Adding blank line between comment tag and package name in doc.go. So
that the comment tags such as '+k8s:deepcopy-gen=package' do not show up
in GoDoc.
Automatic merge from submit-queue (batch tested with PRs 68161, 68023, 67909, 67955, 67731). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
CSI: skip attach for non-attachable drivers
**What this PR does / why we need it**:
This is implementation of https://github.com/kubernetes/community/pull/2523. CSI volumes that don't need attach/detach now don't need external attacher running.
WIP:
* contains #67803 to get CSIDriver API. Ignore the first commit.
* ~~missing e2e test~~
/sig storage
cc: @saad-ali @vladimirvivien @verult @msau42 @gnufied @davidz627
**Release note**:
```release-note
CSI volume plugin does not need external attacher for non-attachable CSI volumes.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Add yue9944882 as subproject reviewer (core admission/apiserver)
extend reviewer bandwidth 😃am a super careful reviewer
i had contributed series of refactors for core admission controllers and apiserver launch flow.
/assign @deads2k
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
promote TokenRequest and projection to beta in 1.12
```release-note
TokenRequest and TokenRequestProjection are now beta features. To enable these feature, the API server needs to be started with the following flags:
* --service-account-issuer
* --service-account-signing-key-file
* --service-account-api-audiences
```
Automatic merge from submit-queue (batch tested with PRs 64597, 67854, 67734, 67917, 67688). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Allow ImageReview backend to add audit annotations.
**What this PR does / why we need it**:
This can be used to create annotations that will allow auditing of the created
pods.
The change also introduces "fail open" audit annotations in addition to the
previously existing pod annotation for fail open. The pod annotations for
fail open will be deprecated soon.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Allow ImageReview backend to return annotations to be added to the created pod.
```
This extends the Kubelet to create and periodically update leases in a
new kube-node-lease namespace. Based on [KEP-0009](https://github.com/kubernetes/community/blob/master/keps/sig-node/0009-node-heartbeat.md),
these leases can be used as a node health signal, and will allow us to
reduce the load caused by over-frequent node status reporting.
- add NodeLease feature gate
- add kube-node-lease system namespace for node leases
- add Kubelet option for lease duration
- add Kubelet-internal lease controller to create and update lease
- add e2e test for NodeLease feature
- modify node authorizer and node restriction admission controller
to allow Kubelets access to corresponding leases
This can be used to create annotations that will allow auditing of the created
pods.
The change also introduces "fail open" audit annotations in addition to the
previously existing pod annotation for fail open. The pod annotations for
fail open will be deprecated soon.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Externalize serviceaacount admission controller
ref: #66680
this pull externalizes serviceaccount admission controller in which secret & serviceaccount informers will be completely replaced.
/sig api-machinery
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66780, 67330). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Changed admission controller to allow volume expansion for all volume plugins
**What this PR does / why we need it**:
There are two motivations for this change:
1. CSI plugins are soon going to support volume expansion. For such plugins, admission controller doesn't know whether the plugins are capabale of supporting volume expansion or not.
2. Currently, admission controller rejects PVC updates for in-tree plugins that don't support volume expansion (e.g., NFS, iSCSI). This change allows external controllers to expand volumes similar to how external provisioners are accommodated.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
This PR mimics the behavior of the PV controller when PVs are provisioned externally by logging and setting a new event for PVs that are being expanded externally. As SIG Storage is planning new types of operations on PVs, it may make more sense to a have a single event for all actions taken by external controllers.
**Release note**:
```release-note
The check for unsupported plugins during volume resize has been moved from the admission controller to the two controllers that handle volume resize.
```
/sig storage
/assign @gnufied @jsafrane @wongma7
Automatic merge from submit-queue (batch tested with PRs 67160, 67090, 67159, 66866, 62111). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Refactor checkRequest to allow it to be called from outside
**What this PR does / why we need it**:
Refactor checkRequest method to allow it to be called from outside of admission controller (most of its body does not depend on any quotaEvaluator properties).
