Automatic merge from submit-queue (batch tested with PRs 63348, 63839, 63143, 64447, 64567). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update pod phase documentation
This is documentation that should be visible directly when a user runs `kubectl explain pod.status`.
Automatic merge from submit-queue (batch tested with PRs 59938, 63777, 64577, 63999, 64431). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Support dynamiclly set glog.logging.verbosity
Support dynamically set glog logging level, which is convenient for debug.
**Release note**:
```release-note
Expose `/debug/flags/v` to allow dynamically set glog logging level, if want to change glog level to 3, you only have to send a PUT request with like `curl -X PUT http://127.0.0.1:8080/debug/flags/v -d "3"`.
```
Automatic merge from submit-queue (batch tested with PRs 63445, 63820). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
core v1: deprecate the gitRepo volume type
gitRepo stopped accepting new features nearly 2 years ago https://github.com/kubernetes/kubernetes/issues/17676#issuecomment-228650586 and today this behavior can easily be achieved through an init container. The kubelet shelling out to git in the host namespace can also be a security issue on un-trusted repos, as was demonstrated by [CVE-2017-1000117](https://groups.google.com/forum/#!topic/kubernetes-announce/CTLXJ74cu8M). Our own documentation even alludes to this volume type being removed in the future:
> In the future, such volumes may be moved to an even more decoupled model, rather than extending the Kubernetes API for every such use case.
https://kubernetes.io/docs/concepts/storage/volumes/#gitrepo
Closes https://github.com/kubernetes/kubernetes/issues/60999
```release-note-action-required
The GitRepo volume type is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.
```
/release-note-action-required
Instead of this:
```yaml
apiVersion: v1
kind: Pod
metadata:
name: server
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /mypath
name: git-volume
volumes:
- name: git-volume
gitRepo:
repository: "git@somewhere:me/my-git-repository.git"
revision: "22f1d8406d464b0c0874075539c1f2e96c253775"
```
Do this:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: git-clone
data:
git-clone.sh: |
#!/bin/sh -e
git clone $1 $3
cd $3
git reset --hard $2
---
apiVersion: v1
kind: Pod
metadata:
name: server
spec:
initContainers:
- name: git-clone
image: alpine/git # Any image with git will do
command:
- /usr/local/git/git-clone.sh
args:
- "https://somewhere/me/my-git-repository.git"
- "22f1d8406d464b0c0874075539c1f2e96c253775"
- "/mypath"
volumeMounts:
- name: git-clone
mountPath: /usr/local/git
- name: git-repo
mountPath: /mypath
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /mypath
name: git-volume
volumes:
- name: git-volume
emptyDir: {}
- name: git-clone
configMap:
name: git-clone
defaultMode: 0755
```
Support running generate-groups.sh from any directory, so users can run
it from their own projects, instead of forcing them to run it from here.
This allows the generators to find and use go source code from a
project's vendor directory, for example.
Signed-off-by: Andy Goldstein <andy.goldstein@gmail.com>
Automatic merge from submit-queue (batch tested with PRs 64364, 64369, 63819, 64528). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: update tests to use sub-benchmarks (aes_test.go)
**What this PR does / why we need it**:
Go 1.7 added the subtest feature which can make table-driven tests much easier to run and debug. Some tests are not using this feature.
Further reading: [Using Subtests and Sub-benchmarks](https://blog.golang.org/subtests)
/kind cleanup
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57082, 64325, 64016, 64443, 64403). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
services must listen on port 443 for aggregation
If a clusterIP service isn't listening on port 443, don't mark it as available.
@mfojtik you've got an issue, right?
@kubernetes/sig-api-machinery-bugs
/assign @sttts
/kind bug
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61803, 64305, 64170, 64361, 64339). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove some unnecessarily gendered pronouns in comments
**What this PR does / why we need it**:
A bunch of comments are unnecessarily gendered. I've changed them to gender-neutral they/theirs.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61803, 64305, 64170, 64361, 64339). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add TLS support to exec authenticator plugin
**What this PR does / why we need it**:
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/kubectl-exec-plugins.md#tls-client-certificate-support
Allows exec plugin to return raw TLS key/cert data. This data populates
transport.Config.TLS field.
This requires a change to AuthProvider interface to expose TLS configs,
not only RoundTripper.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61421
**Special notes for your reviewer**:
**Release note**:
```release-note
Exec authenticator plugin supports TLS client certificates.
```
Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix persist typo
I wonder this pr should pull to kubernetes/kubernetes or kubernetes/client-go ?
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Possible cipher suites values and tls versions in help for apiserver and kubelet
**What this PR does / why we need it**:
Addresses a suggestion made by @lavalamp to list the possible TLS cipher suites in the kubelet and apiserver helps: https://github.com/kubernetes/kubernetes/pull/48859#discussion_r162413223
**Which issue(s) this PR fixes**
NONE
**Special notes for your reviewer**:
This pull request only adds to the help message the possible values of the TLS Cipher suites for Kubelet and api server.
