forceLiveLookupCache is designed to save recently deleted namespaces.
But currently, cluster scoped resources are also put into it.
For example, when we run:
kubectl delete clusterrole edit
The "edit" is put into forceLiveLookupCache as a deleted namespace.
This change fix the invalid action.
Automatic merge from submit-queue (batch tested with PRs 49017, 45440, 48384, 45894, 48808)
Update two dependencies
**What this PR does / why we need it**:
github.com/stretchr/testify - main desired update. Old version has bugs. Specifically I encountered https://github.com/stretchr/testify/issues/347 which was fixed a year ago.
github.com/davecgh/go-spew/spew is set to the newest version, a bit
newer than required by testify. Updated from version 6 Nov 2015 to
27 Jun 2017.
github.com/stretchr/objx is not updated - testify uses version
from 27 May 2014 which is older than 28 Sep 2015 used now (latest
actually). In practice there is only a tiny difference - one method was
removed in new version.
**Release note**:
```release-note
NONE
```
/sig testing
Automatic merge from submit-queue (batch tested with PRs 49017, 45440, 48384, 45894, 48808)
Fix typo in ExecCommandParam
**What this PR does / why we need it**: Makes ExecCommandParam look like all of the other "Param"s
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48494, 48733)
Never prevent deletion of resources as part of namespace lifecycle
Namespace lifecycle should not prevent deletion of resources... its purpose is to prevent creation of resources in a terminating namespace, or create/update of resources in a non-existent namespace.
Fixes#49027
Automatic merge from submit-queue
Remove old, core/v1 specific constructs from RESTClient
Now that metav1 is abstracted from the APIs, RESTClient should also be agnostic to the core API.
* Remove `LabelSelectorParam` and `FieldSelectorParam` - use `VersionedParams` with `ListOptions`
* Remove `UintParam`
* Remove all legacy field selector logic from `VersionedParams` - ParameterCodec now handles that
* Remove special parameters (like `timeout`) which is no longer set by most clients
Automatic merge from submit-queue
Log error when failed to renew lease.
**What this PR does / why we need it**:
Log detailed error when leaderelection can not renew release.
It would add a little bit help to find direct reason of failing renew lease
```
E0626 15:23:06.269198 46443 leaderelection.go:263] Failed to update lock: etcdserver: request timed out
E0626 15:23:07.528206 46443 leaderelection.go:263] Failed to update lock: Operation cannot be fulfilled on endpoints "kube-scheduler": the object has been modified; please apply yo
ur changes to the latest version and try again
E0626 15:23:07.528260 46443 event.go:259] Could not construct reference to: '&v1.Endpoints{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"", GenerateN
ame:"", Namespace:"", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*
v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]str
ing(nil), ClusterName:""}, Subsets:[]v1.EndpointSubset(nil)}' due to: 'selfLink was empty, can't make reference'. Will not report event: 'Normal' 'LeaderElection' 'gd6-k8s-noah-prod0
01-master-s0004 stopped leading'
I0626 15:23:07.528391 46443 leaderelection.go:208] failed to renew lease kube-system/kube-scheduler
F0626 15:23:07.528422 46443 server.go:134] lost master
```
github.com/davecgh/go-spew/spew is set to the newest version, a bit
newer than required by testify. Updated from version 6 Nov 2015 to
27 Jun 2017.
github.com/stretchr/objx is not updated - testify uses version
from 27 May 2014 which is older than 28 Sep 2015 used now (latest
actually). In practice there is only a tiny difference - one method was
removed in new version.
Automatic merge from submit-queue
jsonpath filter: allow intermediate missing keys
**What this PR does / why we need it**:
In jsonpath, when filtering a list, if allowMissingKeys is true, skip
over any items that are missing an intermediate key in the filter,
instead of returning a confusing error.
