Commit Graph

2137 Commits (5e178936a1d989573b038ab0bd4b68521f8c5661)

Author SHA1 Message Date
Avesh Agarwal 13289d2218 Allow override of cluster level (default, whitelist) tolerations by namespace level empty (default, whitelist) tolerations. 2017-11-01 10:47:52 -04:00
Karol Wychowaniec 69d81c926a Allow HPA to get custom metrics 2017-10-31 11:46:07 +01:00
Stewart-YU bc2845ee08 Add explain for preempt function. 2017-10-31 08:27:52 +08:00
Kubernetes Submit Queue 7a944a69d6
Merge pull request #54485 from sttts/sttts-unify-admission-constructors
Automatic merge from submit-queue (batch tested with PRs 54761, 54748, 53991, 54485, 46951). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

admission: unify plugin constructors

It's common in Go to return the actual object in constructors, not **one interface**
it implements. This allows us to implement multiple interfaces, but only have
one constructor. As having private types in constructors, we export all plugin structs, of course with private fields.

Note: super interfaces do not work if there are overlapping methods.
2017-10-30 15:38:33 -07:00
Dr. Stefan Schimanski ce6ecbbc54 Remove all api.Scheme references by using explicit package aliases 2017-10-30 19:54:02 +01:00
Kubernetes Submit Queue 9c35982e1a
Merge pull request #54691 from wackxu/priadm
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

update wrong group for priorityclasses

**What this PR does / why we need it**:

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #54690

**Special notes for your reviewer**:

assign @bsalamat

**Release note**:

```release-note
NONE
```
2017-10-30 10:31:03 -07:00
Dr. Stefan Schimanski 131905cdb8 admission: unify plugin constructors 2017-10-30 16:56:38 +01:00
Kubernetes Submit Queue 7c96feb298
Merge pull request #54047 from kuramal/my
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Optimize Repeated registration of AlgorithmProvider when ApplyFeatureGates

**What this PR does / why we need it**:
modified ApplyFeatureGates() just add/del features, cancel the register of all AlgorithmProvider.

There is repeated registration of all AlgorithmProvider when ApplyFeatureGates() runs;
AlgorithmProvider have already registered when package defaults loaded;
I think ApplyFeatureGates() is just add/del features, it needn't register all AlgorithmProvider again
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```/release-note-none
```
2017-10-29 20:42:48 -07:00
wackxu 2430c24c61 update wrong group for priorityclasses 2017-10-28 10:35:41 +08:00
Kubernetes Submit Queue 27ef37a32d
Merge pull request #54320 from derekwaynecarr/quota-update
Automatic merge from submit-queue (batch tested with PRs 54331, 54655, 54320, 54639, 54288). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Ability to do object count quota for all namespaced resources

**What this PR does / why we need it**:
- Defines syntax for generic object count quota `count/<resource>.<group>`
- Migrates existing objects to support new syntax with old syntax
- Adds support to quota all standard namespace resources 
- Updates the controller to do discovery and replenishment on those resources
- Updates unit tests
- Tweaks admission configuration around quota
- Add e2e test for replicasets (demonstrate dynamic generic counting)

```
$  kubectl create quota test --hard=count/deployments.extensions=2,count/replicasets.extensions=4,count/pods=3,count/secrets=4
resourcequota "test" created
$ kubectl run nginx --image=nginx --replicas=2
$ kubectl describe quota
Name:                         test
Namespace:                    default
Resource                      Used  Hard
--------                      ----  ----
count/deployments.extensions  1     2
count/pods                    2     3
count/replicasets.extensions  1     4
count/secrets                 1     4
```

**Special notes for your reviewer**:
- simple object count quotas no longer require writing code
- deferring support for custom resources pending investigation about how to share caches with garbage collector. In addition, I would like to see how this integrates with downstream quota usage in openshift.

**Release note**:
```release-note
Object count quotas supported on all standard resources using `count/<resource>.<group>` syntax
```
2017-10-27 15:42:24 -07:00
Kubernetes Submit Queue 7d628db7cb
Merge pull request #54657 from anfernee/sched
Automatic merge from submit-queue (batch tested with PRs 54635, 54250, 54657, 54696, 54700). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Remove unused pods in genericScheduler

**What this PR does / why we need it**: source code cleanup. less confusion.

**Special notes for your reviewer**:

**Release note**:

