Automatic merge from submit-queue (batch tested with PRs 48074, 47971, 48044, 47514, 47647)
Use more meaningful and consistent variable names in glusterfs plugin.
Automatic merge from submit-queue
Get rid of 30s ResyncPeriod in endpoint controller
Ref: #47597
This should fix one of the demons of endpoint controller.
/cc @smarterclayton @gmarek
Automatic merge from submit-queue
kubelet should let cloud-controller-manager set the node addresses
*Before this change:*
1. cloud-controller-manager sets all the addresses for a node.
2. kubelet on that node replaces these addresses with an incomplete set. (i.e. replace InternalIP and Hostname and delete all other addresses--ExternalIP, etc.)
*After this change:*
kubelet doesn't touch its node's addresses when there is an external cloudprovider.
Fixes#47155
```release-note
NONE
```
Automatic merge from submit-queue
Cleanup pkg/kubectl
I was reading through `pkg/kubectl` in preparation for completing https://github.com/kubernetes/kubectl/issues/11 and noticed several opportunities for improvement. This should be easy to review since it's mostly mechanical changes. The only complicated changes are in `addFromEnvFile`, which I refactored into two functions and wrote tests for.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47869, 48013, 48016, 48005)
Fix kubectl api-versions caching
xref https://github.com/kubernetes/kubectl/issues/41
The point of the `api-versions` and `version` commands is to ask the server for its API groups or versions, so we don't want to use cached data
Automatic merge from submit-queue
Removes alpha feature gate for affinity annotations.
**What this PR does / why we need it**:
In 1.5 we added a backstop to support alpha affinity annotations. This PR removes that support in favor of the Beta fields per discussions.
It also serves as a precursor to some of the component config work that @ncdc has done around @mikedanese design proposal.
xref: https://github.com/kubernetes/kubernetes/pull/41617
**Special notes for your reviewer**:
**Release note**:
```
Removes alpha feature gate for pod affinity annotations.
```
/cc @kubernetes/sig-scheduling-pr-reviews @kubernetes/sig-cluster-lifecycle-misc
Automatic merge from submit-queue
fixed the logging of which conversions.
Hi Guys,
After enable the function of logging of which conversions at [TestSpecificKind](d31a7cb301/pkg/api/serialization_test.go (L140)), I got the below errors:
```
pkg/api/serialization_test.go:140: cannot refer to unexported name api.scheme
pkg/api/serialization_test.go:140: undefined: api.scheme in api.scheme.Log
ok k8s.io/kubernetes/cmd/genutils 0.066s
```
So, this PR will fix that.
Automatic merge from submit-queue (batch tested with PRs 47776, 46220, 46878, 47942, 47947)
fix comment mistake
fix comment mistake
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 47776, 46220, 46878, 47942, 47947)
update openstack metadata-service url
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 47776, 46220, 46878, 47942, 47947)
Add statefulset to the completion candidates of kubectl scale
**What this PR does / why we need it**: This commit adds `statefulset` to the completion candidates of kubectl scale.
```
$ kubectl scale <tab>
deployment job --replicas replicaset replicationcontroller statefulset
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixeskubernetes/kubectl#14
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Add token authentication method for websocket browser clients
Closes#47967
Browser clients do not have the ability to set an `Authorization` header programatically on websocket requests. All they have control over is the URL and the websocket subprotocols sent (see https://developer.mozilla.org/en-US/docs/Web/API/WebSocket)
This PR adds support for specifying a bearer token via a websocket subprotocol, with the format `base64url.bearer.authorization.k8s.io.<encoded-token>`
1. The client must specify at least one other subprotocol, since the server must echo a selected subprotocol back
2. `<encoded-token>` is `base64url-without-padding(token)`
This enables web consoles to use websocket-based APIs (like watch, exec, logs, etc) using bearer token authentication.
