Automatic merge from submit-queue
Fix cache expiration check
The check for whether an entry in the `forceLiveLookup` cache had expired was backwards. Fixed the logic and added tests
Previously we refused to emit 'autoConvert_*' functions if any field was not
convertible. The way around this was to write manual Conversion functions, but
to do so safely you must handle every fields. Huge opportunity for errors.
This PR cleans up the filtering such that it only operates on types that should
be converted (remove a lot of code) and tracks when fields are skipped. In
that case, it emits an 'autoConvert' function but not a public 'Convert'
function. If there is no manual function, the compile will fail.
This also means that manual conversion functions can call autoConvert functions
and then "patch up" what they need.
Automatic merge from submit-queue
Fixed a bug that causes k8s to delete all healthmonitors on your OpenStack tenant
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->
**What this PR does / why we need it**:
The OpenStack LBaaS v2 api does not support filtering health monitors by pool_id, so /lbaas/healthmonitors?pool_id=abc123 will always return all health monitors in your OpenStack tenant.
This presents a problem when, in the very next block of code, we loop over the list of monitorIDs and delete them one-by-one. This will delete all the health monitors in your tenant without warning.
Fortunately, we already got the healthmonitor IDs when we built the list of pools. Using those, we can delete only those healthmonitors associated with our pool(s).
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
The main issue here was the use of v2_monitors.List(lbaas.network, v2_monitors.ListOpts{PoolID: poolID}). This is trying to filter healthmonitors by pool_id, but that is not supported by the API. It creates a call like /lbaas/healthmonitors?pool_id=abc123. The API server ignores the pool_id parameter and returns a list of all healthmonitors (which k8s then tries to delete).
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
```
Automatic merge from submit-queue
add port validate when --port is set or --expose=true
```shell
$ kubectl run nginx --image=nginx --port=88888 --expose=true
The Deployment "nginx" is invalid.
spec.template.spec.containers[0].ports[0].containerPort: Invalid value: 88888: must be between 1 and 65535, inclusive
$ kubectl run nginx --image=nginx --port=0 --expose=true
error: --port must be a positive integer when exposing a service
```
1. when port is greater than 65535, port is required between 1 and 65535 and deployment 'nginx' can not be created.
2. when port is less than 1, port is not validated and deployment 'nginx' can be created. But service will be created failed.
so i add this change:
when --port is set or --expose=true, validate port range so that error reported can be the same when port is greater than 65535 or less than 1.
And this can also find the port range error before creating the deployment other than during creating the deployment.
Automatic merge from submit-queue
Update kubectl create message when using --dry-run
`kubectl create <resource> <name> --dry-run` provides a misleading success
message.
When commands such as `kubectl new-app node` are run with a
`--dry-run` flag, they make this clear by appending a "(DRY RUN)"
string to the final output. `kubectl create <resource> <name> --dry-run`
does not do this, providing a potentially misleading output.
This patch appends a "(DRY RUN)" string to the end of a successful
message of `kubectl create` subcommands that support the `--dry-run` flag.
`kubectl create quota quota --dry-run`
```
resourcequota "quota" created
```
`kubectl create quota quota --dry-run`
```
resourcequota "quota" created (DRY RUN)
```
**Release note**:
```release-note
release-note-none
```
rename plugin/pkg/client/auth/plugins.go package name to auth
add the plugin import line in client-gen
update import_known_versions for release_1_5 clientset
change copy.sh
Automatic merge from submit-queue
Fix DaemonSet namespace handling for predicates
In order to determine whether a node should run its daemon pod,
DaemonController creates a dummy pod based on DaemonSet's template and
then uses scheduler predicates (currently GeneralPredicates) to test
whether such pod can be run by the node. The problem was that
DaemonController was not setting Namespace for the dummy pod. This was
not affecting currently used GeneralPredicates but this problem could
bite later when some namespace-dependent predicates are added to
GeneralPredicates or directly to DaemonController's node checks
(e.g. pod affinity).