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65297, 67179, 67116, 67011, 66842). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Externalize node admission controller
**Release note**:
```release-note
NONE
```
**What this PR does / why we need it**:
/sig api-machinery
under unbrella: #66680
We start with injecting external informer/lister into node admission controller for that it's slightly simpler than the others.
Here is the thing I actually did in this pull:
1. Enable plugin initializer to inject external/internal clientset/informers into the admission controllers.
2. Receive external informer in node admission controller.
3. Create a `AdmissionConfig` following how we did in `AuthenticationConfig` and `AuthorizationConfig` and creates the actual plugin initializers and the admission post-start hook in its `New()` method
Make apiserver pass connectRequest.Options directly to the admission layer. All
the information in rest.ConnectRequest is present in admission attributes.
Automatic merge from submit-queue (batch tested with PRs 66351, 66883, 66156). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Graduate Quota configuration API to v1beta1
ref: kubernetes/features#587
**Release note**:
```release-note
Quota admission configuration api graduated to v1beta1
```
/sig node
/sig scheduling
/cc @derekwaynecarr @deads2k @liggitt @sjenning @aveshagarwal @ravisantoshgudimetla @smarterclayton
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add availability zones support to Azure managed disks
**What this PR does / why we need it**:
Continue of [Azure Availability Zone feature](https://github.com/kubernetes/features/issues/586).
This PR adds availability zone support for Azure managed disks and its storage class. Zoned managed disks is enabled by default if there are zoned nodes in the cluster.
The zone could also be customized by `zone` or `zones` parameter, e.g.
```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
name: managed-disk-zone-1
parameters:
zone: "southeastasia-1"
# zones: "southeastasia-1,"southeastasia-2"
cachingmode: None
kind: Managed
storageaccounttype: Standard_LRS
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Delete
volumeBindingMode: Immediate
```
All zoned AzureDisk PV will also be labeled with its availability zone, e.g.
```sh
$ kubectl get pvc pvc-azuredisk-az-1
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
pvc-azuredisk-az-1 Bound pvc-5ad0c7b8-8f0b-11e8-94f2-000d3a07de8c 5Gi RWO managed-disk-zone-1 2h
$ kubectl get pv pvc-5ad0c7b8-8f0b-11e8-94f2-000d3a07de8c --show-labels
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE LABELS
pvc-5ad0c7b8-8f0b-11e8-94f2-000d3a07de8c 5Gi RWO Delete Bound default/pvc-azuredisk-az-1 managed-disk-zone-1 2h failure-domain.beta.kubernetes.io/region=southeastasia,failure-domain.beta.kubernetes.io/zone=southeastasia-1
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
See also the [KEP](https://github.com/kubernetes/community/pull/2364).
DynamicProvisioningScheduling feature would be added in a following PR.
**Release note**:
```release-note
Azure managed disks now support availability zones and new parameters `zoned`, `zone` and `zones` are added for AzureDisk storage class.
```
/kind feature
/sig azure
/assign @brendandburns @khenidak @andyzhangx
Automatic merge from submit-queue (batch tested with PRs 62901, 66562, 66938, 66927, 66926). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Eventratelimit aggregates all reject errors
Previously, Eventratelimit validates event by each limiter but only returns the last reject error. Which is not accurate, so here I aggregate each error.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65730, 66615, 66684, 66519, 66510). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
aggregate admin from edit and view to ensure coverage
ClusterRole aggregate has worked quite well. This updates the edit role to be aggregated from a separate edit and view and updates the admin role to aggregated from admin, edit, and view. This ensures coverage (we previously had unit tests, but that didn't work as people aggregated more powers in) and it makes each role smaller since it only has a diff to consider.
@kubernetes/sig-auth-pr-reviews
```release-note
admin RBAC role now aggregates edit and view. edit RBAC role now aggregates view.
```
k8s-ci-robot