For example, to authenticate with the bearer token `mytoken`, the client could do:
```js
var ws = new WebSocket(
"wss://<server>/api/v1/namespaces/myns/pods/mypod/logs?follow=true",
[
"base64url.bearer.authorization.k8s.io.bXl0b2tlbg",
"base64.binary.k8s.io"
]
);
```
This results in the following headers:
```
Sec-WebSocket-Protocol: base64url.bearer.authorization.k8s.io.bXl0b2tlbg, base64.binary.k8s.io
```
Which this authenticator would recognize as the token `mytoken`, and if authentication succeeded, hand off to the rest of the API server with the headers
```
Sec-WebSocket-Protocol: base64.binary.k8s.io
```
Base64-encoding the token is required, since bearer tokens can contain characters a websocket protocol may not (`/` and `=`)
```release-note
Websocket requests may now authenticate to the API server by passing a bearer token in a websocket subprotocol of the form `base64url.bearer.authorization.k8s.io.<base64url-encoded-bearer-token>`
```
Automatic merge from submit-queue
Fix const naming in node/metrics
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47993, 47892, 47591, 47469, 47845)
deprecate created-by annotation for cronjob
**What this PR does / why we need it**: This PR deprecates created-by annotation for cronjob. This is needed as we now have ControllerRef.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: xref #44407
**Special notes for your reviewer**: I will create 3 PRs to fix the issue as the annotation is used in various parts of the codebase: cronjob, pod drain, and e2e test framework. This is the first PR. Other PRs can be found here: #47471, #47475
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 47993, 47892, 47591, 47469, 47845)
Only do string trim when it's necessary
This will enhance performance a little bit.
**Release note**:
```
NONE
```
Automatic merge from submit-queue
storageclass ceph add imageformat parameter
**What this PR does / why we need it**:
Add a imageformat parameter for StorageClass(ceph rbd)
k8s hard coded ceph imageformat 1, according to [ceph manual](http://docs.ceph.com/docs/master/man/8/rbd/), imageformat 1 was deprecated, we should add an extra ceph parameter to set ceph rbd imageformat. Ceph rbd imageformat can only be 1 or 2, set the default value to 1.
**Release note**:
```release-note
Allow StorageClass Ceph RBD to specify image format and image features.
```
Automatic merge from submit-queue
Enhance message in cluster-info dump
**What this PR does / why we need it**:
This PR fixes the information message prints in the end after the cluster-info dump command.
- Added newline in the end
- Enhanced the message for dumping information to standard out
**Which issue this PR fixes** *
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
This doesn't seem to be affecting anything and I'm not sure what the
correct behavior needs to be here. I'll highlight this in the code
review and hopefully work out a correct solution with the help of the
reviewers.
Run() is too overloaded in the codebase already. The other commands have
a pattern of RunExpose, RunScale, and so on. Since the command name is
"run", the associated function should be called RunRun.
Automatic merge from submit-queue
Ignore ErrNotFound when delete LB resources
IsNotFound error is fine since that means the object is
deleted already, so let's check it before return error.
Automatic merge from submit-queue (batch tested with PRs 47694, 47772, 47783, 47803, 47673)
Make different container runtimes constant
Make different container runtimes constant to avoid hardcode
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47694, 47772, 47783, 47803, 47673)
delete the for loops that done nothing
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 47694, 47772, 47783, 47803, 47673)
Output TYPE for getting service
**What this PR does / why we need it**:
Now service already supported 4 ServiceTypes, ServiceTypes is
friendly to distinguish services, so outputing service type better
when running 'kubectl get service'.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47958, 46261, 46667, 47709, 47579)
Clean up Deployment overlap annotation code
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#43322
**Special notes for your reviewer**:
**Release note**:
```
None
```
Automatic merge from submit-queue (batch tested with PRs 47958, 46261, 46667, 47709, 47579)
use appsv1beta1 for statefulsets
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes https://github.com/kubernetes/kubernetes/issues/46922
Automatic merge from submit-queue (batch tested with PRs 47958, 46261, 46667, 47709, 47579)
Delete meaningless err check
**What this PR does / why we need it**:
Delete meaningless err check
We don't need to care about err check. In cited function, if err is not nil, I return t.Errorf directly.
So it does not matter that whether data is nil or err is nil.
