Automatic merge from submit-queue
remove bearer token from headers after we consume it
Updates the bearer token authenticator to remove the bearer token from the request headers after it is consumed. Nothing else in the stack should try to use it and we don't want to accidentally leak it somewhere.
@liggitt @kubernetes/sig-auth-pr-reviews
Automatic merge from submit-queue
Clean up petset
**What this PR does / why we need it**:
Rename legacy petset to statefulset.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Make Cluster Autoscaler maintainers the owner of cluster/saltbase/clusterautoscaler
CA folks are frequently increasing the version of CA. It will make their life easier if they can do without nagging K8S uber-owners.
cc: @MaciekPytel @wojtek-t @fgrzadkowski
Automatic merge from submit-queue
federation:update outdated link
**What this PR does / why we need it**:
federation:update outdated link
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Add OWNERS for staging and api
Part of #44420
* api/ is a copy of pkg/api (same reasoning)
* staging/ is the set of people who should be allowing new top level nested packages + the set of people who can change the staging machinery code
Open to changes to staging/ - very rarely changed. Added owners for the other items
Automatic merge from submit-queue
util/iptables: grab iptables locks if iptables-restore doesn't support --wait
When iptables-restore doesn't support --wait (which < 1.6.2 don't), it may
conflict with other iptables users on the system, like docker, because it
doesn't acquire the iptables lock before changing iptables rules. This causes
sporadic docker failures when starting containers.
To ensure those don't happen, essentially duplicate the iptables locking
logic inside util/iptables when we know iptables-restore doesn't support
the --wait option.
Unfortunately iptables uses two different locking mechanisms, one until
1.4.x (abstract socket based) and another from 1.6.x (/run/xtables.lock
flock() based). We have to grab both locks, because we don't know what
version of iptables-restore exists since iptables-restore doesn't have
a --version option before 1.6.2. Plus, distros (like RHEL) backport the
/run/xtables.lock patch to 1.4.x versions.
Related: https://github.com/kubernetes/kubernetes/pull/43575
See also: https://github.com/openshift/origin/pull/13845
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1417234
@kubernetes/rh-networking @kubernetes/sig-network-misc @eparis @knobunc @danwinship @thockin @freehan
Automatic merge from submit-queue
fix the typos of e.g.
fix the typos of e.g.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 45182, 45429)
Coverage: shasum command not supported on CentOS
Centos has sha1sum, instead of "shasum -a1". Modified script to
check for existence fo shasum, and if not present, use sha1sum
for coverage test processing.
**What this PR does / why we need it**: Allows coverage test to run under CentOS. Needed for development using that OS.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#45425
**Special notes for your reviewer**:
**Release note**:
```NONE
```
Automatic merge from submit-queue (batch tested with PRs 45182, 45429)
CustomResources in separate API server
Builds on https://github.com/kubernetes/kubernetes/pull/45115.
This adds a basic handler for custom resources. No status handling, no finalizers, no controllers, but basic CRUD runs to allow @enisoc and others to start considering migration.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 43006, 45305, 45390, 45412, 45392)
[GCE] Collect latency metric on get/list calls
**What this PR does / why we need it**:
Collects latency & count measurements on GET and LIST operations to GCE cloud.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 43006, 45305, 45390, 45412, 45392)
update the doc of function NewPathRecorderMux
The doc of function NewPathRecorderMux() is out of date. Update it.
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 43006, 45305, 45390, 45412, 45392)
Update go-restful dependency
This is required by #44787. But because both this and the changes in 44787 need constant rebase, I am trying to get this one in separately to make less rebases.
The change is only a dependency update.
Automatic merge from submit-queue
Fix crash on Pods().Get() failure
**What this PR does / why we need it**:
Fixes a potential crash in syncPod when Pods().Get() returns an error other than NotFound. This is unlikely to occur with the standard client, but easily shows up with a stub kube client that returns Unimplemented to everything. Updates the unit test as well.
**Release note**:
`NONE`
Automatic merge from submit-queue (batch tested with PRs 44830, 45130)
Adding support for Accelerators to GCE clusters.
```release-note
Create clusters with GPUs in GKE by specifying "type=<gpu-type>,count=<gpu-count>" to NODE_ACCELERATORS env var.