```release-note
None
```
2017-10-27 14:38:26 -07:00
Derek Carr 5b4ca14307 Update admission control framework for quota 2017-10-27 11:08:14 -04:00
Kubernetes Submit Queue 3a5eab236f Merge pull request #54538 from WIZARD-CXY/updatehostPort
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

delete the hostport from usedmap

**What this PR does / why we need it**:
delete the hostport record when pod is not on the host

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

Facilitate the further pr https://github.com/kubernetes/kubernetes/pull/52421. Because the code which detects the conflict between wantports and existingports is not quite clean now.
Besides, removing the unused port from the map will save memory.

**Special notes for your reviewer**:

I and the original coder @k82cn agreed to make this change

**Release note**:

```release-note
NONE
```
2017-10-27 02:18:41 -07:00
Yongkun Anfernee Gui 6ef9cf4936 Remove unused pods in genericScheduler 2017-10-26 15:23:26 -07:00
David Eads 8c1fe1f61a move webhook admission to generic apiserver 2017-10-26 07:45:49 -04:00
Kubernetes Submit Queue 32847aab1d Merge pull request #51783 from jiulongzaitian/myfeature3
Automatic merge from submit-queue (batch tested with PRs 54081, 54271, 51783, 54600, 54594). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

move getMaxVols function to predicates.go and add some NewVolumeCount…

…Predicate funcs

Signed-off-by: zhangjie <zhangjie0619@yeah.net>



**What this PR does / why we need it**:

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
move getMaxVols function to predicates.go and add some NewVolumeCountPredicate funcs
```
2017-10-26 02:43:48 -07:00
zhangjie 968df828a0 move getMaxVols function to predicates.go and change the params of NewMaxPDVolumeCountPredicate funcs
Signed-off-by: zhangjie <zhangjie0619@yeah.net>
2017-10-26 12:11:09 +08:00
kuramal a48cc26443 Optimize Repeated registration of AlgorithmProvider when ApplyFeatureGates
Add InsertPredicateKeyToAlgorithmProviderMap() and RemovePredicateKeyFromAlgorithmProviderMap() to insert/remove fit predicate key of all algorithmProviders which in algorithmProviderMap
Add Func RemovePredicateKeyFromAlgoProvider() AND InsertPredicateKeyToAlgoProvider() which can insert/remove fit predicate key to specific algorithmProvider
2017-10-26 10:10:48 +08:00
Kubernetes Submit Queue 17638ee018 Merge pull request #54414 from deads2k/admission-08-options
Automatic merge from submit-queue (batch tested with PRs 53760, 48996, 51267, 54414). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

update admission webhook to handle multiple auth domains

Fixes https://github.com/kubernetes/kubernetes/issues/54404

Adds some wiring to have the admission plugin accept a config file for per-apiserver configuration.

@kubernetes/sig-auth-api-reviews @deads2k @ericchiang @liggitt in particular
@kubernetes/sig-api-machinery-pr-reviews @lavalamp @caesarxuchao @sttts @cheftako

```release-note
generic webhook admission now takes a config file which describes how to authenticate to webhook servers
```
2017-10-25 17:37:11 -07:00
chenxingyu 195de933f1 delete the hostport from usedmap 2017-10-25 15:49:18 +08:00
Bobby (Babak) Salamat ccc62412a3 Autogenerated files 2017-10-24 16:04:58 -07:00
Bobby (Babak) Salamat 5497e893ae Change type of scheduling queue from cache.FIFO to a new interface 2017-10-24 16:04:58 -07:00
Haoran Wang 4b185b4db9 update scheduler to use schedulerName selector 2017-10-24 13:31:38 +08:00
Kubernetes Submit Queue 6a444673b9 Merge pull request #53914 from bsalamat/pdb
Automatic merge from submit-queue (batch tested with PRs 53903, 53914, 54374). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Add PodDisruptionBudget to scheduler cache.

