Automatic merge from submit-queue
Follow up for https://github.com/kubernetes/kubernetes/pull/47003
**What this PR does / why we need it**:
This is addressing left comments for https://github.com/kubernetes/kubernetes/pull/47003#discussion_r120888982
/cc @aveshagarwal
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 48439, 48440, 48394)
GuaranteedUpdate must write if stored data is not canonical
An optimization added to the GuaranteedUpdate loop changed the
comparison of the current objects serialization against the stored data,
instead comparing to the in memory object, which defeated the mechanism
we use to migrate stored data (GET then PUT should update the version stored in etcd if the canonical serialization has changed)
This commit preserves that optimization but correctly verifies the in
memory serialization against the on disk serialization by fetching the
latest serialized data. Since most updates are not no-ops, this should
not regress the performance of the normal path.
Fixes#48393
```release-note
When performing a GET then PUT, the kube-apiserver must write the canonical representation of the object to etcd if the current value does not match. That allows external agents to migrate content in etcd from one API version to another, across different storage types, or across varying encryption levels. This fixes a bug introduced in 1.5 where we unintentionally stopped writing the newest data.
```
Automatic merge from submit-queue (batch tested with PRs 47784, 47793, 48334, 48435, 48354)
allow a deletestrategy to opt-out of GC
Not all resources should be GC-able and we implemented an ignore list to handle this, but at the storage layer they could still set finalizers, they just hung in a stuck state forever. This updates the strategy to allow a resource to indicate that they shouldn't be GCed.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 47784, 47793, 48334, 48435, 48354)
update events' ResponseStatus at Metadata level
ResponseStatus is populated in MetadataLevel, so we also update it in
MetadataLevel.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47784, 47793, 48334, 48435, 48354)
add validate for advanced audit policy
This change checks group name and non-resrouce URLs format for audit
policy.
**Release note**:
```
add validate for advanced audit policy, kube-apiserver will do a stricter validation and will break existing users with invalid configs.
```
An optimization added to the GuaranteedUpdate loop changed the
comparison of the current objects serialization against the stored data,
instead comparing to the in memory object, which defeated the mechanism
we use to migrate stored data.
This commit preserves that optimization but correctly verifies the in
memory serialization against the on disk serialization by fetching the
latest serialized data. Since most updates are not no-ops, this should
not regress the performance of the normal path.
Automatic merge from submit-queue
remove useless check from impersonation filter
When groupsSpecified is false, that means no other groups are added
rather than the service account groups. So this check doesn't make
any sense.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47918, 47964, 48151, 47881, 48299)
GZip openapi schema if accepted by client
**What this PR does / why we need it**: Uses gzip "Accept-Encoding" flag rather than specific path to download gzipped openapi schema.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48375
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 43558, 48261, 42376, 46803, 47058)
OpenAPI downloads protobuf rather than Json
**What this PR does / why we need it**:
The current implementation of the OpenAPI getter fetches the swagger in a Json format from the apiserver. The Json file is big (~1.7mb), which means that it takes a long time to download, and then a long time to parse. Because that is going to be needed on each `kubectl` run later, we want this to be as fast as possible.
The apiserver has been modified to be able to return a protobuf version of the swagger, which this patch intends to use.
Note that there is currently no piece of code that exists that allows us to go from the protobuf version of the file, back into Json and/or `spec.Swagger`. Because the protobuf is not very different (but significantly different enough that it can't be translated), I've updated the code to use `openapi_v2.Document` (the protobuf type) everywhere rather than `spec.Swagger`. The behavior should be identical though.
There are more changes that are coming in follow-up pull-requests: using the gzip version (also provided by the new apiserver) to even further reduce the size of the downloaded content, and use the HTTP Etag cache mechanism to completely get rid of recurrent fetch requests. I'm currently working on these two features.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: partly #38637
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix a typo in deletion log of apiserver
**What this PR does / why we need it**:
I just fix a typo in a log message. Nothing more 😄
**Which issue this PR fixes**
apiserver sometimes log this message "About do delete object from database". It seems that there is a typo for `to`.
```release-note
Fix a typo in apiserver log message
```
Fix the Unstructured GetDeletionGracePeriodSeconds accessor which was
always returning nil regardless of the underlying stored value. The
field value always appearing nil prevents Custom Resource instances
from being deleted when garbage collection is enabled for CRs and
when DeletePropagationOrphan is used. More generally, this fix means that
delete-on-update now works for CR instances.
Add some test coverage for Unstructured metadata deserialization.
The Unstructured DeletionGracePeriodSeconds field marshals as a value
type from JSON and as a pointer type via SetDeletionGracePeriodSeconds.
The GetDeletionGracePeriodSeconds method now supports handling both
int64 and *int64 values so that either underlying value can be returned.
Add a reflection-based unit test which attempts to exercise all the
Object Get/Set methods for nil handling.
Automatic merge from submit-queue (batch tested with PRs 45610, 47628)
Add Priority to Kubernetes API
**What this PR does / why we need it**: This is the first in a series of PRs to add priority to Kubernetes API. Subsequent PRs will add priority name resolution to admission controller.
**Release note**:
```release-note
Add PriorityClassName and Priority fields to PodSpec.
```
Automatic merge from submit-queue
shows how to wire admission control in a sample api server.
**What this PR does / why we need it**:
This PR shows how to wire admission control in a custom api server
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47484, 47904, 48034)
prioritize messages for long steps
This pull prioritizes the trace messages, so steps that are unusually large come out at the info level and all details come out a v(4) level.
Automatic merge from submit-queue (batch tested with PRs 48012, 47443, 47702, 47178)
Don't bother with a mutable transformer for identity
The default value transformer can safely be the identity transformer - mutability is not required if the caller doesn't need transformation.
Automatic merge from submit-queue (batch tested with PRs 48012, 47443, 47702, 47178)
incluster config will be used when creating external shared informers.
