Automatic merge from submit-queue (batch tested with PRs 46884, 47557)
Auto approve kubelet server certificate signing requests.
Fixes https://github.com/kubernetes/kubernetes/issues/47208
**Release note**:
```release-note
Adds an approval work flow to the the certificate approver that will approve certificate signing requests from kubelets that meet all the criteria of kubelet server certificates.
```
Automatic merge from submit-queue
fix --local flag for kubectl commands
Fixes https://github.com/kubernetes/kubernetes/issues/47079
**Release note**:
```release-note
NONE
```
Fixes the `--local` flag for `kubectl set ...` sub-commands.
**As of the 1.7 release**, `PrinterForCommand` was updated to [use a mapper and typer for unstructured objects](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/util/factory_builder.go#L52), which further prevented the use of `--local` when there was no connection to an api server.
**before** (with no connection to a server)
```
$ kubectl set resources -f pod.json --limits=cpu=200m,memory=512Mi --local
error: unable to connect to a server to handle "pods": Get https://10.13.137.149:8443/api: dial tcp 10.13.137.149:8443: getsockopt: connection refused
```
**after** (with no connection to a server)
```
$ kubectl set resources -f pod.json --limits=cpu=200m,memory=512Mi --local
NAME READY STATUS RESTARTS AGE
mypod 0/1 0 <unknown>
```
cc @smarterclayton @fabianofranz
Automatic merge from submit-queue
Fixed e2e test flake - ClusterDns - should create pod that uses dns
**What this PR does / why we need it**:
String replaced in this test for example pod yaml (dns-frontend-pod.yaml) file is incorrect.
**Which issue this PR fixes** :
fixes#45915
Automatic merge from submit-queue
Add some debug info for deployment e2e testing
Add some debug info to printout all the ReplicaSets if there is no deployment object created, and add a enhancement to wait the pod to ready
**Release note**:
```
None
```
Automatic merge from submit-queue
Don't start any Typha instances if not using Calico
**What this PR does / why we need it**:
Don't start any Typha instances if Calico isn't being used. A recent change now includes all add-ons on the master, but we don't always want a Typha replica.
**Which issue this PR fixes**
Fixes https://github.com/kubernetes/kubernetes/issues/47622
**Release note**:
```release-note
NONE
```
cc @dnardo
Automatic merge from submit-queue (batch tested with PRs 47562, 47605)
Adding option in node start script to add "volume-plugin-dir" flag to kubelet.
**What this PR does / why we need it**: Adds a variable to allow specifying FlexVolume driver directory through cluster/kube-up.sh. Without this, the process of setting up FlexVolume in a non-default directory is very manual.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47561
Automatic merge from submit-queue
Add encryption provider support via environment variables
These changes are needed to allow cloud providers to use the encryption providers as an alpha feature. The version checks can be done in the respective cloud providers'.
Context: #46460 and #46916
@destijl @jcbsmpsn @smarterclayton
Automatic merge from submit-queue (batch tested with PRs 47451, 47410, 47598, 47616, 47473)
Revert "Ignore `daemonset-controller-hash` label key in federation before comparing the federated object with its cluster equivalent."
This reverts commit 3530c9ce87.
~This needs to wait for #47258, otherwise federation test won't pass~ (merged)
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47451, 47410, 47598, 47616, 47473)
debian-base: don't remove libcap2
**What this PR does / why we need it**: when I updated the `debian-base` image earlier this week, it apparently removed the libcap2 libraries needed for some dependent images (e.g. fluentd-gcp, #47600).
By holding this package, the library isn't removed from the base image. I've verified by running https://github.com/moul/docker-diff against the `debian-base` image from 2017-02-24.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: x-ref #47386
**Special notes for your reviewer**: nothing is pushed yet.
**Release note**:
```release-note
NONE
```
/cc @timstclair @dchen1107 @luxas @kubernetes/sig-release-misc
Automatic merge from submit-queue (batch tested with PRs 47451, 47410, 47598, 47616, 47473)
kubeadm: Fix kube-proxy regression caused by #46372
**What this PR does / why we need it**:
Fixes: https://github.com/kubernetes/kubeadm/issues/306
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Required for kubeadm v1.7 to work
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @cmluciano
Automatic merge from submit-queue (batch tested with PRs 47451, 47410, 47598, 47616, 47473)
AWS: Cache instances for ELB to avoid #45050
We maintain a cache of all instances, and we invalidate the cache
whenever we see a new instance. For ELBs that should be sufficient,
because our usage is limited to instance ids and security groups, which
should not change.
Fix#45050
```release-note
AWS: Maintain a cache of all instances, to fix problem with > 200 nodes with ELBs
```
Automatic merge from submit-queue (batch tested with PRs 47451, 47410, 47598, 47616, 47473)
CRD: Test delete both with and without cascading.
