Automatic merge from submit-queue (batch tested with PRs 48583, 48605, 48601)
apimachinery+apiserver: separate test types in their own packages
Preparation for static deepcopy https://github.com/kubernetes/kubernetes/pull/48544
and its use of package-global deepcopy-gen tags for all runtime.Objects.
- [x] wait for #48497
Automatic merge from submit-queue (batch tested with PRs 48583, 48605, 48601)
support json output for log backend of advanced audit
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
Add json format support for advanced audit in apiserver. Use --audit-log-format=json to emit json to log backend.
```
Automatic merge from submit-queue
Record 429 and timeout errors to prometheus
Allows gathering of load being shed.
Fixes#48559
@deads2k please review, there was a logic error in apiserver RequestInfo (minor, fortunately)
```release-note
Requests with the query parameter `?watch=` are treated by the API server as a request to watch, but authorization and metrics were not correctly identifying those as watch requests, instead grouping them as list calls.
```
Automatic merge from submit-queue (batch tested with PRs 48497, 48604, 48599, 48560, 48546)
remove dead code
This removes the dead code cruft since we stopped serving TPRs.
ref #48152
Automatic merge from submit-queue (batch tested with PRs 48497, 48604, 48599, 48560, 48546)
audit: fix deepcopy registration
Remove manual registration into scheme by fixing the deepcopy tag of the api group.
This is part 2 of the effort to update ChoseHostInterface() to support IPv6
addresses (as part of issue 44848). This changeset includes:
- Supports finding IPv6 host addresses from default routes (but currently only
provided with IPv4 default routes).
- getRoutes() filters for default routes.
- getFinalIP() checks that IP is in requested family. Uses IsGlobalUnicast(),
instead of explicit tests for loopback, multicast, and link-local IPs.
- getIPFromInterace() checks for family requested.
- chooseHostInterfaceFromRoute()
* Quickly exits, if no default routes.
* Since only getting default routes, no check here.
* Searches all default routes for IPv4 addresses, and then searches all
default routes for IPv6 addresses (for backwards compatibility).
- More coverage in UTs (87.8% vs 62.6%).
- Better testing of error conditions/results.
- Tests for IPv6 IPs, throughout functions.
- Reduced duplicate testing for items tested at lower levels.
Commit has been rebased on top of PR46044.
Automatic merge from submit-queue (batch tested with PRs 47435, 46044)
IPv6 support for getting node IP
As part of ChooseHostInterface(), it will call a function to try to get the
global IP for the host, by looking at all the system interfaces and select
the first IP that is not a loopback, link-local, or point-to-point IP.
This commit does the following:
- Allows IPv6 non-local IPs to be selected.
- IPv4 takes priority (checks all interfaces for IPv4 addresses and
then checks all interfaces for IPv6), for backward compatibility.
- Adds UTs for code coverage (was no coverage of underlying function),
increasing from 62% to 85%.
- Improved logging and reporting for error conditions.
- Minor renaming of functions and variables for readability.
**What this PR does / why we need it**:
This will be part of several PRs to add IPv6 support in apimachinery area for use by Kubernetes. It partially fixes the issue.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: xref #44848
**Special notes for your reviewer**:
The intent is to break up the PR 45116 into multiple PRs to take on this change a piece at a time.
**Release note**:
```release-noteNONE
```
Automatic merge from submit-queue
Fix invalid Content-Type for 403 error
https://github.com/kubernetes/kubernetes/pull/47384 makes 403 errors return Status Object. However the Content-Type is still "text/plain"
This change fixes it.
Before this change:
kubectl get pods --as=tom
Error from server (Forbidden): {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"\" is forbidden: User \"tom\" cannot list pods in the namespace \"default\".","reason":"Forbidden","details":{"kind":"pods"},"code":403} (get pods)
After this change:
$ kubectl get pods --as=tom
Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default".
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Now http header key "Audit-ID" doesn't have effect, because golang
automaticly transforms "Audit-ID" into "Audit-Id". This change use
http.Header.Get() function to canonicalize "Audit-ID" to "Audit-Id".
