Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
removes k8s.io/kubernetes/pkg/api dependency from the webhook plugin.
**What this PR does / why we need it**: removes `k8s.io/kubernetes/pkg/api` dependency from `webhook` plugin. The runtime.scheme can be injected to the webhook from the plugin initializer.
**Release note**:
```
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Move initializer plugin to the generic apiserver
* Moves `k8s.io/kuberentes/plugin/pkg/admission/initialization` to `k8s.io/apiserver/pkg/admission/plugin/initialization`
* Moves `k8s.io/kubernetes/pkg/kubeapiserver/admission/configuration` to `k8s.io/apiserver/pkg/admission/configuration`
* The initializer plugin used to depend on `k8s.io/kubernetes` because it does a type assertion of `api.Pod`. It tries to skip mirror pod. I converted that code to use the generic accessor pattern.
move k8s.io/kubernetes/plugin/pkg/admission/initialization to
k8s.io/apiserver/pkg/admission/plugin/initialization/initialization.go;
move k8s.io/kubernetes/pkg/kubeapiserver/admission/configuration to
k8s.io/apiserver/pkg/admission/configuration.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
moves admission.v1alpha1.NewAdmissionReview method to webhook plugin
**What this PR does / why we need it**:
this is necessary, because the webhook plugin will be moved down to apiserver.
**Release note**:
```
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
bazel: build/test almost everything
**What this PR does / why we need it**: Miscellaneous cleanups and bug fixes. The main motivating idea here was to make `bazel build //...` and `bazel test //...` mostly work. (There's a few reasons these still don't work, but we're a lot closer.)
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @BenTheElder @mikedanese @spxtr
Automatic merge from submit-queue (batch tested with PRs 52831, 52764, 52763, 52673, 52558). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
Allow updating objects with empty pending initializers list
**What this PR does / why we need it**: When updating an object, an empty pending list should be treated as a nil initializer. This PR fixes a bug which prevented this functionality and also adds a test which will ensure this functionality is preserved.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#52202
**Special notes for your reviewer**:
/cc @caesarxuchao
**Release note**:
```release-note
Fixes an initializer bug where update requests which had an empty pending initializers list were erroneously rejected.
```
Automatic merge from submit-queue (batch tested with PRs 52831, 52764, 52763, 52673, 52558). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
default service resolver for webhook admission
**What this PR does / why we need it**:
provides a default service resolver for webhook plugin. The rationale behind is that webhook plugins names can be resolved by a dns server working inside a cluster.
**Release note**:
```
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
deprecate warning for persistent volume admission controller
**What this PR does / why we need it**:
deprecate warning for persistent volume admission controller
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#52617
**Special notes for your reviewer**:
**Release note**:
```release-note
PersistentVolumeLabel admission controller is now deprecated.
```
Automatic merge from submit-queue (batch tested with PRs 51337, 47080, 52646, 52635, 52666). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
PodSecurityPolicy.allowedCapabilities: add support for * to allow to request any capabilities
**What this PR does / why we need it**:
Prior this change there was no way to allow to pods to request any capabilities. Cluster admin had always specify a full list of capabilities explicitly. Because there are many of them, it gets tedious. This PR makes possible to use `*` to allow all possible capabilities. Non-paranoid (and lazy) cluster admins can use it. Those who are super strict and paranoid of course won't use it because `*` allows capabilities that don't exist today but may be introduced in the future.
"privileged" PSP in examples was modified to allow privileged users to use this feature.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#50055
**Special notes for your reviewer**:
This functional is already present in OpenShift: https://github.com/openshift/origin/pull/12875 and https://github.com/openshift/origin/pull/15135
**Release note**:
```release-note
PSP: add support for using `*` as a value in `allowedCapabilities` to allow to request any capabilities
```
CC @simo5 @pweil- @gyliu513 @liqlin2015
Automatic merge from submit-queue (batch tested with PRs 52452, 52115, 52260, 52290)
Fix support for updating quota on update
This PR implements support for properly handling quota when resources are updated. We never take negative values and add them up.
Fixes https://github.com/kubernetes/kubernetes/issues/51736
cc @derekwaynecarr
/sig storage
```release-note
Make sure that resources being updated are handled correctly by Quota system
```
Introduce feature gate for expanding PVs
Add a field to SC
Add new Conditions and feature tag pvc update
Add tests for size update via feature gate
register the resize admission plugin
Update golint failures
The EventRateLimit plug-in limits the number of events that the API Server
will accept in a given time period. It allows for server-wide, per-namespace,
per-user,and per-source+object rate limiting.