For example, if the filter is
{.items[?(@.metadata.annotations.foo=="bar")].metadata.name}
we should return all items where metadata.annotations.foo == bar, but if
an item in the list does not have metadata, metadata.annotations, or
metadata.annotations.foo, skip it instead of erroring.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#45546
**Special notes for your reviewer**:
**Release note**:
```release-note
Fixed a bug where a jsonpath filter would return an error if one of the items being evaluated did not contain all of the nested elements in the filter query.
```
cc @timothysc @smarterclayton @stevekuznetsov @mengqiy @liggitt @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue
remove some people from OWNERS so they don't get reviews anymore
These are googlers who don't work on the project anymore but are still
getting reviews assigned to them:
- @bprashanth
- @rjnagal
- @vmarmol
Automatic merge from submit-queue (batch tested with PRs 48812, 48276)
client-go support IPv6 addresses for PortForwarder getListener()
Currently, client-go requires that an IPv6 address string for hostname has
square brackets surrounding, so that it can be used with address:port in
an API request.
This change, removes that requirement, and has getListener() add the
square brackets, if needed. If the hostname is a name, an IPv4 address
string, or an IPv6 address already with square brackets, no change is made.
Decided to change here, rather than everywhere client-go is used (thinking
that there may be places where we DON'T want the square brackets applied).
This issue was found in kubelet, which, at startup, creates a listener for
services and nodes. If an IPv6 address is used, the URI was malformed.
**What this PR does / why we need it**:
Ensures that client-go will handle IPv6 addresses as hostnames, without any special encoding by caller.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48225
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48864, 48651, 47703)
Do not persist SelfLink into etcd storage
This behavior regressed in an earlier release. Clearing the self link reduces the size of the stored object by a small amount and keeps etcd marginally cleaner. Add tests to verify that Create and Update result in no SelfLink stored in etcd.
Currently, client-go requires that an IPv6 address string for hostname has
square brackets surrounding, so that it can be used with address:port in
an API request.
This change, removes that requirement, and has getListener() add the
square brackets for IPv6 addresses for hosts. If IPv4 or hostname, the name
will not be modified.
Decided to change here, rather than everywhere client-go is used (thinking
that there may be places where we DON'T want the square brackets applied).
This issue was found in kubelet, which, at startup, creates a listener for
services and nodes. If an IPv6 address is used, the URI was malformed.
This behavior regressed in an earlier release. Clearing the self link
ensures that a new version is always written and reduces the size of the
stored object by a small amount. Add tests to verify that Create and
Update result in no SelfLink stored in etcd.
Automatic merge from submit-queue (batch tested with PRs 48594, 47042, 48801, 48641, 48243)
Prepare to introduce websockets for exec and portforward
Refactor the code in remotecommand to better represent the structure of
what is common between portforward and exec.
Ref #48633
Automatic merge from submit-queue (batch tested with PRs 48698, 48712, 48516, 48734, 48735)
Name change: s/timstclair/tallclair/
I changed my name, and I'm migrating my user name to be consistent.
Automatic merge from submit-queue
remove svg mime type extension
Signed-off-by: sakeven <jc5930@sina.cn>
**What this PR does / why we need it**:
I found that [kubernetes requires go version 1.6 or greater](https://github.com/kubernetes/kubernetes/blob/master/hack/lib/golang.sh#L335).
While the [commit](21e47d831b) which adds "image/svg+xml" type for extension ".svg", has been merged to go from version 1.5 to 1.9beta.
So it's safe to remove code ```mime.AddExtensionType(".svg", "image/svg+xml")```.
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47948, 48631, 48693, 48549, 47593)
add generated clients. modify codegen script
**What this PR does / why we need it**:
Adds in the generated clientsets for the sample apiserver. Modifies the update-codgen script to copy over the client from the generated location. We need it in order to be able to add integrations and unit tests that make use of the clientsets and their fakes.
**Special notes for your reviewer**:
@deads2k @p0lyn0mial hopefully done the correct thing here. Not 100% sure on needing the copy but it seemed what was needed to get the import paths correct?