**Release note**:
```release-note\
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47958, 46261, 46667, 47709, 47579)
Add a feature gate for Debug Containers
**What this PR does / why we need it**: Adds a feature gate for Debug Containers feature proposed in kubernetes/community#649. This feature requires changes to the kubelet, apiserver and kubectl which can be decoupled except for the gate.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46151, 47602, 47507, 46203, 47471)
deprecate created-by annotation for pod drain
**What this PR does / why we need it**: This PR deprecates created-by annotation for pod drain. This is required as we now have ControllerRef.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: xref #44407
**Special notes for your reviewer**: This is the second PR for deprecating created-by annotation. Other PRs can be found here: https://github.com/kubernetes/kubernetes/pull/47469 , #47475
**Release note**:
```release-note
```
Automatic merge from submit-queue
Add alpha command to kubectl
Also allow new commands to disable themselves by returning a nil value. This can be used to disable commands based on feature gates.
**What this PR does / why we need it**: Method of enabling alpha functionality in kubectl
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: ref #45922
**Special notes for your reviewer**: Part of a discussion in #45922 with @pwittrock
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47915, 47856, 44086, 47575, 47475)
AWS: Fix suspicious loop comparing permissions
Because we only ever call it with a single UserId/GroupId, this would
not have been a problem in practice, but this fixes the code.
Fix#36902
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47915, 47856, 44086, 47575, 47475)
Change second StorageClass Column to provisioner
Some provisioners have key-value pairs in parameters map which key is type, here TYPE in StorageClass columns may be confused.
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#storageclasses
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47915, 47856, 44086, 47575, 47475)
kubelet should resume csr bootstrap
Right now the kubelet creates a new csr object with the same key every
time it restarts during the bootstrap process. It should resume with the
old csr object if it exists. To do this the name of the csr object must
be stable.
Issue https://github.com/kubernetes/kubernetes/issues/47855
Automatic merge from submit-queue (batch tested with PRs 47403, 46646, 46906, 46527, 46792)
Add test case for namespace
**What this PR does / why we need it**:
Unit test case need add that when name is "".
**Special notes for your reviewer**:
refer to https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/namespace.go#L74
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47403, 46646, 46906, 46527, 46792)
add ContainerRuntimeVersion to `kubectl get nodes -o=wide` output
**What this PR does / why we need it**: adds container runtime version to `kubectl get nodes -o=wide` output as a way to surface more node-level information
When upgrading to a new container runtime version (docker 1.11 -> docker 1.12) or when experimenting with a different container runtime version (experimenting with rkt in a docker cluster), it's useful for cluster operators to see which nodes are running which container runtime version. `kubectl get nodes -o=wide` already provides kernel and OS version, and I believe adding container runtime version would be good.
**Release note**:
```release-note
container runtime version has been added to the output of `kubectl get nodes -o=wide` as `CONTAINER-RUNTIME`
```
Automatic merge from submit-queue
Fix error message of isDir
**What this PR does / why we need it**:
Use IsRegular to replace isDir
Accoding to the code logic, using IsRegular is proper.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
add test for kubectl create pdb
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47227, 47119, 46280, 47414, 46696)
Mark deprecated info in short description of deprecated commands.
**What this PR does / why we need it**:
Mark deprecated commands in 'kubectl help'. See https://github.com/kubernetes/kubectl/issues/20
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes https://github.com/kubernetes/kubectl/issues/20
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47227, 47119, 46280, 47414, 46696)
Move seccomp helper methods and tests to platform-specific files.
**What this PR does / why we need it**:
Seccomp helper methods are for linux only, move them to linux-specific helper file.
As discussed in https://github.com/kubernetes/kubernetes/pull/46744
**Which issue this PR fixes**
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 47227, 47119, 46280, 47414, 46696)
Improve code coverage for pkg/printer
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47227, 47119, 46280, 47414, 46696)
controller: fix error message
**What this PR does / why we need it**:
just fix error typo, think you :)
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
volumes: SetNodeStatusUpdateNeeded on error
If an error happened during the UpdateNodeStatuses loop, there were some
code paths where we would not call SetNodeStatusUpdateNeeded, leaking
the state. Add it to all paths by adding a function.
