- Move public key functions to client-go/util/cert
- Move pki file helper functions to client-go/util/cert
- Standardize on certutil package alias
- Update dependencies to client-go/util/cert
Automatic merge from submit-queue
Increase default value of apps/v1beta2 DeploymentSpec.RevisionHistoryLimit to 10
**What this PR does / why we need it**:
All controllers that use the `RevisionHistoryLimit` field have a default value of 10 for the field, except for `Deployment`, which has a default of 2. We should increase it to 10 for consistency on its default value across controllers.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49913
**Special notes for your reviewer**:
/cc @janetkuo @foxish @liyinan926
**Release note**:
```release-note
Increase default value of apps/v1beta2 DeploymentSpec.RevisionHistoryLimit to 10
```
Automatic merge from submit-queue
fix typo in staging/src/k8s.io/apiserver/pkg/server/config.go
**What this PR does / why we need it**: Fix a typo `It's members are sorted roughly in order of importance for composers.` in `staging/src/k8s.io/apiserver/pkg/server/config.go`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Automatic merge from submit-queue
Switch from package syscall to golang.org/x/sys/unix
**What this PR does / why we need it**:
The syscall package is locked down and the comment in https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24 advises to switch code to use the corresponding package from golang.org/x/sys. This PR does so and replaces usage of package syscall with package golang.org/x/sys/unix where applicable. This will also allow to get updates and fixes
without having to use a new go version.
In order to get the latest functionality, golang.org/x/sys/ is re-vendored. This also allows to use Eventfd() from this package instead of calling the eventfd() C function.
**Special notes for your reviewer**:
This follows previous works in other Go projects, see e.g. moby/moby#33399, cilium/cilium#588
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix comment of request.go
**What this PR does / why we need it**:
Fix comment of request.go
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
client-gen: don't ignore nil clientsets
Closes https://github.com/kubernetes/client-go/issues/240
When a clientset is nil, fail fast instead of returning a nil value as an interface.
/cc @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 48365, 49902, 49808, 48722, 47045)
Improve shared informer notification dispatching
**What this PR does / why we need it**:
Locks and channels don't play well together. This is an attempt to remove locks and only use channels in shared informer. It looks much cleaner to me.
**Release note**:
```release-note
NONE
```
@deads2k @ncdc
Automatic merge from submit-queue
remove dead log handler and increase verbosity
We had a handler that no one was using and this bumps the verbosity slightly (2->3) to reduce noise at 2.
Automatic merge from submit-queue (batch tested with PRs 50000, 49954, 49943, 50018, 49607)
change apps/v1beta2 StatefulSet observedGeneration from a pointer to an int for consistency
**What this PR does / why we need it**:
change the StatefulSet observedGeneration from a pointer to an int for consistency
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49623
xref #49135
**Special notes for your reviewer**:
/cc @janetkuo @foxish @kow3ns
**Release note**:
```release-note
change apps/v1beta2 StatefulSet observedGeneration (optional field) from a pointer to an int for consistency
```
Automatic merge from submit-queue (batch tested with PRs 49237, 49656, 49980, 49841, 49899)
make admission tolerate object without objectmeta for errors
Not all object have ObjectMeta (see SARs for instance). Admission should tolerate this condition without giving meaningless errors.
@derekwaynecarr ptal
@php-coder fyi
Automatic merge from submit-queue (batch tested with PRs 49989, 49806, 49649, 49412, 49512)
This adds an etcd health check endpoint to kube-apiserver
addressing https://github.com/kubernetes/kubernetes/issues/48215.
**What this PR does / why we need it**:
This ensures kube-apiserver `/healthz` endpoint fails whenever connectivity cannot be established to etcd, also ensures the etcd preflight checks works with unix sockets
**Which issue this PR fixes**: fixes#48215
**Special notes for your reviewer**:
This PR does not use the etcd client directly as the client object is wrapped behind the storage interface and not exposed directly for use, so I decided to reuse what's being done in the preflight. So this will only check fail for connectivity and not etcd auth related problems. I did not write tests for the endpoint because I couldn't find examples that I could follow for writing tests for healthz related endpoints, I'll be willing to write those tests if someone can point me at a relevant one.
**Release note**:
```release-note
Add etcd connectivity endpoint to healthz
```
@deads2k please help review, thanks!
Automatic merge from submit-queue
cleanup dead installer code
cleans up some installer code that was dead and reorders a little of the flow to reduce complexity.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 50029, 48517, 49739, 49866, 49782)
Update generated deepcopy code
**What this PR does / why we need it**:
In generated deepcopy code, the method names in comments do not match the real method names.