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47948, 48631, 48693, 48549, 47593)
add a regression test for Audit-ID http header
This change add a test for: https://github.com/kubernetes/kubernetes/pull/48492
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46865, 48661, 48598, 48658, 48614)
remove extra WriteHeader function
The deleted two functions will be called later in the function
SerializeObject(). Not necessary to call them twice.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47232, 48625, 48613, 48567, 39173)
Include leaderelection in client-go;
Fix#39117
Fix https://github.com/kubernetes/client-go/issues/28
This PR:
* includes the leaderelection to the staging client-go
* to avoid conflict with golang's testing package, renames package /testing to /testutil, and renames cache/testing to cache/testframework
```release-note
client-go now includes the leaderelection package
```
Automatic merge from submit-queue (batch tested with PRs 48196, 42783, 48507, 47719, 46138)
IPv6 support for getting IP from default route
This is another part of the effort to update ChoseHostInterface() to support
IPv6. In particular, this focuses on the call path, starting from
chooseHostInterfaceFromRoute(), which attempts to find the node IP by
using default route information.
In the original code, routes are collected, and examined to find default
routes. For a default route, the IPs for the associated interface are
checked to see if there is one that is a V4 address, and is not a
loopback, link local, or multicast address. If found, that IP will be
used for the node IP.
With this PR, there are some slight changes to prepare for allowing IPs
from IPv6 default routes. The routes (IPv4 at this time - a subsequent
PR will handle IPv6) are collected as before. If the route is a default
route AND it's GW address is a global unicast address, then the IPs
for the associated interface are checked. This time though, we just pick
the IP that is on the same subnet as the gateway IP.
This ensures it is not a link local, loopback, or multicast address. It
saves time, by nt checking IPs for interfaces that don't have a "global"
default route. It also will ensure the right IP is used, when using both
IPv4 and IPv6 addresses.
For example, if we have eth0 with global IPv4 and IPv6 addresses, and
an IPv6 default route, we want to select the IPv6 address, as it is
associated with the default route.
Another case is that same interface, along with eth1 containing an IPv4
address with a default route. We want to select eth1's IPv4 address,
and not the IPv4 on eth0.
This change adds more UT coverage to several methods, and removes UTs
that are redundantly testing at a higher level. Coverage is slightly
improved.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: xref #44848
**Special notes for your reviewer**:
This goes along with PR 46044, and will have another PR to the next part.
**Release note**:
```release-noteNONE
```
fix issue where binaries not being removed. Add new client packages to lint
put new linted packages in correct location. remove flag from variables
Add all pkgs that should be linted and run sort
Add output from hack/update-bazel.sh
remove genclient=true from FischerList and regenerate client
re update bazel build files
fix missing resource method in register.go
In jsonpath, when filtering a list, if allowMissingKeys is true, skip
over any items that are missing an intermediate key in the filter,
instead of returning a confusing error.
For example, if the filter is
{.items[?(@.metadata.annotations.foo=="bar")].metadata.name}
we should return all items where metadata.annotations.foo == bar, but if
an item in the list does not have metadata, metadata.annotations, or
metadata.annotations.foo, skip it instead of erroring.
Automatic merge from submit-queue (batch tested with PRs 48583, 48605, 48601)
apimachinery+apiserver: separate test types in their own packages
Preparation for static deepcopy https://github.com/kubernetes/kubernetes/pull/48544
and its use of package-global deepcopy-gen tags for all runtime.Objects.
- [x] wait for #48497
Automatic merge from submit-queue (batch tested with PRs 48583, 48605, 48601)
support json output for log backend of advanced audit
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
Add json format support for advanced audit in apiserver. Use --audit-log-format=json to emit json to log backend.
```
Automatic merge from submit-queue
Record 429 and timeout errors to prometheus
Allows gathering of load being shed.
Fixes#48559
@deads2k please review, there was a logic error in apiserver RequestInfo (minor, fortunately)
```release-note
Requests with the query parameter `?watch=` are treated by the API server as a request to watch, but authorization and metrics were not correctly identifying those as watch requests, instead grouping them as list calls.