It is an addition to the already merged PR https://github.com/kubernetes/kubernetes/pull/48859
The help output looks like this:
```
--tls-cert-file string File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
--tls-cipher-suites strings Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be use. Possible values: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
--tls-min-version string Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
--tls-private-key-file string File containing the default x509 private key matching --tls-cert-file.
```
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add metadata to kubelet eviction event annotations
**What this PR does / why we need it**:
Add annotations to kubelet eviction events. Annotations include
"offending_containers" : comma-seperated list of containers.
"offending_containers_usage": comma-seperated list of usage.
"starved_resource": v1.ResourceName of the starved resource
**Special notes for your reviewer**:
Adding annotations to events required changing the `EventRecorder` interface to add a `AnnotatedEventf` function, which can add annotations to an event.
**Release note**:
```release-note
NONE
```
/assign @dchen1107
cc @mwielgus @schylek @kgrygiel
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
client-go: start fresh with owner file
After client-go's OWNER file has grown to 50ish many reviewers, It's time to start fresh and re-add those who really want to review. Please don't be shy to come forward if you want to stay on that list. I will re-add you.
Currently when LoopbackHostPort() is called with 0.0.0.0 and [::] it returns the first loopback
address returned from net.InterfaceAddrs() which is typically 127.0.0.1 (golang does not
specify an order that interfaces are returned). It would be more appropriate if when calling
LoopbackHostPort() with [::] that an IPv6 loopback address is returned, this prevents some cert.
generation failures.
Automatic merge from submit-queue (batch tested with PRs 64300, 64375). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
HandleError include the type of the error object
**What this PR does / why we need it**:
/kind feature
HandleError include the type of the error object
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#64244
**Special notes for your reviewer**:
/cc @MikeSpreitzer
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add conversion to properly parse query parameter propagationPolicy
**What this PR does / why we need it**:
This delete request query parameter has been broken for a year. I'm not sure if we want to deprecate the non-standard DeleteOptions body on delete request eventually.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#43329
**Special notes for your reviewer**:
**Release note**:
```release-note
API server properly parses propagationPolicy as a query parameter sent with a delete request
```
/sig api-machinery
Automatic merge from submit-queue (batch tested with PRs 64175, 63893). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Expose openapi schema to handlers
**What this PR does / why we need it**:
Build an openapi spec for each api resource handler. This spec will be able to be consumed by server-side apply and server-side openapi validation.
The reason for putting it into master is so we can work on implementing server side validation against the openapi spec as well as server side apply, and it will make merging the server side apply feature branch a smaller, less risky PR
/sig api-machinery
/kind feature
cc @liggitt @lavalamp @seans3 @mbohlool @apelisse
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61963, 64279, 64130, 64125, 64049). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make serverAddressByClientCIDRs in discovery API optional
**What this PR does / why we need it**:
See https://github.com/kubernetes/kubernetes/issues/61868
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61868
**Special notes for your reviewer**:
WIP: I'm having trouble updating swagger-spec using our update scripts. Thinking about removing swagger-spec from our code base as it has long passed deprecation. Sending this PR now to see the test results.
**Release note**:
```release-note
Property `serverAddressByClientCIDRs` in `metav1.APIGroup` (discovery API) now become optional instead of required
```
/sig api-machinery
Automatic merge from submit-queue (batch tested with PRs 63319, 64248, 64250, 63890, 64233). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
replace `__internal` with runtime.APIVersionInternal
**What this PR does / why we need it**:
Replace `__internal` with runtime.APIVersionInternal
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64060, 63904, 64218, 64208, 64247). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apimachinery: remove unused UnstructuredObjectConverter
This is not in apiextensions-apiserver for CR conversion.
Automatic merge from submit-queue (batch tested with PRs 64060, 63904, 64218, 64208, 64247). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
prevent zero for leader election timeouts
Add conditional checks for a stupid error that took me 20 minutes to find.
I don't see a reason to allow zero for any of the leader election tuning params
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64127, 63895, 64066, 64215, 64202). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix documentation of GA is in APIService's PriorityVersion and CRD's Versions
Explain what GA is in APIService's PriorityVersion and CRD's Versions.
ref #64136
```release-note
NONE
```
Add the Product Security Team as the security contacts for the main
repository and they can use the OWNERS files in each subsystem/dir to find
the correct owners.
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
Automatic merge from submit-queue (batch tested with PRs 62756, 63862, 61419, 64015, 64063). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiservices/status and certificatesigningrequests/status support get+update+patch
**What this PR does / why we need it**:
Fix the remaining `/status` subresources that return 405 on GET and PATCH
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref https://github.com/kubernetes/kubernetes/pull/63619
**Release note**:
```release-note
apiservices/status and certificatesigningrequests/status now support GET and PATCH
```
Automatic merge from submit-queue (batch tested with PRs 63283, 64032, 64159, 64126, 64098). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove some completed TODOs
This PR removes some old TODOs that were recently completed.