Part of #40583
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47922, 47195, 47241, 47095, 47401)
AWS: Set CredentialsChainVerboseErrors
This avoids a rather confusing error message.
Fix#39374
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47922, 47195, 47241, 47095, 47401)
Run cAdvisor on the same interface as kubelet
**What this PR does / why we need it**:
cAdvisor currently binds to all interfaces. Currently the only
solution is to use iptables to block access to the port. We
are better off making cAdvisor to bind to the interface that
kubelet uses for better security.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#11710
**Special notes for your reviewer**:
**Release note**:
```release-note
cAdvisor binds only to the interface that kubelet is running on instead of all interfaces.
```
Right now the kubelet creates a new csr object with the same key every
time it restarts during the bootstrap process. It should resume with the
old csr object if it exists. To do this the name of the csr object must
be stable. Also using a list watch here eliminates a race condition
where a watch event is missed and the kubelet stalls.
Don't revert, change boundingdirs in Makefile for deepcopy-gen
manually fix pkg/client/clientset_generated/clientset/typed/core/v1/pod_expansion.go because external policy types are moved now
Automatic merge from submit-queue
hide operator when describe pod with empty value tolerations
**What this PR does / why we need it**:
The tolerations printing in `kubectl descirbe pod` is not correct when toleration.value is empty, this PR is to fix it.
Before:
```
Tolerations: node.alpha.kubernetes.io/notReady=:Exists:NoExecute for 300s
node.alpha.kubernetes.io/unreachable=:Exists:NoExecute for 300s
```
After:
```
Tolerations: node.alpha.kubernetes.io/notReady:NoExecute for 300s
node.alpha.kubernetes.io/unreachable:NoExecute for 300s
```
Also updated tests to cover all possible cases of describing pod with tolerations. See changes in of `TestDescribePodTolerations()` in `describe_test.go`
**Which issue this PR fixes**:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42252, 42251, 42249, 47512, 47887)
fix HostAliases' json keys to be hostAlias instead of hostMapping to reflect actual feature name
**What this PR does / why we need it**: a rename was introduce during the middle of #44641 to change from `hostMappings` to `hostAliases`. the Go structs were updated, but I neglected to update the json keys. They should be in sync.
**Special notes for your reviewer**: I messed up. This is an API change. I hope this is still ok to be in the 1.7 release.
**Release note**:
```release-note
HostAliases is now parsed with `hostAliases` json keys to be in line with the feature's name.
```
Automatic merge from submit-queue (batch tested with PRs 42252, 42251, 42249, 47512, 47887)
volumes: simplify append-to-slice code
Minor simplification - can append to empty/nil slice.
Part of #40583
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42252, 42251, 42249, 47512, 47887)
volumes: promote some logs from info -> warning
Part of #40583
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47878, 47503, 47857)
Remove controller node plugin driver dependency for non-attachable fl…
…ex volume drivers (Ex: NFS).
**What this PR does / why we need it**:
Removes requirement to install flex volume drivers on master node for non-attachable drivers likes NFS.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47109
```release-note
Fixes issue w/Flex volume, introduced in 1.6.0, where drivers without an attacher would fail (node indefinitely waiting for attach). Drivers that don't implement attach should return `attach: false` on `init`.
```
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert 44714 manually
#44714 broke backward compatibility for old swagger spec that kubectl still uses. The decision on #47448 was to revert this change but the change was not automatically revertible. Here I semi-manually remove all references to UnixUserID and UnixGroupID and updated generated files accordingly.
Please wait for tests to pass then review that as there may still be tests that are failing.
Fixes#47448
Adding release note just because the original PR has a release note. If possible, we should remove both release notes as they cancel each other.
**Release note**: (removed by caesarxuchao)
UnixUserID and UnixGroupID is reverted back as int64 to keep backward compatibility.