**What this PR does / why we need it**:
Previously the loopback configuration was used to talk to the server.
As a consequence a custom API server was unable to talk to the root API server.
This PR changes the above by using incluster configuration to create shared informers.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Update custom-resources example in client-go
- Update client-go examples `README.md` to point to the CustomResources example instead of the deprecated TPR one.
- Delete `staging/src/k8s.io/client-go/examples/custom-resources`.
Fixing #47743.
**Release note**:
```release-note
NONE
```
/cc @ahmetb @sttts
Automatic merge from submit-queue (batch tested with PRs 48036, 48022)
apiextensions-apiserver: fix build
Can't build CRD due to this bug. This PR will fix it.
As part of ChooseHostInterface(), it will call a function to try to get the
global IP for the host, by looking at all the system interfaces and select
the first IP that is not a loopback, link-local, or point-to-point IP.
This commit does the following:
- Allows IPv6 non-local IPs to be selected.
- IPv4 takes priority (checks all interfaces for IPv4 addresses and
then checks all interfaces for IPv6), for backward compatibility.
- Adds UTs for code coverage (was no coverage of underlying function),
increasing from 62% to 84%.
- Improved logging and reporting for error conditions.
- Minor renaming of functions and variables for readability.
Automatic merge from submit-queue (batch tested with PRs 46425, 47975)
make proto time precision match json
json readers/writers see second precision, but protobuf readers/writers seen nanosecond precision. This means that a json client can read and write and accidentally mutate fields as seen by protobuf clients.
This makes the precision consistent.
@kubernetes/sig-api-machinery-misc @smarterclayton
```release-note
Update protobuf time serialization for a one second granularity
```
Automatic merge from submit-queue
Removes alpha feature gate for affinity annotations.
**What this PR does / why we need it**:
In 1.5 we added a backstop to support alpha affinity annotations. This PR removes that support in favor of the Beta fields per discussions.
It also serves as a precursor to some of the component config work that @ncdc has done around @mikedanese design proposal.
xref: https://github.com/kubernetes/kubernetes/pull/41617
**Special notes for your reviewer**:
**Release note**:
```
Removes alpha feature gate for pod affinity annotations.
```
/cc @kubernetes/sig-scheduling-pr-reviews @kubernetes/sig-cluster-lifecycle-misc
Automatic merge from submit-queue (batch tested with PRs 47650, 47936, 47939, 47986, 48006)
External dependency of k8s.io/api
Fix https://github.com/kubernetes/kubernetes/issues/48007
It's unfortunate that k8s.io/api has external dependencies.
Most of the dependencies are introduced by "k8s.io/apimachinery/pkg/util/intstr" and ugorji.
Automatic merge from submit-queue
Add token authentication method for websocket browser clients
Closes#47967
Browser clients do not have the ability to set an `Authorization` header programatically on websocket requests. All they have control over is the URL and the websocket subprotocols sent (see https://developer.mozilla.org/en-US/docs/Web/API/WebSocket)
This PR adds support for specifying a bearer token via a websocket subprotocol, with the format `base64url.bearer.authorization.k8s.io.<encoded-token>`
1. The client must specify at least one other subprotocol, since the server must echo a selected subprotocol back
2. `<encoded-token>` is `base64url-without-padding(token)`
This enables web consoles to use websocket-based APIs (like watch, exec, logs, etc) using bearer token authentication.
For example, to authenticate with the bearer token `mytoken`, the client could do:
```js
var ws = new WebSocket(
"wss://<server>/api/v1/namespaces/myns/pods/mypod/logs?follow=true",
[
"base64url.bearer.authorization.k8s.io.bXl0b2tlbg",
"base64.binary.k8s.io"
]
);
```
This results in the following headers:
```
Sec-WebSocket-Protocol: base64url.bearer.authorization.k8s.io.bXl0b2tlbg, base64.binary.k8s.io
```
Which this authenticator would recognize as the token `mytoken`, and if authentication succeeded, hand off to the rest of the API server with the headers
```
Sec-WebSocket-Protocol: base64.binary.k8s.io
```
Base64-encoding the token is required, since bearer tokens can contain characters a websocket protocol may not (`/` and `=`)
```release-note
Websocket requests may now authenticate to the API server by passing a bearer token in a websocket subprotocol of the form `base64url.bearer.authorization.k8s.io.<base64url-encoded-bearer-token>`
```
Automatic merge from submit-queue
include object fieldpath in event key
Fixes https://github.com/kubernetes/kubernetes/issues/47692#47462 exposed a bug where `getEventKey()` only keys on event fields that are common at the pod level. Events generated by different containers in the same pod will yield identical event keys. This results in events with the same message from different containers in a pod being aggregated in error.
This wasn't a problem before as the event message contained container specific information and thus didn't produce the same event key.
@derekwaynecarr @dhilipkumars @dchen1107
Automatic merge from submit-queue (batch tested with PRs 47883, 47179, 46966, 47982, 47945)
add level for print flags
Signed-off-by: sakeven <jc5930@sina.cn>
**What this PR does / why we need it**:
It's ugly to print all flags whenever.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
fixes#47932
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47883, 47179, 46966, 47982, 47945)
Add feature gating to REST Compression
**What this PR does / why we need it**: Adds feature gating to opt out of REST API compression
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#46963
**Special notes for your reviewer**: This PR is a fix / addendum to #45666
**Release note**:
```release-note
```
Automatic merge from submit-queue
Lower etcd compacted loglevel
Fixes#47941
When we run apiserver, it will consistently produce logs like:
> I0620 15:27:44.627978 2765 compact.go:159] etcd: compacted rev (7825), endpoints ([http://127.0.0.1:2379])
I0620 15:32:44.632311 2765 compact.go:159] etcd: compacted rev (8193), endpoints ([http://127.0.0.1:2379])
I0620 15:37:44.643658 2765 compact.go:159] etcd: compacted rev (8552), endpoints ([http://127.0.0.1:2379])
...
which does not mean much overall, we may change the loglevel and lower the frequency.