Automatic merge from submit-queue (batch tested with PRs 47700, 48464, 48502)
Add a refreshing discovery client
Introduce a discovery client (implementing `CachedDiscoveryInterface`) which caches discovery information in memory and which can be actively refreshed by the user.
This implementation fetches from discovery upon refresh and could later be improved to maintain updates from a watch.
Extracted from https://github.com/kubernetes/kubernetes/pull/47665 and https://github.com/kubernetes/kubernetes/pull/46000 to help reduce the scope of https://github.com/kubernetes/kubernetes/pull/48065.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47700, 48464, 48502)
fix error type
**What this PR does / why we need it**:
invalidToken should be errInvalideToken
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
No
**Release note**:
```
None
```
Automatic merge from submit-queue (batch tested with PRs 45467, 48091, 48033, 48498)
Refactor and simplify generic printer for unknown objects
The first two commits are part of other PRs
@kubernetes/sig-cli-pr-reviews part of the general refactoring for server side print
Automatic merge from submit-queue (batch tested with PRs 47162, 48444, 48445)
make the panic handler first
Move the panic handler to the beginning of the chain so that panics will get information in the log beyond a stack.
Automatic merge from submit-queue (batch tested with PRs 47162, 48444, 48445)
Introducing a cluster-scoped resource in the wardle.k8s.io group.
**What this PR does / why we need it**:
This PR adds a cluster-scoped resource to the wardle.k8s.io group.
The cluster scoped resource has a field that indicates Flunder.Names that are disallowed.
The resource is going to be used by an admission plugin.
The admission plugin will list the cluster-scope resources and check against banned names.
**Special notes for your reviewer**:
Issue: #47868
**Release note**:
```
NONE
```
The cluster scoped resource has a field that indicates Flunder.Names that are disallowed.
The resource is going to be used by an admission plugin.
The admission plugin will list the cluster-scope resources and check against banned names.
Issue: #47868
Automatic merge from submit-queue
remove unused function and variable from audit backend
auditStringSlice is not used here anymore.
sink variable is also not used.
**Release note**:
```
NONE
```
Fixes: #47114
Automatic merge from submit-queue
Follow up for https://github.com/kubernetes/kubernetes/pull/47003
**What this PR does / why we need it**:
This is addressing left comments for https://github.com/kubernetes/kubernetes/pull/47003#discussion_r120888982
/cc @aveshagarwal
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 48439, 48440, 48394)
GuaranteedUpdate must write if stored data is not canonical
An optimization added to the GuaranteedUpdate loop changed the
comparison of the current objects serialization against the stored data,
instead comparing to the in memory object, which defeated the mechanism
we use to migrate stored data (GET then PUT should update the version stored in etcd if the canonical serialization has changed)
This commit preserves that optimization but correctly verifies the in
memory serialization against the on disk serialization by fetching the
latest serialized data. Since most updates are not no-ops, this should
not regress the performance of the normal path.
Fixes#48393
```release-note
When performing a GET then PUT, the kube-apiserver must write the canonical representation of the object to etcd if the current value does not match. That allows external agents to migrate content in etcd from one API version to another, across different storage types, or across varying encryption levels. This fixes a bug introduced in 1.5 where we unintentionally stopped writing the newest data.
```
Automatic merge from submit-queue (batch tested with PRs 47784, 47793, 48334, 48435, 48354)
allow a deletestrategy to opt-out of GC
Not all resources should be GC-able and we implemented an ignore list to handle this, but at the storage layer they could still set finalizers, they just hung in a stuck state forever. This updates the strategy to allow a resource to indicate that they shouldn't be GCed.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 47784, 47793, 48334, 48435, 48354)
update events' ResponseStatus at Metadata level
ResponseStatus is populated in MetadataLevel, so we also update it in
MetadataLevel.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47784, 47793, 48334, 48435, 48354)
add validate for advanced audit policy
This change checks group name and non-resrouce URLs format for audit
policy.
**Release note**:
```
add validate for advanced audit policy, kube-apiserver will do a stricter validation and will break existing users with invalid configs.