```
Automatic merge from submit-queue (batch tested with PRs 48497, 48604, 48599, 48560, 48546)
remove dead code
This removes the dead code cruft since we stopped serving TPRs.
ref #48152
Automatic merge from submit-queue (batch tested with PRs 48497, 48604, 48599, 48560, 48546)
audit: fix deepcopy registration
Remove manual registration into scheme by fixing the deepcopy tag of the api group.
This is part 2 of the effort to update ChoseHostInterface() to support IPv6
addresses (as part of issue 44848). This changeset includes:
- Supports finding IPv6 host addresses from default routes (but currently only
provided with IPv4 default routes).
- getRoutes() filters for default routes.
- getFinalIP() checks that IP is in requested family. Uses IsGlobalUnicast(),
instead of explicit tests for loopback, multicast, and link-local IPs.
- getIPFromInterace() checks for family requested.
- chooseHostInterfaceFromRoute()
* Quickly exits, if no default routes.
* Since only getting default routes, no check here.
* Searches all default routes for IPv4 addresses, and then searches all
default routes for IPv6 addresses (for backwards compatibility).
- More coverage in UTs (87.8% vs 62.6%).
- Better testing of error conditions/results.
- Tests for IPv6 IPs, throughout functions.
- Reduced duplicate testing for items tested at lower levels.
Commit has been rebased on top of PR46044.
Automatic merge from submit-queue (batch tested with PRs 47435, 46044)
IPv6 support for getting node IP
As part of ChooseHostInterface(), it will call a function to try to get the
global IP for the host, by looking at all the system interfaces and select
the first IP that is not a loopback, link-local, or point-to-point IP.
This commit does the following:
- Allows IPv6 non-local IPs to be selected.
- IPv4 takes priority (checks all interfaces for IPv4 addresses and
then checks all interfaces for IPv6), for backward compatibility.
- Adds UTs for code coverage (was no coverage of underlying function),
increasing from 62% to 85%.
- Improved logging and reporting for error conditions.
- Minor renaming of functions and variables for readability.
**What this PR does / why we need it**:
This will be part of several PRs to add IPv6 support in apimachinery area for use by Kubernetes. It partially fixes the issue.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: xref #44848
**Special notes for your reviewer**:
The intent is to break up the PR 45116 into multiple PRs to take on this change a piece at a time.
**Release note**:
```release-noteNONE
```
Automatic merge from submit-queue
Fix invalid Content-Type for 403 error
https://github.com/kubernetes/kubernetes/pull/47384 makes 403 errors return Status Object. However the Content-Type is still "text/plain"
This change fixes it.
Before this change:
kubectl get pods --as=tom
Error from server (Forbidden): {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"\" is forbidden: User \"tom\" cannot list pods in the namespace \"default\".","reason":"Forbidden","details":{"kind":"pods"},"code":403} (get pods)
After this change:
$ kubectl get pods --as=tom
Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default".
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Now http header key "Audit-ID" doesn't have effect, because golang
automaticly transforms "Audit-ID" into "Audit-Id". This change use
http.Header.Get() function to canonicalize "Audit-ID" to "Audit-Id".
Automatic merge from submit-queue (batch tested with PRs 47700, 48464, 48502)
Add a refreshing discovery client
Introduce a discovery client (implementing `CachedDiscoveryInterface`) which caches discovery information in memory and which can be actively refreshed by the user.
This implementation fetches from discovery upon refresh and could later be improved to maintain updates from a watch.
Extracted from https://github.com/kubernetes/kubernetes/pull/47665 and https://github.com/kubernetes/kubernetes/pull/46000 to help reduce the scope of https://github.com/kubernetes/kubernetes/pull/48065.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47700, 48464, 48502)
fix error type
**What this PR does / why we need it**:
invalidToken should be errInvalideToken
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
No
**Release note**:
```
None
```
Automatic merge from submit-queue (batch tested with PRs 45467, 48091, 48033, 48498)
Refactor and simplify generic printer for unknown objects
The first two commits are part of other PRs
@kubernetes/sig-cli-pr-reviews part of the general refactoring for server side print
Automatic merge from submit-queue (batch tested with PRs 47162, 48444, 48445)
make the panic handler first
Move the panic handler to the beginning of the chain so that panics will get information in the log beyond a stack.
