Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix Forward chain default reject policy for IPVS proxier
**What this PR does / why we need it**:
Testing with the IPVS mode proxier on a host with iptables FORWARD policy = DROP, as configured by docker in recent versions, I found that traffic to NodePorts failed when the NodePort forwarded the traffic to another node.
Saw the iptables FORWARD=DROP counter increasing with each packet.
IPVS mode should whitelist such traffic in a similar way to the iptables mode:
PR implementing the fix for iptables mode: #52569
**Which issue(s) this PR fixes**:
Fixes#59656
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix Forward chain default reject policy for IPVS proxier
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
not return 500 status code for insufficient quota
This is not an unexpected error, so it should not return a 500 code, I think.
@derekwaynecarr
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Show help for deprecated Kubelet flags
We recently deprecated a bunch of Kubelet flags, which caused them to disappear from `--help` output. This PR unhides these flags, so that the deprecation notice is clearly visible in `--help`.
Fixes: #62009
```release-note
NONE
```
/cc @eparis
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
use glog.Infof instead of glog.Info in volumn_host
**What this PR does / why we need it**:
use glog.Infof instead of glog.Info
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[GCE] Loadbalancer Tests
**What this PR does / why we need it**:
* Refactors existing Loadbalancer tests
- Create a new v1.Service per test, instead of a global one
- Encapsulate checking resource creation/deletion for internal and external loadbalancers in functions
* Adds tests for `gce_loadbalancer.go` - brings coverage from 10.3% -> 65.4%
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: add better test coverage to version.go
**What this PR does / why we need it**:
This PR adds unit tests for the file `kubeadm/app/cmd/version.go` via `version_test.go`. Test coverage is increased to 90% for this file. only a couple of functions are tested.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
None
**Special notes for your reviewer**:
related PRs:
https://github.com/kubernetes/kubernetes/pull/59220https://github.com/kubernetes/kubernetes/pull/58540
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58540, 62314). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add ability to specify port for kubeadm `API.ControlPlaneEndpoint`
**What this PR does / why we need it**:
When `API.ControlPlaneEndpoint` is used, the `BindPort` of the
apiserver is currently assumed, which means a load balancer cannot
listen on a different port than the apiserver. This extends the
`ControlPlaneEndpoint` to take an optional port which may differ
from the apiserver's `BindPort`.
**Release note**:
```release-note
The kubeadm config option `API.ControlPlaneEndpoint` has been extended to take an optional port which may differ from the apiserver's bind port.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: add better test coverage to reset.go
**What this PR does / why we need it**:
a PR for adding some more tests in `kubeadm/cmd` for `reset.go`.
increasing coverage from ~11% to ~92%
the remaining 8% are kind of hard to test or not worth the complexity.
original idea to add more tests in kubeadm was suggested to me by @luxas at slack.
in time, i might add better coverage to all cmd `.go` files.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
please, link issue # if you know of such.
**Special notes for your reviewer**:
none
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62486, 62471, 62183). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
provision kubelet config file for GCE instead of deprecated flags
Many Kubelet flags are now deprecated in favor of the versioned config file format. This PR adopts the versioned config file format in our cluster turn-up scripts.
```release-note
cluster/kube-up.sh now provisions a Kubelet config file for GCE via the metadata server. This file is installed by the corresponding GCE init scripts.
```
Automatic merge from submit-queue (batch tested with PRs 62486, 62471, 62183). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
sarapprover: remove self node cert
The functionality to bootstrap node certificates is ready but is blocked by a separable issue discussed in: https://github.com/kubernetes/community/pull/1982. The functionality could be useful for power users who want to write their own approvers if the feature could be promoted to beta. In it's current state this feature doesn't help anybody.
I propose that we remove automated approval of node serving certificates for now and work towards getting the node functionality to beta.
cc @awly @kubernetes/sig-auth-pr-reviews
```release-note
Remove alpha functionality that allowed the controller manager to approve kubelet server certificates.