**Release note**:
-->
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46151, 47602, 47507, 46203, 47471)
rebase gophercloud to support HTTP status 300 in pagination, so listingng Cinder v1/v2 API versions won't break
**What this PR does / why we need it**:
Since Cinder block v1/v2 support lands in 1.7, we have to ensure Cinder block api list won't fail due to https://github.com/gophercloud/gophercloud/pull/384.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47651
**Special notes for your reviewer**:
@anguslees @NickrenREN
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix link to apiextensions client-go example
Fixes link to client-go example for apiextensions-apiserver.
Fixing #47211.
**Special notes for your reviewer**:
When I run `hack/update-staging-client-go.sh`, I get this error:
```
!!! Error in staging/copy.sh:132
Error in staging/copy.sh:132. 'git commit -q -m "Snapshot" > /dev/null' exited with status 1
Call stack:
1: staging/copy.sh:132 main(...)
Exiting with status 1
```
What am I missing here?
/cc @caesarxuchao @sttts
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42252, 42251, 42249, 47512, 47887)
fix HostAliases' json keys to be hostAlias instead of hostMapping to reflect actual feature name
**What this PR does / why we need it**: a rename was introduce during the middle of #44641 to change from `hostMappings` to `hostAliases`. the Go structs were updated, but I neglected to update the json keys. They should be in sync.
**Special notes for your reviewer**: I messed up. This is an API change. I hope this is still ok to be in the 1.7 release.
**Release note**:
```release-note
HostAliases is now parsed with `hostAliases` json keys to be in line with the feature's name.
```
Automatic merge from submit-queue (batch tested with PRs 47878, 47503, 47857)
restore working aggregator and avoid duplicate informers
Fixes https://github.com/kubernetes/kubernetes/issues/47866
This runs the informer all the way through and makes sure its started.
@lavalamp ptal
@kubernetes/sig-api-machinery-bugs
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert 44714 manually
#44714 broke backward compatibility for old swagger spec that kubectl still uses. The decision on #47448 was to revert this change but the change was not automatically revertible. Here I semi-manually remove all references to UnixUserID and UnixGroupID and updated generated files accordingly.
Please wait for tests to pass then review that as there may still be tests that are failing.
Fixes#47448
Adding release note just because the original PR has a release note. If possible, we should remove both release notes as they cancel each other.
**Release note**: (removed by caesarxuchao)
UnixUserID and UnixGroupID is reverted back as int64 to keep backward compatibility.
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert "Merge pull request #43946 from jhorwit2/jah/host-path-psp"
fixes#47863
This reverts commit b5eadb5d6b, reversing
changes made to 1889d654f5.
**What this PR does / why we need it**:
Revert whitelist host paths in psp due to API concerns. Please refer to https://github.com/kubernetes/kubernetes/pull/47811 for the concerns.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
cc @liggitt @ericchiang @smarterclayton
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Fix rawextension decoding in update
Fixes https://github.com/kubernetes/kubernetes/issues/47842
The `Create` handler was correctly decoding into the internal version, but the `Update` handler was not.
Top-level objects were not affected, because the type of the `New()` object returned by the rest handler governs the destination group/version/kind.
If a field within the object is of type `RawExtension`, and converts to a `runtime.Object` field in the internal object, the `runtime.Object` field provides no information about the desired group/version/kind, so the decoder's groupversioner governs.
This would manifest as the resthandler's Update function being given an internal top-level object with it's runtime.Object field containing an external object.
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Clear auth config when gcp app default credentials fail
**What this PR does / why we need it**:
Specific use case is when utilizing multiple gcp accounts, the user may provide credentials for the wrong account.
This change ensures the incorrect credentials are not cached in auth config, and logs an appropriate message.
**Which issue this PR fixes** : fixes#38075
**Special notes for your reviewer**:
**Release note**:
```release-note
Tokens retrieved from Google Cloud with application default credentials will not be cached if the client fails authorization
```
Automatic merge from submit-queue (batch tested with PRs 46604, 47634)
Added example for status errors in go client
This PR adds status error handling examples to the go client examples, for both in-cluster and out-of-cluster usage. Fixes https://github.com/kubernetes/client-go/issues/163
Automatic merge from submit-queue (batch tested with PRs 47726, 47693, 46909, 46812)
Plumb service resolver into webhook AC
This is the last piece of plumbing needed for https://github.com/kubernetes/features/issues/209
Automatic merge from submit-queue (batch tested with PRs 47669, 40284, 47356, 47458, 47701)
Serialized protobuf should have stable map order
Leverage `stable_marshaller_all` tag in gogo-protobuf to ensure all of our maps have stable ordering when serialized to protobuf. This preserves the behavior from JSON that we rely on to avoid writing to etcd except when the content has changed.
Will slightly increase allocations (1 slice per non-empty map in an object) during Encode, which has a minor impact on CPU. However, avoiding writes when a client issues a blind put results in significantly less CPU across the whole cluster (avoiding a new etcd version for an Endpoints object might save ~1 core/sec on large clusters).
Fixes#47678
```release-note
The protobuf serialization of API objects has been updated to store maps in a predictable order to ensure that the representation of that object does not change when saved into etcd. This prevents the same object from being seen as being modified, even when no values have changed.
```
Specific use case is when utilizing multiple
gcp accounts, the user may provide credentials
for the wrong account.
This change ensures the incorrect credentials
are not cached in auth config, and logs an
appropriate message.
Automatic merge from submit-queue
clientgo/examples: add ToC for examples
Also add authenticate- prefix to auth samples. This patch could use some
improvement explaining workqueue and TPR examples as I'm not entirely sure.