```release-note
NONE
```
Added unit tests.
Changed NewController function to accept informers and not informers
factory. This make code more testable and align it with other
controllers.
Automatic merge from submit-queue (batch tested with PRs 63881, 64046, 63409, 63402, 63221). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Kubelet config: Validate new config against future feature gates
This fixes an issue with KubeletConfiguration validation, where the
feature gates set by the new config were not taken into account.
Also fixes a validation issue with dynamic Kubelet config, where flag
precedence was not enforced prior to dynamic config validation in the
controller; this prevented rejection of dynamic configs that don't merge
well with values set via legacy flags.
Fixes#63305
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64069, 64087). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix error message
**What this PR does / why we need it**:
This PR fixes a minor mistake in an error message in `Equalities.DeepEqual`. I've tried to trace this mistake but could not find out where it originated.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Sort API Services by Kube-Version order
Sort API services based on kube-version format. If the version does not have kube-version format.
kube-version format: `v[MajorVersion]((alpha|beta)[minorVersion])?`
e.g. v1alpha1, v4, v21beta12
Sort base on:
Version type first: GA>Beta>Alpha
Major version then Minor version (if exists).
```release-note
APIServices with kube-like versions (e.g. v1, v2beta1, etc.) will be sorted appropriately within each group.
```
This fixes an issue with KubeletConfiguration validation, where the
feature gates set by the new config were not taken into account.
Also fixes a validation issue with dynamic Kubelet config, where flag
precedence was not enforced prior to dynamic config validation in the
controller; this prevented rejection of dynamic configs that don't merge
well with values set via legacy flags.
Automatic merge from submit-queue (batch tested with PRs 63598, 63913, 63459, 63963, 60464). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Client-go raises error on duplicated name in kubeconfig
(for NamedCluster, NamedContext, NamedUser, NamedExtension)
**What this PR does / why we need it**:
Client should detect duplicated name when loading `name-value` based lists in kubeconfig: `users`, `clusters`, `contexts`. Currently if there are multiple value with same name, `client-python` will pick the first one, while `client-go` will pick the last.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref: kubernetes-client/python#445, kubernetes-client/python-base#47
**Special notes for your reviewer**:
**Release note**:
```release-note
kubectl and client-go now detects duplicated name for user, cluster and context when loading kubeconfig and reports error
```
/sig api-machinery
cc @brendandburns @mbohlool
Automatic merge from submit-queue (batch tested with PRs 63598, 63913, 63459, 63963, 60464). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix event ref determination for apigroups
The event ref determination was never updated to handle apigroups so it has been returning only a group (not a version).
@kubernetes/sig-apps-bugs
```release-note
event object references with apiversion will now report an apiversion.
```
Automatic merge from submit-queue (batch tested with PRs 63598, 63913, 63459, 63963, 60464). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiextensions: promote CustomResourcesSubresources to beta
Fixes#62786
This PR promotes the CustomResourcesSubResources feature to beta and makes it enabled by default.
**Release note**:
```release-note
Subresources for custom resources is now beta and enabled by default. With this, updates to the `/status` subresource will disallow updates to all fields other than `.status` (not just `.spec` and `.metadata` as before). Also, `required` can be used at the root of the CRD OpenAPI validation schema when the `/status` subresource is enabled.
```
/assign sttts deads2k
/sig api-machinery
/area custom-resources
Automatic merge from submit-queue (batch tested with PRs 63920, 63716, 63928, 60553, 63946). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add InstallPathHandler which allows for more then one path to be associated with health checking.
Currently it is only possible to have one group of checks which must all pass for the handler to report success.
Allowing multiple paths for these checks allows use of the same machinery for other kinds of checks, i.e. readiness.
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63871, 63927, 63966, 63957, 63844). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove UID mutation from request.context
**What this PR does / why we need it**:
remove UID mutation from request.context, which is no use currently.
Fixes#59775
**Special notes for your reviewer**:
**Release note**:
```release-note
Remove UID mutation from request.context.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Allow for listing & watching individual secrets from nodes
This PR:
- propagates value of `metadata.name` field from fieldSelector to `name` field in RequestInfo (for list and watch requests)
- authorizes list/watch for requests for single secrets/configmaps coming from nodes
As an example:
```
/api/v1/secrets/namespaces/ns?fieldSelector=metadata.name=foo =>
requestInfo.Name = "foo",
requestInfo.Verb = "list"
/api/v1/secrets/namespaces/ns?fieldSelector=metadata.name=foo&watch=true =>
requestInfo.Name = "foo",
requestInfo.Verb = "list"
```
```release-note
list/watch API requests with a fieldSelector that specifies `metadata.name` can now be authorized as requests for an individual named resource
```
Automatic merge from submit-queue (batch tested with PRs 63875, 63817). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
make TestGetServerGroupsWithTimeout more reliable
Stops overriding a global variable in a test and tolerates a different kind of timeout message you can see.