```
An optimization added to the GuaranteedUpdate loop changed the
comparison of the current objects serialization against the stored data,
instead comparing to the in memory object, which defeated the mechanism
we use to migrate stored data.
This commit preserves that optimization but correctly verifies the in
memory serialization against the on disk serialization by fetching the
latest serialized data. Since most updates are not no-ops, this should
not regress the performance of the normal path.
Automatic merge from submit-queue
remove useless check from impersonation filter
When groupsSpecified is false, that means no other groups are added
rather than the service account groups. So this check doesn't make
any sense.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47918, 47964, 48151, 47881, 48299)
GZip openapi schema if accepted by client
**What this PR does / why we need it**: Uses gzip "Accept-Encoding" flag rather than specific path to download gzipped openapi schema.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48375
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 43558, 48261, 42376, 46803, 47058)
OpenAPI downloads protobuf rather than Json
**What this PR does / why we need it**:
The current implementation of the OpenAPI getter fetches the swagger in a Json format from the apiserver. The Json file is big (~1.7mb), which means that it takes a long time to download, and then a long time to parse. Because that is going to be needed on each `kubectl` run later, we want this to be as fast as possible.
The apiserver has been modified to be able to return a protobuf version of the swagger, which this patch intends to use.
Note that there is currently no piece of code that exists that allows us to go from the protobuf version of the file, back into Json and/or `spec.Swagger`. Because the protobuf is not very different (but significantly different enough that it can't be translated), I've updated the code to use `openapi_v2.Document` (the protobuf type) everywhere rather than `spec.Swagger`. The behavior should be identical though.
There are more changes that are coming in follow-up pull-requests: using the gzip version (also provided by the new apiserver) to even further reduce the size of the downloaded content, and use the HTTP Etag cache mechanism to completely get rid of recurrent fetch requests. I'm currently working on these two features.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: partly #38637
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix a typo in deletion log of apiserver
**What this PR does / why we need it**:
I just fix a typo in a log message. Nothing more 😄
**Which issue this PR fixes**
apiserver sometimes log this message "About do delete object from database". It seems that there is a typo for `to`.
```release-note
Fix a typo in apiserver log message
```
Fix the Unstructured GetDeletionGracePeriodSeconds accessor which was
always returning nil regardless of the underlying stored value. The
field value always appearing nil prevents Custom Resource instances
from being deleted when garbage collection is enabled for CRs and
when DeletePropagationOrphan is used. More generally, this fix means that
delete-on-update now works for CR instances.
Add some test coverage for Unstructured metadata deserialization.
The Unstructured DeletionGracePeriodSeconds field marshals as a value
type from JSON and as a pointer type via SetDeletionGracePeriodSeconds.
The GetDeletionGracePeriodSeconds method now supports handling both
int64 and *int64 values so that either underlying value can be returned.
Add a reflection-based unit test which attempts to exercise all the
Object Get/Set methods for nil handling.
Automatic merge from submit-queue (batch tested with PRs 45610, 47628)
Add Priority to Kubernetes API
**What this PR does / why we need it**: This is the first in a series of PRs to add priority to Kubernetes API. Subsequent PRs will add priority name resolution to admission controller.
**Release note**:
```release-note
Add PriorityClassName and Priority fields to PodSpec.
```
Automatic merge from submit-queue
shows how to wire admission control in a sample api server.
**What this PR does / why we need it**:
This PR shows how to wire admission control in a custom api server
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47484, 47904, 48034)
prioritize messages for long steps
This pull prioritizes the trace messages, so steps that are unusually large come out at the info level and all details come out a v(4) level.
Automatic merge from submit-queue (batch tested with PRs 48012, 47443, 47702, 47178)
Don't bother with a mutable transformer for identity
The default value transformer can safely be the identity transformer - mutability is not required if the caller doesn't need transformation.
Automatic merge from submit-queue (batch tested with PRs 48012, 47443, 47702, 47178)
incluster config will be used when creating external shared informers.
**What this PR does / why we need it**:
Previously the loopback configuration was used to talk to the server.
As a consequence a custom API server was unable to talk to the root API server.
