Automatic merge from submit-queue (batch tested with PRs 38084, 39306)
Small improve for GetContainerOOMScoreAdjust
In `GetContainerOOMScoreAdjust`, make logic more clear for the case `oomScoreAdjust >= besteffortOOMScoreAdj`. If `besteffortOOMScoreAdj` is defined to another value(e.g. 996), suppose `oomScoreAdjust` is 999, the function will return 998(which equals 999 - 1) instead of 995(996 -1).
Automatic merge from submit-queue
Fix comment and optimize code
**What this PR does / why we need it**:
Fix comment and optimize code.
Thanks.
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
Remove jobs that do not exist from active list of CronJob
**What this PR does / why we need it**: This PR modifies the controller for CronJob to remove from the active job list any job that does not exist anymore, to avoid staying blocked in active state forever. See #37957.
**Which issue this PR fixes**: fixes#37957
**Special notes for your reviewer**:
**Release note**:
```
```
Automatic merge from submit-queue (batch tested with PRs 39405, 39371)
hack/local-up-cluster.sh: fix typo in error message
This commit fixes typo in error message and also removes stale comment from `hack/local-up-cluster.sh`.
Automatic merge from submit-queue (batch tested with PRs 36087, 39405)
federation-apiserver doesn't needs cluster-ip range
This option has been removed from genericserver options
and it is not being used by federation-apiserver anyways.
Fixes - #39388
Automatic merge from submit-queue
oidc auth-n plugin: enforce email_verified claim
This change causes the OpenID Connect authenticator to start
enforcing the 'email_verified' claim.
https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
If the OIDC authenticator uses the 'email' claim as a user's username
and the 'email_verified' is not set to `true`, reject that authentication attempt.
cc @erictune @kubernetes/sig-auth @mlbiam
```release-note
When using OIDC authentication and specifying --oidc-username-claim=email, an `"email_verified":true` claim must be returned from the identity provider.
```
Automatic merge from submit-queue (batch tested with PRs 38433, 36245)
Allow pods to define multiple environment variables from a whole ConfigMap
Allow environment variables to be populated from ConfigMaps
- ConfigMaps represent an entire set of EnvVars
- EnvVars can override ConfigMaps
fixes#26299
Automatic merge from submit-queue (batch tested with PRs 38433, 36245)
Remove needless env var in OpenStack provider
**What this PR does / why we need it**:
If we use openstack provider to set up k8s cluster using kube-up script,
`TENANT_ID` environment variable is needed.
But to configure `TENANT_ID` is very annoying because this value is not static by each env.
This patch uses `TENANT_NAME` instead of `TENANT_ID`
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Since `TENANT_NAME` is unique if we use keystone v2 api,
so `TENANT_ID` is not needed if `TENANT_NAME` is provided
to configure OpenStack provider.
And also to set `TENANT_ID` is annoying to develop, because
`TENANT_ID` is not static by each environment.
This patch remove dependency of `TENANT_ID` and simply use
`TENANT_NAME`.
Automatic merge from submit-queue
add rules not allow message when authorize failed
old result:
```
# ./cluster/kubectl.sh --token=/test get po
Error from server (Forbidden): User "" cannot list pods in the namespace "default".: "<nil>" (get pods)
```
new result:
```
# ./cluster/kubectl.sh --token=/test get po
Error from server (Forbidden): User "" cannot list pods in the namespace "default".: "rules not allow" (get pods)
```
test.yaml
```
kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: test
rules:
- apiGroups: ["*"]
verbs: ["create"]
resources: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: admin-resource-binding
subjects:
- kind: Group
name: test
roleRef:
kind: Role
name: test
```
Automatic merge from submit-queue (batch tested with PRs 39284, 39367)
Remove HostRecord annotation (beta feature)
The annotation has made it to GA so this code should be deleted.
**Release note**:
```release-note
The 'endpoints.beta.kubernetes.io/hostnames-map' annotation is no longer supported. Users can use the 'Endpoints.subsets[].addresses[].hostname' field instead.
```
Automatic merge from submit-queue (batch tested with PRs 39280, 37350, 39389, 39390, 39313)
Moves e2e service util functions into service_util.go and cleans up
Basically moves codes into a central place for service util functions.
Some other codes are touched mostly only due to this migration. Also put a bunch of network reachability utils functions into network_utils.go. They seem somehow redundant, may consider combine they later.
@bowei @freehan
Automatic merge from submit-queue (batch tested with PRs 39280, 37350, 39389, 39390, 39313)
Fix AWS break injected by #39020
Shuffle the `download-cfssl` to `cluster/common.sh` (broken in #39020)
Automatic merge from submit-queue (batch tested with PRs 39280, 37350, 39389, 39390, 39313)
delete meaningless judgments
What this PR does / why we need it:
Whether "err" is nil or not, "err" can be return, so the judgment "err !=nil " is unnecessary
Automatic merge from submit-queue (batch tested with PRs 39001, 39104, 35978, 39361, 39273)
delete SetNodeStatus() function and fix some function notes words
Automatic merge from submit-queue (batch tested with PRs 39001, 39104, 35978, 39361, 39273)
Allow PATCH in an API CORS setup
Allows the PATCH method to be used in a REST API CORS setup.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 39001, 39104, 35978, 39361, 39273)
refactored admission to avoid internal client references
Refactored admission to avoid internal client references. This required switching to plugin initializers for them. And that required some rewiring of the plugin initializers.
Technically I can decouple from the other two commits, but I'm optimistic that those will go through easy. This is slightly move invasive, but I'd like to shoot for pre-christmas to avoid new admission plugins coming through and breaking bits.
@sttts @derekwaynecarr
Automatic merge from submit-queue
Add json,yaml output format support to kubectl create, kubectl apply
Fixes: https://github.com/kubernetes/kubernetes/issues/37390
**Release note**:
```release-note
Added support for printing in all supported `--output` formats to `kubectl create ...` and `kubectl apply ...`
```
This patch adds the ability to specify an output format other than
"name" to `kubectl create ...`. It can be used in conjunction with the
`--dry-run` option. Converts unstructured objects into known types in
order to support all `--output` values.
The patch prints `*resource.Info`s returned by the server. If a resource does not yet exist (and the `--dry-run` option is not set), the resource is created and printed in the specified format.
@kubernetes/cli-review @fabianofranz
Automatic merge from submit-queue
Update New Relic sample docs with dynamic hostname info
This PR shows how to set extra environment variables for the New Relic DaemonSet that can be generated at runtime. I'm using this technique to prepend cluster names to host names as they are reported to New Relic.
Automatic merge from submit-queue (batch tested with PRs 39022, 39331, 39070, 39344)
Add a build rule for the boilerplate unit test.
We recently added unit tests that just run whenever you run `hack/verify_boilerplate.sh`, which really isn't the right time to do that. This adds a build rule instead.
Automatic merge from submit-queue (batch tested with PRs 39022, 39331, 39070, 39344)
Makefile speedup on generated code
This has been languishing in a branch for a long time. It makes the build more consistent wrt GOPATH (I still hope to enforce GOPATH at some point) and it removes a `go list` from each codegen.
I verified manually that the files that this emits as part of the make are only change in safe ways (ordering, _test files removed, etc).
Automatic merge from submit-queue
genericapiserver: extract CA cert from server cert and SNI cert chains
Without this PR a matching server cert or SNI cert is directly used as CA cert in the loopback client config. This fails if the cert is no CA cert.
With this PR the loopback client setup code walks through the chains of the server cert and the SNI certs to find a `CA:TRUE` cert. This is then used as the CA in the loopback client config.
Kubernetes Submit Queue