Stumbled upon it while working on e2e test for #31136
Automatic merge from submit-queue
Pass SelectionPredicate instead of Filter to storage layer
Depends on #31189 (first commit).
ref: #29888
What?
This PR removes the filtering logic and passes SelectionPredicate to storage layer.
Why?
Filter doesn't provide enough information of and isn't the right abstraction for indexing. We need to pass in SelectionPredicate instead.
Automatic merge from submit-queue
Default HTTP2 on, post fixes from #29001
This reverts commit 8cb799c789.
Enables HTTP2 on by default post fixes from https://github.com/kubernetes/kubernetes/issues/29001 for 1.5
NOTE: We are nearing lb connection limits at current thresholds.
/cc @bradfitz @lavalamp @smarterclayton
In order to determine whether a node should run its daemon pod,
DaemonController creates a dummy pod based on DaemonSet's template and
then uses scheduler predicates (currently GeneralPredicates) to test
whether such pod can be run by the node. The problem was that
DaemonController was not setting Namespace for the dummy pod. This was
not affecting currently used GeneralPredicates but this problem could
bite later when some namespace-dependent predicates are added to
GeneralPredicates or directly to DaemonController's node checks
(e.g. pod affinity).
Stumbled upon it while working on e2e test for #31136
Returning an error will cause the deployment to be requeued. We should
just emit an event for deployments with overlapping selectors and silently
drop then out of the queue. This should be transitioned to a Condition
once we have them.
Automatic merge from submit-queue
start creating controller SA roles. start with just one
This creates a clusterrole for the replicationcontroller controller. It also streamlines the rule creation code and I'll use this role as practice for wiring up RBAC rules.
@kubernetes/sig-auth
@ericchiang Jordan is ooto, mind taking a look?
Automatic merge from submit-queue
remove the clientset adapter
This removes the clientset adapter entirely. There is one focused adapter that remains in a single e2e test. Every other reference was removed.
Automatic merge from submit-queue
move the REST storage creation to its proper packages
Moves the `RESTStorageProvider` interfaces to their proper packages.
persistentvolumecontroller.NewPersistentVolumeController has 11 arguments now,
put them into a structure.
Also, rename NewPersistentVolumeController to NewController, persistentvolume
is already name of the package.
Fixes#30219
Automatic merge from submit-queue
Do not report error when deleting an attached volume
Persistent volume controller should not send warning events to a PV and mark the PV as failed when the volume is still attached.
This happens when a user quickly deletes a pod and associated PVC - PV is slowly detaching, while the PVC is already deleted and the PV enters Failed phase.
`Deleter.Deleter` can now return `tryAgainError`, which is sent as INFO to the PV to let the user know we did not forget to delete the PV, however the PV stays in Released state. The controller tries again in the next sync (15 seconds by default).
Fixes#31511
Automatic merge from submit-queue
Remove kubectl namespace command
**What this PR does / why we need it**:
It removes deprecated `kubectl namespace` command, which `has been superseded by the context.namespace field of .kubeconfig files. See 'kubectl config set-context --help' for more details`. It was done nearly two years ago, so like `// TODO remove once people have been given enough time to notice` comment says it may be a good time to get rid of it.
**Special notes for your reviewer**:
None ATM.
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
Remove kubectl namespace command
```
Automatic merge from submit-queue
simplify RC listers
Make the RC and SVC listers use the common list functions that more closely match client APIs, are consistent with other listers, and avoid unnecessary copies.
Automatic merge from submit-queue
CRI: add Message in ContainerStatus
Kubernetes expects a brief CamelCase string as "Reason" and a human-readable
string as "Message" in the conatiner status. It is difficult for kubelet to
derive the other one if the runtime only provides one of the two fields.
Augment the API by adding the "Message" field.
/cc @kubernetes/sig-node
Automatic merge from submit-queue
kuberuntime: include container hash in backoff keys
We should reset the backoff if the content of the container has been updated.
