142: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Succeeded", Reason="", readiness=false. Elapsed: 4.005110799s
STEP: Saw pod success
Jul 6 15:38:58.142: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064" satisfied condition "success or failure"
Jul 6 15:38:58.143: INFO: Trying to get logs from node 127.0.0.1 pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 container test-container: <nil>
STEP: delete the pod
Jul 6 15:38:58.149: INFO: Waiting for pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 to disappear
Jul 6 15:38:58.152: INFO: Pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 no longer exists
[AfterEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:142
Jul 6 15:38:58.152: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready
STEP: Destroying namespace "e2e-tests-security-context-hs2vr" for this suite.
Jul 6 15:39:04.157: INFO: Waiting up to 30s for server preferred namespaced resources to be successfully discovered
Jul 6 15:39:04.175: INFO: namespace: e2e-tests-security-context-hs2vr, resource: bindings, ignored listing per whitelist
Jul 6 15:39:04.193: INFO: namespace e2e-tests-security-context-hs2vr deletion completed in 6.039953722s
• [SLOW TEST:10.085 seconds]
[k8s.io] [sig-node] Security Context [Feature:SecurityContext]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679
should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84
------------------------------
SSSSJul 6 15:39:04.193: INFO: Running AfterSuite actions on all node
Jul 6 15:39:04.193: INFO: Running AfterSuite actions on node 1
Ran 2 of 1007 Specs in 50.246 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 1005 Skipped PASS
Ginkgo ran 1 suite in 50.482926642s
Test Suite Passed
2018/07/06 15:39:04 process.go:155: Step './hack/ginkgo-e2e.sh -host=https://localhost:6443 --ginkgo.focus=RunAsGroup' finished in 50.523613088s
2018/07/06 15:39:04 e2e.go:83: Done
```
We should cherry-pick this to 1.10 and 1.11. /cc @kubernetes/sig-node-bugs
```release-note
Fix `RunAsGroup` which doesn't work since 1.10.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove echo cmd when overwriting a file from an Env var.
**What this PR does / why we need it**:
Cleanup the shell script.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
"NONE"
```
Automatic merge from submit-queue (batch tested with PRs 65897, 65909, 65856, 65815). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
only need to ignore resources that match discovery conditions
GC and quota controllers ignore resources that are too expensive to manage. In kube this is only events. The incompatible resources should now be excluded on the basis of discovery. We should actually reflect that in the RESTStorage (done for GC for events) and discovery too.
@liggitt
@kubernetes/sig-api-machinery-bugs
```release-note
NONE
```