/assign @soltysh
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Move to a structured status for dynamic kubelet config
This PR updates dynamic Kubelet config to use a structured status, rather than a node condition. This makes the status machine-readable, and thus more useful for config orchestration.
Fixes: #56896
```release-note
The status of dynamic Kubelet config is now reported via Node.Status.Config, rather than the KubeletConfigOk node condition.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apimachinery: move schema reference object into smp patcher
The schema reference object is only used in the strategic merge patch code path. This PR moves the creation there.
This PR is a preparation to make the patcher compatible with the UnstructuredObjectConverter without internal types. It will allow us to return an error on missing kinds at https://github.com/kubernetes/kubernetes/pull/63830#discussion_r188171025.
Automatic merge from submit-queue (batch tested with PRs 63589, 63644, 63861, 63872, 63847). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove service.deletecollection since the server doesn't support it
Updates the generated service client to match the API available.
@kubernetes/sig-api-machinery-pr-reviews
@kubernetes/api-reviewers
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
clean unused code in restmapper_test.go
**What this PR does / why we need it**:
clean unused code in restmapper_test.go
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/kind cleanup
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiextensions: normalize CR validation to return multiple errors
Deduplicated and use of the `allErrs` pattern we have elsewhere.
Updates dynamic Kubelet config to use a structured status, rather than a
node condition. This makes the status machine-readable, and thus more
useful for config orchestration.
Fixes: #56896
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
move cached_discovery to client-go/discovery
**Release note**:
```release-note
NONE
```
Moves the cmd/util CachedDiscoveryClient to client-go
cc @soltysh @deads2k
Automatic merge from submit-queue (batch tested with PRs 63792, 63495, 63742, 63332, 63779). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Track a metrics of number of registered watchers in apiserver
Automatic merge from submit-queue (batch tested with PRs 63792, 63495, 63742, 63332, 63779). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Actually support service `publishNotReadyAddresses`
This was added and the annotation was deprecated, but it was never
implemented.
xref #63741
**Release note**:
```release-note
The annotation `service.alpha.kubernetes.io/tolerate-unready-endpoints` is deprecated. Users should use Service.spec.publishNotReadyAddresses instead.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
avoid duplicate status in audit events
Fixes: https://github.com/kubernetes/kubernetes/issues/60108
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/assign @sttts @tallclair
**Release note**:
```
Action required: When Response is a metav1.Status, it is no longer copied into the audit.Event status. Only the "status", "reason" and "code" fields are set.
```
Automatic merge from submit-queue (batch tested with PRs 63603, 63557, 62015). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: Fail if dry-run query param is specified
Adds a dry-run query parameter now that does nothing but reject the request. The sooner we have this check in master, the safer it will be for clients to send dry-run requests that are not going to be applied nonetheless.
```release-note
Create a new `dryRun` query parameter for mutating endpoints. If the parameter is set, then the query will be rejected, as the feature is not implemented yet. This will allow forward compatibility with future clients; otherwise, future clients talking with older apiservers might end up modifying a resource even if they include the `dryRun` query parameter.
```
Automatic merge from submit-queue (batch tested with PRs 55511, 63372, 63400, 63100, 63769). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Create pkg/scheduling/apis/v1beta1 and move priorityClass to beta
**What this PR does / why we need it**:
This is for creating pkg/apis/scheduling/v1beta1 so that priorityClasses could be moved to beta.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of #57471
**Special notes for your reviewer**:
/cc @bsalamat @aveshagarwal
**Release note**:
```release-note
The `PriorityClass` API is promoted to `scheduling.k8s.io/v1beta1`
```
**What this PR does / why we need it**:
The sample-controller makes extensive use of various mechanisms
available in the client-go library. For writing custom controllers/operators
it will be helpful if there is precise description of how the
client-go library works and how/where it interfaces with
custom controller code.
This patch adds documentation that sheds light on how (parts) of the
client-go library work and its interaction-points with
controller code. The documentation and the diagram comes from [1],
(link included here for reference purpose).
[1] https://medium.com/@cloudark/kubernetes-custom-controllers-b6c7d0668fdf
Contributing the diagram and the writeup was recommended by
by @sttts and @nikhita on https://github.com/kubernetes/sample-controller/issues/13
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63367, 63718, 63446, 63723, 63720). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
finish new dynamic client and deprecate old dynamic client
Builds on a couple other pulls. This completes the transition to the new dynamic client.
