Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Support for custom tls cipher suites in api server and kubelet
**What this PR does / why we need it**:
This pull request aims to solve the problem of users not able to set custom cipher suites in the api server.
Several users have requested this given that some default ciphers are vulnerable.
There is a discussion in #41038 of how to implement this. The options are:
- Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
- Letting the user set them by parameter, this requires adding a new parameter that could be pretty long with the list of all the ciphers.
I implemented the second option, if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).
**Which issue this PR fixes**
fixes#41038
**Special notes for your reviewer**:
The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the `type CipherSuitesFlag` to support that conversion/mapping, because i couldn't find any way to do this type of reflection in Go.
If you think there is another way to implement this, let me know.
If you want to test it out, this is a ciphers combination i tested without the weak ones:
```
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
```
If this is merged i will implement the same for the Kubelet.
**Release note**:
```release-note
kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable ValidatingAdmissionWebhook and MutatingAdmissionWebhook in kubeadm from v1.9
**What this PR does / why we need it**:
Since 1.9, `ValidatingAdmissionWebhook` and `MutatingAdmissionWebhook` are beta. Kubeadm should enable them by default.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#642
**Special notes for your reviewer**:
/assign @luxas
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
**Release note**:
```release-note
Enable ValidatingAdmissionWebhook and MutatingAdmissionWebhook in kubeadm from v1.9
```
Automatic merge from submit-queue (batch tested with PRs 58411, 58407, 52863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Create Conformance document to display all tests that belong to Confo…
…rmance suite
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58411, 58407, 52863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
low hanging fruit for using cobra commands
This makes the simple updates to use cobra commands instead of individual ones
/assign liggitt
/assign ncdc
/assign sttts
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Benchmark test non docker specific
**What this PR does / why we need it**:
This will make benchmark test generic to all container runtimes
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58321
**Special notes for your reviewer**:
**Release note**:
```release-note
none
```
/cc @Random-Liu
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixed TearDown of NFS with root squash.
NFS plugin should not use `IsLikelyNotMountPoint()`, as it uses `lstat()` / `stat()` to determine if the NFS volume is still mounted - NFS server may use root_squash and kubelet may not be allowed to do `lstat()` / `stat()` there.
It must use slower `IsNotMountPoint()` instead, including in `TearDown()` function.
**Release note**:
```release-note
NONE
```
/assign @gnufied @rootfs
Automatic merge from submit-queue (batch tested with PRs 58375, 58306, 58386, 57420, 58035). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix windows UT for proxy mode
**What this PR does / why we need it**:
/kind bug
Fix windows UT for proxy mode.
Run UTs for `kubeproxyconfig/validation` in windows,
```
=== RUN TestValidateKubeProxyConfiguration
--- FAIL: TestValidateKubeProxyConfiguration (0.00s)
validation_test.go:83: expected success: [KubeProxyConfiguration.Mode.ProxyMode: Invalid value: "ipvs": must be kernelspace,userspace or blank (blank means the most-available proxy [currently userspace])]
```
That's because proxy mode "IPVS" is not valid in windows.
**Which issue(s) this PR fixes**:
Fixes#58037
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58375, 58306, 58386, 57420, 58035). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add semver metadata regex
**What this PR does / why we need it**: When building a release tag with optional semver metadata, the minor and major versions are not parsed correctly (empty strings). This fix adds optional support to the regex for the metadata component.
example:
```
~/w/g/s/k/kubernetes ❯❯❯ git tag v1.9.0+stable.0 fixes/semver_metadata ✭
~/w/g/s/k/kubernetes ❯❯❯ hack/print-workspace-status.sh fixes/semver_metadata ✭
STABLE_BUILD_GIT_COMMIT 63e2eacd22
STABLE_BUILD_SCM_STATUS clean
STABLE_BUILD_SCM_REVISION v1.9.0+stable.0
STABLE_BUILD_MAJOR_VERSION 1
STABLE_BUILD_MINOR_VERSION 9
STABLE_DOCKER_TAG v1.9.0_stable.0
gitCommit 63e2eacd22
gitTreeState clean
gitVersion v1.9.0+stable.0
gitMajor 1
gitMinor 9
buildDate 2017-12-19T21:08:48Z
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58375, 58306, 58386, 57420, 58035). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
handle uniquified holder identities
script update for https://github.com/kubernetes/kubernetes/pull/58302
This has to be done first to allow CI to pass. We need unique leasing identities and hostnames, particularly locally determined ones, aren't unique.
