Automatic merge from submit-queue
Move defaulting logic for ExternalTrafficPolicy into defaults.go
Link #45812.
Per [#45812/comment](https://github.com/kubernetes/kubernetes/issues/45812#issuecomment-301632807), move defaulting logic to defaults.go so that federation will get the same code.
This PR does not have any functional change :)
/assign @freehan @thockin
/cc @madhusudancs @nikhiljindal @shashidharatd
Also /cc @caesarxuchao per the client-go changes.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45852, 45965, 45941)
Update k8s.io/gengo dependency
**What this PR does / why we need it**:
Brings in changes to improve type checker and deep copy
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Move all API related annotations into annotation_key_constants.go
Separate from #45869. See https://github.com/kubernetes/kubernetes/pull/45869#discussion_r116839411 for details.
This PR does nothing but move constants around :)
/assign @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42895, 45940)
apiserver: no Status in body for http 204
Fixes http writer errors as with 204 we must not send any body.
Needed downstream for https://github.com/openshift/origin/issues/14213.
Automatic merge from submit-queue (batch tested with PRs 45709, 41939)
Add an AEAD encrypting transformer for storing secrets encrypted at rest
Tweak the ValueTransformer interface slightly to support additional
context information (to allow authenticated data to be generated by the
store and passed to the transformer). Add a prefix transformer that
looks for known matching prefixes and uses them. Add an AES GCM
transformer that performs AEAD on the values coming in and out of the
store.
Implementation of https://docs.google.com/document/d/1lFhPLlvkCo3XFC2xFDPSn0jAGpqKcCCZaNsBAv8zFdE/edit# and https://github.com/kubernetes/kubernetes/issues/12742
Automatic merge from submit-queue (batch tested with PRs 44520, 45253, 45838, 44685, 45901)
API for server side tabular output
These are the APIs necessary to implement propsoal kubernetes/community#363
They consist of a new meta group (v1alpha1) that indicates these are alpha apis for the server as a whole, a new kind `TableList` which is a simple row + header arranged table capable of returning both object and columnar data, a `TableListOptions` for altering the behavior of the return, and `PartialObjectMetadata` which is an "interface" style API object which allows a client to ask any object for their metadata (without having to know how to parse the object or perform gymnastics).
Extracted from #40848
A few minor tweaks still required.
Automatic merge from submit-queue (batch tested with PRs 44520, 45253, 45838, 44685, 45901)
start serving customresourcedefinition based on status
This exposes the `customresourcedefinition/status` endpoint, wires a controller to drive `NameConflict` conditions, and serves discovery from status, not spec.
Next steps after this include wiring the conditions into handling and reswizzling the handling chain to be cleaner now that we have a custom mux.
Tweak the ValueTransformer interface slightly to support additional
context information (to allow authenticated data to be generated by the
store and passed to the transformer). Add a prefix transformer that
looks for known matching prefixes and uses them. Add an AES GCM
transformer that performs AEAD on the values coming in and out of the
store.
Automatic merge from submit-queue (batch tested with PRs 45247, 45810, 45034, 45898, 45899)
Apiregistration v1alpha1→v1beta1
Promoting apiregistration api from v1alpha1 to v1beta1.
API Registration is responsible for registering an API `Group`/`Version` with
another kubernetes like API server. The `APIService` holds information
about the other API server in `APIServiceSpec` type as well as general
`TypeMeta` and `ObjectMeta`. The `APIServiceSpec` type have the main
configuration needed to do the aggregation. Any request coming for
specified `Group`/`Version` will be directed to the service defined by
`ServiceReference` (on port 443) after validating the target using provided
`CABundle` or skipping validation if development flag `InsecureSkipTLSVerify`
is set. `Priority` is controlling the order of this API group in the overall
discovery document.
The return status is a set of conditions for this aggregation. Currently
there is only one condition named "Available", if true, it means the
api/server requests will be redirected to specified API server.
```release-note
API Registration is now in beta.
```
Automatic merge from submit-queue (batch tested with PRs 45374, 44537, 45739, 44474, 45888)
Update 'More info' links on API types and fields
> **Please just review the first commit, the rest is generated files.**
Recent docs website shuffling during 1.6 caused majority of links in the API
types and fields to break. Since we do not have server-side 301 redirects, user
has to click an extra link, and the #target fragment in the URL will be lost. (This is
because GitHub’s redirect_from feature is not ideal.)