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert "Merge pull request #43946 from jhorwit2/jah/host-path-psp"
fixes#47863
This reverts commit b5eadb5d6b, reversing
changes made to 1889d654f5.
**What this PR does / why we need it**:
Revert whitelist host paths in psp due to API concerns. Please refer to https://github.com/kubernetes/kubernetes/pull/47811 for the concerns.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
cc @liggitt @ericchiang @smarterclayton
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Adding alpha feature gate to node statuses from local storage capacity isolation.
**What this PR does / why we need it**: The Capacity.storage node attribute should not be exposed since it's part of an alpha feature. Added an feature gate.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47809
There should be a test for new statuses in the alpha feature. Will include in a different PR.
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
not allow backsteps in local volume plugin
**Which issue this PR fixes** : fixes#47207
**Special notes for your reviewer**:
cc @msau42 @ddysher
Just follow @liggitt [commented](https://github.com/kubernetes/kubernetes/issues/47107#issuecomment-306831175).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
remove unused constant
**What this PR does / why we need it**:
In flexvolume constant definitions, fix typo StatusFailure string to "Failure", not "Failed" at
b359034817/pkg/volume/flexvolume/flexvolume_util.go (L45)
**Which issue this PR fixes** _(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)_: fixes #
#34510
**Special notes for your reviewer**:
Simple string literal change, but hopefully will prevent future confusion for developers.
Automatic merge from submit-queue
Add E2E tests for Azure internal loadbalancer support, fix an issue for public IP resource deletion.
**What this PR does / why we need it**:
- Add E2E tests for Azure internal loadbalancer support: https://github.com/kubernetes/kubernetes/pull/43510
- Fix an issue that public IP resource not get deleted when switching from external loadbalancer to internal static loadbalancer.
**Special notes for your reviewer**:
1. Add new Azure resource tag to Public IP resources to indicate kubernetes managed resources.
Currently we determine whether the public IP resource should be deleted by looking at LoadBalancerIp property on spec. In the scenario 'Switching from external loadbalancer to internal loadbalancer with static IP', that value might have been updated for internal loadbalancer. So here we're to add an explicit tag for kubernetes managed resources.
2. Merge cleanupPublicIP logic into cleanupLoadBalancer
**Release note**:
NONE
CC @brendandburns @colemickens
To ensure kubelet doesn't attempt network teardown on HostNetwork
containers that no longer exist but are still checkpointed, make
sure we preserve the HostNetwork property in checkpoints. If
the checkpoint indicates the container was a HostNetwork one,
don't tear down the network since that would fail anyway.
Related: https://github.com/kubernetes/kubernetes/issues/44307#issuecomment-299548609
Automatic merge from submit-queue
Separate serviceaccount and secret storage config
Fixes#47815, and is required in order to enable the secret encryption feature with a recommended configuration
This passes distinct storage options for serviceaccounts and secrets, since secrets can now have an encrypting transformer associated with them
If unspecified in probe definition, User-Agent will be set to
`kube-probe/<version major.minor>` on httpGet probe types
instead of the default Go User-Agent.
Automatic merge from submit-queue (batch tested with PRs 45268, 47573, 47632, 47818)
Fixed statefulset PVC's capacity in kubectl description.
**What this PR does / why we need it**:
We should use object instead of pointer for `String()`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47571
**Release note**:
```release-note-none
Fix VolumeClaims/capacity in "kubectl describe statefulsets" output.
```
Automatic merge from submit-queue
New annotation to add existing Security Groups to ELBs created by AWS cloudprovider
**What this PR does / why we need it**:
When K8S cluster is deployed in existing VPC there might be a need to attach extra SecurityGroups to ELB created by AWS cloudprovider. Example of it can be cases, where such Security Groups are maintained by another team.
**Special notes for your reviewer**:
For tests to pass depends on https://github.com/kubernetes/kubernetes/pull/45168 and therefore includes it
**Release note**:
```release-note
New 'service.beta.kubernetes.io/aws-load-balancer-extra-security-groups' Service annotation to specify extra Security Groups to be added to ELB created by AWS cloudprovider
```
- Wrapping all node statuses from local storage capacity isolation under an alpha feature check. Currently there should not be any storage statuses.