```
Automatic merge from submit-queue (batch tested with PRs 62486, 62471, 62183). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
CSI - Update to apply fsGroup volume ownership
**What this PR does / why we need it**:
This PR correctly fixes the CSI internal driver to apply fsGroup volume ownership value during mount.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62413
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61306, 60270, 62496, 62181, 62234). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Handle partial group and resource responses consistently
GetAPIGroupResources tolerates partial discovery responses to provide as much information to the caller as possible.
Before skipping a particular error response, check whether the response was accompanied by partial group or resource data.
There's an existing TODO to propagate partial errors that I plan to address in a follow-up, but that had more ripples and I wanted to correct this first.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61306, 60270, 62496, 62181, 62234). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
split up the huge set of flags into smaller option structs
**What this PR does / why we need it**:
To make generic, we do following work:
1. Spliting `KubeControllerManagerConfiguration` in kube-controller-manager and cloud-controller-manager into fewer smaller struct options order by controller, and modify relative flag. Also part of #59483.
2. Spliting `componentconfig` in controller-manager into fewer smaller config order by controller too.
All works follow #59582, using `option+config` logic.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
cluster/gce/list-resources.sh: also list stackdriver logging sinks
**What this PR does / why we need it**: we seem to be logging stackdriver logging sinks on GCE, likely because we're not keeping track of them. (ref https://github.com/kubernetes/test-infra/issues/7295)
This doesn't fix the leaks, but it'll hopefully help us detect when that happens.
**Release note**:
```release-note
NONE
```
cc @krzyzacy @crassirostris @summit
When `API.ControlPlaneEndpoint` is used, the `BindPort` of the
apiserver is currently assumed, which means a load balancer cannot
listen on a different port than the apiserver. This extends the
`ControlPlaneEndpoint` to take an optional port which may differ
from the apiserver's `BindPort`.
This PR extends the client-side startup scripts to provision a Kubelet
config file instead of legacy flags. This PR also extends the
master/node init scripts to install this config file from the GCE
metadata server, and provide the --config argument to the Kubelet.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
root OWNERS: escape backslashes in filters
**What this PR does / why we need it**: I didn't properly test my change in #62484, and now the OWNERS file is failing to parse:
```console
$ yq '.' OWNERS
yq: Error running jq: ScannerError: while scanning a double-quoted scalar
in "OWNERS", line 22, column 3
found unknown escape character '.'
in "OWNERS", line 22, column 5.
```
(The approval bot is similarly having trouble parsing.)
@cjwagner suspects the backslashes need to be escaped, and that indeed seems to work:
```console
$ yq '.' OWNERS
{
"filters": {
".*": {
"reviewers": [
"brendandburns",
"dchen1107",
"jbeda",
"lavalamp",
"smarterclayton",
"thockin"
],
"approvers": [
"bgrant0607",
"brendandburns",
"dchen1107",
"jbeda",
"monopole",
"lavalamp",
"smarterclayton",
"thockin",
"wojtek-t"
]
},
"\\.bzl$": {
"reviewers": [
"ixdy"
],
"approvers": [
"ixdy"
]
},
"BUILD(\\.bazel)?$": {
"approvers": [
"ixdy"
]
}
}
}
```
**Release note**:
```release-note
NONE
```
/assign @cjwagner
cc @cblecker @smarterclayton @bgrant0607
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
check etcd servers by a random order
**What this PR does / why we need it**:
Every time a health check is called on the APIServer via the /healthz endpoint, an etcd healthcheck is performed. Here makes servers check with a random order.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61180
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
The functionality to bootstrap node certificates is ready but is blocked
by a seperable issue discussed in:
https://github.com/kubernetes/community/pull/1982. The functionality
could be useful for power users who want to write their own approvers if
the feature could be promoted to beta. In it's current state this
feature doesn't help anybody.
I propose that we remove automated approval of node serving certificates
for now and work towards getting the node functionality to beta.
Automatic merge from submit-queue (batch tested with PRs 60476, 62462, 61391, 62535, 62394). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Revert "git: Use VolumeHost.GetExec() to execute stuff in volume plugins"
This reverts commit c578542ad7 (PR #51098). The PR added support for containerized git, on the other hand it required git 1.8.5. This breaks git volumes on older distros (CentOS 7, Ubuntu 14.04) that have old git.