Automatic merge from submit-queue (batch tested with PRs 47162, 48444, 48445)
Introducing a cluster-scoped resource in the wardle.k8s.io group.
**What this PR does / why we need it**:
This PR adds a cluster-scoped resource to the wardle.k8s.io group.
The cluster scoped resource has a field that indicates Flunder.Names that are disallowed.
The resource is going to be used by an admission plugin.
The admission plugin will list the cluster-scope resources and check against banned names.
**Special notes for your reviewer**:
Issue: #47868
**Release note**:
```
NONE
```
The cluster scoped resource has a field that indicates Flunder.Names that are disallowed.
The resource is going to be used by an admission plugin.
The admission plugin will list the cluster-scope resources and check against banned names.
Issue: #47868
Automatic merge from submit-queue
remove unused function and variable from audit backend
auditStringSlice is not used here anymore.
sink variable is also not used.
**Release note**:
```
NONE
```
Fixes: #47114
Automatic merge from submit-queue
Follow up for https://github.com/kubernetes/kubernetes/pull/47003
**What this PR does / why we need it**:
This is addressing left comments for https://github.com/kubernetes/kubernetes/pull/47003#discussion_r120888982
/cc @aveshagarwal
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 48439, 48440, 48394)
GuaranteedUpdate must write if stored data is not canonical
An optimization added to the GuaranteedUpdate loop changed the
comparison of the current objects serialization against the stored data,
instead comparing to the in memory object, which defeated the mechanism
we use to migrate stored data (GET then PUT should update the version stored in etcd if the canonical serialization has changed)
This commit preserves that optimization but correctly verifies the in
memory serialization against the on disk serialization by fetching the
latest serialized data. Since most updates are not no-ops, this should
not regress the performance of the normal path.
Fixes#48393
```release-note
When performing a GET then PUT, the kube-apiserver must write the canonical representation of the object to etcd if the current value does not match. That allows external agents to migrate content in etcd from one API version to another, across different storage types, or across varying encryption levels. This fixes a bug introduced in 1.5 where we unintentionally stopped writing the newest data.
```
Automatic merge from submit-queue (batch tested with PRs 47784, 47793, 48334, 48435, 48354)
allow a deletestrategy to opt-out of GC
Not all resources should be GC-able and we implemented an ignore list to handle this, but at the storage layer they could still set finalizers, they just hung in a stuck state forever. This updates the strategy to allow a resource to indicate that they shouldn't be GCed.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 47784, 47793, 48334, 48435, 48354)
update events' ResponseStatus at Metadata level
ResponseStatus is populated in MetadataLevel, so we also update it in
MetadataLevel.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47784, 47793, 48334, 48435, 48354)
add validate for advanced audit policy
This change checks group name and non-resrouce URLs format for audit
policy.
**Release note**:
```
add validate for advanced audit policy, kube-apiserver will do a stricter validation and will break existing users with invalid configs.
```
An optimization added to the GuaranteedUpdate loop changed the
comparison of the current objects serialization against the stored data,
instead comparing to the in memory object, which defeated the mechanism
we use to migrate stored data.
This commit preserves that optimization but correctly verifies the in
memory serialization against the on disk serialization by fetching the
latest serialized data. Since most updates are not no-ops, this should
not regress the performance of the normal path.
Automatic merge from submit-queue
remove useless check from impersonation filter
When groupsSpecified is false, that means no other groups are added
rather than the service account groups. So this check doesn't make
any sense.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47918, 47964, 48151, 47881, 48299)
GZip openapi schema if accepted by client
**What this PR does / why we need it**: Uses gzip "Accept-Encoding" flag rather than specific path to download gzipped openapi schema.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48375
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 43558, 48261, 42376, 46803, 47058)
OpenAPI downloads protobuf rather than Json
**What this PR does / why we need it**:
The current implementation of the OpenAPI getter fetches the swagger in a Json format from the apiserver. The Json file is big (~1.7mb), which means that it takes a long time to download, and then a long time to parse. Because that is going to be needed on each `kubectl` run later, we want this to be as fast as possible.
