Annotations with empty values can be used, for example, in diagnostics
logging. This patch removes the client-side check for empty values in
an annotation key-value pair.
**Before**
```
$ kubectl annotate pod zookeeper-1 node-selector="" --overwrite
error: invalid annotation format: node-selector=
```
**After**
```
$ kubectl annotate pod zookeeper-1 node-selector="" --overwrite
pod "zookeper-1" annotated
```
```
$ kubectl get po/zookeeper-1 --template='{{.metadata.annotations}}'
map[... node-selector: test-label:test]
```
Automatic merge from submit-queue
add optional env var for allowing version skew in test cmd
If you only make a change to a server component and then re-run `test-cmd` you get a skew error. This is really annoying. I've left the default as it was (force version match), but now also allow `ALLOW_SKEW=true hack/test-cmd.sh` to skip the check.
@eparis worth a quick bash check, but I think I got it.
Automatic merge from submit-queue
Use patched golang1.7.1 for cross-builds targeting darwin
This PR extends #32517 to use the patched go1.7.1 introduced by that PR to build all darwin targets (e.g. kubectl).
This is necessary because binaries built with earlier versions of Go regularly segfault on macOS Sierra (see #32999 and #33070).
This solution is somewhat hacky, but we intend to cherry-pick this to 1.4, and switching all of 1.4 to build with go1.7.1 is very high risk.
I haven't yet pushed the cross build image yet, so this will fail to build. Will test locally and update with results.
First step of fixing #33801.
cc @luxas @pwittrock @david-mcmahon @liggitt @smarterclayton @jfrazelle @Starefossen @gerred
Automatic merge from submit-queue
Add OpenAPI specs to source tree
Similar to swagger spec, adding openapi specs in a separate folder api/openapi-spec
To make sure we generate a consistent spec, parameters need to be sorted first.
Automatic merge from submit-queue
add anytoken authenticator
Adds `--insecure-allow-any-token` as a flag to the API server to create an authenticator that will accept any bearer token and transform it into a user by parsing it out as `username/group1,group2,...`.
This gives an easy way to identify as a user and check permissions:
```bash
ALLOW_ANY_TOKEN=true hack/local-up-cluster.sh
kubectl config set-cluster local-kube --server=https://localhost:6443 --insecure-skip-tls-verify=true
kubectl config set-credentials david --token=david/group1
kubectl config set-context local --cluster=local-kube --user=david
kubectl config use-context local
```
@kubernetes/sig-auth
Automatic merge from submit-queue
Fixing local cluster up
hack: fix local-cluster-up advertise_address default value
Fixes: 9fc1d61
Signed-off-by: André Martins <aanm90@gmail.com>
ping @dims
Automatic merge from submit-queue
Allow anonymous API server access, decorate authenticated users with system:authenticated group
When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users
It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials.
This PR:
* Adds an option to allow anonymous requests to the secured API port. If enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of `system:anonymous` and a group of `system:unauthenticated`. Note: this should only be used with an `--authorization-mode` other than `AlwaysAllow`
* Decorates user.Info returned from configured authenticators with the group `system:authenticated`.
This is related to defining a default set of roles and bindings for RBAC (https://github.com/kubernetes/features/issues/2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs.
```release-note
kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'.
Authenticated users are decorated with a 'system:authenticated' group.
NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or or set '--anonymous-auth=false'.
```
c.f. https://github.com/kubernetes/kubernetes/issues/29177#issuecomment-244191596
Automatic merge from submit-queue
Change minion to node
Continuation of #1111
I tried to keep this PR down to just a simple search-n-replace to keep
things simple. I may have gone too far in some spots but its easy to
roll those back if needed - just let me know.
I avoided renaming `contrib/mesos/pkg/minion` because there's already
a `contrib/mesos/pkg/node` dir and fixing that will require a bit of work
due to a circular import chain that pops up. So I'm saving that for a
follow-on PR.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Contination of #1111
I tried to keep this PR down to just a simple search-n-replace to keep
things simple. I may have gone too far in some spots but its easy to
roll those back if needed.