Git volumes are getting deprecated (https://github.com/kubernetes/kubernetes/issues/60999) so we should restore it to the last working state and not touch it any longer.
**Release note**:
```release-note
gitRepo volumes in pods no longer require git 1.8.5 or newer, older git versions are supported too now.
```
I'd like to cherry-pick it into 1.10.
/sig storage
Automatic merge from submit-queue (batch tested with PRs 60476, 62462, 61391, 62535, 62394). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use function aws.Int64Value replace of deprecated function orZero
**What this PR does / why we need it**:
```
// orZero returns the value, or 0 if the pointer is nil
// Deprecated: prefer aws.Int64Value
func orZero(v *int64) int64 {
return aws.Int64Value(v)
}
```
Use function aws.Int64Value replace of deprecated function orZero and remove unused orZero .
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60476, 62462, 61391, 62535, 62394). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Private mount propagation
This PR changes the default mount propagation from "rslave" (newly added in 1.10) to "private" (default in 1.9 and before). "rslave" as default causes regressions, see below.
Value `"None"` has to be added to `MountPropagationMode` enum in API ("I don't want any propagation at all"), which translates to "private" on Linux. [We did not have use cases for it](https://github.com/kubernetes/community/pull/659#discussion_r131454319), but we have them now.
**Which issue(s) this PR fixes**
Fixes#62397, fixes#62396
**Special notes for your reviewer**:
CRI already has an option for private mount propagation in volumes, however it's called "PRIVATE", while Kubernetes API value is "None". I did not change PRIVATE to NONE to keep the interface stable. See `kubelet_pods.go`.
**Release note**:
```release-note
Default mount propagation has changed from "HostToContainer" ("rslave" in Linux terminology) to "None" ("private") to match the behavior in 1.9 and earlier releases. "HostToContainer" as a default caused regressions in some pods.
```
/sig storage
/sig node
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove invalid TODOs in kubeadm constants.
**What this PR does / why we need it**:
These TODOs are invalid now.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref https://github.com/kubernetes/kubeadm/issues/571#issuecomment-347408384
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix flaky crd e2e tests
Fixes#62345
/sig api-machinery
/kind flake
/priority failing-test
From the issue:
> All the tests that rely on creating a CustomResourceDefinition are flaky. This is because the test "AdmissionWebhook Should be able to deny custom resource creation" creates a validating webhook, called deny-crd.k8s.io, which denies all crd creations. This is an issue for any other test which will create a crd that gets run in parallel with that webhook test, causing them to fail with the message failed to create CustomResourceDefinition: admission webhook "deny-crd.k8s.io" denied the request: this webhook denies all requests
This PR changes the test webhook image to support handling a new "/crd" path which would accept and deny crd creations based on their labels, only denying if if the object has the label ```"webhook-e2e-test":"webhook-disallow"```, and updates the "AdmissionWebhook Should be able to deny custom resource creation" test to use that label.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixes kubeadm upgrade plan output
Closeskubernetes/kubeadm#713
Aligns `kubeadm upgrade plan` output when kubelets have different versions.
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This PR fixes the output of `kubeadm upgrade plan` when kubelets have different versions.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#713
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62467, 62482, 62211). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Improve performance of affinity/anti-affinity predicate by 20x in large clusters
**What this PR does / why we need it**:
Improves performance of affinity/anti-affinity predicate by over 20x in large clusters. Performance improvement is smaller in small clusters, but it is still very significant and is about 4x. Also, before this PR, performance of the predicate was dropping quadratically with increasing size of nodes and pods. As the results shows, the slow down is now linear in larger clusters.
Affinity/anti-affinity predicate was checking all pods of the cluster for each node in the cluster to determine feasibility of affinit/anti-affinity terms of the pod being scheduled. This optimization first finds all the pods in a cluster that match the affinity/anti-affinity terms of the pod being scheduled once and stores the metadata. It then only checks the topology of the matching pods for each node in the cluster.
This results in major reduction of the search space per node and improves performance significantly.