For the time being, I have manually gone through all of them to bring them up to date
and add HTTPS to those missing it. This is a docs-only change and impacts generated
code, generated swaggers, API reference docs etc.
cc: @steveperry-53 @devin-donnelly @chenopis fyi, docs links changes (even small title changes) easily breaks links in API reference, Swagger, kubectl explain, and many other places.
Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
Automatic merge from submit-queue
Update instructions for client staging copy
Following the existing instructions results in:
```
% ./staging/copy.sh
Do not run this script directly, but via hack/update-staging-client-go.sh.
```
Also format README.md as markdown.
**What this PR does / why we need it**: Updates docs to match reality
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44326, 45768)
custom resource De-Registration testcase
@deads2k as discussed via IRC
Built on top of #45732
To reproduce #45767
Uncomment code in `TestDeRegistrationAndReRegistration` to reproduce `panic`
Automatic merge from submit-queue (batch tested with PRs 45408, 45355, 45528)
Admission options spits out admission control
**What this PR does / why we need it**:
This PR adds ApplyTo method to AdmissionOptions struct. The method creates and initialises admission control to the server configuration.
**Release note**:
```
NONE
```
Automatic merge from submit-queue
add --as-group option to cli
The usecase of this change:
When a super user grant some RBAC permissions to a group, he can use
--as--group to test whether the group get the permissions.
Note that now we support as-groups, as-user-extra in kubeconfig file after this change.
**Release note**:
```NONE
```
@liggitt
Automatic merge from submit-queue
fix missing argument for Errorf(%v): format reads arg 1, have only 0 args
Signed-off-by: yupengzte <yu.peng36@zte.com.cn>
**What this PR does / why we need it**:
add the missing code of "len(res.Items)"
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
delete the code after "return"
Signed-off-by: yupengzte <yu.peng36@zte.com.cn>
**What this PR does / why we need it**:
After return, the code is unreachable, delete it.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
Internal audit API
Forked from https://github.com/kubernetes/kubernetes/pull/45315
I pulled out only the internal audit API types and would like to merge this to unblock the audit implementation work while we figure out the versioned types and code generation.
I will continue to iterate on https://github.com/kubernetes/kubernetes/pull/45315, but lets get this internal type submitted.
/cc @ericchiang @ihmccreery
Automatic merge from submit-queue (batch tested with PRs 44337, 45775, 45832, 45574, 45758)
Tighten validation of mirror pod annotations
Tightens validation for pods with a mirror pod annotation:
1. spec.nodeName must be set
2. makes the mirror pod annotation immutable
3. starts validating pod-specific annotations during pod status update
None of these changes affect usage of the mirror pod annotation by kubelets, which only set it on pod creation (verified this is true back to 1.5.x)
the second commit updates the pod validation tests to look for specific error messages (best reviewed ignoring whitespace changes)
This is the validation portion of https://github.com/kubernetes/community/blob/master/contributors/design-proposals/kubelet-authorizer.md and https://github.com/kubernetes/features/issues/279
```release-note
Mirror pods must now indicate the nodeName they are bound to on creation. The mirror pod annotation is now treated as immutable and cannot be added to an existing pod, removed from a pod, or modified.
```
Automatic merge from submit-queue (batch tested with PRs 45171, 43947, 45788, 45822, 45808)
rename to CustomResourceDefinition
Related to https://github.com/kubernetes/kubernetes/issues/45277
This does a straight rename of `CustomResource` to `CustomResourceDefinition` in response to https://github.com/kubernetes/kubernetes/issues/45277 to avoid confusion.
It'll be a little painful on tests in progress, but it's easier now than later.
Automatic merge from submit-queue (batch tested with PRs 41331, 45591, 45600, 45176, 45658)
Updating generic registry to return UID of the deleted resource
Ref https://github.com/kubernetes/kubernetes/issues/42594
cc @kubernetes/sig-api-machinery-pr-reviews @smarterclayton
```release-note
Updating apiserver to return UID of the deleted resource. Clients can use this UID to verify that the resource was deleted or waiting for finalizers.