This PR changes the above by using incluster configuration to create shared informers.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Update custom-resources example in client-go
- Update client-go examples `README.md` to point to the CustomResources example instead of the deprecated TPR one.
- Delete `staging/src/k8s.io/client-go/examples/custom-resources`.
Fixing #47743.
**Release note**:
```release-note
NONE
```
/cc @ahmetb @sttts
Automatic merge from submit-queue (batch tested with PRs 48036, 48022)
apiextensions-apiserver: fix build
Can't build CRD due to this bug. This PR will fix it.
As part of ChooseHostInterface(), it will call a function to try to get the
global IP for the host, by looking at all the system interfaces and select
the first IP that is not a loopback, link-local, or point-to-point IP.
This commit does the following:
- Allows IPv6 non-local IPs to be selected.
- IPv4 takes priority (checks all interfaces for IPv4 addresses and
then checks all interfaces for IPv6), for backward compatibility.
- Adds UTs for code coverage (was no coverage of underlying function),
increasing from 62% to 84%.
- Improved logging and reporting for error conditions.
- Minor renaming of functions and variables for readability.
Automatic merge from submit-queue (batch tested with PRs 46425, 47975)
make proto time precision match json
json readers/writers see second precision, but protobuf readers/writers seen nanosecond precision. This means that a json client can read and write and accidentally mutate fields as seen by protobuf clients.
This makes the precision consistent.
@kubernetes/sig-api-machinery-misc @smarterclayton
```release-note
Update protobuf time serialization for a one second granularity
```
Automatic merge from submit-queue
Removes alpha feature gate for affinity annotations.
**What this PR does / why we need it**:
In 1.5 we added a backstop to support alpha affinity annotations. This PR removes that support in favor of the Beta fields per discussions.
It also serves as a precursor to some of the component config work that @ncdc has done around @mikedanese design proposal.
xref: https://github.com/kubernetes/kubernetes/pull/41617
**Special notes for your reviewer**:
**Release note**:
```
Removes alpha feature gate for pod affinity annotations.
```
/cc @kubernetes/sig-scheduling-pr-reviews @kubernetes/sig-cluster-lifecycle-misc
Automatic merge from submit-queue (batch tested with PRs 47650, 47936, 47939, 47986, 48006)
External dependency of k8s.io/api
Fix https://github.com/kubernetes/kubernetes/issues/48007
It's unfortunate that k8s.io/api has external dependencies.
Most of the dependencies are introduced by "k8s.io/apimachinery/pkg/util/intstr" and ugorji.
Automatic merge from submit-queue
Add token authentication method for websocket browser clients
Closes#47967
Browser clients do not have the ability to set an `Authorization` header programatically on websocket requests. All they have control over is the URL and the websocket subprotocols sent (see https://developer.mozilla.org/en-US/docs/Web/API/WebSocket)
This PR adds support for specifying a bearer token via a websocket subprotocol, with the format `base64url.bearer.authorization.k8s.io.<encoded-token>`
1. The client must specify at least one other subprotocol, since the server must echo a selected subprotocol back
2. `<encoded-token>` is `base64url-without-padding(token)`
This enables web consoles to use websocket-based APIs (like watch, exec, logs, etc) using bearer token authentication.
For example, to authenticate with the bearer token `mytoken`, the client could do:
```js
var ws = new WebSocket(
"wss://<server>/api/v1/namespaces/myns/pods/mypod/logs?follow=true",
[
"base64url.bearer.authorization.k8s.io.bXl0b2tlbg",
"base64.binary.k8s.io"
]
);
```
This results in the following headers:
```
Sec-WebSocket-Protocol: base64url.bearer.authorization.k8s.io.bXl0b2tlbg, base64.binary.k8s.io
```
Which this authenticator would recognize as the token `mytoken`, and if authentication succeeded, hand off to the rest of the API server with the headers
```
Sec-WebSocket-Protocol: base64.binary.k8s.io
```
Base64-encoding the token is required, since bearer tokens can contain characters a websocket protocol may not (`/` and `=`)
```release-note
Websocket requests may now authenticate to the API server by passing a bearer token in a websocket subprotocol of the form `base64url.bearer.authorization.k8s.io.<base64url-encoded-bearer-token>`
```
Automatic merge from submit-queue
include object fieldpath in event key
Fixes https://github.com/kubernetes/kubernetes/issues/47692#47462 exposed a bug where `getEventKey()` only keys on event fields that are common at the pod level. Events generated by different containers in the same pod will yield identical event keys. This results in events with the same message from different containers in a pod being aggregated in error.