/assign @caesarxuchao
Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
Automatic merge from submit-queue
Fix api description
**What this PR does / why we need it**:
prefered -> preferred
the the -> the
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46884, 47557)
Rename DaemonSet and StatefulSet hash label
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47554
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @kow3ns
/cc @bgrant0607
@kubernetes/sig-apps-api-reviews
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
separate group and version priority
Fixes https://github.com/kubernetes/kubernetes/issues/46322
This just modifies the API and does the minimal plumbing. I can extend this pull or do another to fix the priority problem.
Automatic merge from submit-queue (batch tested with PRs 47510, 47516, 47482, 47521, 47537)
Fix typo in secretbox transformer prefix
Introduced by #46916 via cherry picked commit [here](12bb591dbf).
Urgent fix in my opinion, ideally should be merged before production.
@smarterclayton
Automatic merge from submit-queue (batch tested with PRs 47204, 46808, 47432, 47400, 47099)
disable GC for custom resources
xref https://github.com/kubernetes/kubernetes/issues/47431
This prevents GC on CustomResources so you don't get an uncleared finalizer that prevents deletion
Automatic merge from submit-queue (batch tested with PRs 47073, 47457, 47479)
audit: Fill in full ObjectRef, include in LevelMetadata
The previous implementation was missing several ObjectReference fields, including `APIVersion`, `Resource`, and `Subresource`. This PR adds those fields, and also fills in the `ObjectRef` when the level is `Metadata` (previously it was only filled for level `Request`).
For kubernetes/features#22
/cc @ericchiang @ihmccreery
Automatic merge from submit-queue (batch tested with PRs 46441, 43987, 46921, 46823, 47276)
Remove PartitionStatefulSetStrategyType
This PR removes PartitionStatefulSetStrategyType add adds a parameter to RollingUpdateStatefulSetStrategyType as described in the issue below. We need this PR to ensure that the StatefulSet API conforms to the existing API for DaemonSet.
fixes#46975
```release-note
NONE
```
@kargakis
@smarterclayton
@janetkuo
Automatic merge from submit-queue (batch tested with PRs 46441, 43987, 46921, 46823, 47276)
Azure plugin for client auth
This is an Azure Active Directory plugin for client authentification. It provides an integration with Azure CLI 2.0 login command. It can also be used standalone, in that case it will use the device code flow to acquire an access token.
More details are provided in the README.md file.
https://github.com/kubernetes/kubectl/issues/29
cc @brendandburns @colemickens
Automatic merge from submit-queue (batch tested with PRs 46929, 47391, 47399, 47428, 47274)
Remove empty lines from log
Everything() returns a new line end with "\n", it's not necessary
to add another one.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46678, 45545, 47375)
update gophercloud/gophercloud dependency
**What this PR does / why we need it**:
**Which issue this PR fixes**
fixes#44461
**Special notes for your reviewer**:
**Release note**:
```release-note
update gophercloud/gophercloud dependency for reauthentication fixes
```
Automatic merge from submit-queue
Made image as required in v1 Container struct.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47244
**Special notes for your reviewer**:
**Release note**:
```release-note
none
```
Automatic merge from submit-queue
bazel: stamp multiple packages by using x_defs instead of linkstamp in go_binary rules
**What this PR does / why we need it**: Fixes regression introduced sometime in the last few months that prevented bazel-built clusters from identifying version properly.
It does so by updating the bazelbuild/rules_go and kubernetes/repo-infra dependencies to support using stamp values in `go_binary` `x_defs`, and then changing our `go_binary` rules to use `x_defs` instead of `linkstamp`.
This whole charade is necessary because we need to stamp version information in multiple packages.
This pretty much only affects the bazel build, so it should be low risk.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#45298
**Special notes for your reviewer**: depends on https://github.com/kubernetes/repo-infra/pull/18; should not be merged before it.
**Release note**:
```release-note
NONE
```
/assign @spxtr @mikedanese
Automatic merge from submit-queue
StorageOS Volume Plugin
**What this PR does / why we need it**:
This PR adds a new volume plugin for StorageOS volumes. StorageOS runs as a container on Kubelet nodes, aggregating local or attached storage and making its capacity available to all nodes within the cluster. More information at http://storageos.com.
The StorageOS plugin supports:
1. Dynamic Provisioning using Storage Classes
2. Persistent Volumes and Persistent Volume Claims.
**Which issue this PR fixes**
A feature request has been created:
https://github.com/kubernetes/features/issues/190
This isn't on the schedule for 1.6 as I wasn't sure when it would be ready. We intend to make the StorageOS container openly available within the 1.6 lifetime.
**Special notes for your reviewer**:
Separate commits for feature and godep changes.
**Release note**:
```release-note
StorageOS Volume Driver
[StorageOS](http://www.storageos.com) can be used as a storage provider for Kubernetes. With StorageOS, capacity from local or attached storage is pooled across the cluster, providing converged infrastructure for cloud-native applications.
```
Automatic merge from submit-queue (batch tested with PRs 36376, 47251)
client-go: GetOptions for dynamic client
Looks like `GetOptions` were forgotten in the dynamic client. Without them it's hard to write a dynamic initializer controller (useful for custom resources).
Automatic merge from submit-queue
Make gcp auth provider not to override the Auth header if it's already exits
**What this PR does / why we need it**:
Make AuthProvider not wrap the transport if beartoken or basic auth is enabled
**Which issue this PR fixes** :
fixes#44476
**Special notes for your reviewer**:
**Release note**:
```
GCP auth plugin no longer overwrites existing Authorization headers.
```
Automatic merge from submit-queue
Allow pods to opt out of PodPreset mutation via an annotation on the pod
An annotation in the pod spec of the form:
podpreset.admission.kubernetes.io/PodPresetOptOut: "true"
Will cause the admission controller to skip manipulating the pod spec,
no matter the labelling.