@kubernetes/sig-api-machinery-pr-reviews
@caesarxuchao @sttts
```release-note
The old dynamic client has been replaced by a new one. The previous dynamic client will exist for one release in `client-go/deprecated-dynamic`. Switch as soon as possible.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
CRD Status subresource support get+update+patch
CRD Status previously only supports PUT and returns 405 on GET and PATCH
/assign @sttts
/sig api-machinery
**Release note**:
```release-note
CustomResourceDefinitions Status subresource now supports GET and PATCH
```
Currently it is only possible to have one group of checks which must all pass for the handler to report success.
Allowing multiple paths for these checks allows use of the same machinery for other kinds of checks, i.e. readiness.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
sample-apiserver admission wait for informer sync before serving
**What this PR does / why we need it**:
sample-apiserver admission wait for informer sync before serving
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix typo in apiextentions apiserver
the comment should be apiextentions apiserver
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63246, 63185). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add checks validation MinRequestTimeout of ServerRunOptions
**What this PR does / why we need it**:
add checks validation MinRequestTimeout of ServerRunOptions
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
I think we should check MinRequestTimeout > 0 (like RequestTimeout), in Validate() of ServerRunOptions. If it is not necessary, close this PR.Thanks
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59727, 63468). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix annotation of APIGroupInfo
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
should use time.Since instead of time.Now().Sub
**What this PR does / why we need it**:
should use time.Since instead of time.Now().Sub
**Special notes for your reviewer**:
Automatic merge from submit-queue (batch tested with PRs 62665, 62194, 63616, 63672, 63450). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Correct the returned message
Line 73 and line 103:
return fmt.Errorf("expected ResponseBody to be nil, got non-nill '%s'", events[i].ResponseObject.Raw)
"non-nill" should be changed to "non-nil"
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
construct resource.Builder from kubeconfig flags
updates the resource.Builder to be constructed from the kubeconfig flags struct/interface that we now have.
@kubernetes/sig-cli-maintainers
@juanvallejo @soltysh
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
read openstack auth config from client config
**What this PR does / why we need it**:
> // TODO: read/persist client configuration(OS_XXX env vars) in config
/sig openstack
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/assign @dims
**Release note**:
```release-note
read openstack auth config from client config
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Stop() for Ticker to enable leak-free code
**What this PR does / why we need it**:
I wanted to use the clock package but the `Ticker` without a `Stop()` method is a deal breaker for me.
**Release note**:
```release-note
NONE
```
/kind enhancement
/sig api-machinery
Automatic merge from submit-queue (batch tested with PRs 63624, 59847). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
explicit kubelet config key in Node.Spec.ConfigSource.ConfigMap
This makes the Kubelet config key in the ConfigMap an explicit part of
the API, so we can stop using magic key names.
As part of this change, we are retiring ConfigMapRef for ConfigMap.
```release-note
You must now specify Node.Spec.ConfigSource.ConfigMap.KubeletConfigKey when using dynamic Kubelet config to tell the Kubelet which key of the ConfigMap identifies its config file.
```
Automatic merge from submit-queue (batch tested with PRs 63593, 63539). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix typo in envelope transform error message
genvelope -> envelope
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59284, 63602). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
category expansion can only come from the server
A couple release ago we moved category expansion to the server instead of hardcoding it in the client. Similar to restmappings, there is no valid client-side expansion anymore, so this removes the code that hardcoded the list and moves the category expansion to the same package as our discovery based restmappers.
@kubernetes/sig-cli-maintainers
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59284, 63602). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Exclude keys containing empty patches in the final patch
**What this PR does / why we need it**:
This minimizes the 3-way JSON merge patch generated when calculating the patch necessary to send to the server. It does this by removing empty maps created from deleting keys in the keepOrDeleteNullInObj method.
This is not only a slight performance improvement (less PATCH requests) but also necessary when working with custom resources that have RBAC restrictions.
**Which issue(s) this PR fixes**: N/A
**Special notes for your reviewer**: N/A
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62354, 62934, 63502). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Run resource discovery in parallel
best viewed ignoring whitespace (https://github.com/kubernetes/kubernetes/pull/63502/files?w=1)
on high-latency connections, serializing resource discovery requests across group versions can take significant amounts of time. this parallelizes the network request portion of the discovery call
xref #63368
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59034, 63565, 63533). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiextensions: allow "required" at root with status subresource
In the subresources alpha we intentionally disallowed anything than `properties` at the root of the validation schema in order to allow us to project it to the .status subtree. By doing this we also disallowed `required` at the root which is necessary to enforce e.g. a spec to be set. This PR fixes this.
Moreover, it fixes that the restriction is only enforced when the status subresource is actually enabled. Before this PR we were enforcing the restriction as soon as the feature gate was enabled, leading to a backwards incompatible change.
```release-note
Allow "required" to be used at the CRD OpenAPI validation schema when the /status subresource is enabled.
```
There was an issue reporting the bug. But cannot find it.
Automatic merge from submit-queue (batch tested with PRs 63537, 63385). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[CustomResourceSubresources] fix status subresource
This change make the codes consistent with the document.