The apiserver has been modified to be able to return a protobuf version of the swagger, which this patch intends to use.
Note that there is currently no piece of code that exists that allows us to go from the protobuf version of the file, back into Json and/or `spec.Swagger`. Because the protobuf is not very different (but significantly different enough that it can't be translated), I've updated the code to use `openapi_v2.Document` (the protobuf type) everywhere rather than `spec.Swagger`. The behavior should be identical though.
There are more changes that are coming in follow-up pull-requests: using the gzip version (also provided by the new apiserver) to even further reduce the size of the downloaded content, and use the HTTP Etag cache mechanism to completely get rid of recurrent fetch requests. I'm currently working on these two features.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: partly #38637
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix a typo in deletion log of apiserver
**What this PR does / why we need it**:
I just fix a typo in a log message. Nothing more 😄
**Which issue this PR fixes**
apiserver sometimes log this message "About do delete object from database". It seems that there is a typo for `to`.
```release-note
Fix a typo in apiserver log message
```
Fix the Unstructured GetDeletionGracePeriodSeconds accessor which was
always returning nil regardless of the underlying stored value. The
field value always appearing nil prevents Custom Resource instances
from being deleted when garbage collection is enabled for CRs and
when DeletePropagationOrphan is used. More generally, this fix means that
delete-on-update now works for CR instances.
Add some test coverage for Unstructured metadata deserialization.
The Unstructured DeletionGracePeriodSeconds field marshals as a value
type from JSON and as a pointer type via SetDeletionGracePeriodSeconds.
The GetDeletionGracePeriodSeconds method now supports handling both
int64 and *int64 values so that either underlying value can be returned.
Add a reflection-based unit test which attempts to exercise all the
Object Get/Set methods for nil handling.
Automatic merge from submit-queue (batch tested with PRs 45610, 47628)
Add Priority to Kubernetes API
**What this PR does / why we need it**: This is the first in a series of PRs to add priority to Kubernetes API. Subsequent PRs will add priority name resolution to admission controller.
**Release note**:
```release-note
Add PriorityClassName and Priority fields to PodSpec.
```
Automatic merge from submit-queue
shows how to wire admission control in a sample api server.
**What this PR does / why we need it**:
This PR shows how to wire admission control in a custom api server
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47484, 47904, 48034)
prioritize messages for long steps
This pull prioritizes the trace messages, so steps that are unusually large come out at the info level and all details come out a v(4) level.
Automatic merge from submit-queue (batch tested with PRs 48012, 47443, 47702, 47178)
Don't bother with a mutable transformer for identity
The default value transformer can safely be the identity transformer - mutability is not required if the caller doesn't need transformation.
Automatic merge from submit-queue (batch tested with PRs 48012, 47443, 47702, 47178)
incluster config will be used when creating external shared informers.
**What this PR does / why we need it**:
Previously the loopback configuration was used to talk to the server.
As a consequence a custom API server was unable to talk to the root API server.
This PR changes the above by using incluster configuration to create shared informers.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Update custom-resources example in client-go
- Update client-go examples `README.md` to point to the CustomResources example instead of the deprecated TPR one.
- Delete `staging/src/k8s.io/client-go/examples/custom-resources`.
Fixing #47743.
**Release note**:
```release-note
NONE
```
/cc @ahmetb @sttts
Automatic merge from submit-queue (batch tested with PRs 48036, 48022)
apiextensions-apiserver: fix build
Can't build CRD due to this bug. This PR will fix it.
As part of ChooseHostInterface(), it will call a function to try to get the
global IP for the host, by looking at all the system interfaces and select
the first IP that is not a loopback, link-local, or point-to-point IP.