This is an alternative implementation to pull #44163.
```release-note
Allow pods to opt out of PodPreset mutation via an annotation on the pod.
```
Automatic merge from submit-queue
Deprecated binding for 1.7
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#10043
```release-note
Deprecated Binding objects in 1.7.
```
Automatic merge from submit-queue (batch tested with PRs 46979, 47078, 47138, 46916)
Add a secretbox and AES-CBC path for encrypt at rest
Add a secretbox and AES-CBC encrypt at rest provider and alter the config, based on feedback from security review. AES-CBC is more well reviewed and generally fits better with common criteria and FIPS, secretbox is newer and faster than CBC.
```release-note
Add secretbox and AES-CBC encryption modes to at rest encryption. AES-CBC is considered superior to AES-GCM because it is resistant to nonce-reuse attacks, and secretbox uses Poly1305 and XSalsa20.
```
Automatic merge from submit-queue (batch tested with PRs 46979, 47078, 47138, 46916)
DeleteCollection should include uninitialized resources
Users who delete a collection expect all resources to be deleted, and
users can also delete an uninitialized resource. To preserve this
expectation, DeleteCollection selects all resources regardless of
initialization.
The namespace controller should list uninitialized resources in order to
gate cleanup of a namespace.
Fixes#47137
Automatic merge from submit-queue (batch tested with PRs 45877, 46846, 46630, 46087, 47003)
Remove duplicate errors from an aggregate error input.
This PR, in general, removes duplicate errors from an aggregate error input, and returns unique errors with their occurrence count. Specifically, this PR helps with some scheduler errors that fill the log enormously. For example, see the following `truncated` output from a 300-plus nodes cluster, as there was a same error from almost all nodes.
[SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found.........
After this PR, the output looks like (on a 2-node cluster):
SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected.(Count=2)
@derekwaynecarr @smarterclayton @kubernetes/sig-scheduling-pr-reviews
Fixes https://github.com/kubernetes/kubernetes/issues/47145
Automatic merge from submit-queue (batch tested with PRs 47024, 47050, 47086, 47081, 47013)
apiextensions-apiserver: Fix decoding of DeleteOptions.
Fixes#47072 by making apiextensions-apiserver capable of decoding unversioned DeleteOptions, rather than only handling Unstructured objects (i.e. Custom Resources).
This also closes#46736 and #37554 since the added regression test works for TPR as well.
Automatic merge from submit-queue (batch tested with PRs 47024, 47050, 47086, 47081, 47013)
client-go: deprecate TPR example and add CRD example
/cc @nilebox
Part of https://github.com/kubernetes/kubernetes/issues/46702
Users who delete a collection expect all resources to be deleted, and
users can also delete an uninitialized resource. To preserve this
expectation, DeleteCollection selects all resources regardless of
initialization.
The namespace controller should list uninitialized resources in order to
gate cleanup of a namespace.
Automatic merge from submit-queue (batch tested with PRs 46235, 44786, 46833, 46756, 46669)
implements StatefulSet update
**What this PR does / why we need it**:
1. Implements rolling update for StatefulSets
2. Implements controller history for StatefulSets.
3. Makes StatefulSet status reporting consistent with DaemonSet and ReplicaSet.
https://github.com/kubernetes/features/issues/188
**Special notes for your reviewer**:
**Release note**:
```release-note
Implements rolling update for StatefulSets. Updates can be performed using the RollingUpdate, Paritioned, or OnDelete strategies. OnDelete implements the manual behavior from 1.6. status now tracks
replicas, readyReplicas, currentReplicas, and updatedReplicas. The semantics of replicas is now consistent with DaemonSet and ReplicaSet, and readyReplicas has the semantics that replicas did prior to this release.
```
Automatic merge from submit-queue
Fix etcd storage location for CRs
Fixes https://github.com/kubernetes/kubernetes/issues/46031
The first commit is easy, the second commit is hard.
@sttts Read the second commit very carefully and search the repo to make sure that you agree this is only affecting aggregator and apiextensions.
@pmorie @derekwaynecarr make sure you check to see if service catalog is double prefixing. Looks like we missed it in 1.6, but no one was using it.
Automatic merge from submit-queue (batch tested with PRs 47083, 44115, 46881, 47082, 46577)
Revert "Optimize selector for single-matching items"
This reverts commit f93a270edc.
Fix: #46851
@smarterclayton
The problem was that removing the requirement from the predicate resulted in not using "trigger" function in Cacher, which is super critical for performance. And this was messed up.
Automatic merge from submit-queue (batch tested with PRs 47083, 44115, 46881, 47082, 46577)
Add an e2e test for server side get
Print a better error from the response. Performs validation to ensure it
does not regress in alpha state.
This is tests and bug fixes for https://github.com/kubernetes/community/pull/363
@kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 46718, 46828, 46988)
Update docs/ links to point to main site
**What this PR does / why we need it**:
This updates various links to either point to kubernetes.io or to the kubernetes/community repo instead of the legacy docs/ tree in k/k
Pre-requisite for #46813
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-docs-maintainers @chenopis @ahmetb @thockin
Automatic merge from submit-queue (batch tested with PRs 46718, 46828, 46988)
handle unversioned objects for encoding for CRs
Fixes https://github.com/kubernetes/kubernetes/issues/47036
This updates the encoding for "special" types like `Status` when coming back through the CR APIs. It also closes a bug this allowed to be exposed in validation for CRs
xref: https://github.com/kubernetes/features/issues/95
Automatic merge from submit-queue
add gzip compression to GET and LIST requests
Fixes https://github.com/kubernetes/kubernetes/issues/44164
Enable compressed response bodies for non-watch GET and LIST requests on API Objects.