**What this PR does / why we need it**:
This is the first step to add support for PodDisruptionBudget during preemption. This PR adds PDB to scheduler cache.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**: None

**Release note**:

```release-note
Add PodDisruptionBudget to scheduler cache.
```

ref/ #53913
2017-10-23 12:27:06 -07:00
Kubernetes Submit Queue fd3878a59d Merge pull request #54333 from liggitt/webhook-service-resolver
Automatic merge from submit-queue (batch tested with PRs 54363, 54333). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Ensure port on resolved service host

The resolved host should include a port so it can be used by dialers directly. It's also not necessary to reparse the URL when constructing directly.

```release-note
NONE
```
2017-10-23 11:30:25 -07:00
David Eads fd4ab3e061 update admission webhook to handle multiple auth domains 2017-10-23 12:33:54 -04:00
Kubernetes Submit Queue 3812230f4d Merge pull request #48963 from Raffo/master
Automatic merge from submit-queue (batch tested with PRs 52792, 48963). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Fix range for min value in imagepolicy admission 

**What this PR does / why we need it**:
This makes the range for imagepolicy admission work properly. Currently if we specify `1s` for the value of `AllowTTL` or `DenyTTL` in the configuration yaml, we get a message like the following: 

```
Error: failed to initialize plugins: Couldn't init admission plugin "ImagePolicyWebhook": valid value is between 1s and 30m0s, got 1s
```

This is due to a wrong comparison which is fixed in this PR. The rest of the PR just adds tests for this behaviour.
2017-10-21 15:10:12 -07:00
Bobby (Babak) Salamat efc151f46b Autogenerated files 2017-10-20 23:22:03 -07:00
Bobby (Babak) Salamat 9a5d058e5e Add PodDisruptionBudget to scheduler cache. 2017-10-20 23:22:02 -07:00
Jordan Liggitt d45f01e953
Ensure port on resolved service host 2017-10-20 23:01:11 -04:00
Bobby (Babak) Salamat ffa9ed60a8 Fix scheduler permission to patch pods 2017-10-20 18:04:37 -07:00
Kubernetes Submit Queue 10cafb8390 Merge pull request #54309 from liggitt/replicaset-permissions
Automatic merge from submit-queue (batch tested with PRs 52147, 54309). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Update bootstrap policy with replicaset/daemonset permissions in the apps API group

Resolves #54310

Bootstrap policy was not updated when replicasets and daemonsets got promoted to the apps group

```release-note
Resolves forbidden error when accessing replicasets and daemonsets via the apps API group
```
2017-10-20 14:58:14 -07:00
Jordan Liggitt 3789051726
Update bootstrap policy with replicaset/daemonset permissions in the apps API group 2017-10-20 12:59:39 -04:00
Kubernetes Submit Queue fe6258fb9b Merge pull request #54261 from yguo0905/sched-fix
Automatic merge from submit-queue (batch tested with PRs 54031, 54261). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Allow absent Weight if PrioritizeVerb is empty

The scheduler currently validates `ExtenderConfig.Weight` (the weight applied to `Prioritize`) even when `ExtenderConfig.PrioritizeVerb` is empty, which is not correct. A configuration without these two fields should be allowed. 

**Release note**:
```
None
```

/sig scheduling
2017-10-20 02:26:58 -07:00
Kubernetes Submit Queue 2523e3ebae Merge pull request #53759 from anfernee/sched-test
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Make scheduler integration test faster

Not to wait for 30 seconds for every negative test case. This commit
also organizes the test code to make it more readable.

It cuts the test time from 450s to 125s.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #53302

**Special notes for your reviewer**:

**Release note**: 
```release-note
NONE
```
2017-10-19 16:50:58 -07:00
Yang Guo 1c60898bf5 Allow absent Weight if PrioritizeVerb is empty 2017-10-19 15:10:44 -07:00
David Eads 4e79357f9f default admission hook failure safely 2017-10-19 14:30:39 -04:00
David Eads 0859798e8e update admission webhook to accept client config 2017-10-19 09:52:58 -04:00
David Eads 33deaedaf6 add url path for admission webhooks 2017-10-19 08:06:38 -04:00
Kubernetes Submit Queue 66222c3dbe Merge pull request #53982 from tizhou86/schedulerUnitTest7
Automatic merge from submit-queue (batch tested with PRs 52753, 54034, 53982, 54209). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Make test case description more accurate.