Automatic merge from submit-queue
Add local ephemeral storage support in LimitRange
**Special notes for your reviewer**:
For a single local ephemeral storage resource
xref #43607
**Release note**:
```release-note
Add local ephemeral storage support to LimitRange
```
/assign @jingxu97
cc @ddysher
Automatic merge from submit-queue (batch tested with PRs 50953, 51082)
Fix mergekey of initializers; Repair invalid update of initializers
Fix https://github.com/kubernetes/kubernetes/issues/51131
The PR did two things to make parallel patching `metadata.initializers.pending` possible:
* Add mergekey to initializers.pending
* Let the initializer admission plugin set the `metadata.intializers` to nil if an update makes the `pending` and the `result` both nil, instead of returning a validation error. Otherwise if multiple initializer controllers sending the patch removing themselves from `pending` at the same time, one of them will get a validation error.
```release-note
The patch to remove the last initializer from metadata.initializer.pending will result in metadata.initializer to be set to nil (assuming metadata.initializer.result is also nil), instead of resulting in an validation error.
```
Automatic merge from submit-queue
Remove null -> [] slice hack
Closes#44593
When 1.6 added protobuf storage, the storage layer lost the ability to persist slice fields with empty but non-null values.
As a workaround, we tried to convert empty slice fields to `[]`, rather than `null`. Compressing `null` -> `[]` was just as much of an API breakage as `[]` -> `null`, but was hoped to cause fewer problems in clients that don't do null checks.
Because of conversion optimizations around converting lists of objects, the `null` -> `[]` hack was discovered to only apply to individual get requests, not to a list of objects. 1.6 and 1.7 was released with this behavior, and the world didn't explode. 1.7 documented the breaking API change that `null` and `[]` should be considered equivalent, unless otherwise noted on a particular field.
This PR:
* Reverts the earlier attempt (https://github.com/kubernetes/kubernetes/pull/43422) at ensuring non-null json slice output in conversion
* Makes results of `get` consistent with the results of `list` (which helps naive clients that do deepequal comparisons of objects obtained via list/watch and get), and allows empty slice fields to be returned as `null`
```release-note
Protobuf serialization does not distinguish between `[]` and `null`.
API fields previously capable of storing and returning either `[]` and `null` via JSON API requests (for example, the Endpoints `subsets` field) can now store only `null` when created using the protobuf content-type or stored in etcd using protobuf serialization (the default in 1.6+). JSON API clients should tolerate `null` values for such fields, and treat `null` and `[]` as equivalent in meaning unless specifically documented otherwise for a particular field.
```
Automatic merge from submit-queue
Add enj as reviewer to OWNERS
Adding myself as a reviewer for the following areas:
- API
- auth
- registry
- storage (etcd)
Signed-off-by: Monis Khan <mkhan@redhat.com>
**Release note**:
```release-note
NONE
```
@kubernetes/sig-api-machinery-pr-reviews
@kubernetes/sig-auth-pr-reviews
Automatic merge from submit-queue
Add Priority admission controller
**What this PR does / why we need it**: Add Priority admission controller. This admission controller checks creation and update of PriorityClasses. It also resolves a PriorityClass name of a pod to its integer value.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Add Priority admission controller for monitoring and resolving PriorityClasses.
```
ref/ #47604
ref/ #48646
Automatic merge from submit-queue
Task 3: Add MemoryPressure toleration for no BestEffort pod.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: part of #42001
**Release note**:
```release-note
After 1.8, admission controller will add 'MemoryPressure' toleration to Guaranteed and Burstable pods.
```
Automatic merge from submit-queue
Update admission control args in imagepolicy comment
Use '--admission-control-config-file' rather than
'--admission-controller-config-file'
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix print type of podname
**What this PR does / why we need it**:
It is better to change it to %s. According to context and other prints of this file, pod name's print type are all %s, except this one.
Although it does not affect the result.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48224, 45431, 45946, 48775, 49396)
add reflector metrics
This adds metrics (optionally prometheus) to reflectors so that you can see when one reflector is behaving poorly and just how poorly its doing.
@eparis
```release-note
Adds metrics for checking reflector health.
```
Automatic merge from submit-queue (batch tested with PRs 49444, 47864, 48584, 49395, 49118)
fixed conflict resolution behavior while apply podpresets
**What this PR does / why we need it**:
This fixes the PodPreset application behavior in case of conflicts occur during the merging of Pod's information with PodPreset's. More details are in issue #47861
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes#47861
**Special notes for your reviewer**:
We are splitting the PodPreset application logic in two phases. In first phase, we try to detect the conflicts in information merging without modifying the Pod at all. If conflict occurs, then we reject the PodPresets injection. Incase of no conflicts, we apply the PodPresets and merge the information.
**Release note**:
```release-note
PodPreset is not injected if conflict occurs while applying PodPresets to a Pod.
```
Automatic merge from submit-queue (batch tested with PRs 49120, 46755, 49157, 49165, 48950)
Modify podpreset lister to use correct namespace
Previously a pod with an empty namespace field submitted to a given namespace
was incorrectly matching preset labels in a different namespace.