**What this PR does / why we need it**: Adds compression via Accept-Encoding header, returns Content-Encoding header on responses (only supports gzip at this time). Enabled solely for GET and LIST requests which can return very large response bodies.
**Special notes for your reviewer**:
See https://github.com/kubernetes/kubernetes/issues/44164 for discussion.
**Release note**:
```release-note-
```
Automatic merge from submit-queue
Rename {kube- ->}apiextensions-{-> api}server
Completely mechanical renaming, as preparation of the repo sync. This repo is generic, the prefix does not make sense.
Part of issue https://github.com/kubernetes/kubernetes/issues/46702
TODOs
- [ ] Waiting for the submit queue to settle, then rebase.
Automatic merge from submit-queue (batch tested with PRs 46897, 46899, 46864, 46854, 46875)
[advanced audit] fix invalid status code for hijacker
Fixes#47035
When using hijacker to take over the connection, the http status code
should be 101 not 200.
PS:
Use "kubectl exec" as an example to review this change.
Part of https://github.com/kubernetes/features/issues/22
Automatic merge from submit-queue (batch tested with PRs 46112, 46764, 46727, 46974, 46968)
empty audit policy file is legal configuration
Empty audit policy file or policy file contains only comments means
using default audit level for all requests.
**Release note**:
```
NONE
```
Part of https://github.com/kubernetes/features/issues/22
Automatic merge from submit-queue
Add EmptyDir volume capacity isolation
This PR adds the support for isolating the emptyDir volume use. If user
sets a size limit for emptyDir volume, kubelet's eviction manager monitors its usage
and evict the pod if the usage exceeds the limit.
This feature is part of local storage capacity isolation and described in the proposal kubernetes/community#306
**Release note**:
```release-note
Alpha feature: allows users to set storage limit to isolate EmptyDir volumes. It enforces the limit by evicting pods that exceed their storage limits
```
Automatic merge from submit-queue (batch tested with PRs 46967, 46992, 43338, 46717, 46672)
Generate protobuf for the audit API
Add protobuf generation & annotations for the advanced auditing API. We're not using them directly now, but settling on the field numbering will help with some 3rd party integrations.
For kubernetes/features#22
/cc @ihmccreery
Automatic merge from submit-queue (batch tested with PRs 46967, 46992, 43338, 46717, 46672)
Add group alias names to API resources to allow discovery
**What this PR does / why we need it**:
Adds `GroupNames []string` to API resources, which represents the list of group aliases that every resource belongs to.
Partially fixes https://github.com/kubernetes/kubernetes/issues/41353
This moves the logic of "all" (which currently [translates](fbc94c0896/pkg/kubectl/cmd/util/shortcut_restmapper.go (L106)) to "pods,replicationcontrollers,services,...") to the server-side. Will allow clients like `kubectl` to discover group aliases instead of having it hardcoded and the API server to better handle consistency across multiple clients, version skew, etc; and will make "all" un-special and allow other groups to be created.
As a follow-up we'll patch `kubectl` to make groups aliases discoverable and the hardcoded list a fallback while we still have to support it.
Related to https://github.com/kubernetes/kubernetes/pull/42595#issuecomment-286839885.
**Release note**:
```release-note
Adds the `Categories []string` field to API resources, which represents the list of group aliases (e.g. "all") that every resource belongs to.
```
@kubernetes/sig-api-machinery-misc @deads2k @bgrant0607
Automatic merge from submit-queue (batch tested with PRs 46967, 46992, 43338, 46717, 46672)
deflake CRD watch tests
Fixes https://github.com/kubernetes/kubernetes/issues/46446. Again...
This flake window is caused by the watch cache starting late. This pull updates the test to do fancy list/create/watch/delete semantics to catch the problem. In the field, this should be treated the same as any other "resourceVersion tool old" error and handled with a list/watch. The test cannot be level driven, it is actually testing the edge behavior, so we have to do something weird like this.
@sttts @liggitt let's try this again...
Automatic merge from submit-queue (batch tested with PRs 44883, 46836, 46765, 46683, 46050)
Fix round-trip of Unstructured.OwnerReferences
**What this PR does / why we need it**:
Previously `setOwnerReference()` was storing pointers but `extractOwnerReference()` is expecting pointer fields as plain values so it cannot read those pointers. And hence you cannot read what you've just stored.
**Which issue this PR fixes**
#46817
**Special notes for your reviewer**:
This is similar to #43346.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44883, 46836, 46765, 46683, 46050)
update copyed doc for advanced audit
doc for WithAudit is copyed from WithLegacyAudit, it's out of date.
This change update doc for these two functions.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46550, 46663, 46816, 46820, 46460)
Add configuration for encryption providers
## Additions
Allows providing a configuration file (using flag `--experimental-encryption-provider-config`) to use the existing AEAD transformer (with multiple keys) by composing mutable transformer, prefix transformer (for parsing providerId), another prefix transformer (for parsing keyId), and AES-GCM transformers (one for each key). Multiple providers can be configured using the configuration file.
Example configuration:
```
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- namespaces
providers:
- aes:
keys:
- name: key1
secret: c2vjcmv0iglzihnly3vyzq==
- name: key2
secret: dghpcybpcybwyxnzd29yza==
- identity: {}
```
Need for configuration discussed in:
#41939
[Encryption](3418b4e4c6/contributors/design-proposals/encryption.md)
**Pathway of a read/write request**:
1. MutableTransformer
2. PrefixTransformer reads the provider-id, and passes the request further if that matches.
3. PrefixTransformer reads the key-id, and passes the request further if that matches.
4. GCMTransformer tries decrypting and authenticating the cipher text in case of reads. Similarly for writes.
## Caveats
1. To keep the command line parameter parsing independent of the individual transformer's configuration, we need to convert the configuration to an `interface{}` and manually parse it in the transformer. Suggestions on better ways to do this are welcome.