This wasn't a problem before as the event message contained container specific information and thus didn't produce the same event key.
@derekwaynecarr @dhilipkumars @dchen1107
Automatic merge from submit-queue (batch tested with PRs 47883, 47179, 46966, 47982, 47945)
add level for print flags
Signed-off-by: sakeven <jc5930@sina.cn>
**What this PR does / why we need it**:
It's ugly to print all flags whenever.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
fixes#47932
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47883, 47179, 46966, 47982, 47945)
Add feature gating to REST Compression
**What this PR does / why we need it**: Adds feature gating to opt out of REST API compression
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#46963
**Special notes for your reviewer**: This PR is a fix / addendum to #45666
**Release note**:
```release-note
```
Automatic merge from submit-queue
Lower etcd compacted loglevel
Fixes#47941
When we run apiserver, it will consistently produce logs like:
> I0620 15:27:44.627978 2765 compact.go:159] etcd: compacted rev (7825), endpoints ([http://127.0.0.1:2379])
I0620 15:32:44.632311 2765 compact.go:159] etcd: compacted rev (8193), endpoints ([http://127.0.0.1:2379])
I0620 15:37:44.643658 2765 compact.go:159] etcd: compacted rev (8552), endpoints ([http://127.0.0.1:2379])
...
which does not mean much overall, we may change the loglevel and lower the frequency.
**Release note**:
-->
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46151, 47602, 47507, 46203, 47471)
rebase gophercloud to support HTTP status 300 in pagination, so listingng Cinder v1/v2 API versions won't break
**What this PR does / why we need it**:
Since Cinder block v1/v2 support lands in 1.7, we have to ensure Cinder block api list won't fail due to https://github.com/gophercloud/gophercloud/pull/384.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47651
**Special notes for your reviewer**:
@anguslees @NickrenREN
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix link to apiextensions client-go example
Fixes link to client-go example for apiextensions-apiserver.
Fixing #47211.
**Special notes for your reviewer**:
When I run `hack/update-staging-client-go.sh`, I get this error:
```
!!! Error in staging/copy.sh:132
Error in staging/copy.sh:132. 'git commit -q -m "Snapshot" > /dev/null' exited with status 1
Call stack:
1: staging/copy.sh:132 main(...)
Exiting with status 1
```
What am I missing here?
/cc @caesarxuchao @sttts
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42252, 42251, 42249, 47512, 47887)
fix HostAliases' json keys to be hostAlias instead of hostMapping to reflect actual feature name
**What this PR does / why we need it**: a rename was introduce during the middle of #44641 to change from `hostMappings` to `hostAliases`. the Go structs were updated, but I neglected to update the json keys. They should be in sync.
**Special notes for your reviewer**: I messed up. This is an API change. I hope this is still ok to be in the 1.7 release.
**Release note**:
```release-note
HostAliases is now parsed with `hostAliases` json keys to be in line with the feature's name.
```
Automatic merge from submit-queue (batch tested with PRs 47878, 47503, 47857)
restore working aggregator and avoid duplicate informers
Fixes https://github.com/kubernetes/kubernetes/issues/47866
This runs the informer all the way through and makes sure its started.
@lavalamp ptal
@kubernetes/sig-api-machinery-bugs
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert 44714 manually
#44714 broke backward compatibility for old swagger spec that kubectl still uses. The decision on #47448 was to revert this change but the change was not automatically revertible. Here I semi-manually remove all references to UnixUserID and UnixGroupID and updated generated files accordingly.
Please wait for tests to pass then review that as there may still be tests that are failing.
Fixes#47448
Adding release note just because the original PR has a release note. If possible, we should remove both release notes as they cancel each other.