I avoided renaming `contrib/mesos/pkg/minion` because there's already
a `contrib/mesos/pkg/node` dir and fixing that will require a bit of work
due to a circular import chain that pops up. So I'm saving that for a
follow-on PR.
I rolled back some of this from a previous commit because it just got
to big/messy. Will follow up with additional PRs
Signed-off-by: Doug Davis <dug@us.ibm.com>
Automatic merge from submit-queue
Add jbeda to OWNERS for build, cluster, hack
I'd like to start getting more PRs to review here. I promise I'll stay on top of them now that I have new and improved mail filters.
This splits off all the bash stuff into an interface, and plumbs
through a separate interface to bring up a cluster using "kops"
instead. Right now it assumes kops == AWS.
Automatic merge from submit-queue
build kube-discovery and kubeadm with release
This will start publishing binaries from our ci builds.
@errordeveloper @dgoodwin
Automatic merge from submit-queue
Add a lower-bound for conntrack (128k default)
Fixes#32435
kube-proxy will use a lower-bound, default 128k, for conntrack records. This
is in concert with the per-core scaling factor.
Automatic merge from submit-queue
local-up-cluster.sh: add SERVICE_CLUSTER_IP_RANGE as option
Allows the user the use an environment variable to specify the SERVICE_CLUSTER_IP_RANGE without modifying the `hack/local-up-cluster.sh` script.
Signed-off-by: André Martins <aanm90@gmail.com>
Automatic merge from submit-queue
Make upload-to-gcs.sh use a different prefix for tests in other repos.
For kubernetes/test-infra#476.
Also, put the repo in the build metadata so Gubernator can link to the
right thing for postsubmit jobs.
For PR #$NUM in a given repo, the logs will go to these places:
kubernetes/kubernetes => /pr-logs/pull/$NUM
kubernetes/test-infra => /pr-logs/pull/test-infra/$NUM
google/cadvisor => /pr-logs/pull/google_cadvisor/$NUM
Tested with a manual harness. Note that this leaves the latest/indirect
untouched as well as postsubmit jobs-- *job names* are still unique, the
main issue was that PR numbers might collide. Disturbing as little
structure as possible reduces how many things will break.
Automatic merge from submit-queue
Un-xmlWrap the Test function.
#33361 is pretty much useless.
We should probably take a look at better integrating the new JUnit results into the munger/testgrid/gubernator, but this should make things better for now.
For kubernetes/test-infra#476.
Also, put the repo in the build metadata so Gubernator can link to the
right thing for postsubmit jobs.
For PR #$NUM in a given repo, the logs will go to these places:
kubernetes/kubernetes => /pr-logs/pull/$NUM
kubernetes/test-infra => /pr-logs/pull/test-infra/$NUM
google/cadvisor => /pr-logs/pull/google_cadvisor/$NUM
Tested with a manual harness. Note that this leaves the latest/indirect
untouched as well as postsubmit jobs-- *job names* are still unique, the
main issue was that PR numbers might collide. Disturbing as little
structure as possible reduces how many things will break.
Automatic merge from submit-queue
kubeadm
**What this PR does / why we need it**:
This PR add alpha version of `kubeadm` tool, which allows user to boostrap a cluster rather quite easily. This is the initial contribution from @kubernetes/sig-cluster-lifecycle members, who's aim is to build easy-to-use tools that help to operate a cluster throughout its lifetime.
**Which issue this PR fixes**: a leap towards kubernetes/features#11
**Special notes for your reviewer**: previously seen by many folks in #31221
**Release note**:
```release-note
`kubeadm` (alpha) provides an easy way to securely bootstrap Kubernetes on Linux, see http://kubernetes.io/docs/kubeadm/
```
Automatic merge from submit-queue
Added e2e framweork and a simple test for HA master.
Added e2e framweork for testing HA master. Added one simple e2e test for HA master that first grows and then shrinks GCE cluster.
Automatic merge from submit-queue
Automatic generation of man pages
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->
**What this PR does / why we need it**:
Currently genman supports only kubectl command, so this PR will enable genman to generate man pages for rest of the command like - kube-apiserver, kube-controller-manager, kube-proxy, kube-scheduler, kubelet
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
N/A
**Special notes for your reviewer**:
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
```
juanvallejo