Fixes#47431
Depends on #47432 (included for now; will rebase if needed)
Automatic merge from submit-queue (batch tested with PRs 47523, 47438, 47550, 47450, 47612)
append KUBE-HOSTPORTS to system chains instead of prepend
Bug fix for conflicting iptables rules between hostport and kube-proxy
Automatic merge from submit-queue (batch tested with PRs 47523, 47438, 47550, 47450, 47612)
Ignore 404s on evict
One of our upgrades failed with
```
error: error when evicting pod \"boo-2-deploy\": pods \"boo-2-deploy\" not found"
```
@derekwaynecarr since you already fixed half of it
cc: @kubernetes/sig-cli-bugs
I failed terribly at adding a unit test mostly because draining involves discovery for the eviction API and the fake client stuff for discovery are far from functional - will spawn a separate issue about it.
fyi @jupierce
related: https://github.com/kubernetes/kubectl/issues/28
Automatic merge from submit-queue (batch tested with PRs 47523, 47438, 47550, 47450, 47612)
kubeadm: Fix subtle versioning ordering issue with v1.8.0-alpha.0
**What this PR does / why we need it**:
`--kubernetes-version latest` is broken since it evals to `v1.8.0-alpha.0` which actually is `v1.7.0-beta.0`, so kubeadm enables features that don't exist
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue
Fix flaking cluster-autoscaler e2e
Ref: https://github.com/kubernetes/autoscaler/issues/89
Scale-down e2e require 5 healthy nodes to pass reliably, this PR should fix the flaking "should correctly scale down after a node is not needed and one node is broken" e2e.
Automatic merge from submit-queue
[GCE] Bump GLBC version to 0.9.5
Fixes#47559
```release-note
Bump GLBC version to 0.9.5 - fixes [loss of manually modified GCLB health check settings](https://github.com/kubernetes/kubernetes/issues/47559) upon upgrade from pre-1.6.4 to either 1.6.4 or 1.6.5, or from pre-1.5.8 to 1.5.8.
```
Automatic merge from submit-queue
Strip container id from events
**What this PR does / why we need it**:
reduces spam events from kubelet in bad pod scenarios
**Which issue this PR fixes**:
relates to https://github.com/kubernetes/kubernetes/issues/47366
**Special notes for your reviewer**:
pods in permanent failure states created unique events
**Release note**:
```release-note
None
```
Automatic merge from submit-queue
image name must not have leading or trailing whitespace
**What this PR does / why we need it**:
verifies that an image name can not have leading or trailing whitespace
**Which issue this PR fixes**
fixes https://github.com/kubernetes/kubernetes/issues/47490
**Special notes for your reviewer**:
i was surprised we had not caught this, so if there is an image spec that says leading and trailing whitespace is a good thing, i am open to correction.
i was made aware of downstream users of validate pod template spec that used " " as a special token. as a result, i only do the validation of image name " " in the `Pod` only.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
delete dependent pods for rs when deleting deployments
Fix#44046, where user reported that the garbage collector didn't delete pods when a deployment was deleted with PropagationPolicy=Background.
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
Update addons with upstream CVE fixes
**What this PR does / why we need it**: refreshes the cluster-proportional-autoscaler, metadata-proxy, and fluentd-gcp addons with new base images with fixes for the following vulnerabilities:
* CVE-2016-4448
* CVE-2016-8859
* CVE-2016-9841
* CVE-2016-9843
* CVE-2017-9526
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: x-ref #47386, though there are still a few images left to update
**Release note**:
```release-note
Update cluster-proportional-autoscaler, metadata-proxy, and fluentd-gcp addons with fixes for CVE-2016-4448, CVE-2016-8859, CVE-2016-9841, CVE-2016-9843, and CVE-2017-9526.
```
/cc @timstclair @MrHohn @Q-Lee @crassirostris
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
separate group and version priority
Fixes https://github.com/kubernetes/kubernetes/issues/46322
This just modifies the API and does the minimal plumbing. I can extend this pull or do another to fix the priority problem.
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
Fix TPR watches.
Fixes#47027
TPR watch has been broken since #44350.
Automatic merge from submit-queue
Fix dangling reference to gcloud alpha API for GCI (should be beta)
This reference to the alpha API was missed (fixed in GCE, but not GCI)
Fixes#47494
```release-note
none
```
We maintain a cache of all instances, and we invalidate the cache
whenever we see a new instance. For ELBs that should be sufficient,
because our usage is limited to instance ids and security groups, which
should not change.
Fix#45050
Automatic merge from submit-queue (batch tested with PRs 47510, 47516, 47482, 47521, 47537)
Fix typo in secretbox transformer prefix
Introduced by #46916 via cherry picked commit [here](12bb591dbf).
Urgent fix in my opinion, ideally should be merged before production.
@smarterclayton
Automatic merge from submit-queue (batch tested with PRs 47510, 47516, 47482, 47521, 47537)
cni: Don't try and map ports with an unset HostPort
The CNI Host function GetPodPortMappings also includes unmapped ports (this is apparently by design). This is normal, and the CNI network plugin invoker should not attempt to map these ports.
This matches the functionality in the kubenet hostport mapper.
Fixes: #47529
Automatic merge from submit-queue (batch tested with PRs 47510, 47516, 47482, 47521, 47537)
Batch AWS getInstancesByNodeNames calls with FilterNodeLimit
We are going to limit the getInstancesByNodeNames call with a batch
size of 150.
Fixes - #47271
```release-note
AWS: Batch DescribeInstance calls with nodeNames to 150 limit, to stay within AWS filter limits.
```
Automatic merge from submit-queue (batch tested with PRs 47510, 47516, 47482, 47521, 47537)
Allow autoscaler min at 0 in GCE
Allow scaling migs to zero in GCE startup scripts. This only makes sense when there is more than 1 mig. The main use case (for now) will be to test scaling to to zero in e2e tests.
Automatic merge from submit-queue
Don't test the debug /logs endpoint on GKE.
GKE will not enable the /logs endpoint in 1.7. I'd like this test to still test the other cluster level endpoints.
Kubernetes Submit Queue