Fixes https://github.com/kubernetes/kubernetes/issues/49141
Release note:
```release-note
Fix pod preset to ignore input pod namespace in favor of request namespace
```
Automatic merge from submit-queue (batch tested with PRs 49055, 49128, 49132, 49134, 49110)
Remove affinity annotations leftover
**What this PR does / why we need it**:
This is a further cleanup for affinity annotations, following #47869.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
ref: #47869
**Special notes for your reviewer**:
- I remove the commented test cases and just leave TODOs instead. I think converting these untestable test cases for now is not necessary. We can add new test cases in future.
- I remove the e2e test case `validates that embedding the JSON PodAffinity and PodAntiAffinity setting as a string in the annotation value work` because we have a test case `validates that InterPod Affinity and AntiAffinity is respected if matching` to test the same thing.
/cc @aveshagarwal @bsalamat @gyliu513 @k82cn @timothysc
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47204, 46808, 47432, 47400, 47099)
Make the generic webhook admission controller use the dynamic webhook config manager
Based on #46672 and #46388.
Only the last commit is unique.
* removed `SetWebhookSource` from the PluginInitializer
* implemented `SetExternalClientset` for the generic webhook admisson controller, initializing an ExternalWebhookConfigurationManager in the method.
Automatic merge from submit-queue
Allow pods to opt out of PodPreset mutation via an annotation on the pod
An annotation in the pod spec of the form:
podpreset.admission.kubernetes.io/PodPresetOptOut: "true"
Will cause the admission controller to skip manipulating the pod spec,
no matter the labelling.
This is an alternative implementation to pull #44163.
```release-note
Allow pods to opt out of PodPreset mutation via an annotation on the pod.
```
Automatic merge from submit-queue (batch tested with PRs 46718, 46828, 46988)
Simply changed the names of packages of some admission plugins.
**What this PR does / why we need it**:
This PR simply changes the names of packages of some admission plugins so that they are not in conflict with admission pkg.
**Release note**:
```release-note
NONE
```
Handle failure cases on startup gracefully to avoid causing cascading
errors and poor initialization in other components. Initial errors from
config load cause the initializer to pause and hold requests. Return
typed errors to better communicate failures to clients.
Add code to handle two specific cases - admin wants to bypass
initialization defaulting, and mirror pods (which want to bypass
initialization because the kubelet owns their lifecycle).
An annotation in the pod spec of the form:
podpreset.admission.kubernetes.io/exclude: "true"
Will cause the admission controller to skip manipulating the pod spec,
no matter the labelling.
The annotation for a podpreset acting on a pod has also been slightly
modified to contain a podpreset prefix:
podpreset.admission.kubernetes.io/podpreset-{name} = resource version
Fixes#44161
Automatic merge from submit-queue (batch tested with PRs 46681, 46786, 46264, 46680, 46805)
Add annotation for image policy webhook fail open.
**What this PR does / why we need it**: there's no good way to audit log if binary verification fails open. Adding an annotation can solve that, and provide a useful tool to audit [non-malicious] containers.
**Release note**: add the annotation "alpha.image-policy.k8s.io/failed-open=true" to pods created when the image policy webhook fails open.
```release-note
Add the `alpha.image-policy.k8s.io/failed-open=true` annotation when the image policy webhook encounters an error and fails open.
```
Automatic merge from submit-queue
Add initializer support to admission and uninitialized filtering to rest storage
Initializers are the opposite of finalizers - they allow API clients to react to object creation and populate fields prior to other clients seeing them.
High level description:
1. Add `metadata.initializers` field to all objects
2. By default, filter objects with > 0 initializers from LIST and WATCH to preserve legacy client behavior (known as partially-initialized objects)
3. Add an admission controller that populates .initializer values per type, and denies mutation of initializers except by certain privilege levels (you must have the `initialize` verb on a resource)
4. Allow partially-initialized objects to be viewed via LIST and WATCH for initializer types
5. When creating objects, the object is "held" by the server until the initializers list is empty
6. Allow some creators to bypass initialization (set initializers to `[]`), or to have the result returned immediately when the object is created.
The code here should be backwards compatible for all clients because they do not see partially initialized objects unless they GET the resource directly. The watch cache makes checking for partially initialized objects cheap. Some reflectors may need to change to ask for partially-initialized objects.
```release-note
Kubernetes resources, when the `Initializers` admission controller is enabled, can be initialized (defaulting or other additive functions) by other agents in the system prior to those resources being visible to other clients. An initialized resource is not visible to clients unless they request (for get, list, or watch) to see uninitialized resources with the `?includeUninitialized=true` query parameter. Once the initializers have completed the resource is then visible. Clients must have the the ability to perform the `initialize` action on a resource in order to modify it prior to initialization being completed.
```
Automatic merge from submit-queue (batch tested with PRs 46239, 46627, 46346, 46388, 46524)
Dynamic webhook admission control plugin
Unit tests pass.
Needs plumbing:
* [ ] service resolver (depends on @wfender PR)
* [x] client cert (depends on ????)
