Automatic merge from submit-queue
add tokenreviews endpoint to implement webhook
Wires up an API resource under `apis/authentication.k8s.io/v1beta1` to expose the webhook token authentication API as an API resource. This allows one API server to use another for authentication and uses existing policy engines for the "authoritative" API server to controller access to the endpoint.
@cjcullen you wrote the initial type
Automatic merge from submit-queue
Support terminal resizing for exec/attach/run
```release-note
Add support for terminal resizing for exec, attach, and run. Note that for Docker, exec sessions
inherit the environment from the primary process, so if the container was created with tty=false,
that means the exec session's TERM variable will default to "dumb". Users can override this by
setting TERM=xterm (or whatever is appropriate) to get the correct "smart" terminal behavior.
```
Fixes#13585
Add support for terminal resizing for exec, attach, and run. Note that for Docker, exec sessions
inherit the environment from the primary process, so if the container was created with tty=false,
that means the exec session's TERM variable will default to "dumb". Users can override this by
setting TERM=xterm (or whatever is appropriate) to get the correct "smart" terminal behavior.
Automatic merge from submit-queue
don't migrate files you can't access
If you can't access a file, you shouldn't try to migrate it.
Ref https://github.com/openshift/origin/issues/9581
@fabianofranz
Automatic merge from submit-queue
Lock all possible kubecfg files at the beginning of ModifyConfig.
Prevent concurrent calls to ModifyConfig on the same (or overlapping) kubeconfig files.
Automatic merge from submit-queue
Use preferred group version when discovery fails due to 403
```
kubectl get pods --as bob
```
Returns:
```
error: failed to negotiate an api version; server supports: map[], client supports: map[autoscaling/v1:{} rbac.authorization.k8s.io/v1alpha1:{} federation/v1alpha1:{} batch/v1:{} v1:{} authentication.k8s.io/v1beta1:{} apps/v1alpha1:{} componentconfig/v1alpha1:{} authorization.k8s.io/v1beta1:{} batch/v2alpha1:{} extensions/v1beta1:{} policy/v1alpha1:{}]
```
It should return:
```
User "deads" cannot "impersonate" "users" with name "bob" in project ""
```
`serverVersions` is empty when discovery fails, thus we fallback to the `preferredGV`.
See openshift/origin#9307 and [openshift/origin/pull/9389](https://github.com/openshift/origin/pull/9389) for further details.
Automatic merge from submit-queue
federation: replacing string credentials field by secretRef
Fixes https://github.com/kubernetes/kubernetes/issues/25761
Replaced the string Credentials field in ClusterSpec by secretRef as discussed in https://github.com/kubernetes/kubernetes/issues/25761.
Also updated the clusterController to use this new secretRef field while creating a client to talk to a k8s cluster.
cc @lavalamp @kubernetes/sig-cluster-federation
Wojciech Tyczynski