- Replaced all "storage" statuses with "storage.kubernetes.io/scratch". "storage" should never be exposed as a status.
Automatic merge from submit-queue
AWS: Remove blackhole routes in our managed range
Blackhole routes otherwise acccumulate unboundedly. We also are careful
to ensure that we do so only within the managed range, which requires
enlisting the help of the routecontroller.
Fix#47524
```release-note
AWS: clean up blackhole routes when using kubenet
```
Automatic merge from submit-queue
volumes: add comment on getNodeAndVolume
Add comments on getNodeAndVolume to explain the code - it is a little
subtle, and it confused me on first reading.
Part of #40583
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47726, 47693, 46909, 46812)
pod spec was not validating envFrom
**What this PR does / why we need it**:
adds missing validation for envFrom in a pod.spec.containers.envFrom
fixes validation of pod.spec.containers.env.configMapRef.name
fixes validation of pod.spec.containers.env.secretRef.name
**Which issue this PR fixes**
Fixes https://github.com/kubernetes/kubernetes/issues/46908
Automatic merge from submit-queue (batch tested with PRs 47726, 47693, 46909, 46812)
Additional e2e for StatefulSet Update
**What this PR does / why we need it**:
This PR adds additional e2e tests for StatefulSet update
fixes: #46942
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47726, 47693, 46909, 46812)
manually revert #45528
**What this PR does / why we need it**:
Revert #45528
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47657
**Special notes for your reviewer**:
@humblec @liggitt @saad-ali @kubernetes/kubernetes-release-managers
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Don't rerun certificate manager tests 1000 times.
**What this PR does / why we need it**:
Running every testcase 1000 times needlessly bloats the logs.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47669, 40284, 47356, 47458, 47701)
Serialized protobuf should have stable map order
Leverage `stable_marshaller_all` tag in gogo-protobuf to ensure all of our maps have stable ordering when serialized to protobuf. This preserves the behavior from JSON that we rely on to avoid writing to etcd except when the content has changed.
Will slightly increase allocations (1 slice per non-empty map in an object) during Encode, which has a minor impact on CPU. However, avoiding writes when a client issues a blind put results in significantly less CPU across the whole cluster (avoiding a new etcd version for an Endpoints object might save ~1 core/sec on large clusters).
Fixes#47678
```release-note
The protobuf serialization of API objects has been updated to store maps in a predictable order to ensure that the representation of that object does not change when saved into etcd. This prevents the same object from being seen as being modified, even when no values have changed.
```
Automatic merge from submit-queue (batch tested with PRs 47669, 40284, 47356, 47458, 47701)
add unit test cases for kubelet.util.sliceutils
What this PR does / why we need it:
I have not found any unit test case for this file, so i do it, thank you!
Fixes#47001
Now service already supported 4 ServiceTypes, ServiceTypes is
friendly to distinguish services, so outputing service type better
when running 'kubectl get service'.
Automatic merge from submit-queue
Turn off the alpha features by default
Fix https://github.com/kubernetes/kubernetes/issues/47687.
@liggitt @sttts do you know if it's intentional to turn on rbac v1alpha1?
```release-note
The following alpha API groups were unintentionally enabled by default in previous releases, and will no longer be enabled by default in v1.8:
rbac.authorization.k8s.io/v1alpha1
settings.k8s.io/v1alpha1
If you wish to continue using them in v1.8, please enable them explicitly using the `--runtime-config` flag of the apiserver (for example, `--runtime-config="rbac.authorization.k8s.io/v1alpha1,settings.k8s.io/v1alpha1"`)
```
Automatic merge from submit-queue (batch tested with PRs 47626, 47674, 47683, 47290, 47688)
validate host paths on the kubelet for backsteps
**What this PR does / why we need it**:
This PR adds validation on the kubelet to ensure the host path does not contain backsteps that could allow the volume to escape the PSP's allowed host paths. Currently, there is validation done at in API server; however, that does not account for mismatch of OS's on the kubelet vs api server.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47107
**Special notes for your reviewer**:
cc @liggitt
**Release note**:
```release-note
Paths containing backsteps (for example, "../bar") are no longer allowed in hostPath volume paths, or in volumeMount subpaths
```
Automatic merge from submit-queue (batch tested with PRs 38751, 44282, 46382, 47603, 47606)
Adding 'flexvolume' prefix to FlexVolume plugin names.