**Which issue this PR fixes**: fixes#49755
**Special notes for your reviewer**:
/assign @sttts @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49990, 49997, 44278, 49936, 49891)
adds an admission plugin to the sample apiserver.
**What this PR does / why we need it**:
adds an admission plugin to the sample apiserver.
the admission plugin checks whether `Flunder.Name` is not on the banned list.
including a unit test with various test scenarios.
**Special notes for your reviewer**:
https://github.com/kubernetes/kubernetes/issues/47868
**Release note**:
```
NONE
```
Automatic merge from submit-queue
fix sample-apiserver apiservice.yaml to add groupPriorityMinimum
fix sample-apiserver apiservice.yaml example to add groupPriorityMinimum and versionPriority, which is added in v1.7
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49992, 48861, 49267, 49356, 49886)
Reintegrate aggregation support for OpenAPI
Reintegrating changes of #46734
Changes summary:
- Extracted all OpenAPI specs to new repo `kube-openapi`
- Make OpenAPI spec aggregator to copy and rename any non-requal model (even with documentation change only).
- Load specs when adding APIServices and retry on failure until successful spec retrieval or a 404.
- Assumes all Specs except aggregator's Spec are static
- A re-register of any APIService will result in updating the spec for that service (Suggestion for TPR: they should be registered to aggregator API Server, Open for discussion if any more changes needed for another PR.)
fixes#48548
Automatic merge from submit-queue (batch tested with PRs 49992, 48861, 49267, 49356, 49886)
Correctly handle empty watch event cache
Fixes https://github.com/kubernetes/kubernetes/issues/49956
Introduced by ada60236f7 which did not adjust the oldest available resourceVersion for an empty watch event cache.
Exposed by 74b9ba3b4d, which allowed controllers to get list results from etcd before the watch cache is ready (normally they list with resourceVersion=0 which serves the list request from the watch cache, blocking until it is ready)
When the watch cache had an empty cache of watch events, it currently allows establishing a watch as if it can deliver a watch event for its currently synced resourceVersion. This results in an off-by-one error which can result in a missed watch event.
Scenario:
bob:
1. creates object at resourceVersion=11
sally:
1. does a list API request, gets a list resourceVersion of 10 (just before bob creates the object)
2. starts watch handled by watch cache at resourceVersion=10
Watch cache:
1. initial list gets resourceVersion=11, including the item created by bob
2. when determining the initial watch events to send to sally's watch, there are no watch events in the cache, so no initial watch events are sent.
3. the cache listerwatcher watches etcd starting at resourceVersion=11, so future events are fed into the event cache and to sally's watch
The watch cache should have dropped sally's watch from resourceVersion=10 with a "gone" error, since it can't deliver the watch event for resourceVersion=11. This would force sally to relist (where she would get a list at resourceVersion=11) and rewatch (from resourceVersion=11)
This particularly affects tests that create CRD/TPRs and establish watches on the new types as the storage layer's watch cache is also populating for that type.
```release-note
Fix a bug in watch cache sometimes causing missing events after watch cache initialization.
```
Automatic merge from submit-queue (batch tested with PRs 46519, 49794, 49720, 49692, 49821)
fix missing verb at end of format string
**What this PR does / why we need it**:
A missing verb at end of format string in Errorf call happens in `vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc_test.go`, This PR fixes this problem.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Automatic merge from submit-queue
Add KMS plugin registry
Allows supporting KMS services as encryption providers using a plugin mechanism similar to admission plugins.
Simplifies #48574
Progresses #48522
@deads2k PTAL
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
conversion-gen: support recursive types
Currently, conversion-gen goes into an infinite recursion for recursive types. This fixes it to support recursive types.
Needed for #47263.
**Release note**:
```release-note
NONE
```
/cc @sttts
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
Add support for `no_new_privs` via AllowPrivilegeEscalation
**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes#38417
Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.
Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.
Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.
**Release note**:
```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process
```
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
StatefulSet: Remove `initialized` annotation from apps/v1beta2.
The annotation was already removed from apps/v1beta1 in #49251, but this copy survived due to another concurrent PR.
ref #41605
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Enable garbage collection of custom resources
Enhance the garbage collector to periodically refresh the resources it monitors (via discovery) to enable custom resource definition GC (addressing #44507 and reverting #47432).
This is a replacement for #46000.
/cc @lavalamp @deads2k @sttts @caesarxuchao
/ref https://github.com/kubernetes/kubernetes/pull/48065
```release-note
The garbage collector now supports custom APIs added via CustomeResourceDefinition or aggregated apiservers. Note that the garbage collector controller refreshes periodically, so there is a latency between when the API is added and when the garbage collector starts to manage it.
```
Christoph Blecker