Fixes: https://github.com/kubernetes/kubernetes/issues/63359
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/assign @nikhita
**Release note**:
```release-note
When updating /status subresource of a custom resource, only the value at the `.status` subpath for the update is considered.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Return error when has no RequestInfo in handlerchain
**What this PR does / why we need it**:
we should return error when has no RequestInfo.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
This makes the Kubelet config key in the ConfigMap an explicit part of
the API, so we can stop using magic key names.
As part of this change, we are retiring ConfigMapRef for ConfigMap.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Refactor hard code in rest_test.go
**What this PR does / why we need it**:
Refactor hard code in rest_test.go
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63291, 63490, 60445, 63507, 63524). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
move client based restmappers to client-go
Moves the client-based restmappers to client-go where everyone who needs them can have access.
```release-note
the shortcuts which were moved server-side in at least 1.9 have been removed from being hardcoded in kubectl
```
@kubernetes/sig-cli-maintainers @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 63291, 63490, 60445, 63507, 63524). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixes fake client generation for non-namespaced subresources
**What this PR does / why we need it**:
Fixes code generation for non-namespaced subresources fake clients.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#60444
**Special notes for your reviewer**:
**Release note**:
```dev-release-note
Fixes fake client generation for non-namespaced subresources
```
/cc @mfojtik @liggitt
I'm not sure the best way to add tests for this. Any pointers?
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubectl get CRD resources with --server-print=true column name error
**What this PR does / why we need it**:
Here's a bunch of kubectl get command execution and their outputs.
my-crd is the user-define CRD resource.
1.
```
kubectl get pod --all-namespaces --server-print=true
NAMESPACE NAME READY STATUS RESTARTS AGE
test-ns test-pod 1/1 running 1 15m
```
2.
```
kubectl get my-crd --all-namespaces --server-print=false
NAMESPACE NAME AGE
test-ns test-crd 21m
```
3.
```
kubectl get my-crd --all-namespaces --server-print=true
NAMESPACE NAME CREATED AT
test-ns test-crd 21m
```
Here's the problem
1. Example 3 isn't consistent with example 1 and 2
2. CREATED AT 21m doesn't make sense
This patch fix this.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63460, 63481). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove redundant runtime.GOMAXPROCS
Since golang 1.5, `By default, Go programs run with GOMAXPROCS set to the number of cores available;`
If env `GOMAXPROCS `, it uses default `runtime.NumCPU()`. So set again is redundant.
cc @deads2k
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiserver: document how to run sample-apiserver standalone outside the cluster
This PR documents how to run the sample-apiserver outside of a cluster for development.
tl/dr: local client CA with `system:masters` group membership. Then authorization is skipped.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
catch err when Watch testResource failed in func TestWatchCallNonNamespace
**What this PR does / why we need it**:
catch err when Watch testResource failed in func TestWatchCallNonNamespace
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
[#61155](https://github.com/kubernetes/kubernetes/issues/61155)
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
the output looks like:
NAMESPACE NAME CREATED AT
default test 2m
Notice that the column CREATED AT 2m makes no sense.
The correct column name here should be AGE.
Which keeps the same with the situation when --server-print=false
This patch fix this.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Cache preferred resources, use in kubectl resource name autocomplete
Fixes#63145
Fixes https://github.com/kubernetes/kubectl/issues/357
Alternative to #61928
* starts to unify preferred resource logic on top of ServerGroups()/ServerResourcesForGroupVersion() methods
* allows indicating a cached list of resources is acceptable when calling `kubectl api-resources` (default is still to rediscover)
* uses `kubectl api-resources` in bash completion
```sh
$ kubectl get [TAB][TAB]
apiservices.apiregistration.k8s.io networkpolicies.extensions
certificatesigningrequests.certificates.k8s.io networkpolicies.networking.k8s.io
clusterrolebindings.rbac.authorization.k8s.io nodes
clusterroles.rbac.authorization.k8s.io persistentvolumeclaims
componentstatuses persistentvolumes
configmaps poddisruptionbudgets.policy
controllerrevisions.apps pods
cronjobs.batch podsecuritypolicies.extensions
customresourcedefinitions.apiextensions.k8s.io podsecuritypolicies.policy
daemonsets.apps podtemplates
daemonsets.extensions replicasets.apps
deployments.apps replicasets.extensions
deployments.extensions replicationcontrollers
endpoints resourcequotas
events rolebindings.rbac.authorization.k8s.io
events.events.k8s.io roles.rbac.authorization.k8s.io
horizontalpodautoscalers.autoscaling secrets
ingresses.extensions serviceaccounts
initializerconfigurations.admissionregistration.k8s.io services
jobs.batch statefulsets.apps
limitranges storageclasses.storage.k8s.io
mutatingwebhookconfigurations.admissionregistration.k8s.io validatingwebhookconfigurations.admissionregistration.k8s.io
namespaces volumeattachments.storage.k8s.io
```
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update to latest Gophercloud
**What this PR does / why we need it**:
periodic update to latest gophercloud. The changes are as follows:
6da026c32e...781450b3c4
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61455, 63346, 63130, 63404). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump kube-openapi dependency
**What this PR does / why we need it**:
Pick up https://github.com/kubernetes/kube-openapi/pull/64
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#63218
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig api-machinery
/cc @mbohlool @liggitt
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Implements OIDC distributed claims.