Part of #33189
Kubernetes expects a brief CamelCase string as "Reason" and a human-readable
string as "Message" in the conatiner status. It is difficult for kubelet to
derive the other one if the runtime only provides one of the two fields.
Augment the API by adding the "Message" field.
Automatic merge from submit-queue
Fix API Installer to generate unique Operation IDs
OperationIDs generated by api_installer.go may not be unique and that causes long auto-generated function names in swagger generated clients. This is a step toward making those IDs unique.
Reference Issue kubernetes/features#53 and #13414
Automatic merge from submit-queue
Allow garbage collection to work against different API prefixes
The GC needs to build clients based only on Resource or Kind. Hoist the
restmapper out of the controller and the clientpool, support a new
ClientForGroupVersionKind and ClientForGroupVersionResource, and use the
appropriate one in both places.
Allows OpenShift to use the GC
Automatic merge from submit-queue
Remove hacks from ScheduledJobs cron spec parsing
Previusly `github.com/robfig/cron` library did not allow passing cron spec without seconds. First commit updates the library, which has additional method ParseStandard which follows the standard cron spec, iow. minute, hour, day of month, month, day of week.
@janetkuo @erictune as promised in #30227 I've updated the library and now I'm updating it in k8s
Automatic merge from submit-queue
oidc authenticator: allow string value as groups claim
Allow the group claim to be a single string instead of an array of
strings. This means the following claim
{
"role": "admin"
}
Will be mapped to the groups
["admin"]
cc @kubernetes/sig-auth @mlbiam
closes#33290
Automatic merge from submit-queue
Move HighWaterMark to the top of the struct in order to fix arm, second time
ref: #33117
Sorry for not fixing everyone at once, but I seriously wasn't prepared for that quick LGTM 😄, so here's the other half.
@lavalamp
> lgtm, but seriously, this is terrible, we probably have this bug all over. And what if someone embeds the etcdWatcher struct in something else not at the top? We need the compiler to enforce things like this, it just can't be done manually. Can you file or link a golang issue for this?
I totally agree! There isn't currently a way of programmatically detecting this unfortunately.
I guess @davecheney or @minux can explain better to you why it's so hard.
This is noted in https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/multi-platform.md as a corner case indeed.
@pwittrock This should be cherrypicked toghether with #33117
Automatic merge from submit-queue
Fix race condition in setting node statusUpdateNeeded flag
This PR fixes the race condition in setting node statusUpdateNeeded flag
in master's attachdetach controller. This flag is used to indicate
whether a node status has been updated by the node_status_updater or
not. When updater finishes update a node status, it is set to false.
When the node status is changed such as volume is detached or new volume
is attached to the node, the flag is set to true so that updater can
update the status again. The previous workflow has a race condition as
follows
1. updater gets the currently attached volume list from the node which needs to be
updated.
2. A new volume A is attached to the same node right after 1 and set the
flag to TRUE
3. updater updates the node attached volume list (which does not include volume A) and then set the flag to FALSE.
The result is that volume A will be never added to the attached volume
list so at node side, this volume is never attached.
So in this PR, the flag is set to FALSE when updater tries to get the
attached volume list (as in an atomic operation). So in the above
example, after step 2, the flag will be TRUE again, in step 3, updater
does not set the flag if updates is sucessful. So after that, flag is
still TRUE and in next round of update, the node status will be updated.
Automatic merge from submit-queue
add resource filter handling before printing
**Release note**:
```release-note
release-note-none
```
Resources are currently filtered (in order to prevent printing) at print
time in their HumanReadablePrinter handlers. This design makes it not
possible to filter objects when they are printed using any other
printer, such as YAML, JSON, or the NamePrinter.
This patch removes any filters previously added at the printer level for
pods and adds a way to define resource-specific filters before they are
sent to a printer handler. A woking filter handler for pods has also been
implemented.