**Release note**: (removed by caesarxuchao)
UnixUserID and UnixGroupID is reverted back as int64 to keep backward compatibility.
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert "Merge pull request #43946 from jhorwit2/jah/host-path-psp"
fixes#47863
This reverts commit b5eadb5d6b, reversing
changes made to 1889d654f5.
**What this PR does / why we need it**:
Revert whitelist host paths in psp due to API concerns. Please refer to https://github.com/kubernetes/kubernetes/pull/47811 for the concerns.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
cc @liggitt @ericchiang @smarterclayton
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Fix rawextension decoding in update
Fixes https://github.com/kubernetes/kubernetes/issues/47842
The `Create` handler was correctly decoding into the internal version, but the `Update` handler was not.
Top-level objects were not affected, because the type of the `New()` object returned by the rest handler governs the destination group/version/kind.
If a field within the object is of type `RawExtension`, and converts to a `runtime.Object` field in the internal object, the `runtime.Object` field provides no information about the desired group/version/kind, so the decoder's groupversioner governs.
This would manifest as the resthandler's Update function being given an internal top-level object with it's runtime.Object field containing an external object.
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Clear auth config when gcp app default credentials fail
**What this PR does / why we need it**:
Specific use case is when utilizing multiple gcp accounts, the user may provide credentials for the wrong account.
This change ensures the incorrect credentials are not cached in auth config, and logs an appropriate message.
**Which issue this PR fixes** : fixes#38075
**Special notes for your reviewer**:
**Release note**:
```release-note
Tokens retrieved from Google Cloud with application default credentials will not be cached if the client fails authorization
```
Automatic merge from submit-queue (batch tested with PRs 46604, 47634)
Added example for status errors in go client
This PR adds status error handling examples to the go client examples, for both in-cluster and out-of-cluster usage. Fixes https://github.com/kubernetes/client-go/issues/163
Automatic merge from submit-queue (batch tested with PRs 47726, 47693, 46909, 46812)
Plumb service resolver into webhook AC
This is the last piece of plumbing needed for https://github.com/kubernetes/features/issues/209
Automatic merge from submit-queue (batch tested with PRs 47669, 40284, 47356, 47458, 47701)
Serialized protobuf should have stable map order
Leverage `stable_marshaller_all` tag in gogo-protobuf to ensure all of our maps have stable ordering when serialized to protobuf. This preserves the behavior from JSON that we rely on to avoid writing to etcd except when the content has changed.
Will slightly increase allocations (1 slice per non-empty map in an object) during Encode, which has a minor impact on CPU. However, avoiding writes when a client issues a blind put results in significantly less CPU across the whole cluster (avoiding a new etcd version for an Endpoints object might save ~1 core/sec on large clusters).
Fixes#47678
```release-note
The protobuf serialization of API objects has been updated to store maps in a predictable order to ensure that the representation of that object does not change when saved into etcd. This prevents the same object from being seen as being modified, even when no values have changed.
```
Specific use case is when utilizing multiple
gcp accounts, the user may provide credentials
for the wrong account.
This change ensures the incorrect credentials
are not cached in auth config, and logs an
appropriate message.
Automatic merge from submit-queue
clientgo/examples: add ToC for examples
Also add authenticate- prefix to auth samples. This patch could use some
improvement explaining workqueue and TPR examples as I'm not entirely sure.
/assign @caesarxuchao
Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
Automatic merge from submit-queue
Fix api description
**What this PR does / why we need it**:
prefered -> preferred
the the -> the
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46884, 47557)
Rename DaemonSet and StatefulSet hash label
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47554
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @kow3ns
/cc @bgrant0607
@kubernetes/sig-apps-api-reviews
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
separate group and version priority
Fixes https://github.com/kubernetes/kubernetes/issues/46322
This just modifies the API and does the minimal plumbing. I can extend this pull or do another to fix the priority problem.
Automatic merge from submit-queue (batch tested with PRs 47510, 47516, 47482, 47521, 47537)
Fix typo in secretbox transformer prefix
Introduced by #46916 via cherry picked commit [here](12bb591dbf).