* [ ] hook source (depends on @caesarxuchao PR)
Also at least one thing will need to be renamed after Chao's PR merges.
```release-note
Allow remote admission controllers to be dynamically added and removed by administrators. External admission controllers make an HTTP POST containing details of the requested action which the service can approve or reject.
```
Automatic merge from submit-queue (batch tested with PRs 46239, 46627, 46346, 46388, 46524)
move labels to components which own the APIs
During the apimachinery split in 1.6, we accidentally moved several label APIs into apimachinery. They don't belong there, since the individual APIs are not general machinery concerns, but instead are the concern of particular components: most commonly the kubelet. This pull moves the labels into their owning components and out of API machinery.
@kubernetes/sig-api-machinery-misc @kubernetes/api-reviewers @kubernetes/api-approvers
@derekwaynecarr since most of these are related to the kubelet
Automatic merge from submit-queue (batch tested with PRs 41563, 45251, 46265, 46462, 46721)
Toleration should be `notReady:NoExecute` in defaulttolerationseconds…
… test.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Add support for creating resources that are not immediately visible to
naive clients, but must first be initialized by one or more privileged
cluster agents. These controllers can mark the object as initialized,
allowing others to see them.
Permission to override initialization defaults or modify an initializing
object is limited per resource to a virtual subresource "RESOURCE/initialize"
via RBAC.
Initialization is currently alpha.
As part of https://github.com/kubernetes/community/pull/132, thsi commit
adds a generic webhook admission controller. This plugin allows for a
completely declarative approach for filtering/matching admission requests
and for matching admission requests, calls out to an external webhook for
handling admission requests.
Automatic merge from submit-queue (batch tested with PRs 45346, 45903, 45958, 46042, 45975)
ResourceQuota admission control injects registry
**What this PR does / why we need it**:
The `ResourceQuota` admission controller works with a registry that maps a GroupKind to an Evaluator. The registry used in the existing plug-in is not injectable, which makes usage of the ResourceQuota plug-in in other API server contexts difficult. This PR updates the code to support late injection of the registry via a plug-in initializer.
Automatic merge from submit-queue (batch tested with PRs 45346, 45903, 45958, 46042, 45975)
Ignored mirror pods in PodPreset admission plugin
**What this PR does / why we need it**:
Ignored mirror pods in PodPreset admission plugin.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#45925
**Release note**:
```release-note
Ignored mirror pods in PodPreset admission plugin.
```
Automatic merge from submit-queue (batch tested with PRs 46028, 46104)
Use name from node object on create
GetName() isn't populated in admission attributes on create unless the rest storage is a NamedCreator (which only specific subresources are today)
Fixes#46085
Automatic merge from submit-queue (batch tested with PRs 45313, 46051)
Change all the existing admission init blocks to call a Register function
**What this PR does / why we need it**:
this is a two stage refactor when done there will be no init block in admission plugins.
Instead all plugins expose Register function which accept admission.Plugins instance.
The registration to global plugin registry happens inside Register function
**Release note**:
```
NONE
```
this is a two stage refactor when done there will be no init block in admission plugins.
Instead all plugins expose Register function which accept admission.Plugins instance.
The registration to global plugin registry happens inside Register func.
Automatic merge from submit-queue (batch tested with PRs 44337, 45775, 45832, 45574, 45758)
Tighten validation of mirror pod annotations
Tightens validation for pods with a mirror pod annotation:
1. spec.nodeName must be set
2. makes the mirror pod annotation immutable
3. starts validating pod-specific annotations during pod status update
None of these changes affect usage of the mirror pod annotation by kubelets, which only set it on pod creation (verified this is true back to 1.5.x)
the second commit updates the pod validation tests to look for specific error messages (best reviewed ignoring whitespace changes)
This is the validation portion of https://github.com/kubernetes/community/blob/master/contributors/design-proposals/kubelet-authorizer.md and https://github.com/kubernetes/features/issues/279
```release-note
Mirror pods must now indicate the nodeName they are bound to on creation. The mirror pod annotation is now treated as immutable and cannot be added to an existing pod, removed from a pod, or modified.
```
Automatic merge from submit-queue (batch tested with PRs 41331, 45591, 45600, 45176, 45658)
Fixing typo in ImagePolicyWebhook admission.go
**What this PR does / why we need it**:
Noticed a typo in kubectl events when working with the ImagePolicyWebhook admission controller
**Special notes for your reviewer**:
first time contributor
Automatic merge from submit-queue
Prepare for move zz_generated_deepcopy.go to k8s.io/api
This is in preparation to move deep copies to with the types to the types repo (see https://github.com/kubernetes/gengo/pull/47#issuecomment-296855818). The init() function is referring the `SchemeBuilder` defined in the register.go in the same packge, so we need to revert the dependency.
This PR depends on https://github.com/kubernetes/gengo/pull/49, otherwise verification will fail.