```
Automatic merge from submit-queue (batch tested with PRs 41331, 45591, 45600, 45176, 45658)
Move client/unversioned/remotecommand to client-go
Module remotecommand originally part of kubernetes/pkg/client/unversioned was moved
to client-go/tools, and will be used as authoritative in kubectl, e2e and other places.
Module remotecommand relies on util/exec module which was copied to client-go/pkg/util
Automatic merge from submit-queue (batch tested with PRs 45070, 45821, 45732, 45494, 45789)
apiextesions-server integration tests: test multiple registration
**What this PR does / why we need it**:
Add integration test for Multiple registrations XREF: #45511
**Special notes for your reviewer**:
@deads2k my first plan was to submit one single PR for both tests but I'm facing one issue with resources deregistration. Get in touch via slack
Automatic merge from submit-queue
Uses container/heap for DelayingQueue
The current implementation of DelayingQueue doesn't perform very well when a large number of items (at random delays) are inserted. The original authors seemed to be aware of this and noted it in a `TODO` comment. This is my attempt at switching the implementation to use a priority queue based on `container/heap`.
Benchmarks from before the change:
```
╰─ go test -bench=. -benchmem | tee /tmp/before.txt
BenchmarkDelayingQueue_AddAfter-8 300000 256824 ns/op 520 B/op 3 allocs/op
PASS
ok k8s.io/kubernetes/staging/src/k8s.io/client-go/util/workqueue 77.237s
```
After:
```
╰─ go test -bench=. -benchmem | tee /tmp/after.txt
BenchmarkDelayingQueue_AddAfter-8 500000 3519 ns/op 406 B/op 4 allocs/op
PASS
ok k8s.io/kubernetes/staging/src/k8s.io/client-go/util/workqueue 2.969s
```
Comparison:
```
╰─ benchcmp /tmp/before.txt /tmp/after.txt
benchmark old ns/op new ns/op delta
BenchmarkDelayingQueue_AddAfter-8 256824 3519 -98.63%
benchmark old allocs new allocs delta
BenchmarkDelayingQueue_AddAfter-8 3 4 +33.33%
benchmark old bytes new bytes delta
BenchmarkDelayingQueue_AddAfter-8 520 406 -21.92%
```
I also find the `container/heap`-based code a bit more easy to understand. The implementation of the PriorityQueue is based on the documentation for `container/heap`.
Feedback definitely welcomed. This is one of my first contributions.
```release-note
NONE
```
Module remotecommand originally part of kubernetes/pkg/client/unversioned was moved
to client-go/tools, and will be used as authoritative in kubectl, e2e and other places.
Module remotecommand relies on util/exec module which will be copied to client-go/pkg/util
Automatic merge from submit-queue
kube-apiextensions-server: Fix potential SEGV with null delegate handler
**What this PR does / why we need it**:
In the kube-apiextensions-server there is a fallback value for `null` delegate to `http.NotFoundHandler()` in handling group and versions discovery, but no fallback for custom resources endpoint.
It leads to SEGV when running with `genericapiserver.EmptyDelegate`.
ApplyTo adds the admission chain to the server configuration the method lazily initializes a generic plugin
that is appended to the list of pluginInitializers.
apiserver.Config will hold an instance of SharedInformerFactory to ensure we only have once instance.
The field will be initialized in apisever.SecureServingOptions
The usecase of this change:
When a super user grant some RBAC permissions to a group, he can use
--as-group to test whether the group get the permissions.
Note that now we support as-groups, as-user-extra in kubeconfig file
after this change.
Automatic merge from submit-queue (batch tested with PRs 44748, 45692)
Limiting client go packages visibility, round 3
Continue the work in the merged PR https://github.com/kubernetes/kubernetes/pull/45258
These packages in client-go will be gone after #44065 is fixed:
pkg/api/helper, pkg/api/util, internal version of api groups, API install packages.
This PR removes the dependency on these packages and add bazel visibility rules to prevent relapse.
Automatic merge from submit-queue (batch tested with PRs 45623, 45241, 45460, 41162)
Promotes Source IP preservation for Virtual IPs from Beta to GA
Fixes#33625. Feature issue: kubernetes/features#27.
Bullet points:
- Declare 2 fields (ExternalTraffic and HealthCheckNodePort) that mirror the ESIPP annotations.
- ESIPP alpha annotations will be ignored.
