Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix a race condition in SharedInformer
**What this PR does / why we need it**:
This fixes a race condition that can occur in the `sharedIndexInformer`
**Which issue(s) this PR fixes**:
Fixes#59822
**Release note**:
```release-note
Fixed a race condition in k8s.io/client-go/tools/cache.SharedInformer that could violate the sequential delivery guarantee and cause panics on shutdown.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix markdown formatting for test image doc
subtitles were not rendering correctly due to lack of spaces after octothorps.
**Release note**:
None.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove CSI plugin from ProbeExpandableVolumePlugins
Add CSI plugin when feature gate is enabled
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig storage
/assign @vladimirvivien
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove experimental keystone authenticator
**What this PR does / why we need it**:
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559
So we don't need this older style / hard coded / experimental code
anymore.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
kube-apiserver: the experimental in-tree Keystone password authenticator has been removed in favor of extensions that enable use of Keystone tokens.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Avoid hook errors when effecting label changes on kubernetes-worker charm.
**What this PR does / why we need it**: Avoid hook errors when effecting label changes on kubernetes-worker charm.
**Release note**:
```release-note
Avoid hook errors when effecting label changes on kubernetes-worker charm.
```
Automatic merge from submit-queue (batch tested with PRs 59705, 59207, 59677). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
local-up-cluster.sh conformance tests - ALLOW_SECURITY_CONTEXT should default to true
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
SecurityContextDeny Admission plugin causes failures in several conformance tests
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59705, 59207, 59677). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
build: fix a logic error in shell script.
**What this PR does / why we need it**: It looks like that there's a logic error in `build/common.sh`. The return value of a `docker inspect` command is not checked properly, since the value being assigned is actually the previous command's return value (a `0`, because `local` always returns `0` when used like this).
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubectl port-forward allows using resource name to select a matching pod
**What this PR does / why we need it**:
#15180 describes use cases that port-foward should use resource name for selecting a pod.
**Which issue(s) this PR fixes**:
Add support so resource/name can be used to select a pod.
**Special notes for your reviewer**:
I decided to reuse `AttachablePodForObject` to select a pod using resource name, and extended it to support Service (which it did not). I think that should not be a problem, and may help improve attach's use case. If it makes more sense to fork the function I'd be happy to do so. The practice of waiting for pods to become ready is also copied over.
In keeping the change to minimal, I also decided to resolve pod from resource name in Complete(), following the pattern in attach.
**Release note**:
```release-note
kubectl port-forward now allows using resource name (e.g., deployment/www) to select a matching pod, as well as allows the use of --pod-running-timeout to wait till at least one pod is running.
kubectl port-forward no longer support deprecated -p flag
```
Nobody uses it; the one or two older users from 1.4/1.5 timeframe
were removed for 1.6. It's also poorly understood and the sole
example is in the testcases, and it's pretty incomplete.
If anyone really wants compression, they can revert this PR.
This prevents a race condition where the sharedIndexInformer was
causeing the processorListener's run and pop method to be started
twice. That violated the SharedInformer's interface guarantee of
sequential delivery and also caused panics on shutdown.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add reviewers to util/mount
**What this PR does / why we need it**:
Add some more reviewers
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add node e2e tests to verify HugePages feature
**What this PR does / why we need it**:
Add node e2e tests to verify HugePages feature.
**Special notes for your reviewer**:
Test follows same pattern as pod container manager tests.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
libffi-dev dependency added in fluentd-es-image Dockerfile to solve the docker build error
**What this PR does / why we need it**:
Not able to build the docker images for fluentd-es-image. The docker build shows the error like below
```
Installing fluent-plugin-elasticsearch (2.4.1)
Installing ffi (1.9.21)
Building native extensions. This could take a while...
ERROR: While executing gem ... (Gem::Ext::BuildError)
ERROR: Failed to build gem native extension.
current directory: /var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c
/usr/bin/ruby2.3 -r ./siteconf20180209-4127-3e9tjv.rb extconf.rb
checking for ffi.h... no
checking for ffi.h in /usr/local/include,/usr/include/ffi... no
checking for shlwapi.h... no
checking for rb_thread_blocking_region()... no
checking for rb_thread_call_with_gvl()... yes
checking for rb_thread_call_without_gvl()... yes
creating extconf.h
creating Makefile
To see why this extension failed to compile, please check the mkmf.log which can be found here:
/var/lib/gems/2.3.0/extensions/x86_64-linux/2.3.0/ffi-1.9.21/mkmf.log
current directory: /var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c
make "DESTDIR=" clean
current directory: /var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c
make "DESTDIR="
Running autoreconf for libffi
/var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c/libffi/autogen.sh: 2: exec: autoreconf: not found
libffi.mk:6: recipe for target '"/var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c/libffi-x86_64-linux-gnu"/.libs/libffi_convenience.a' failed
make: *** ["/var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c/libffi-x86_64-linux-gnu"/.libs/libffi_convenience.a] Error 127
make failed, exit code 2
Gem files will remain installed in /var/lib/gems/2.3.0/gems/ffi-1.9.21 for inspection.
Results logged to /var/lib/gems/2.3.0/extensions/x86_64-linux/2.3.0/ffi-1.9.21/gem_make.out
The command '/bin/sh -c BUILD_DEPS="make gcc g++ libc6-dev ruby-dev" && clean-install $BUILD_DEPS ca-certificates libjemalloc1 ruby && echo 'gem: --no-document' >> /etc/gemrc && gem install --file Gemfile && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $BUILD_DEPS && clean-apt && ulimit -n 65536' returned a non-zero code: 1
```
added the libffi-dev dependency solves the build error.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
controller-manager: switch to options+config pattern and add https+auth
This PR switch the {kube,cloud}-controller-managers to use the Options+Config struct pattern for bootstrapping, as we use it throughout all apiservers. This allows us to easily plug in https and authn/z support.