Automatic merge from submit-queue (batch tested with PRs 44741, 44853, 44572, 44797, 44439)
Check errors before logging providers
The logProviders() should check errors firstly, and do not log
providers when providers is null.
Automatic merge from submit-queue (batch tested with PRs 44862, 42241, 42101, 43181, 44147)
Update limitedByDefault() which does not return error
The limitedByDefault() just get the set of resources names, no error.
Automatic merge from submit-queue (batch tested with PRs 40055, 42085, 44509, 44568, 43956)
Fix gofmt errors
**What this PR does / why we need it**:
There were some gofmt errors on master. Ran the following to fix:
```
hack/verify-gofmt.sh | grep ^diff | awk '{ print $2 }' | xargs gofmt -w -s
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: none
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44440, 44038, 44302, 44316, 43876)
Extend the gc admission plugin to check ownerReference.blockOwnerDeletion
#Extend the gc admission plugin to prevent user who doesn't have delete permission of the *owner* from changing blockOwnerDeletion field of existing ownerReferences, or adding ownerReference with blockOwnerDeletion=true.
The plugin need a RESTMapper to translate ownerRef.Kind to Resource. It should be using a dynamic one. However, as discussed in https://github.com/kubernetes/kubernetes/pull/42615, such a RESTMapper will be built after watchable discovery API is implemented, so in this PR the plugin is using the `api.Registry.RESTMapper()`, which is also [used](https://github.com/kubernetes/kubernetes/blob/master/cmd/kube-controller-manager/app/core.go#L165-L166) by the garbage collector currently.
```release-note
Extending the gc admission plugin so that a user who doesn't have delete permission of the *owner* cannot modify blockOwnerDeletion field of existing ownerReferences, or add new ownerReference with blockOwnerDeletion=true
```
cc @lavalamp
Automatic merge from submit-queue (batch tested with PRs 44424, 44026, 43939, 44386, 42914)
remove defaulting from conversion path
follow up for #42764
* remove call to defaulting from conversion path (defaulting is a separate step from conversion)
* remove non-top-level-object defaulting registration (unused after conversion call is removed)
* generate missing top-level defaults for some api groups:
* autoscaling/v2alpha1
* policy/v1alpha1
* policy/v1beta1
* register top-level defaults for some api groups that were missing them:
* autoscaling/v2alpha1
* settings/v1alpha1
Automatic merge from submit-queue
Non global admission plugin registry
For testing the global state is a problem. This PR turns the actual registry into a struct that must be instantiated. For the beginning, we do this in `pkg/kubeapiserver/admission`. In some follow-up (where we hunt down all globals some day), we will move this into the genericapiserver.
Automatic merge from submit-queue
Conversionlint
**What this PR does / why we need it**:
This PR adds a comment placeholder for the exported or public functions in conversion generator files. Such functions without a comment results into golint failure in various generated files. The changes in this patch takes care of about 36 related lint failures.
Given below is an example lint error,
zz_generated.conversion.go:91:1: exported function Convert_v1alpha1_Binding_To_servicecatalog_Binding should have comment or be unexported
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Considering minor changes no issue is created.
**Special notes for your reviewer**:
Hello, I am trying to fix golint failures as we see them in the kubernetes-incubator/service-catalog project. I have separate PRs opened for lint issues related to other generator code which are in separate libraries like gengo. Thanks!
**Release note**:
```release-note
```
The exported or public functions requires a doc comment to pass golint.
This commit has changes of conversion generated code. The actual doc
changes are added into a separate commit for a clean review.
Automatic merge from submit-queue (batch tested with PRs 43545, 44293, 44221, 43888)
Avoid nil user special-casing in unsecured endpoint
The unsecured handler currently adds no `user.Info` to the request context. That means that anything that tries to authorize actions in the API server currently has to special case nil users to ensure the unsecured localhost endpoint remains capable of performing all actions.
This PR changes the unsecured localhost endpoint to be treated as a privileged user internally, so that no special casing is required by code inside the authentication layer
I'm not particularly attached to the username. It doesn't bother me for it to have a slightly uncomfortable sounding name.
Automatic merge from submit-queue (batch tested with PRs 44084, 42964)
Updated AddOrUpdateTolerationInPod to return bool only.
Updated AddOrUpdateTolerationInPod to return bool only, as there's no case to generate error (the error was used for annotation, it'll not return error after moving to field); and also update admission & daemonset accordingly.
Fix a bug in serviceaccount admission introduced when we switched
everything to use shared informers. That change accidentally reused the
list of secrets instead of creating a new one, resulting in all secrets
in the namespace being returned as possible service account tokens,
instead of limiting it only to the actual service account tokens, as it
did before the shared informer conversion. This also adds a unit test to
ensure there is no future regression here.