2. Flags `--encryption-provider` and `--encrypt-resource` (both mentioned in [this document](3418b4e4c6/contributors/design-proposals/encryption.md) ) are not supported in this because they do not allow more than one provider, and the current format for the configuration file possibly supersedes their functionality.
3. Currently, it can be tested by adding `--experimental-encryption-provider-config=config.yml` to `hack/local-up-cluster.sh` on line 511, and placing the above configuration in `config.yml` in the root project directory.
Previous discussion on these changes:
https://github.com/sakshamsharma/kubernetes/pull/1
@jcbsmpsn @destijl @smarterclayton
## TODO
1. Investigate if we need to store keys on disk (per [encryption.md](3418b4e4c6/contributors/design-proposals/encryption.md (option-1-simple-list-of-keys-on-disk)))
2. Look at [alpha flag conventions](https://github.com/kubernetes/kubernetes/blob/master/pkg/features/kube_features.go)
3. Need to reserve `k8s:enc` prefix formally for encrypted data. Else find a better way to detect transformed data.
Automatic merge from submit-queue (batch tested with PRs 46550, 46663, 46816, 46820, 46460)
Update cAdvisor version to v0.26.0
issue: #46658
I have requested a 1 day exception for code freeze.
/assign @dchen1107
```release-note
Fix disk partition discovery for brtfs
Add ZFS support
Add overlay2 storage driver support
```
Handle failure cases on startup gracefully to avoid causing cascading
errors and poor initialization in other components. Initial errors from
config load cause the initializer to pause and hold requests. Return
typed errors to better communicate failures to clients.
Add code to handle two specific cases - admin wants to bypass
initialization defaulting, and mirror pods (which want to bypass
initialization because the kubelet owns their lifecycle).
This PR adds two features:
1. add support for isolating the emptyDir volume use. If user
sets a size limit for emptyDir volume, kubelet's eviction manager
monitors its usage
and evict the pod if the usage exceeds the limit.
2. add support for isolating the local storage for container overlay. If
the container's overly usage exceeds the limit defined in container
spec, eviction manager will evict the pod.
An annotation in the pod spec of the form:
podpreset.admission.kubernetes.io/exclude: "true"
Will cause the admission controller to skip manipulating the pod spec,
no matter the labelling.
The annotation for a podpreset acting on a pod has also been slightly
modified to contain a podpreset prefix:
podpreset.admission.kubernetes.io/podpreset-{name} = resource version
Fixes#44161
Automatic merge from submit-queue (batch tested with PRs 46734, 46810, 46759, 46259, 46771)
OpenAPI aggregation for kube-aggregator
This PR implements OpenAPI aggregation layer for kube-aggregator. On each API registration, it tries to download swagger.spec of the user api server. On failure it will try again next time (either on another add or get /swagger.* on aggregator server) up to five times. To merge specs, it first remove all unrelated paths from the downloaded spec (anything other than group/version of the API service) and then remove all unused definitions. Adding paths are straightforward as they won't have any conflicts, but definitions will most probably have conflicts. To resolve that, we would reused any definition that is not changed (documentation changes are fine) and rename the definition otherwise.
To use this PR, kube aggregator should have nonResourceURLs (for get verb) to user apiserver.
```release-note
Support OpenAPI spec aggregation for kube-aggregator
```
fixes: #43717
Automatic merge from submit-queue
delete the useless "gv" in Errorf
Signed-off-by: yupengzte <yu.peng36@zte.com.cn>
**What this PR does / why we need it**:
Fix "no formatting directive in Errorf call"
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 46681, 46786, 46264, 46680, 46805)
Enable Dialer on the Aggregator
Centralize the creation of the dialer during startup.
Have the dialer then passed in to both APIServer and Aggregator.
Aggregator the uses the dialer as its Transport base.
**What this PR does / why we need it**:Enables the Aggregator to use the Dialer/SSHTunneler to connect to the user-apiserver.
**Which issue this PR fixes** : fixes ##46679
**Special notes for your reviewer**:
**Release note**: None
Automatic merge from submit-queue (batch tested with PRs 46681, 46786, 46264, 46680, 46805)
Add annotation for image policy webhook fail open.
**What this PR does / why we need it**: there's no good way to audit log if binary verification fails open. Adding an annotation can solve that, and provide a useful tool to audit [non-malicious] containers.
**Release note**: add the annotation "alpha.image-policy.k8s.io/failed-open=true" to pods created when the image policy webhook fails open.
```release-note
Add the `alpha.image-policy.k8s.io/failed-open=true` annotation when the image policy webhook encounters an error and fails open.
```
Automatic merge from submit-queue (batch tested with PRs 40760, 46706, 46783, 46742, 46751)
Pre-generate SNI test certs
Pre-generates test certs for SNI tests, since doing this dynamically can take a loooong time in entropy-starved or CPU-bound test envs (like in a container).