**What this PR does / why we need it**: Adds a prefix to FlexVolume plugin names in order to more easily identify plugins as FlexVolume. Improves debugging.
**Special notes for your reviewer**: Unfortunately the delimiter after 'flexvolume' is restricted to either '-' or '.' . This makes the prefix seem like it's part of the vendor name. Not sure if this could cause issues later on.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 38751, 44282, 46382, 47603, 47606)
kubectl logs with label selector supports specifying a container name
**What this PR does / why we need it**:
Allows `kubectl logs` to take both a label selector and container name. This allows me to fetch logs from pods by selector whose pods have multiple containers with a common name. This is a common action when debugging components like the service-catalog that ship more than one container in their pod. With this change, the following command lets me get logs for service-catalog.
```
$ kubectl logs -l app=sc-catalog-apiserver --namespace=service-catalog --container=apiserver
```
Automatic merge from submit-queue
Raise a warning instead of info if br-netfilter is missing or unset
Took quite a while to figure out why service VIP is unreachable on my cluster. It turns out br-nf-call-iptables is unset. I wish this message could be a warning to attract considerable attention.
Automatic merge from submit-queue
Fix api description
**What this PR does / why we need it**:
prefered -> preferred
the the -> the
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46884, 47557)
Rename DaemonSet and StatefulSet hash label
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47554
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @kow3ns
/cc @bgrant0607
@kubernetes/sig-apps-api-reviews
Automatic merge from submit-queue
fix --local flag for kubectl commands
Fixes https://github.com/kubernetes/kubernetes/issues/47079
**Release note**:
```release-note
NONE
```
Fixes the `--local` flag for `kubectl set ...` sub-commands.
**As of the 1.7 release**, `PrinterForCommand` was updated to [use a mapper and typer for unstructured objects](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/util/factory_builder.go#L52), which further prevented the use of `--local` when there was no connection to an api server.
**before** (with no connection to a server)
```
$ kubectl set resources -f pod.json --limits=cpu=200m,memory=512Mi --local
error: unable to connect to a server to handle "pods": Get https://10.13.137.149:8443/api: dial tcp 10.13.137.149:8443: getsockopt: connection refused
```
**after** (with no connection to a server)
```
$ kubectl set resources -f pod.json --limits=cpu=200m,memory=512Mi --local
NAME READY STATUS RESTARTS AGE
mypod 0/1 0 <unknown>
```
cc @smarterclayton @fabianofranz
Internal attach/detach controller timers should be configurable and tests
should use much shorter values.
reconcilerSyncDuration is deliberately left out of TimerConfig because it's
the only one that's not a constant one, it's configurable by user.
Alpha commands can be added under `kubectl alpha` and are always
accessible (regardless of feature gates). If no alpha commands have been
defined then `alpha` is not displayed in `help`.
Automatic merge from submit-queue (batch tested with PRs 47451, 47410, 47598, 47616, 47473)
AWS: Cache instances for ELB to avoid #45050
We maintain a cache of all instances, and we invalidate the cache
whenever we see a new instance. For ELBs that should be sufficient,
because our usage is limited to instance ids and security groups, which
should not change.