This commit does the following:
- Allows IPv6 non-local IPs to be selected.
- IPv4 takes priority (checks all interfaces for IPv4 addresses and
then checks all interfaces for IPv6), for backward compatibility.
- Adds UTs for code coverage (was no coverage of underlying function),
increasing from 62% to 84%.
- Improved logging and reporting for error conditions.
- Minor renaming of functions and variables for readability.
Automatic merge from submit-queue (batch tested with PRs 46425, 47975)
make proto time precision match json
json readers/writers see second precision, but protobuf readers/writers seen nanosecond precision. This means that a json client can read and write and accidentally mutate fields as seen by protobuf clients.
This makes the precision consistent.
@kubernetes/sig-api-machinery-misc @smarterclayton
```release-note
Update protobuf time serialization for a one second granularity
```
Automatic merge from submit-queue
Removes alpha feature gate for affinity annotations.
**What this PR does / why we need it**:
In 1.5 we added a backstop to support alpha affinity annotations. This PR removes that support in favor of the Beta fields per discussions.
It also serves as a precursor to some of the component config work that @ncdc has done around @mikedanese design proposal.
xref: https://github.com/kubernetes/kubernetes/pull/41617
**Special notes for your reviewer**:
**Release note**:
```
Removes alpha feature gate for pod affinity annotations.
```
/cc @kubernetes/sig-scheduling-pr-reviews @kubernetes/sig-cluster-lifecycle-misc
Automatic merge from submit-queue (batch tested with PRs 47650, 47936, 47939, 47986, 48006)
External dependency of k8s.io/api
Fix https://github.com/kubernetes/kubernetes/issues/48007
It's unfortunate that k8s.io/api has external dependencies.
Most of the dependencies are introduced by "k8s.io/apimachinery/pkg/util/intstr" and ugorji.
Automatic merge from submit-queue
Add token authentication method for websocket browser clients
Closes#47967
Browser clients do not have the ability to set an `Authorization` header programatically on websocket requests. All they have control over is the URL and the websocket subprotocols sent (see https://developer.mozilla.org/en-US/docs/Web/API/WebSocket)
This PR adds support for specifying a bearer token via a websocket subprotocol, with the format `base64url.bearer.authorization.k8s.io.<encoded-token>`
1. The client must specify at least one other subprotocol, since the server must echo a selected subprotocol back
2. `<encoded-token>` is `base64url-without-padding(token)`
This enables web consoles to use websocket-based APIs (like watch, exec, logs, etc) using bearer token authentication.
For example, to authenticate with the bearer token `mytoken`, the client could do:
```js
var ws = new WebSocket(
"wss://<server>/api/v1/namespaces/myns/pods/mypod/logs?follow=true",
[
"base64url.bearer.authorization.k8s.io.bXl0b2tlbg",
"base64.binary.k8s.io"
]
);
```
This results in the following headers:
```
Sec-WebSocket-Protocol: base64url.bearer.authorization.k8s.io.bXl0b2tlbg, base64.binary.k8s.io
```
Which this authenticator would recognize as the token `mytoken`, and if authentication succeeded, hand off to the rest of the API server with the headers
```
Sec-WebSocket-Protocol: base64.binary.k8s.io
```
Base64-encoding the token is required, since bearer tokens can contain characters a websocket protocol may not (`/` and `=`)
```release-note
Websocket requests may now authenticate to the API server by passing a bearer token in a websocket subprotocol of the form `base64url.bearer.authorization.k8s.io.<base64url-encoded-bearer-token>`
```
Automatic merge from submit-queue
include object fieldpath in event key
Fixes https://github.com/kubernetes/kubernetes/issues/47692#47462 exposed a bug where `getEventKey()` only keys on event fields that are common at the pod level. Events generated by different containers in the same pod will yield identical event keys. This results in events with the same message from different containers in a pod being aggregated in error.
This wasn't a problem before as the event message contained container specific information and thus didn't produce the same event key.
@derekwaynecarr @dhilipkumars @dchen1107
Dr. Stefan Schimanski