- Existing ESIPP beta annotations will still be fully supported.
- Allow promoting beta annotations to first class fields or reversely.
- Disallow setting invalid ExternalTraffic and HealthCheckNodePort on services. Default ExternalTraffic field for nodePort or loadBalancer type service to "Global" if not set.
**Release note**:
```release-note
Promotes Source IP preservation for Virtual IPs to GA.
Two api fields are defined correspondingly:
- Service.Spec.ExternalTrafficPolicy <- 'service.beta.kubernetes.io/external-traffic' annotation.
- Service.Spec.HealthCheckNodePort <- 'service.beta.kubernetes.io/healthcheck-nodeport' annotation.
```
Automatic merge from submit-queue (batch tested with PRs 45623, 45241, 45460, 41162)
Replacing “Pod Injection Policy” with “Pod Preset” in the code documentation
**What this PR does / why we need it**:
Replacing the leftovers of the old term "Pod Injection Policy" with "Pod Preset" in the code documentation.
Automatic merge from submit-queue (batch tested with PRs 45571, 45657, 45638, 45663, 45622)
Added indexer description for the API of NewIndexerInformer.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
plumb stopch to post start hook index since many of them are starting go funcs
Many post-start hooks require a stop channel to properly terminate their go funcs.
@p0lyn0mial I think you need this for https://github.com/kubernetes/kubernetes/pull/45355 ptal.
@ncdc per request
@sttts can you review too since Andy is out?
change import of client-go/api/helper to kubernetes/api/helper
remove unnecessary use of client-go/api.registry
change use of client-go/pkg/util to kubernetes/pkg/util
remove dependency on client-go/pkg/apis/extensions
remove unnecessary invocation of k8s.io/client-go/extension/intsall
change use of k8s.io/client-go/pkg/apis/authentication to v1
Automatic merge from submit-queue
HTML escape apiserver errors to avoid triggering vulnerability scanners.
Simple XSS scans might fetch /<script>alert('vulnerable')</script>, and
fail when the response body includes the script tag verbatim, despite
the headers directing the browser to interpret the response as text.
This isn't a real vulnerability, but it's easier to fix this here than
it is to fix the scanners.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Remove mentioning insecure server (which is not supported anymore) from API server docs
**What this PR does / why we need it**:
Remove mentioning insecure serving from the docs, since only secure serving is supported now.
Automatic merge from submit-queue
apimachinery: NotRegisteredErr for known kinds not registered in target GV
Fixes the fall back to core v1 for *Options in the parameter encoder of the dynamic client.
The dynamic client uses NotRegisteredErr to fall back to core v1 if ListOptions is not known
in the given GV. This commit fixes the case that ListOptions is known in some group, but not
in the given one.
The dynamic client uses NotRegisteredErr to fall back to core v1 if ListOptions is not known
in the given GV. This commit fixes the case that ListOptions is known in some group, but not
in the given one.
Automatic merge from submit-queue (batch tested with PRs 45556, 45561, 45256)
add defaulting for customresources
This adds the promised defaulting for customresources. Namespaced by default, listkind=kind+List, singular=toLower(kind).
Automatic merge from submit-queue
add validation for customresourcedefintions
Add basic validation for customresource definitions.
@adohe if you had review bandwidth, this is a relatively small one.
Automatic merge from submit-queue (batch tested with PRs 45382, 45384, 44781, 45333, 45543)
Do roundtrip testing with external kinds in client-go TPR example
This tests that our serialization machinery works for TPR types, i.e. without internal counterpart and without generated code.
/cc @nilebox
Automatic merge from submit-queue (batch tested with PRs 45382, 45384, 44781, 45333, 45543)
Copy internal types to metrics
Supersedes #45306.
#45306 removed the internal types and suggested whoever needs the internal types should define their own copy, and use the code-gen tools to generated the conversion functions. Per offline discussion with @DirectXMan12, we wanted to go that direction but it's not clear where to put the internal types yet. Hence, as a temporary solution, we decided copy the referred client-go/pkg/api types into metrics api to avoid the dependency.
The commit "remove need of registry from custom_metrics/client.go" is similar to what I did to the fake client in an earlier PR. Let me know if you want to put the commit in another PR.
Automatic merge from submit-queue
Add myself to client-go OWNERS
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Salvatore Dario Minonne