**What this PR does / why we need it**:
Make test case description more accurate. This test case tests the GCE persistent disk instead of the general one, change the name to make it consistent with AWS/Azure/ISCSI test cases.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
NONE

**Special notes for your reviewer**:
NONE

**Release note**:

```release-note
NONE
```
2017-10-19 02:45:22 -07:00
Kubernetes Submit Queue 65d9b4ef0b Merge pull request #51450 from lichuqiang/typo_fix
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

fix bug in admission test

tiny bug fix
2017-10-18 21:40:51 -07:00
Kubernetes Submit Queue 3f2ce7e557 Merge pull request #51458 from CaoShuFeng/use_map_in_admit
Automatic merge from submit-queue (batch tested with PRs 51310, 51458, 47636). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

remove useless allocation of map

This one-element map is only used for checking api. Remove it and
simplify the code.

**Release note**:
```
NONE
```
2017-10-18 20:47:07 -07:00
Kubernetes Submit Queue fa21e531f9 Merge pull request #49305 from zhangxiaoyu-zidif/fix-err-output-for-admission-test
Automatic merge from submit-queue (batch tested with PRs 49305, 54158). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

fix error print for admission test

**What this PR does / why we need it**:
fix error print to make them easy to inspect.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
NONE
**Special notes for your reviewer**:
NONE
**Release note**:

```release-note
NONE
```
2017-10-18 16:35:17 -07:00
Kubernetes Submit Queue b3a9b802da Merge pull request #53823 from deads2k/admission-01-allow-fail
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

allow fail close webhook admission

Webhook admission needs to allow failing closed.  Even in an alpha state, I don't want to be one DDOS away from having an exposed cluster.

/assign caesarxuchao
/assign sttts
2017-10-18 14:49:54 -07:00
Kubernetes Submit Queue 900c0761e3 Merge pull request #53722 from deads2k/rbac-01-allow-star
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

allow */subresource in rbac policy rules

xref #29698
xref #38756
xref #49504
xref #38810

Allow `*/subresource` format in RBAC policy rules to support polymorphic subresources like `*/scale` for HPA.

@DirectXMan12 fyi

```release-note
RBAC PolicyRules now allow resource=`*/<subresource>` to cover `any-resource/<subresource>`.   For example, `*/scale` covers `replicationcontroller/scale`.
```
2017-10-18 14:02:05 -07:00
Kubernetes Submit Queue 1bea47aaca Merge pull request #53896 from deads2k/admission-03-decode
Automatic merge from submit-queue (batch tested with PRs 47717, 53896). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

decode admission responses into a fresh object

Something about the way the admission request object is built causes decoding back into it to fail with

```
W1013 14:10:42.457423    2960 admission.go:185] rejected by webhook namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations &{%!t(string=namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations) %!t(*errors.errorString=&{reflect.Value.Addr of unaddressable value})}: failed calling admission webhook "namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations": reflect.Value.Addr of unaddressable value
```

This simply creates a fresh object to decode into, which works fine for our usage and makes it possible to actually have the webhook call out to something.
2017-10-18 11:52:06 -07:00
David Eads f81b6004de allow fail close webhook admission 2017-10-18 14:28:02 -04:00
Kubernetes Submit Queue 2d914ee703 Merge pull request #53984 from sttts/sttts-legacyscheme
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

pkg/api: extract Scheme/Registry/Codecs into pkg/api/legacyscheme

This serves as

- a preparation for the pkg/api->pkg/apis/core move
- and makes the dependency to the scheme explicit when visualizing
  left dependencies.