Next step to enable this feature is to enable claim caching.
A distributed claim allows the OIDC provider to delegate a claim to a
separate URL. Distributed claims are of the form as seen below, and are
defined in the OIDC Connect Core 1.0, section 5.6.2.
See: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
Example claim:
```
{
... (other normal claims)...
"_claim_names": {
"groups": "src1"
},
"_claim_sources": {
"src1": {
"endpoint": "https://www.example.com",
"access_token": "f005ba11"
},
},
}
```
Example response to a followup request to https://www.example.com is a
JWT-encoded claim token:
```
{
"iss": "https://www.example.com",
"aud": "my-client",
"groups": ["team1", "team2"],
"exp": 9876543210
}
```
Apart from the indirection, the distributed claim behaves exactly
the same as a standard claim. For Kubernetes, this means that the
token must be verified using the same approach as for the original OIDC
token. This requires the presence of "iss", "aud" and "exp" claims in
addition to "groups".
All existing OIDC options (e.g. groups prefix) apply.
Any claim can be made distributed, even though the "groups" claim is
the primary use case.
Allows groups to be a single string due to
https://github.com/kubernetes/kubernetes/issues/33290, even though
OIDC defines "groups" claim to be an array of strings. So, this will
be parsed correctly:
```
{
"iss": "https://www.example.com",
"aud": "my-client",
"groups": "team1",
"exp": 9876543210
}
```
Expects that distributed claims endpoints return JWT, per OIDC specs.
In case both a standard and a distributed claim with the same name
exist, standard claim wins. The specs seem undecided about the correct
approach here.
Distributed claims are resolved serially. This could be parallelized
for performance if needed.
Aggregated claims are silently skipped. Support could be added if
needed.
**What this PR does / why we need it**: Makes it possible to retrieve many group memberships by offloading to a dedicated backend for groups resolution.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62920
**Special notes for your reviewer**:
There are a few TODOs that seem better handled in separate commits.
**Release note**:
```release-note
Lays groundwork for OIDC distributed claims handling in the apiserver authentication token checker.
A distributed claim allows the OIDC provider to delegate a claim to a
separate URL. Distributed claims are of the form as seen below, and are
defined in the OIDC Connect Core 1.0, section 5.6.2.
For details, see:
http://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
```
Automatic merge from submit-queue (batch tested with PRs 62657, 63278, 62903, 63375). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
ensure diff output includes the portion that differs
When using ObjectReflectDiff() on objects with long string fields, the
80 character limit on diffs will commonly hide the actual difference
between the fields and require that the dev change which diff function
is used to see what the issue was. This defeats the purpose of printing
the diff between objects.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update all script shebangs to use /usr/bin/env interpreter instead of /bin/interpreter
This is required to support systems where bash doesn't reside in /bin (such as NixOS, or the *BSD family) and allow users to specify a different interpreter version through $PATH manipulation.
https://www.cyberciti.biz/tips/finding-bash-perl-python-portably-using-env.html
```release-note
Use /usr/bin/env in all script shebangs to increase portability.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update restmapping to indicate fully qualified resource
The resource of a restmapping is logically fully qualified and we have that value when we construct it. Update the return value so that callers don't have to synthentically create one.
@kubernetes/sig-api-machinery-pr-reviews
```release-note
NONE
```
A distributed claim allows the OIDC provider to delegate a claim to a
separate URL. Distributed claims are of the form as seen below, and are
defined in the OIDC Connect Core 1.0, section 5.6.2.
See: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
Example claim:
```
{
... (other normal claims)...
"_claim_names": {
"groups": "src1"
},
"_claim_sources": {
"src1": {
"endpoint": "https://www.example.com",
"access_token": "f005ba11"
},
},
}
```
Example response to a followup request to https://www.example.com is a
JWT-encoded claim token:
```
{
"iss": "https://www.example.com",
"aud": "my-client",
"groups": ["team1", "team2"],
"exp": 9876543210
}
```
Apart from the indirection, the distributed claim behaves exactly
the same as a standard claim. For Kubernetes, this means that the
token must be verified using the same approach as for the original OIDC
token. This requires the presence of "iss", "aud" and "exp" claims in
addition to "groups".
All existing OIDC options (e.g. groups prefix) apply.
Any claim can be made distributed, even though the "groups" claim is
the primary use case.