Filters affect resources being printed through the HumanReadablePrinter,
YAML, JSON, and `--template` printers.
cc @smarterclayton
Automatic merge from submit-queue
unify available api group versions in our scripts
There are currently many parallel lists of available group versions with slightly different syntaxes in each one. This collapses them into a single list for us to maintain.
Also caught spots where the lists didn't match before.
@sttts @ncdc
Addresses #33215.
When vCenter returns error vm not found, this is now being translated to
the appropriate error 'cloudprovider.InstanceNotFound' which indicates
to Kubernetes node controller that the VM is in fact not found.
Automatic merge from submit-queue
Remove duplicated ECDHE key handling
This PR removes the duplicated ECDHE private key handling. `x509.CreateCertificateRequest` picks the signature type for ECDHE keys already (see https://golang.org/src/crypto/x509/x509.go `signingParamsForPublicKey`). Only the RSA key signature needed customization.
It also defers to `CreateCertificateRequest` to return errors on unknown private key types.
Automatic merge from submit-queue
Add positive logging for GC events
We have no positive logging for GC events. This PR:
1. Adds positive logging at V(4) for success cases
2. Adds positive logging at V(1) for the first successful GC after a failure
Automatic merge from submit-queue
Dereference the UID pointer for a readable error message.
cc @nikhiljindal @quinton-hoole @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
Staging 1.5 client
Created the 1.5 folder and remove the 1.4 folder in the staging area in the master branch.
Content of kubernetes/client-go/1.4 will be pulled from the kubernetes/kubernetes 1.4 branch (https://github.com/kubernetes/contrib/pull/1719)
Automatic merge from submit-queue
Fake container exec/logs support for in-process docker CRI integration
This is necessary to unblock other work on docker integration, while we are addressing
`logs` and `exec` in the meantime.
This is part of #31459 and #33189
/cc @kubernetes/sig-node
Automatic merge from submit-queue
remove storage related fields from genericapiserver
Removes `StorageFactory` and `StorageDecorator` from from `genericapiserver` since both constructs are related to building a `RESTStorage`, which should be provided fully formed (or via factory func) to a truly generic API server.
I found this while trying to move the creation API routes earlier.
This is a temporary hack to bypass CRI when getting container logs or
running exec in a container. This is necessary to unblock testing and adding
other features in the integration.
Allow the group claim to be a single string instead of an array of
strings. This means the following claim
{
"role": "admin"
}
Will be mapped to the groups
["admin"]
This PR fixes the race condition in setting node statusUpdateNeeded flag
in master's attachdetach controller. This flag is used to indicate
whether a node status has been updated by the node_status_updater or
not. When updater finishes update a node status, it is set to false.
When the node status is changed such as volume is detached or new volume
is attached to the node, the flag is set to true so that updater can
update the status again. The previous workflow has a race condition as
follows
1. updater gets the currently attached volume list from the node which needs to be
updated.
2. A new volume A is attached to the same node right after 1 and set the
flag to TRUE
3. updater updates the node attached volume list (which does not include volume A) and then set the flag to FALSE.
The result is that volume A will be never added to the attached volume
list so at node side, this volume is never attached.
So in this PR, the flag is set to FALSE when updater tries to get the
attached volume list (as in an atomic operation). So in the above
example, after step 2, the flag will be TRUE again, in step 3, updater
does not set the flag if updates is sucessful. So after that, flag is
still TRUE and in next round of update, the node status will be updated.
This PR also changes a unit test due to the workflow changes
Automatic merge from submit-queue
Refactor Builder.visitorResult by extra methonds.
**What this PR does / why we need it**:
Code polish; it'll make code readable.
Automatic merge from submit-queue
Apiserver don't log stacktrace when proxying
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->
**What this PR does / why we need it**:
When we are proxying unexpected status from a service or a pod, we print the stack traces (which is not the wanted behaviour). This is an attempt at fixing the issue #32747,
With the `RequestInfoResolver` struct, it's possible to inspect the request and get the `Verb`. In this case, the `proxy` value is what I was looking for to avoid logging stack traces.