Fixes parts of https://github.com/kubernetes/kubernetes/issues/59483
This is equivalent to https://github.com/kubernetes/kubernetes/pull/59408 after squashing.
```release-note
Deprecate insecure HTTP port of kube-controller-manager and cloud-controller-manager. Use `--secure-port` and `--bind-address` instead.
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add HTTPProxyCheck to preflight checks for 'kubeadm join' subcommand
**What this PR does / why we need it:**
Add HTTPProxyCheck for API servers
It makes sense to check API servers and print warnings if they're
going to be accessed through proxy. This is similar to what's
already done for 'kubeadm init'.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove bootstrap kubelet config on reset
**What this PR does / why we need it**:
Remove /etc/kubernetes/bootstrap-kubelet.conf when running 'kubeadm reset'
to ensure it will not be reused when joining the cluster next time.
**Release note**:
```release-note
NONE
```
rename ALLOW_SECURITY_CONTEXT to DENY_SECURITY_CONTEXT_ADMISSION to be
in line with the other admission plugins (like PSP_ADMISSION). Make
sure by default, this plugin is not enabled as well.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Ignore 0% and 100% eviction thresholds
Primarily, this gives a way to explicitly disable eviction, which is
necessary to use omitempty on EvictionHard.
See: https://github.com/kubernetes/kubernetes/pull/53833#discussion_r166672137
As justification for this approach, neither 0% nor 100% make sense as
eviction thresholds; in the "less-than" case, you can't have less than
0% of a resource and 100% perpetually evicts; in the
"greater-than" case (assuming we ever add a resource with this
semantic), the reasoning is the reverse (not more than 100%, 0%
perpetually evicts).
```release-note
Eviction thresholds set to 0% or 100% are now ignored.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
admissionregistration use shared informer instead of poll
**What this PR does / why we need it**:
poll with 1s interval influence apiserver's performance
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#56357
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Format some import statements in scheduler pkg
**What this PR does / why we need it**:
As the title says, apply `goimports` on some files under `pkg/scheduler` pkg.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove myself (timothysc) from OWNERS files on areas that I do not maintain
I do not actively participate in api-machinery, so I'm removing myself from the OWNERS files.
/cc @ncdc
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
pass listener in integration test
**What this PR does / why we need it**:
pass listener to `SecureServingOptions` to prevent port in use flake.
partially fix#58936
**Special notes for your reviewer**:
/assign @liggitt @sttts @caesarxuchao
**Release note**:
```release-note
NONE
```
Use "find -exec" instead of plain "find | xargs" to fix handling of
difficult file names (such as those containing spaces). Also, use
"mapfile" for creating the array from the output instead of letting the
shell split the results into the array. Add double quotes to places
where variable handling needs it to prevent splitting and globbing.
The current code
if ! [[ " ${INTERNAL_DIRS[@]:-} " =~ " ${int_group} " ]]; then
is broken because the array is concatenated in [[ .. ]] structure. This
means that the match will be done to any substring in the resulting
string which just happens to include ${int_group}. Fix this to use a
loop instead, and do exact matching. Also make tabs consistent in the
for loop.
Use "mapfile" and "read" to split the $KUBE_AVAILABLE_GROUP_VERSIONS
string into an array using space as the delimiter. This prevents shell
from globbing and splitting the string in potentially wrong places.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Audit support resource wildcard matching
**What this PR does / why we need it**:
audit policy support "resource/subresources" wildcard matching "resource/*", "*/subresource","*"
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#55305
**Special notes for your reviewer**:
**Release note**:
```release-note
[advanced audit] support subresources wildcard matching.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Increase timeout on waiting on cluster resize in autoscaling tests
Looks like autoscaling tests in GKE are failing due to insufficient wait time for master resize. Increasing the timeout by 1 minute to help with this.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove /ui/ redirect
The existing kube-apiserver hard-codes `/ui` to redirect to an optional add-on, which is not appropriate. It does not work in the following scenarios:
* https-enabled dashboards
* the dashboard is deployed to a different namespace or service name
* the dashboard is not installed at all
* authorization is enabled and does not allow access to /ui
This PR removes the hard-coded `/ui` redirect.
```release-note
apiserver: the /ui kube-dashboard redirect has been removed. Follow instructions specific to your deployment to access kube-dashboard
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
code-generator: add boilerplate header
Currently, the boilerplate header from k8s.io/kubernetes is used. If k8s.io/kubernetes is not in the GOPATH, a
panic will occur.
Making this a part of k8s.io/code-generator will prevent this panic.
Fixeskubernetes/code-generator#6
**Release note**:
```release-note
NONE
```
/assign sttts
Use double quotes around variables in places where they might be
used in globbing. Also replace an "echo | sed" construct with bash
variable substitution.
You can compare the variable substitution with this example:
$ addresses="foo;bar,test"
$ for token in $(echo $addresses | sed 's/[,;]/\n/g'); do echo "token: $token"; done
token: foo
token: bar
token: test
$ for token in ${addresses//[,;]/' '}; do echo "token: $token" ; done
token: foo
token: bar
token: test
Kubernetes Submit Queue