Automatic merge from submit-queue
Implement Daemonset history
~Depends on #45867 (the 1st commit, ignore it when reviewing)~ (already merged)
Ref https://github.com/kubernetes/community/pull/527/ and https://github.com/kubernetes/community/pull/594
@kubernetes/sig-apps-api-reviews @kubernetes/sig-apps-pr-reviews @erictune @kow3ns @lukaszo @kargakis
---
TODOs:
- [x] API changes
- [x] (maybe) Remove rollback subresource if we decide to do client-side rollback
- [x] deployment controller
- [x] controller revision
- [x] owner ref (claim & adoption)
- [x] history reconstruct (put revision number, hash collision avoidance)
- [x] de-dup history and relabel pods
- [x] compare ds template with history
- [x] hash labels (put it in controller revision, pods, and maybe deployment)
- [x] clean up old history
- [x] Rename status.uniquifier when we reach consensus in #44774
- [x] e2e tests
- [x] unit tests
- [x] daemoncontroller_test.go
- [x] update_test.go
- [x] ~(maybe) storage_test.go // if we do server side rollback~
kubectl part is in #46144
---
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 46620, 46732, 46773, 46772, 46725)
Instrument advanced auditing
Add prometheus metrics for audit logging, including:
- A total count of audit events generated and sent to the output backend
- A count of audit events that failed to be audited due to an error (per backend)
- A count of request audit levels (1 per request)
For https://github.com/kubernetes/features/issues/22
- [x] TODO: Call `HandlePluginError` from the webhook backend, once https://github.com/kubernetes/kubernetes/pull/45919 merges (in this or a separate PR, depending on timing of the merge)
/cc @ihmccreery @sttts @soltysh @ericchiang
Automatic merge from submit-queue
Add initializer support to admission and uninitialized filtering to rest storage
Initializers are the opposite of finalizers - they allow API clients to react to object creation and populate fields prior to other clients seeing them.
High level description:
1. Add `metadata.initializers` field to all objects
2. By default, filter objects with > 0 initializers from LIST and WATCH to preserve legacy client behavior (known as partially-initialized objects)
3. Add an admission controller that populates .initializer values per type, and denies mutation of initializers except by certain privilege levels (you must have the `initialize` verb on a resource)
4. Allow partially-initialized objects to be viewed via LIST and WATCH for initializer types
5. When creating objects, the object is "held" by the server until the initializers list is empty
6. Allow some creators to bypass initialization (set initializers to `[]`), or to have the result returned immediately when the object is created.
The code here should be backwards compatible for all clients because they do not see partially initialized objects unless they GET the resource directly. The watch cache makes checking for partially initialized objects cheap. Some reflectors may need to change to ask for partially-initialized objects.
```release-note
Kubernetes resources, when the `Initializers` admission controller is enabled, can be initialized (defaulting or other additive functions) by other agents in the system prior to those resources being visible to other clients. An initialized resource is not visible to clients unless they request (for get, list, or watch) to see uninitialized resources with the `?includeUninitialized=true` query parameter. Once the initializers have completed the resource is then visible. Clients must have the the ability to perform the `initialize` action on a resource in order to modify it prior to initialization being completed.
```
Automatic merge from submit-queue
update gophercloud that fixed code format
**What this PR does / why we need it**:
mainly to include [#265](https://github.com/gophercloud/gophercloud/pull/265), which fixed the code format including below two files:
* vendor/github.com/gophercloud/gophercloud/openstack/blockstorage/v1/apiversions/urls.go
* vendor/github.com/gophercloud/gophercloud/openstack/compute/v2/images/results.go
When using hijacker to take over the connection, the http status code
should be 101 not 200.
PS:
Use "kubectl exec" as an example to review this change.
Automatic merge from submit-queue (batch tested with PRs 46456, 46675, 46676, 46416, 46375)
prevent illegal verb/name combinations in default policy rules
Names aren't presented with some kinds of "normal" verbs. This prevents people from making common mistakes.
@timothysc as I noted in your pull. This will prevent some classes of errors.
Automatic merge from submit-queue (batch tested with PRs 46456, 46675, 46676, 46416, 46375)
Fix doc about Verb for advanced audit feature
This patch is commited to address the following comment:
https://github.com/kubernetes/kubernetes/pull/45315#discussion_r117107507
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46239, 46627, 46346, 46388, 46524)
Dynamic webhook admission control plugin
Unit tests pass.
Needs plumbing:
* [ ] service resolver (depends on @wfender PR)
* [x] client cert (depends on ????)
* [ ] hook source (depends on @caesarxuchao PR)
Also at least one thing will need to be renamed after Chao's PR merges.
```release-note
Allow remote admission controllers to be dynamically added and removed by administrators. External admission controllers make an HTTP POST containing details of the requested action which the service can approve or reject.
```
Automatic merge from submit-queue (batch tested with PRs 46239, 46627, 46346, 46388, 46524)
move labels to components which own the APIs
During the apimachinery split in 1.6, we accidentally moved several label APIs into apimachinery. They don't belong there, since the individual APIs are not general machinery concerns, but instead are the concern of particular components: most commonly the kubelet. This pull moves the labels into their owning components and out of API machinery.
@kubernetes/sig-api-machinery-misc @kubernetes/api-reviewers @kubernetes/api-approvers
@derekwaynecarr since most of these are related to the kubelet
Automatic merge from submit-queue (batch tested with PRs 46726, 41912, 46695, 46034, 46551)
Event aggregation: include latest event message in aggregate event
**What this PR does / why we need it**:
This changes the event aggregation behavior so that, when multiple events are deduplicated, the aggregated event includes the message of the latest related event.
This fixes an issue where the original event expires due to TTL, and the aggregate event doesn't contain any useful message.
**Which issue this PR fixes**:
fixes#45971
```release-note
Duplicate recurring Events now include the latest event's Message string
```
Add support for creating resources that are not immediately visible to
naive clients, but must first be initialized by one or more privileged
cluster agents. These controllers can mark the object as initialized,
allowing others to see them.
Permission to override initialization defaults or modify an initializing
object is limited per resource to a virtual subresource "RESOURCE/initialize"
via RBAC.
Initialization is currently alpha.
Automatic merge from submit-queue (batch tested with PRs 46801, 45184, 45930, 46192, 45563)
Tweak client-gen to support metrics API
This PR adds support to client-gen for readonly APIs as well as for customizing the resource name used for a given type.
This is required to support the clients generated for `k8s.io/metrics/pkg/apis/metrics`.
cc @caesarxuchao
Currently based on #45180
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46648, 46500, 46238, 46668, 46557)
Admissionregistration nonnamespace
The two types are root scoped.
Just adding a couple of tags. Other code is generated.
Haoran Wang