I'm wrapping the `.Log()` call with an `if` statement to remove all stack traces logging when the call is a proxy from a service or a pod
Another approach would have been to add another kind of `StacktracePred` in the `httplog` package. I found this path to be trickier to code as it's currently only accepting int values.
**Which issue this PR fixes** : fixes#32747
**Special notes for your reviewer**: N/A
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
```
Automatic merge from submit-queue
Send recycle events from pod to pv.
This allows users to diagnose what's wrong with recycler. Recycler pods are started automatically with a cryptic name and they are deleted immediately when they finish.
e.g, `kubectl describe pv` could show that NFS cannot be mounted (and how many pods have tried it):
```
FirstSeen LastSeen Count From SubobjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
59m 59m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(5421800e-347b-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
53m 53m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(3c9809e5-347c-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
46m 46m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(250dd2a2-347d-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
40m 40m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(0d84ea33-347e-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
33m 33m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(f5fb63bf-347e-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
27m 27m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(de7128fd-347f-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
1h 3m 75 {persistentvolume-controller } Normal RecyclerPod Recycler pod: Successfully assigned recycler-for-nfs to 127.0.0.1
1h 3m 76 {persistentvolume-controller } Normal RecyclerPod Recycler pod: Pod was active on the node longer than specified deadline
1h 1m 12 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Error syncing pod, skipping: timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
20m 1m 4 {persistentvolume-controller } Warning RecyclerPod (events with common reason combined)
```
These steps were necessary:
- added event watcher to volume.RecycleVolumeByWatchingPodUntilCompletion
- pass all these events through volume plugins to volume controller
- rework volume.RecycleVolumeByWatchingPodUntilCompletion unit tests to a table (too much copy-paste)
- fix all unit tests along the way
The GC needs to build clients based only on Resource or Kind. Hoist the
restmapper out of the controller and the clientpool, support a new
ClientForGroupVersionKind and ClientForGroupVersionResource, and use the
appropriate one in both places.
Automatic merge from submit-queue
Add port forwarding for rkt with kvm stage1
Port forwarding for rkt kvm using `socat`.
cc @yifan-gu @euank @pskrzyns @lukasredynk
Attempt at closing #32747,
With the `RequestInfoResolver` struct, it's possible to inspect the
request and get the `Verb`. In this case, the `proxy` value is what I
was looking for to avoid logging stacktraces.
I'm wrapping the `.Log()` call with an `if` statement to remove all
stacktrace logging when we proxied through the apiserver
Another approach would have been to add another kind of
`StacktracePred` in the `httplog` package. I found this path to be
trickier to code as it's currently only accepting int values.
Automatic merge from submit-queue
Fix FakeNodeHandler Update behaviour
Two problems:
1. Get is always using Existing nodes slice, and you will for sure miss any updated data
2. Each Update adds a duplicate node entry to UpdatedNodes slice
For the 1st, we will try to find a node in UpdatedNodes slice (same as for the List).
2nd - append only if there is no node with same name as updated, if there is we will replace object in UpdatedNodes slice.
Automatic merge from submit-queue
Correct versioned.Event output in Swagger
Fixes#24240
```release-note
The value of the `versioned.Event` object (returned by watch APIs) in the Swagger 1.2 schemas has been updated from `*versioned.Event` which was not expected by many client tools. The new value is consistent with other structs returned by the API.
```
Automatic merge from submit-queue
Move image pull throttling logic to pkg/kubelet/images
This is part of #31458
This allows runtimes in different packages (dockertools, rkt, kuberuntime) to
share the same logic. Before this change, only dockertools support this
feature. Now all three packages support image pull throttling.
/cc @kubernetes/sig-node
Automatic merge from submit-queue
Remove closing audit log file and add error check when writing to audit
This picks the order fix from #33164. Additionally I've removed entirely closing the log file, since it didn't make sense where it was. I've also added error checks when actually writing to audit logs.
@sttts ptal
**1.4 justification:**
Risk: the code only runs if auditing is enabled with an apiserver flag. So the risk is low.