Allows groups to be a single string due to
https://github.com/kubernetes/kubernetes/issues/33290, even though
OIDC defines "groups" claim to be an array of strings. So, this will
be parsed correctly:
```
{
"iss": "https://www.example.com",
"aud": "my-client",
"groups": "team1",
"exp": 9876543210
}
```
Expects that distributed claims endpoints return JWT, per OIDC specs.
In case both a standard and a distributed claim with the same name
exist, standard claim wins. The specs seem undecided about the correct
approach here.
Distributed claims are resolved serially. This could be parallelized
for performance if needed.
Aggregated claims are silently skipped. Support could be added if
needed.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove rootscopedkinds from groupmeta
builds on https://github.com/kubernetes/kubernetes/pull/63206
Since, a RESTMapping can only be determined based on a connection to a server, the only thing that needs to know the namespaced-ness of a resource is the code doing the registration. Everything else is derived from that source of truth. This removes the other dangling references and collapses down onto the existing namespaced-ness methods in the strategies backing the stores.
@kubernetes/sig-api-machinery-pr-reviews
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add test for sparse version encoding/decoding
This adds tests that make sure the sparse version encoding and encoding work as callers will expect, with the correct version being picked from the list. I wrote two tests, one a theoretical test not dependent on any API and another practical test using cronjobs which are currently sparse in the registry.
@liggitt turns out that because we find exact matches, sparse versions ought to work out fine.
@smarterclayton I hate that the versioner matches on type. I'll update that separately I think.
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove incorrect static restmapper from type registry
A RESTMapping can only be determined by inspecting a server since discovery is the authoritative source of mapping decisions. This removes a deceptive method from the type registry and makes the old logic available for existing tests in a separate, clearly labeled package.
@kubernetes/sig-api-machinery-pr-reviews @kubernetes/sig-cli-maintainers
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60890, 63244, 60741, 63254). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Indicate clusterrolebinding, rolebinding subjects are optional fields
**What this PR does / why we need it**: With this PR, clusterrolebinding and rolebinding subjects are marked optional instead of required. Currently we cannot create clusterrolebinding and rolebinding with subjects are empty using `kubectl create/apply/replace -f`.
```
$ kubectl create rolebinding test --clusterrole view
rolebinding "test" created
$ kubectl get rolebinding test -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: 2018-03-02T06:58:16Z
name: test
namespace: default
resourceVersion: "5606612"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/test
uid: 155c5c29-1de7-11e8-9f6f-fa163ec89f2a
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects: null
$ kubectl get rolebinding test -o yaml | kubectl replace -f -
error: error validating "STDIN": error validating data: ValidationError(RoleBinding): missing required field "subjects" in io.k8s.api.rbac.v1.RoleBinding; if you choose to ignore these errors, turn validation off with --validate=false
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**: This is a same issue with https://github.com/kubernetes/kubernetes/issues/59403. /cc @liggitt
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove self linker from group info
The self-link is related to RESTStorage, not to the scheme/codec. Also, no one every customized it. This moves it to the single point of use and retains the override potential.
@kubernetes/sig-api-machinery-pr-reviews
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63153, 63238). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix curl header
partially reverts kubernetes/kubernetes#60925
such command cause a 406 status code from api-server
```
curl -H "Accept: 'application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json'"
```
this works fine:
```
curl -H "Accept: application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json"
```
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63251, 59166, 63250, 63180, 63169). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Break a generic package dependency to core/api/v1
It is not necessary for this package to depend on core/v1.
Automatic merge from submit-queue (batch tested with PRs 63251, 59166, 63250, 63180, 63169). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
divide statically known typer from dynamically derived restmapper
The CLI factory conflated a statically known typer and a dynamically derived restmapper. This produced confusion and unnecessary indirection. This pull separates dynamically known from statically known.
A future pull will continue the separation of in the builder to indicate the points of variability for clients, which should logically be limited to a negotiated serializer for decoding and an object typer.
@kubernetes/sig-cli-maintainers
/assign @soltysh
/assign @juanvallejo
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove versioning interface
Builds on prior restmapping/converter separation to completely remove the versioning interface which isn't needed.
intersection of @kubernetes/sig-api-machinery-pr-reviews and @kubernetes/sig-cli-maintainers again
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61804, 63189). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
make use of simple dynamic client instead of deprecated client pool
**What this PR does / why we need it**:
Use simple dynamic client through all integration test.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#63182
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62937, 63105, 63031, 63174). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove unnecessary typer from create/update handlers
**What this PR does / why we need it**:
Refactoring to remove unnecessarily duplicated definition of an ObjectTyper for some of the handlers.
The patch handler also has an extra ObjectConvertor, but it is defined differently in both places so removing one would possibly have side effects.
```release-note
NONE
```
/sig api-machinery
Kubernetes Submit Queue