Automatic merge from submit-queue (batch tested with PRs 42360, 43109, 43737, 43853)
Include pod namespace in PSP 'use' authorization check
Follow up to https://github.com/kubernetes/kubernetes/pull/33080/files#diff-291b8dd7d08cc034975ddb3925dbb08fR341
Prior to this PR, when PodSecurityPolicy admission is active, you must be authorized to use a covering PodSecurityPolicy cluster-wide in order to create a pod. This PR changes that to only require a covering PodSecurityPolicy within the pod's namespace.
When used in concert with mechanisms that limits pods within a namespace to a particular set of nodes, this can be used to allow users to create privileged pods within specific namespaces only.
```release-note
Permission to use a PodSecurityPolicy can now be granted within a single namespace by allowing the `use` verb on the `podsecuritypolicies` resource within the namespace.
```
Automatic merge from submit-queue (batch tested with PRs 42379, 42668, 42876, 41473, 43260)
Bump test coverage for initialresources
**What this PR does / why we need it**:
Increases test coverage for `plugin/pkg/admission/initialresources` to 80.2%.
**Which issue this PR fixes**
https://github.com/kubernetes/kubernetes/issues/39559
**Special notes for your reviewer**:
Some of these features require E2E tests to achieve 100% coverage, the tests here are just unit tests, so I've tried to delineate as much as possible. I also saw that we might be exporting a lot of this to Heapster in the future.
**Release note**:
```release-note
Test coverage for initialresources increased to 80.2% percent.
```
Automatic merge from submit-queue
Improved test code coverage for plugin/pkg/admission/admit.
**What this PR does / why we need it**:'
part of #39559 , code coverage improved from 60% to 80%
Automatic merge from submit-queue (batch tested with PRs 41794, 42349, 42755, 42901, 42933)
Fix DefaultTolerationSeconds admission plugin
DefaultTolerationSeconds is not working as expected. It is supposed to add default tolerations (for unreachable and notready conditions). but no pod was getting these toleration. And api server was throwing this error:
```
Mar 08 13:43:57 fedora25 hyperkube[32070]: E0308 13:43:57.769212 32070 admission.go:71] expected pod but got Pod
Mar 08 13:43:57 fedora25 hyperkube[32070]: E0308 13:43:57.789055 32070 admission.go:71] expected pod but got Pod
Mar 08 13:44:02 fedora25 hyperkube[32070]: E0308 13:44:02.006784 32070 admission.go:71] expected pod but got Pod
Mar 08 13:45:39 fedora25 hyperkube[32070]: E0308 13:45:39.754669 32070 admission.go:71] expected pod but got Pod
Mar 08 14:48:16 fedora25 hyperkube[32070]: E0308 14:48:16.673181 32070 admission.go:71] expected pod but got Pod
```
The reason for this error is that the input to admission plugins is internal api objects not versioned objects so expecting versioned object is incorrect. Due to this, no pod got desired tolerations and it always showed:
```
Tolerations: <none>
```
After this fix, the correct tolerations are being assigned to pods as follows:
```
Tolerations: node.alpha.kubernetes.io/notReady=:Exists:NoExecute for 300s
node.alpha.kubernetes.io/unreachable=:Exists:NoExecute for 300s
```
@davidopp @kevin-wangzefeng @kubernetes/sig-scheduling-pr-reviews @kubernetes/sig-scheduling-bugs @derekwaynecarr
Fixes https://github.com/kubernetes/kubernetes/issues/42716
Automatic merge from submit-queue
Fix Multizone pv creation on GCE
When Multizone is enabled static PV creation on GCE
fails because Cloud provider configuration is not
available in admission plugins.
cc @derekwaynecarr @childsb
Automatic merge from submit-queue (batch tested with PRs 41306, 42187, 41666, 42275, 42266)
Implement bulk polling of volumes
This implements Bulk volume polling using ideas presented by
justin in https://github.com/kubernetes/kubernetes/pull/39564
But it changes the implementation to use an interface
and doesn't affect other implementations.
cc @justinsb
This implements Bulk volume polling using ideas presented by
justin in https://github.com/kubernetes/kubernetes/pull/39564
But it changes the implementation to use an interface
and doesn't affect other implementations.
Automatic merge from submit-queue (batch tested with PRs 42128, 42064, 42253, 42309, 42322)
Add storage.k8s.io/v1 API
This is combined version of reverted #40088 (first 4 commits) and #41646. The difference is that all controllers and tests use old `storage.k8s.io/v1beta1` API so in theory all tests can pass on GKE.
Release note:
```release-note
StorageClassName attribute has been added to PersistentVolume and PersistentVolumeClaim objects and should be used instead of annotation `volume.beta.kubernetes.io/storage-class`. The beta annotation is still working in this release, however it will be removed in a future release.
```
Automatic merge from submit-queue (batch tested with PRs 42126, 42130, 42232, 42245, 41932)
allow subject access review to non-existent namespace
A localsubjectaccessreview is a special kind of resource which can be created even when the namespace doesn't exist. Since permissions can be granted at different scopes, you can reasonably check if someone *could* do something at a lower scope that isn't there yet. In addition, the permission to do an access check is separate from the permission to list all namespaces, so we're leaking information.