/assign liggitt
/assign mikedanese
Automatic merge from submit-queue (batch tested with PRs 58375, 58306, 58386, 57420, 58035). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Track run status explicitly rather than non-nil check on stopCh
Fixes#57044
GC and quota controllers use a non-nil stop channel as a signal Run() has been called, so ensure that condition holds even when a nil stop channel is passed in
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Recheck if transformed data is stale when doing live lookup during update
Fixes#49565
Caching storage can pass in a cached object to `GuaranteedUpdate` as a hint for the current object.
If the hint is identical to the data we want to persist, before short-circuiting as a no-op update, we force a live lookup.
We should check two things on the result of that live lookup before short-circuiting as a no-op update:
1. the bytes we want to persist still match the transformed bytes read from etcd
2. the state read from etcd didn't report itself as stale. this would mean the transformer used to read the data would not be the transformer used to write it, and "no-op" writes should still be performed, since transformation will make the underlying content actually different.
After a live lookup, we checked byte equality, but not the stale indicator. This meant that key rotation or encrypted->decrypted, and decrypted->encrypted updates are broken.
Introduced in #54780 and picked back to 1.8 in #55294
```release-note
Fixed encryption key and encryption provider rotation
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add jsafrane as util/mount approver.
I've written large parts of the mounter and I am fixing it regularly.
**Release note**:
```release-note
NONE
```
This change affects the way that secret, configmap, downwardAPI and projected
volumes (which all use the same underlying code) implement their data update
functionality.
* Instead of creating a subdirectory hierarchy that itself
will contain symlinks to each actual data file, create only
symlinks to items in the root of the volume, whether they
be files or directories.
* Rather than comparing the user-visible data directory
to see if an update is needed, compare with the current
version of the data directory.
* Fix data dir timestamp format year
* Create ..data symlink even when a data volume has no data so
consumers can have simplified update watch logic.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
pkg/securitycontext/util_test.go(TestAddNoNewPrivileges): update tests
**What this PR does / why we need it**:
This PR improves existing test in the following ways:
- remove irrelevant test cases
- add test case for `AllowPrivilegeEscalation: nil`
- explicitly specify input and expected outcome
This is addressed to the following review comment: https://github.com/kubernetes/kubernetes/pull/47019#discussion_r135808264
**Release note**:
```release-note
NONE
```
PTAL @jessfraz @kubernetes/sig-auth-pr-reviews
CC @simo5
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update comments for getting and removing loopback device for iSCSI,FC,RBD
**What this PR does / why we need it**:
This PR adds comments of the background why plugin gets loopback device and removes loopback device even if operation_generator has same functionality.
**Which issue(s) this PR fixes** : No
**Special notes for your reviewer**:
/cc @rootfs @sbezverk
related PR: https://github.com/kubernetes/kubernetes/pull/56651
**Release note**:
```release-note
NONE
```
This PR add comments for the background why plugin gets loopback
device and removes loopback device even if operation_generator has
same functionality.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
set fsGroup by securityContext.fsGroup in azure file
**What this PR does / why we need it**:
set fsGroup by securityContext.fsGroup in azure file
This PR respects `securityContext.fsGroup`, while if user both sets `gid=xxx` in mountOptions in azure storage class and `securityContext.fsGroup`, `gid=xxx` setting in mountOptions will win.
```
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
securityContext:
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: {}
containers:
- name: sec-ctx-demo
image: gcr.io/google-samples/node-hello:1.0
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#44085
**Special notes for your reviewer**:
**Release note**:
```
set fsGroup by securityContext.fsGroup in azure file
```
/assign @karataliu
cc @rootfs @avaranovich
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix update-swagger-spec.sh to always cleanup etcd
**What this PR does / why we need it**:
This PR fixes `hack/update-swagger-spec.sh` so it always cleanup etcd and to noe leave orphaned process after its execution. This process also doesn't allow to run the script again as it detects existing etcd and won't start.
I also made a minor improvement by adding guard against an empty arguments.
**Release note**:
```release-note
NONE
```
CC @simo5
Prior this change, etcd wasn't cleaned up on my machine that lead to
orphaned etcd process after the update-swagger-spec.sh failed.
This change also adds additional improvements:
- don't kill/wait/rm when argument is empty.
- use kube::util::trap_add.
Automatic merge from submit-queue (batch tested with PRs 58008, 58351). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update-swagger-spec.sh: when API server fails to start, show the last lines of logs
**What this PR does / why we need it**:
When API server fails to start there is no easy way to know why. You have to read the script where you will find that there is a log file that could have some useful info. This PR simplifies debugging:
1) it includes the path to the log file in the error message
2) it also shows the last 10 lines from this log
Before this change:
```
+++ [0116 19:33:49] Starting kube-apiserver
!!! [0116 19:34:19] Timed out waiting for apiserver: to answer at 127.0.0.1:8050/healthz; tried 30 waiting 1 between each
!!! Error in ./hack/update-swagger-spec.sh:42
Error in ./hack/update-swagger-spec.sh:42. 'return 1' exited with status 1
Call stack:
1: ./hack/update-swagger-spec.sh:42 main(...)