Fix#45050
```release-note
AWS: Maintain a cache of all instances, to fix problem with > 200 nodes with ELBs
```
Automatic merge from submit-queue (batch tested with PRs 47523, 47438, 47550, 47450, 47612)
append KUBE-HOSTPORTS to system chains instead of prepend
Bug fix for conflicting iptables rules between hostport and kube-proxy
Automatic merge from submit-queue (batch tested with PRs 47523, 47438, 47550, 47450, 47612)
Ignore 404s on evict
One of our upgrades failed with
```
error: error when evicting pod \"boo-2-deploy\": pods \"boo-2-deploy\" not found"
```
@derekwaynecarr since you already fixed half of it
cc: @kubernetes/sig-cli-bugs
I failed terribly at adding a unit test mostly because draining involves discovery for the eviction API and the fake client stuff for discovery are far from functional - will spawn a separate issue about it.
fyi @jupierce
related: https://github.com/kubernetes/kubectl/issues/28
Automatic merge from submit-queue
Strip container id from events
**What this PR does / why we need it**:
reduces spam events from kubelet in bad pod scenarios
**Which issue this PR fixes**:
relates to https://github.com/kubernetes/kubernetes/issues/47366
**Special notes for your reviewer**:
pods in permanent failure states created unique events
**Release note**:
```release-note
None
```
Automatic merge from submit-queue
image name must not have leading or trailing whitespace
**What this PR does / why we need it**:
verifies that an image name can not have leading or trailing whitespace
**Which issue this PR fixes**
fixes https://github.com/kubernetes/kubernetes/issues/47490
**Special notes for your reviewer**:
i was surprised we had not caught this, so if there is an image spec that says leading and trailing whitespace is a good thing, i am open to correction.
i was made aware of downstream users of validate pod template spec that used " " as a special token. as a result, i only do the validation of image name " " in the `Pod` only.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
delete dependent pods for rs when deleting deployments
Fix#44046, where user reported that the garbage collector didn't delete pods when a deployment was deleted with PropagationPolicy=Background.
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
separate group and version priority
Fixes https://github.com/kubernetes/kubernetes/issues/46322
This just modifies the API and does the minimal plumbing. I can extend this pull or do another to fix the priority problem.
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
Fix TPR watches.
Fixes#47027
TPR watch has been broken since #44350.
We maintain a cache of all instances, and we invalidate the cache
whenever we see a new instance. For ELBs that should be sufficient,
because our usage is limited to instance ids and security groups, which
should not change.
Fix#45050
Automatic merge from submit-queue (batch tested with PRs 47510, 47516, 47482, 47521, 47537)
cni: Don't try and map ports with an unset HostPort
The CNI Host function GetPodPortMappings also includes unmapped ports (this is apparently by design). This is normal, and the CNI network plugin invoker should not attempt to map these ports.
This matches the functionality in the kubenet hostport mapper.
Fixes: #47529
Automatic merge from submit-queue (batch tested with PRs 47510, 47516, 47482, 47521, 47537)
Batch AWS getInstancesByNodeNames calls with FilterNodeLimit
We are going to limit the getInstancesByNodeNames call with a batch
size of 150.
Fixes - #47271
```release-note
AWS: Batch DescribeInstance calls with nodeNames to 150 limit, to stay within AWS filter limits.
```
Blackhole routes otherwise acccumulate unboundedly. We also are careful
to ensure that we do so only within the managed range, which requires
enlisting the help of the routecontroller.
Fix#47524
Automatic merge from submit-queue (batch tested with PRs 47204, 46808, 47432, 47400, 47099)
Remove broken getvolumename and pass PV or volume name to attach call
Cherry-picking https://github.com/kubernetes/kubernetes/pull/46249 to master
What this PR does / why we need it:
Flex getvolumename is broken in 1.6. It needs to be fixed comprehensively in 1.7 release. Removing the api in 1.6. Also pass PV or volume name to the driver during attach call. Detach uses PV or volume name, so plugin can use that information to map to PV.
Which issue this PR fixes (optional, in fixes #(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #
Fixes - #44737
Automatic merge from submit-queue (batch tested with PRs 47204, 46808, 47432, 47400, 47099)
Make the generic webhook admission controller use the dynamic webhook config manager
Based on #46672 and #46388.
Only the last commit is unique.
* removed `SetWebhookSource` from the PluginInitializer
* implemented `SetExternalClientset` for the generic webhook admisson controller, initializing an ExternalWebhookConfigurationManager in the method.