Automatic merge from submit-queue (batch tested with PRs 39544, 39552, 39553)
Allow disruption controller to read statefulsets
**What this PR does / why we need it**: Disruption controller was unable to list/watch statefulsets when RBAC is enabled because it wasn't granted permission.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes https://github.com/kubernetes/kubernetes/issues/39541
cc @mwielgus
Automatic merge from submit-queue
Generate a dummy BUILD file in _output/local/go to keep Bazel out of trouble
**What this PR does / why we need it**: the Kubernetes build system creates a symlink from `_output/local/go/src/k8s.io/kubernetes` back to `$KUBE_ROOT`, likely to deal with folks that don't have their `GOPATH `set up correctly.
Bazel's `glob()` is not very smart, and runs into issues with this; the `package-srcs` glob in `//BUILD.bazel` first evaluates the `**` before matching any excludes, and thus explodes on the infinite loop.
By generating a `BUILD` file along the path to the symlink, Bazel treats this as a separate package and descends no further.
(Oddly, generating a `BUILD.bazel` file doesn't seem to solve the glob explosion, but a directory with a `BUILD.bazel` file is still treated as a separate package. There's probably a subtle bug in Bazel somewhere.)
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Updated kubemark with RBAC for controllers, proxy and kubelet
Fixes issue #39244
@kubernetes/sig-scalability-misc @wojtek-t @gmarek
Automatic merge from submit-queue (batch tested with PRs 39466, 39490, 39527)
bump gengo to latest
bumping gengo to limit surprises while working on https://github.com/kubernetes/kubernetes/pull/39475
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 39466, 39490, 39527)
Generate OpenAPI definition for inlined types
Currently OpenAPI definition generator ignores any type's member with an empty json name tag. However, most (if not all) of these types also have "inline" json tag. That means we should inline their members into parent type's OpenAPI definition instead of ignoring them. This resulted in many types missing common parameters such as "Name". It look something serious to me for OpenAPI spec and I suggest we merge and cherry-pick this into 1.5 release branch as soon as possible.
Automatic merge from submit-queue
Move provisioning examples out of 'experimental' directory.
Dynamic provisioning is pretty stable now.
@kubernetes/sig-storage-misc PTAL, this should be trivial to review.
Automatic merge from submit-queue
ShortcutExpander has been extended in a way that it will examine a ha…
**What this PR does / why we need it**:
ShortcutExpander has been extended in a way that it will examine a hardcoded list of tuples anticipated from the server when searching for an alternative name for the resource.
Note that the list is ordered and the first match will yield the extended resource's name.
One important thing to highlight is that the ShortcutExpander will fall back to PriorityRestMaper to determine the group for the resource.
Also this PR introduces a new shortcut namely sc which will resolve to storageclasses within storage.k8s.io group
**Special notes for your reviewer**: You might want to see https://github.com/kubernetes/kubernetes/pull/38755
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 39132, 39428)
Move wideHeader [] strings into handlerEntry
To adress this problem: https://github.com/openshift/origin/pull/12354, make `-o wide` more flexible to be used by OpenShift
Automatic merge from submit-queue (batch tested with PRs 39493, 39496)
Use privileged containers for host path e2e tests
Test containers need to run as spc_t in order to interact with the host
filesystem under /tmp, as the tests for HostPath are doing. Docker will
transition the container into this domain when running the container as
privileged.
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Currently, this test fails with AVC denials like:
```
time->Thu Jan 5 10:17:51 2017
type=SYSCALL msg=audit(1483629471.846:6623): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=c820010120 a2=80241 a3=1a4 items=0 ppid=4112 pid=4130 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mt" exe="/mt" subj=system_u:system_r:svirt_lxc_net_t:s0:c123,c328 key=(null)
type=AVC msg=audit(1483629471.846:6623): avc: denied { write } for pid=4130 comm="mt" name="sub-path" dev="xvda2" ino=118491348 scontext=system_u:system_r:svirt_lxc_net_t:s0:c123,c328 tcontext=system_u:object_r:container_runtime_tmp_t:s0 tclass=dir
```
```release-note
NONE
```
/cc @ncdc @pmorie
Automatic merge from submit-queue (batch tested with PRs 39493, 39496)
kubelet: fix nil deref in volume type check
An attempt to address memory exhaustion through a build up of terminated pods with memory backed volumes on the node in PR https://github.com/kubernetes/kubernetes/pull/36779 introduced this.
For the `VolumeSpec`, either the `Volume` or `PersistentVolume` field is set, not both. This results in a situation where there is a nil deref on PVs. Since PVs are inherently not memory-backend, only local/temporal volumes should be considered.
This needs to go into 1.5 as well.
Fixes#39480
@saad-ali @derekwaynecarr @grosskur @gnufied
```release-note
fixes nil dereference when doing a volume type check on persistent volumes
```
Automatic merge from submit-queue
Implemented file and HTTPS based discovery for kubeadm
**What this PR does / why we need it**:
This PR implements both file and HTTPS based discovery for `kubeadm`.
**Which issue this PR fixes**:
fixes https://github.com/kubernetes/kubeadm/issues/93
fixes https://github.com/kubernetes/kubeadm/issues/94
**Special notes for your reviewer**:
I'd like to add some tests but 'm sure `kubeconfig` loading is already covered by other tests in `clientcmd` package.
/cc @luxas @pipejakob
Automatic merge from submit-queue
bazel: update to gazel v13 and create sources rules throughout tree
**What this PR does / why we need it**: creates filegroup rules using https://github.com/mikedanese/gazel/pull/20, which we can then use in creating release tarballs
**Special notes for your reviewer**: this obviously should not be merged before https://github.com/mikedanese/gazel/pull/20 is merged and tagged; this is more to give you an idea of what the output looks like. The verification tests should fail this PR in any case.
**Release note**:
```release-note
NONE
```
Test containers need to run as spc_t in order to interact with the host
filesystem under /tmp, as the tests for HostPath are doing. Docker will
transition the container into this domain when running the container as
privileged.
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Kubernetes Submit Queue