Urgent fix in my opinion, ideally should be merged before production.
@smarterclayton
Automatic merge from submit-queue (batch tested with PRs 47204, 46808, 47432, 47400, 47099)
disable GC for custom resources
xref https://github.com/kubernetes/kubernetes/issues/47431
This prevents GC on CustomResources so you don't get an uncleared finalizer that prevents deletion
Automatic merge from submit-queue (batch tested with PRs 47073, 47457, 47479)
audit: Fill in full ObjectRef, include in LevelMetadata
The previous implementation was missing several ObjectReference fields, including `APIVersion`, `Resource`, and `Subresource`. This PR adds those fields, and also fills in the `ObjectRef` when the level is `Metadata` (previously it was only filled for level `Request`).
For kubernetes/features#22
/cc @ericchiang @ihmccreery
Automatic merge from submit-queue (batch tested with PRs 46441, 43987, 46921, 46823, 47276)
Remove PartitionStatefulSetStrategyType
This PR removes PartitionStatefulSetStrategyType add adds a parameter to RollingUpdateStatefulSetStrategyType as described in the issue below. We need this PR to ensure that the StatefulSet API conforms to the existing API for DaemonSet.
fixes#46975
```release-note
NONE
```
@kargakis
@smarterclayton
@janetkuo
Automatic merge from submit-queue (batch tested with PRs 46441, 43987, 46921, 46823, 47276)
Azure plugin for client auth
This is an Azure Active Directory plugin for client authentification. It provides an integration with Azure CLI 2.0 login command. It can also be used standalone, in that case it will use the device code flow to acquire an access token.
More details are provided in the README.md file.
https://github.com/kubernetes/kubectl/issues/29
cc @brendandburns @colemickens
Automatic merge from submit-queue (batch tested with PRs 46929, 47391, 47399, 47428, 47274)
Remove empty lines from log
Everything() returns a new line end with "\n", it's not necessary
to add another one.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46678, 45545, 47375)
update gophercloud/gophercloud dependency
**What this PR does / why we need it**:
**Which issue this PR fixes**
fixes#44461
**Special notes for your reviewer**:
**Release note**:
```release-note
update gophercloud/gophercloud dependency for reauthentication fixes
```
Automatic merge from submit-queue
Made image as required in v1 Container struct.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47244
**Special notes for your reviewer**:
**Release note**:
```release-note
none
```
Automatic merge from submit-queue
bazel: stamp multiple packages by using x_defs instead of linkstamp in go_binary rules
**What this PR does / why we need it**: Fixes regression introduced sometime in the last few months that prevented bazel-built clusters from identifying version properly.
It does so by updating the bazelbuild/rules_go and kubernetes/repo-infra dependencies to support using stamp values in `go_binary` `x_defs`, and then changing our `go_binary` rules to use `x_defs` instead of `linkstamp`.
This whole charade is necessary because we need to stamp version information in multiple packages.
This pretty much only affects the bazel build, so it should be low risk.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#45298
**Special notes for your reviewer**: depends on https://github.com/kubernetes/repo-infra/pull/18; should not be merged before it.
**Release note**:
```release-note
NONE
```
/assign @spxtr @mikedanese
Automatic merge from submit-queue
StorageOS Volume Plugin
**What this PR does / why we need it**:
This PR adds a new volume plugin for StorageOS volumes. StorageOS runs as a container on Kubelet nodes, aggregating local or attached storage and making its capacity available to all nodes within the cluster. More information at http://storageos.com.
The StorageOS plugin supports:
1. Dynamic Provisioning using Storage Classes
2. Persistent Volumes and Persistent Volume Claims.
**Which issue this PR fixes**
A feature request has been created:
https://github.com/kubernetes/features/issues/190
This isn't on the schedule for 1.6 as I wasn't sure when it would be ready. We intend to make the StorageOS container openly available within the 1.6 lifetime.
**Special notes for your reviewer**:
Separate commits for feature and godep changes.