@liggitt @kubernetes/sig-auth-pr-reviews
export functions from pkg/api/validation
add settings API
add settings to pkg/registry
add settings api to pkg/master/master.go
add admission control plugin for pod preset
add new admission control plugin to kube-apiserver
add settings to import_known_versions.go
add settings to codegen
add validation tests
add settings to client generation
add protobufs generation for settings api
update linted packages
add settings to testapi
add settings install to clientset
add start of e2e
add pod preset plugin to config-test.sh
Signed-off-by: Jess Frazelle <acidburn@google.com>
Automatic merge from submit-queue (batch tested with PRs 41814, 41922, 41957, 41406, 41077)
Use consistent helper for getting secret names from pod
Kubelet secret-manager and mirror-pod admission both need to know what secrets a pod spec references. Eventually, a node authorizer will also need to know the list of secrets.
This creates a single (well, double, because api versions) helper that can be used to traverse the secret names referenced from a pod, optionally short-circuiting (for places that are just looking to see if any secrets are referenced, like admission, or are looking for a particular secret ref, like authorization)
Fixes:
* secret manager not handling secrets used by env/envFrom in initcontainers
* admission allowing mirror pods with secret references
@smarterclayton @wojtek-t
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628)
enable DefaultTolerationSeconds admission controller by default
**What this PR does / why we need it**:
Continuation of PR #41414, enable DefaultTolerationSeconds admission controller by default.
**Which issue this PR fixes**:
fixes: #41860
related Issue: #1574, #25320
related PRs: #34825, #41133, #41414
**Special notes for your reviewer**:
**Release note**:
```release-note
enable DefaultTolerationSeconds admission controller by default
```
Automatic merge from submit-queue (batch tested with PRs 41421, 41440, 36765, 41722)
ResourceQuota ability to support default limited resources
Add support for the ability to configure the quota system to identify specific resources that are limited by default. A limited resource means its consumption is denied absent a covering quota. This is in contrast to the current behavior where consumption is unlimited absent a covering quota. Intended use case is to allow operators to restrict consumption of high-cost resources by default.
Example configuration:
**admission-control-config-file.yaml**
```
apiVersion: apiserver.k8s.io/v1alpha1
kind: AdmissionConfiguration
plugins:
- name: "ResourceQuota"
configuration:
apiVersion: resourcequota.admission.k8s.io/v1alpha1
kind: Configuration
limitedResources:
- resource: pods
matchContains:
- pods
- requests.cpu
- resource: persistentvolumeclaims
matchContains:
- .storageclass.storage.k8s.io/requests.storage
```
In the above configuration, if a namespace lacked a quota for any of the following:
* cpu
* any pvc associated with particular storage class
The attempt to consume the resource is denied with a message stating the user has insufficient quota for the matching resources.
```
$ kubectl create -f pvc-gold.yaml
Error from server: error when creating "pvc-gold.yaml": insufficient quota to consume: gold.storageclass.storage.k8s.io/requests.storage
$ kubectl create quota quota --hard=gold.storageclass.storage.k8s.io/requests.storage=10Gi
$ kubectl create -f pvc-gold.yaml
... created
```
Automatic merge from submit-queue (batch tested with PRs 41382, 41407, 41409, 41296, 39636)
Update to use proxy subresource consistently
Proxy subresources have been in place since 1.2.0 and improve the ability to put policy in place around proxy access.
This PR updates the last few clients to use proxy subresources rather than the root proxy
Automatic merge from submit-queue
Add serviceaccount owners files
Poor @derekwaynecarr is the sole approver/reviewer for the entire admission package.
This adds OWNERS files for service account controller and admission packages
When a pod uses a service account that references multiple secrets,
prefer the secrets in the order they're listed.
Without this change, the added test fails:
--- FAIL: TestMultipleReferencedSecrets (0.00s)
admission_test.go:832: expected first referenced secret to be mounted, got "token2"
These files have been created lately, so we don't have much information
about them anyway, so let's just:
- Remove assignees and make them approvers
- Copy approves as reviewers
Automatic merge from submit-queue
make client-go more authoritative
Builds on https://github.com/kubernetes/kubernetes/pull/40103
This moves a few more support package to client-go for origination.
1. restclient/watch - nodep
1. util/flowcontrol - used interface
1. util/integer, util/clock - used in controllers and in support of util/flowcontrol
Automatic merge from submit-queue
eliminate duplicated codes in estimateContainer method
**What this PR does / why we need it**:
there are two code snippets about when to estimate resource for cpu and mem are duplicated, i extracted them into method `getEstimationIfNeeded` method
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
Automatic merge from submit-queue (batch tested with PRs 39807, 37505, 39844, 39525, 39109)
Admission control support for versioned configuration files
**What this PR does / why we need it**:
Today, the `--admission-control-config-file=` argument takes an opaque file that is shared across all admission controllers to provide configuration. This file is not well-versioned and it's shared across multiple plug-ins. Some plugins take file based configuration (`ImagePolicyWebhook`) and others abuse flags to provide configuration because we lacked a good example (`InitialResources`). This PR defines a versioned configuration format that we can use moving forward to provide configuration input to admission controllers that is well-versioned, and does not require the addition of new flags.