The latter helps with our efforts to split up the monolithic repo
into self-contained sub-repos, e.g. for kubectl, controller-manager
and kube-apiserver in the future.
2017-10-18 10:49:10 -07:00
Kubernetes Submit Queue f1b17e8896 Merge pull request #53995 from deads2k/admission-04-owner
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

add deads to admission owners

/assign derekwaynecarr
2017-10-18 08:27:23 -07:00
Dr. Stefan Schimanski cad0364e73 Update bazel 2017-10-18 17:24:04 +02:00
Dr. Stefan Schimanski 7773a30f67 pkg/api/legacyscheme: fixup imports 2017-10-18 17:23:55 +02:00
Kubernetes Submit Queue d462bac780 Merge pull request #54043 from x1957/fix_comment
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

fix the bad code comment 

**What this PR does / why we need it**:
fix the bad code comment in scheduler

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
None
```
2017-10-17 23:50:06 -07:00
Kubernetes Submit Queue 229cbf4b6d Merge pull request #54030 from dims/fix-go1.9-admission-webhook-test-failure
Automatic merge from submit-queue (batch tested with PRs 54030, 54041). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Fix admission webhook test failure in go1.9

**What this PR does / why we need it**:

Go 1.9 has some better checks for SAN extensions, notably:
630e93ed2d

We recently added ServerName to the rest client TLSConfig:
186a0684d5 (diff-eb3573c6b11347dc3793c477726480efR262)

So we need to be sure that the ServerName "webhook-test.default.svc" is
present in the certificates that we generate.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

Fixes #54020

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2017-10-17 21:26:00 -07:00
Yuhao Fang 3ef6a09cc0 fix the bad code comment in scheduler package 2017-10-18 09:59:24 +08:00
Kubernetes Submit Queue 4105ccac78 Merge pull request #53989 from shyamjvs/use-counter-in-scheduler
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Remove repeated random string generations in scheduler volume predicate

Ref https://github.com/kubernetes/kubernetes/issues/53327

@wojtek-t @liggitt @jsafrane - Does this look ok to you?
2017-10-17 18:43:36 -07:00
Shyam Jeedigunta 5a85f9d21c Remove repeated random string generations in scheduler volume predicate 2017-10-17 19:57:46 +02:00
Yongkun Anfernee Gui dc15e9cf90 Make scheduler integration test faster
Not to wait for 30 seconds for every negative test case. It cuts the
test time from 450s to 125s.
2017-10-17 10:32:46 -07:00
Kubernetes Submit Queue 0e21ac81c0 Merge pull request #51416 from justinsb/fix_nodeidentitifer_godocs
Automatic merge from submit-queue (batch tested with PRs 51416, 53535). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Fix NodeIdentifier godocs: IdentifyNode -> NodeIdentity
2017-10-17 08:44:13 -07:00
Kubernetes Submit Queue 76a4674bd4 Merge pull request #53739 from php-coder/remove_unused_functions_from_admission_test
Automatic merge from submit-queue (batch tested with PRs 54036, 53739). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

admission_test.go: remove unused functions

**What this PR does / why we need it**:
PR removed unused `createNamespaceForTest()` and `createSAForTest()` functions from `admission_test.go`.

**Release note**:
```release-note
NONE
```

PTAL @liggitt @pweil- 
CC @simo5
2017-10-17 06:49:16 -07:00
Kubernetes Submit Queue 5152f342eb Merge pull request #54008 from yguo0905/sched-fix
Automatic merge from submit-queue (batch tested with PRs 53978, 54008, 53037). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Change scheduler to skip pod with updates only on pod annotations

Fixes #52914, by checking whether the pod is already assumed before scheduling it.

**Release note**:

```
Scheduler cache ignores updates to an assumed pod if updates are limited to pod annotations.
```

/sig scheduling
/assign @bsalamat 
/cc @vishh
2017-10-17 04:53:40 -07:00
Slava Semushin 1a3a2d47c8 admission_test.go: remove unused createNamespaceForTest() and createSAForTest() functions. 2017-10-17 12:03:46 +02:00
Davanum Srinivas 98509a9d05 Fix admission webhook test failure in go1.9
Go 1.9 has some better checks for SAN extensions, notably:
630e93ed2d

We recently added ServerName to the rest client TLSConfig:
186a0684d5 (diff-eb3573c6b11347dc3793c477726480efR262)

So we need to be sure that the ServerName "webhook-test.default.svc" is
present in the certificates that we generate.
2017-10-16 21:10:54 -04:00
Kubernetes Submit Queue 97808e5a86 Merge pull request #52849 from liggitt/psp-defaulting-order
Automatic merge from submit-queue (batch tested with PRs 48665, 52849, 54006, 53755). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Order PSP by name, prefer non-mutating PSPs

Fixes #36184
Fixes #23217
Related to #23217

Removes unnecessary mutation of pods:
* Determines effective security context for pods using a wrapper containing the pod and container security context, rather than building/setting a combined struct on every admission
* Does not set `privileged:&false` on security contexts with `privileged:nil`
* Does not set `runAsNonRoot:&true` on security contexts that already have a non-nil, non-0 `runAsUser`
* Does not mutate/normalize container capabilities unless changes are required (missing  defaultAddCapabilities or requiredDropCapabilities)

Defines behavior when multiple PSP objects allow a pod:
* PSPs which allow the pod as-is (no defaulting/mutating) are preferred
* If the pod must be defaulted/mutated to be allowed, the first PSP (ordered by name) to allow the pod is selected
* During update operations, when mutations to pod specs are disallowed, only non-mutating PSPs are used to validate the pod

```release-note
PodSecurityPolicy: when multiple policies allow a submitted pod, priority is given to ones which do not require any fields in the pod spec to be defaulted. If the pod must be defaulted, the first policy (ordered by name) that allows the pod is used.
```
2017-10-16 18:09:41 -07:00
Yang Guo 8b6bf4e235 Change scheduler to skip pod with only annotations updates 2017-10-16 13:30:25 -07:00
David Eads e8a703b651 allow */subresource in rbac policy rules 2017-10-16 16:17:51 -04:00
David Eads 926a615775 add deads to admission owners 2017-10-16 13:43:54 -04:00
Ti Zhou 3647a891d8 Make test case description more accurate. 2017-10-16 20:05:27 +08:00
Kubernetes Submit Queue 1ab5075c7c Merge pull request #52637 from stewart-yu/issue#06
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Modify Schedule function

**What this PR does / why we need it**:
It is obvious that there is no need to prioritize when there is only one node after predicate.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:
@davidopp @timothysc

**Release note**:

```release-note
NONE
```
2017-10-16 00:38:15 -07:00
Jordan Liggitt 8c5b01376a
PodSecurityPolicy: Order by name, prefer non-mutating policies, require *api.Pod, allow GC updates 2017-10-16 02:22:11 -04:00
Jordan Liggitt abc7c077e1
PodSecurityPolicy: avoid unnecessary mutation of supplemental groups 2017-10-16 02:21:10 -04:00
Jordan Liggitt b45b809f4c
PodSecurityPolicy: Do not mutate nil privileged field to false 2017-10-16 02:21:10 -04:00
Jeff Grafton aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
stewart-yu 5937184db7 When only one node after predicate, just return it 2017-10-14 15:47:47 +08:00
Kubernetes Submit Queue 46ae7c4a30 Merge pull request #52903 from wackxu/mpi
Automatic merge from submit-queue (batch tested with PRs 53507, 53772, 52903, 53543). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Make configFactory private

**What this PR does / why we need it**:

Fix TODO make this private if possible, so that only its interface is externally used.
I have checked the use of configFactory and it is safe to make it private.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #


**Release note**:

```release-note
NONE
```
2017-10-13 13:53:18 -07:00
David Eads 9adcbd72fb decode admission responses into a fresh object 2017-10-13 10:48:58 -04:00
Kubernetes Submit Queue d6b18a96dd Merge pull request #53611 from p0lyn0mial/pass_scheme_to_admission_plugins
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

removes k8s.io/kubernetes/pkg/api dependency from the webhook plugin.

**What this PR does / why we need it**: removes `k8s.io/kubernetes/pkg/api` dependency from `webhook` plugin. The runtime.scheme can be injected to the webhook from the plugin initializer.

**Release note**:

```
NONE
```
2017-10-10 13:53:27 -07:00
Kubernetes Submit Queue 6154a9e16c Merge pull request #53477 from caesarxuchao/genenic-initializer
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Move initializer plugin to the generic apiserver

* Moves `k8s.io/kuberentes/plugin/pkg/admission/initialization` to `k8s.io/apiserver/pkg/admission/plugin/initialization`
* Moves `k8s.io/kubernetes/pkg/kubeapiserver/admission/configuration` to `k8s.io/apiserver/pkg/admission/configuration`
* The initializer plugin used to depend on `k8s.io/kubernetes` because it does a type assertion of `api.Pod`. It tries to skip mirror pod. I converted that code to use the generic accessor pattern.
2017-10-10 09:46:00 -07:00
p0lyn0mial fa96700b76 removes k8s.io/kubernetes/pkg/api dependency from the webhook plugin. 2017-10-09 22:25:03 +02:00
Chao Xu bbac32c299 generated 2017-10-09 10:58:12 -07:00
Chao Xu 89a0511fcb move initializer to the generic apiserver
move k8s.io/kubernetes/plugin/pkg/admission/initialization to
k8s.io/apiserver/pkg/admission/plugin/initialization/initialization.go;
move k8s.io/kubernetes/pkg/kubeapiserver/admission/configuration to
k8s.io/apiserver/pkg/admission/configuration.
2017-10-09 10:57:00 -07:00
Gavin 7f3c4ac1f4 clarify predicates message when no nodes available
fix space

address comment
2017-10-07 08:17:04 +08:00
Kubernetes Submit Queue fe5c628e40 Merge pull request #53480 from k82cn/k8s_53425
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Refresh scheduler equivalence cache when node taints changed.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #53425 

**Release note**:
```release-note
None
```
2017-10-05 22:54:56 -07:00
Kubernetes Submit Queue c1703a4998 Merge pull request #53343 from p0lyn0mial/move_newAdmissionReview_method_to_webhook
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

moves admission.v1alpha1.NewAdmissionReview method to webhook plugin

**What this PR does / why we need it**:
this is necessary, because the webhook plugin will be moved down to apiserver.

**Release note**:

```
NONE
```
2017-10-05 02:24:14 -07:00
Klaus Ma 066c5e9657 Fixed alpha e2e test failure. 2017-10-05 15:33:31 +08:00
p0lyn0mial 187171284a moves admission.v1alpha1.NewAdmissionReview to webhook plugin
this is necessary, because the webhook plugin will be moved down to apiserver.
2017-10-04 19:50:27 +02:00
Kubernetes Submit Queue 8e30314c95 Merge pull request #53394 from p0lyn0mial/cleanup_kubeapi_admission_initializer
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

removes Authorizer and ExternalClientSet from kubeapiserver's admissi…

**What this PR does / why we need it**:
removes Authorizer and ExternalClientSet from kubeapiserver's admission initializer.


**Release note**:

```
NONE
```
2017-10-04 07:50:35 -07:00
Kubernetes Submit Queue 731f42172b Merge pull request #51266 from resouer/not-ready
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Refactor node taint conditions

**What this PR does / why we need it**:
We should use `not-ready` etc as node condition taint key.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: 
fixes #51246 

**Special notes for your reviewer**:

**Release note**:

```release-note
Use `not-ready` to replace `notReady` in node condition taint keys.
```
2017-10-04 06:56:44 -07:00
Kubernetes Submit Queue bfb7f3c2a7 Merge pull request #53135 from jsafrane/fix-predicate-counting
Automatic merge from submit-queue (batch tested with PRs 53135, 52512, 48339). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fixed counting of unbound PVCs towards limit of attached volumes.

Count unbound PVCs to the limit of attached volumes to a node. 

When MaxPDVolumeCountPredicate is in doubt (e.g. PVC or PV is missing), it assumes the volume is attached. It should assume the same when it encounters an unbound PVC. In any case, it should not return an error, it would stop scheduling all pods with a PVC.

Fixes: #53134