List of available GPUs - https://cloud.google.com/compute/docs/gpus/#introduction
```
Automatic merge from submit-queue (batch tested with PRs 44590, 44969, 45325, 45208, 44714)
Use dedicated UnixUserID and UnixGroupID types
**What this PR does / why we need it**:
DRYs up type definitions by using the dedicated types in apimachinery
**Which issue this PR fixes**
#38120
**Release note**:
```release-note
UIDs and GIDs now use apimachinery types
```
Automatic merge from submit-queue (batch tested with PRs 44590, 44969, 45325, 45208, 44714)
Fix onlylocal endpoint's healthcheck nodeport logic
I was in the middle of rebasing #41162, surprisingly found the healthcheck nodeport logic in kube-proxy is still buggy. Separate this fix out as it isn't GA related.
/assign @freehan @thockin
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44590, 44969, 45325, 45208, 44714)
remove mvPodUidDir test
**What this PR does / why we need it**:
Removes a [HostCleanup] test which deleted the pod's uid directory and checked to see that the host was cleaned up. This test consistently failed on gci (COS) due to OS differences related to handling mounting (containerized on COS) and rm'ing files being accessed. See #44592 for more details.
```release-note
NONE
```
cc. @msau42 @copejon
Automatic merge from submit-queue (batch tested with PRs 44590, 44969, 45325, 45208, 44714)
Refactor volume operation log and error messages
What this PR does / why we need it:
Adds wrappers for volume-specific error and log messages. Each message has a simple version that can be displayed to the user and a detailed version that can be used in logs. The messages that are used for events was also cleaned up. @msau42
Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes#40905
Special notes for your reviewer:
pkg/kubelet/volumemanager/reconciler/reconciler.go can be refactored. I can do that refactoring after this one.
Release note:
NONE
Automatic merge from submit-queue (batch tested with PRs 44590, 44969, 45325, 45208, 44714)
Enable basic auth username rotation for GCI
When changing basic auth creds, just delete the whole file, in order to be able to rotate username in addition to password.
Centos has sha1sum, instead of "shasum -a1". Modified script to
check for existence fo shasum, and if not present, use sha1sum
for coverage test processing. If neither are available, an error
will be reported and processing stopped.
Automatic merge from submit-queue
Kubectl taint node based on label selector
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #44522
**Release note**:
```
Taints the node based on label selector
```
Automatic merge from submit-queue (batch tested with PRs 45322, 44770, 45411)
Fix and make TaintManager harder to break before we move it out of NC
Fix#45342
cc @gyliu513
Automatic merge from submit-queue (batch tested with PRs 45322, 44770, 45411)
Re-architecture of scheduler perf tests to make them more extendable
**What this PR does / why we need it**:
**Special notes for your reviewer**:
This is for re-architecture of scheduler, so that we can enable or disable certain predicates and priorities and see their impact.
**Release note**:
```release-note
Scheduler perf modular extensions.
```
Automatic merge from submit-queue (batch tested with PRs 45322, 44770, 45411)
Put podAntiAffinity in PodSpec.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
In 1.6, we moved the `affinity` from `annotations` to `PodSpec`, but the `annotations` still works with `AffinityInAnnotations=true`. Please check https://docs.google.com/document/d/1YP3OJTKMpXkWAhipPjx9-bDMxJ87JZ6AcVak7c3SGos/edit for detail.
**Release note**:
```release-note
```
Fixed#45318
Automatic merge from submit-queue
add set rolebinding/clusterrolebinding command
add command to set user/group/serviceaccount in rolebinding/clusterrolebinding /cc @liggitt @deads2k
Automatic merge from submit-queue
OWNERS: add directxman12 to pkg/apis/autoscaling
Added directxman12 (current SIG lead of SIG-autoscaling) as a reviewer for pkg/apis/autoscaling.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 43732, 45413)
Extend timeouts in timed_workers_test
Fix#45375
If it won't be enough I'll rewrite it to allow injectable timers.
Automatic merge from submit-queue (batch tested with PRs 43732, 45413)
Handle maxUnavailable larger than spec.replicas
**What this PR does / why we need it**:
Handle maxUnavailable larger than spec.replicas
**Which issue this PR fixes**
fixes#42479
**Special notes for your reviewer**:
None
**Release note**:
```
NONE
```
Kubernetes Submit Queue