**Release note**:
```release-note
StorageOS Volume Driver
[StorageOS](http://www.storageos.com) can be used as a storage provider for Kubernetes. With StorageOS, capacity from local or attached storage is pooled across the cluster, providing converged infrastructure for cloud-native applications.
```
Automatic merge from submit-queue (batch tested with PRs 36376, 47251)
client-go: GetOptions for dynamic client
Looks like `GetOptions` were forgotten in the dynamic client. Without them it's hard to write a dynamic initializer controller (useful for custom resources).
Automatic merge from submit-queue
Make gcp auth provider not to override the Auth header if it's already exits
**What this PR does / why we need it**:
Make AuthProvider not wrap the transport if beartoken or basic auth is enabled
**Which issue this PR fixes** :
fixes#44476
**Special notes for your reviewer**:
**Release note**:
```
GCP auth plugin no longer overwrites existing Authorization headers.
```
Automatic merge from submit-queue
Allow pods to opt out of PodPreset mutation via an annotation on the pod
An annotation in the pod spec of the form:
podpreset.admission.kubernetes.io/PodPresetOptOut: "true"
Will cause the admission controller to skip manipulating the pod spec,
no matter the labelling.
This is an alternative implementation to pull #44163.
```release-note
Allow pods to opt out of PodPreset mutation via an annotation on the pod.
```
Automatic merge from submit-queue
Deprecated binding for 1.7
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#10043
```release-note
Deprecated Binding objects in 1.7.
```
Automatic merge from submit-queue (batch tested with PRs 46979, 47078, 47138, 46916)
Add a secretbox and AES-CBC path for encrypt at rest
Add a secretbox and AES-CBC encrypt at rest provider and alter the config, based on feedback from security review. AES-CBC is more well reviewed and generally fits better with common criteria and FIPS, secretbox is newer and faster than CBC.
```release-note
Add secretbox and AES-CBC encryption modes to at rest encryption. AES-CBC is considered superior to AES-GCM because it is resistant to nonce-reuse attacks, and secretbox uses Poly1305 and XSalsa20.
```
Automatic merge from submit-queue (batch tested with PRs 46979, 47078, 47138, 46916)
DeleteCollection should include uninitialized resources
Users who delete a collection expect all resources to be deleted, and
users can also delete an uninitialized resource. To preserve this
expectation, DeleteCollection selects all resources regardless of
initialization.
The namespace controller should list uninitialized resources in order to
gate cleanup of a namespace.
Fixes#47137
Automatic merge from submit-queue (batch tested with PRs 45877, 46846, 46630, 46087, 47003)
Remove duplicate errors from an aggregate error input.
This PR, in general, removes duplicate errors from an aggregate error input, and returns unique errors with their occurrence count. Specifically, this PR helps with some scheduler errors that fill the log enormously. For example, see the following `truncated` output from a 300-plus nodes cluster, as there was a same error from almost all nodes.
[SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected., SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found.........
After this PR, the output looks like (on a 2-node cluster):
SchedulerPredicates failed due to persistentvolumeclaims "mongodb" not found, which is unexpected.(Count=2)
@derekwaynecarr @smarterclayton @kubernetes/sig-scheduling-pr-reviews
Fixes https://github.com/kubernetes/kubernetes/issues/47145
Automatic merge from submit-queue (batch tested with PRs 47024, 47050, 47086, 47081, 47013)
apiextensions-apiserver: Fix decoding of DeleteOptions.
Fixes#47072 by making apiextensions-apiserver capable of decoding unversioned DeleteOptions, rather than only handling Unstructured objects (i.e. Custom Resources).
This also closes#46736 and #37554 since the added regression test works for TPR as well.
Automatic merge from submit-queue (batch tested with PRs 47024, 47050, 47086, 47081, 47013)
client-go: deprecate TPR example and add CRD example
/cc @nilebox
Part of https://github.com/kubernetes/kubernetes/issues/46702
Users who delete a collection expect all resources to be deleted, and
users can also delete an uninitialized resource. To preserve this
expectation, DeleteCollection selects all resources regardless of
initialization.
The namespace controller should list uninitialized resources in order to
gate cleanup of a namespace.
Clayton Coleman