```release-note
NONE
```
2017-10-03 13:08:13 -07:00
p0lyn0mial 6b1f1d1414 removes Authorizer and ExternalClientSet from kubeapiserver's admission initializer. 2017-10-03 18:08:30 +02:00
Kubernetes Submit Queue 0c6970bf7b Merge pull request #52723 from k82cn/k8s_42001_5
Automatic merge from submit-queue (batch tested with PRs 52723, 53271). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Apply algorithm in scheduler by feature gates.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: part of #42001

**Release note**:
```release-note
Apply algorithm in scheduler by feature gates.
```
2017-10-03 05:15:20 -07:00
Kubernetes Submit Queue 8eb37aee3a Merge pull request #53359 from liggitt/swagger.json
Automatic merge from submit-queue (batch tested with PRs 50749, 52869, 53359). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add /swagger.json and /swagger-2.0.0.pb-v1 to discovery role

Allow access to openapi docs
Fixes #53349
2017-10-02 21:43:14 -07:00
Jordan Liggitt d657261f9b
Add /swagger.json and /swagger-2.0.0.pb-v1 to discovery role 2017-10-02 21:52:13 -04:00
Kubernetes Submit Queue dd99659dc1 Merge pull request #53156 from p0lyn0mial/move_admission_initializer_interfaces_to_apiserver
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

moved admission interfaces WantsClientCert, WantsAuthorizer and Wants…

**What this PR does / why we need it**:
moves some admission interfaces to apiserver, hopefully moving the webhook admission in the future will be much easier.

**Release note**:

```
NONE
```
2017-10-02 12:06:26 -07:00
Jan Safranek 2caae38d32 Fixed counting of unbound PVCs towards limit of attached volumes.
There are two ways how a scheduled pod can get its PVCs unbound:
- admin forcefully unbinds it
- user deletes original PVC that was bound when the pod was scheduled and
  creates a new one with the same name that does not get bound for some
  reason.

In both cases we don't know where the original PVC pointed at and if we
should account it to the limit of attached AWS EBS / GCE PDs etc.

The common pattern here is to count it in when in doubt.
2017-10-02 15:49:34 +02:00
Kubernetes Submit Queue 2ec89d1e13 Merge pull request #53247 from surajssd/remove-unused-predicate-args-func
Automatic merge from submit-queue (batch tested with PRs 53247, 53319). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

remove unused function addStorageLimit

**What this PR does / why we need it**:

In package `plugin/pkg/scheduler/algorithm/predicates` remove unused
unexported function `addStorageLimit`.


**Release note**:

```release-note
NONE
```
2017-10-02 04:51:26 -07:00
p0lyn0mial 475493ced6 moved admission interfaces WantsClientCert, WantsAuthorizer and WantsExternalKubeClientSet to apiserver 2017-10-01 15:03:08 +02:00
Klaus Ma bd15efd3e5 Enhance scheduler for TaintNodeByCondition. 2017-10-01 08:26:35 +08:00
Kubernetes Submit Queue 887598c2eb Merge pull request #52654 from liggitt/pdb-permissions
Automatic merge from submit-queue (batch tested with PRs 53263, 52967, 53262, 52654, 53187). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add pod disruption budgets to admin/edit/view roles

Closes #50767

cc @kubernetes/sig-auth-pr-reviews @kubernetes/sig-node-pr-reviews

```release-note
RBAC: The default `admin` and `edit` roles now include read/write permissions and the `view` role includes read permissions on `poddisruptionbudget.policy` resources.
```
2017-09-29 13:37:30 -07:00
Suraj Deshmukh bf25a2753b remove unused function addStorageLimit
In package `plugin/pkg/scheduler/algorithm/predicates` remove unused
unexported function `addStorageLimit`.
2017-09-29 12:17:52 +05:30
wackxu 2db3728fb7 use patch PodStatus to avoid overwriting potential pending status updates 2017-09-25 22:00:10 +08:00