Below results are obtained by running scheduler benchmarks:
```
make test-integration WHAT=./test/integration/scheduler_perf KUBE_TEST_ARGS="-run=xxx -bench=.*BenchmarkSchedulingAntiAffinity"
```
```
AntiAffinity Topology: Hostname
before: BenchmarkSchedulingAntiAffinity/500Nodes/250Pods-12 37031638 ns/op
after: BenchmarkSchedulingAntiAffinity/500Nodes/250Pods-12 10373222 ns/op
before: BenchmarkSchedulingAntiAffinity/500Nodes/5000Pods-12 134205302 ns/op
after: BenchmarkSchedulingAntiAffinity/500Nodes/5000Pods-12 12000580 ns/op
befor: BenchmarkSchedulingAntiAffinity/1000Nodes/10000Pods-12 498439953 ns/op
after: BenchmarkSchedulingAntiAffinity/1000Nodes/10000Pods-12 24692552 ns/op
AntiAffinity Topology: Region
before: BenchmarkSchedulingAntiAffinity/500Nodes/250Pods-12 60003672 ns/op
after: BenchmarkSchedulingAntiAffinity/500Nodes/250Pods-12 13346400 ns/op
before: BenchmarkSchedulingAntiAffinity/1000Nodes/10000Pods-12 600085491 ns/op
after: BenchmarkSchedulingAntiAffinity/1000Nodes/10000Pods-12 27783333 ns/op
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
ref/ #56032#47318#25319
**Release note**:
```release-note
improve performance of affinity/anti-affinity predicate of default scheduler significantly.
```
/sig scheduling
Automatic merge from submit-queue (batch tested with PRs 62467, 62482, 62211). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Ensure resources created by `run --rm` are cleaned up
**Release note**:
```release-note
NONE
```
Resources created by `kubectl run --rm ...` are now cleaned up, even in the event of an error.
Relevant downstream issue: https://github.com/openshift/origin/issues/13276
cc @soltysh
Automatic merge from submit-queue (batch tested with PRs 62467, 62482, 62211). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix nsenter GetFileType issue in containerized kubelet
**What this PR does / why we need it**:
UnmountDevice would fail in containerized kubelet in v1.9.x, and in the end, pod with volume mount could not be scheduled from one node to another since the original volume will never be released. This PR fixed this issue.
In [nsenter_mount.GetFileType func](https://github.com/kubernetes/kubernetes/blob/master/pkg/util/mount/nsenter_mount.go#L238), return error of following code will be different than [mount_linux.GetFileType func](https://github.com/kubernetes/kubernetes/blob/master/pkg/util/mount/mount.go#L347)
```
outputBytes, err := mounter.ne.Exec("stat", []string{"-L", `--printf "%F"`, pathname}).CombinedOutput()
```
Return error and output would be like following in nsenter_mount.GetFileType func:
error: `exit status 1`
output: `/usr/bin/stat: cannot stat '2': No such file or directory`
This PR makes the return error consistent as mount_linux.GetFileType func, and finally makes [isDeviceOpened func](https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/util/operationexecutor/operation_generator.go#L1340) work.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62282
**Special notes for your reviewer**:
/assign @dixudx
**Release note**:
```
fix nsenter GetFileType issue in containerized kubelet
```
/sig node
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add msau42 to approvers for volume scheduling
**What this PR does / why we need it**:
Add me as an approver for the volume scheduling code
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
The err has checked in TearDownAt func/kind bug
**What this PR does / why we need it**:
The err has checked in TearDownAt func/kind bug
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61608, 62304). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove isNotDir error check
**What this PR does / why we need it**:
This check was supposed to handle the "subpath file" scenario, but:
1. It's wrong (should have been !)
2. It's not needed anymore. `IsLikelyNotMountPoint` was fixed to handle file mounts via https://github.com/kubernetes/kubernetes/pull/58433
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
PSP: move internal types to policy API group
**What this PR does / why we need it**:
This is a part of the PSP migration from extensions to policy API group. This PR moves internal types to the its final destination.
**Which issue(s) this PR fixes**:
Addressed to https://github.com/kubernetes/features/issues/5
vikaschoudhary16