Exiting with status 1
+++ [0116 19:34:19] Clean up complete
```
After this change:
```
+++ [0116 19:42:41] Starting kube-apiserver
!!! [0116 19:42:51] Timed out waiting for apiserver: to answer at 127.0.0.1:8050/healthz; tried 30 waiting 1 between each
!!! [0116 19:42:51] Here are the last 10 lines from kube-apiserver (/tmp/swagger-api-server.log)
!!! [0116 19:42:51] === BEGIN OF LOG ===
I0116 19:42:41.689355 30809 server.go:122] Version: v1.10.0-alpha.1.877+a02cb7c1f7d0d6-dirty
I0116 19:42:41.942601 30809 serving.go:295] Generated self-signed cert (/tmp/update-swagger-spec.2Udp/certs/apiserver.crt, /tmp/update-swagger-spec.2Udp/certs/apiserver.key)
I0116 19:42:41.942611 30809 server.go:647] external host was not specified, using 10.10.10.10
W0116 19:42:41.942618 30809 authentication.go:378] AnonymousAuth is not allowed with the AllowAll authorizer. Resetting AnonymousAuth to false. You should use a different authorizer
error in initializing storage factory: group version podsecuritypolicy.admission.k8s.io/v1beta1 that has not been registered
!!! [0116 19:42:51] === END OF LOG ===
+++ [0116 19:42:51] Clean up complete
```
**Release note**:
```release-note
NONE
```
PTAL @cblecker @sttts
CC @simo5
Automatic merge from submit-queue (batch tested with PRs 58008, 58351). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
etcd client: add keepalive
**What this PR does / why we need it**: This PR shortens the keepaliveTimeout and enables keepalive within the etcd client to allow the socket to be closed cleanly on a dead etcd server.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#46964
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/cc @xiang90
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
cluster: remove salt
Nothing uses it directly. There were some dangling dependencies from GCE and Centos kube-ups, so I just copied them into respective dirs.
see #49213
```release-note
Remove deprecated and unmaintained salt support. kubernetes-salt.tar.gz will no longer be published in the release tarball.
```
Automatic merge from submit-queue (batch tested with PRs 58319, 58345). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
azure disk: if the disk is not found, immediately detach it. This prevents azure keeps the bad request and stops issuing new request
**What this PR does / why we need it**:
Detach and clear bad disk URI
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58344
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58319, 58345). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Call Dial in blocking mode
**What this PR does / why we need it**:
# Tests which uncover underlying problem
On the current master code:
1. comment out stub plugin server start [here](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/cm/deviceplugin/endpoint_test.go#L127-L128)
2. run `go test -v k8s.io/kubernetes/pkg/kubelet/cm/deviceplugin --run TestNewEndpoint --count 1`. Test succeeds.
3. run `go test -v k8s.io/kubernetes/pkg/kubelet/cm/deviceplugin --run TestRun --count 1`. Test hangs with:
> listAndWatch ended unexpectedly for device plugin mock with error rpc error: code = Unavailable desc = grpc: the connection is unavailable
`2` does not fail even though it invokes Dial and no listening server is running. It is because currently Dial is not waiting till the connection turns to Ready state. And this case does not invokes any RPC call over the `conn` returned by `Dial`
`3` hangs because this tests involves actual usage of `conn`(client) and there it does not find listening server because we dint start and deliberately stopped in `1`.
`Dial` should be using `WithBlock` option which ensures that `conn` is returned only when connection is in `Ready` state.
After using `WithBlock` in the `Dial`, in this PR, if `1`, `2` and `3` are repeated. Both, `2` and `3`, fails at `Dial`, which is expected behavior. By `fail`, I meant Dial blocks forever if `WithTimeout` is not used or otherwise, a timeout failure.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58281
**Special notes for your reviewer**:
**Release note**:
```release-note
None
```
/area hw-accelerators
/sig node
/cc @jiayingz @RenaudWasTaken @vishh @ScorpioCPH @sjenning @derekwaynecarr @jeremyeder @lichuqiang @tengqm
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fail earlier on discovery failures
When discovery fails, the object mapper and typer are incomplete. This change reflects that and returns errors instead of nils.
@juanvallejo
Minhan Xia