Rollback: nothing should depend on this
Cost: the auditing feature is broken because the impersonation filter is applied before and you might not see the proper user when using `--as` flag. Additionally no errors are logged if writing to audit fails.
Automatic merge from submit-queue
Refactor cert utils into one pkg, add funcs from bootkube for kubeadm to use
**What this PR does / why we need it**:
We have ended-up with rather incomplete and fragmented collection of utils for handling certificates. It may be worse to consider using `cfssl` for doing all of these things, but for now there is some functionality that we need in `kubeadm` that we can borrow from bootkube. It makes sense to move the utils from bookube into core, as discussed in #31221.
**Special notes for your reviewer**: I've taken the opportunity to review names of existing funcs and tried to make some improvements in that area (with help from @peterbourgon).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
move registry packages for all API groups
This continues the pattern of `registry/<group>/resource` for our backing storage. This entire pull is nothing but moves. I'll reswizzle the actual storage next, but these are cargo-culted everywhere, so I want to lay this down early.
@sttts @ncdc
Automatic merge from submit-queue
Allow secure access to apiserver from Admission Controllers
* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, Set the TLSClientConfig to the cert and key files
if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
to talk to the api server
* Add a new authenticator that checks for this specific bearer token
Fixes#13598
Automatic merge from submit-queue
don't mutate original master->kubelet TLS config
fixes https://github.com/kubernetes/kubernetes/issues/33140
```release-note
Resolves x509 verification issue with masters dialing nodes when started with --kubelet-certificate-authority
```
This allows runtimes in different packages (dockertools, rkt, kuberuntime) to
share the same logic. Before this change, only dockertools support this
feature. Now all three packages support image pull throttling.
Resources are currently filtered (in order to prevent printing) at print
time in their HumanReadablePrinter handlers. This design makes it not
possible to filter objects when they are printed using any other
printer, such as YAML, JSON, or the NamePrinter.
This patch removes any filters previously added at the printer level for
pods and adds a way to define resource-specific filters before they are
sent to a printer handler. A woking filter handler for pods has also
been
implemented.
Filters affect resources being printed through the HumanReadablePrinter,
YAML, JSON, and `--template` printers.
Automatic merge from submit-queue
Behave gracefully in kubectl if /version returns 404
Fixes https://github.com/kubernetes/kubernetes/issues/32679.
It's only about caching the swagger spec here. So it's safe to fall back to non-caching mode and continue.
Automatic merge from submit-queue
simplify RC and SVC listers
Make the RC and SVC listers use the common list functions that more closely match client APIs, are consistent with other listers, and avoid unnecessary copies.
Automatic merge from submit-queue
controller: enhance timeout error message for Recreate deployments
Makes the error message from https://github.com/kubernetes/kubernetes/issues/29197 more obvious
@kubernetes/deployment
This commit moves away from using a global variable for default
configuration checking, and instead exposes a method on LoadingRules to
determine whether a particular restclient.Config should be considered
"default". This allows kubectl to provide its own defaults (the same
as before, KUBERNETES_MASTER and the static localhost:8080 values) while
allowing other clients to avoid defining them.
In-cluster config defaulting is now easier to read.
Automatic merge from submit-queue
Move generated openAPI specs out of genericapiserver and make it configurable
A follow up to #31468
Generated OpenAPI Spec does not belong to genericapiserver package. A new package "generated" created in hope of all generated codes goes into it in future. Openapi folder of that package contains generated definitions and generic API server will accept the definition map as a configuration parameter.
Reference: #13414
Automatic merge from submit-queue
stop etcd watcher when watch chan is closed
When startWatching() stops due to the watch chan is closed, the watcher could still keeps running in the background. When this case happen, we should stop the watcher entirely and close ResultChan() too.
Prior to this, we would approve eviction as long as the current state of
the pods matched the budget. The new version requires that after the
eviction, the pods would still match the budget.
Also update tests to match.
Kubernetes Submit Queue