The sample configuration file would look as follows:
```
apiVersion: componentconfig/v1alpha1
kind: AdmissionConfiguration
plugins:
- name: "ImagePolicyWebhook"
path: "image-policy-webhook.json"
```
The general behavior is each plugin that requires additional configuration is enumerated by name. An alternate file location is provided for its specific configuration, or the configuration can be embedded as a raw extension via the configuration section.
**Special notes for your reviewer**:
A follow-on PR will be needed to make `ImagePolicyWebhook` to use versioned configuration. This PR maintains backwards compatibility by ignoring configuration it cannot understand and therefore treating the file as opaque. I plan to make use of this PR to complete https://github.com/kubernetes/kubernetes/pull/36765 which attempts to allow more configuration parameters to the `ResourceQuota` admission plugin.
Automatic merge from submit-queue
run staging client-go update
Chasing to see what real problems we have in staging-client-go.
@sttts you get similar results?
Automatic merge from submit-queue
replace global registry in apimachinery with global registry in k8s.io/kubernetes
We'd like to remove all globals, but our immediate problem is that a shared registry between k8s.io/kubernetes and k8s.io/client-go doesn't work. Since client-go makes a copy, we can actually keep a global registry with other globals in pkg/api for now.
@kubernetes/sig-api-machinery-misc @lavalamp @smarterclayton @sttts
Automatic merge from submit-queue
'Max' and 'MIn' don't seem to used anywhere, so I would suggest removing them
Signed-off-by: Yanqiang Miao miao.yanqiang@zte.com.cn
We are more liberal in what we accept as a volume id in k8s, and indeed
we ourselves generate names that look like `aws://<zone>/<id>` for
dynamic volumes.
This volume id (hereafter a KubernetesVolumeID) cannot directly be
compared to an AWS volume ID (hereafter an awsVolumeID).
We introduce types for each, to prevent accidental comparison or
confusion.
Issue #35746
Automatic merge from submit-queue
Add tooling to generate listers
Add lister-gen tool to auto-generate listers. So far this PR only demonstrates replacing the manually-written `StoreToLimitRangeLister` with the generated `LimitRangeLister`, as it's a small and easy swap.
cc @deads2k @liggitt @sttts @nikhiljindal @lavalamp @smarterclayton @derekwaynecarr @kubernetes/sig-api-machinery @kubernetes/rh-cluster-infra
Automatic merge from submit-queue
Update PodAntiAffinity to ignore calls to subresources
@smarterclayton I hit this when I was trying to evict a pod, apparently k8s does not have this particular admission plugin on by default. ptal
@mml @davidopp fyi
At master volume reconciler, the information about which volumes are
attached to nodes is cached in actual state of world. However, this
information might be out of date in case that node is terminated (volume
is detached automatically). In this situation, reconciler assume volume
is still attached and will not issue attach operation when node comes
back. Pods created on those nodes will fail to mount.
This PR adds the logic to periodically sync up the truth for attached volumes kept in the actual state cache. If the volume is no longer attached to the node, the actual state will be updated to reflect the truth. In turn, reconciler will take actions if needed.
To avoid issuing many concurrent operations on cloud provider, this PR
tries to add batch operation to check whether a list of volumes are
attached to the node instead of one request per volume.
More details are explained in PR #33760
Automatic merge from submit-queue
Adding default StorageClass annotation printout for resource_printer and describer and some refactoring
adding ISDEFAULT for _kubectl get storageclass_ output
```
[root@screeley-sc1 gce]# kubectl get storageclass
NAME TYPE ISDEFAULT
another-class kubernetes.io/gce-pd NO
generic1-slow kubernetes.io/gce-pd YES
generic2-fast kubernetes.io/gce-pd YES
```
```release-note
Add ISDEFAULT to kubectl get storageClass output
```
@kubernetes/sig-storage
Automatic merge from submit-queue
Add PSP support for seccomp profiles
Seccomp support for PSP. There are still a couple of TODOs that need to be fixed but this is passing tests.
One thing of note, since seccomp is all being stored in annotations right now it breaks some of the assumptions we've stated for the provider in terms of mutating the passed in pod. I've put big warning comments around the pieces that do that to make sure it's clear and covered the rollback in admission if the policy fails to validate.
@sttts @pmorie @erictune @smarterclayton @liggitt
Automatic merge from submit-queue
Fix typos and englishify plugin/pkg
**What this PR does / why we need it**: Just typos
**Which issue this PR fixes**: `None`
**Special notes for your reviewer**: Just typos
**Release note**: `NONE`
David Eads