Automatic merge from submit-queue (batch tested with PRs 53760, 48996, 51267, 54414). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update admission webhook to handle multiple auth domains
Fixes https://github.com/kubernetes/kubernetes/issues/54404
Adds some wiring to have the admission plugin accept a config file for per-apiserver configuration.
@kubernetes/sig-auth-api-reviews @deads2k @ericchiang @liggitt in particular
@kubernetes/sig-api-machinery-pr-reviews @lavalamp @caesarxuchao @sttts @cheftako
```release-note
generic webhook admission now takes a config file which describes how to authenticate to webhook servers
```
Automatic merge from submit-queue (batch tested with PRs 53903, 53914, 54374). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add PodDisruptionBudget to scheduler cache.
**What this PR does / why we need it**:
This is the first step to add support for PodDisruptionBudget during preemption. This PR adds PDB to scheduler cache.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**: None
**Release note**:
```release-note
Add PodDisruptionBudget to scheduler cache.
```
ref/ #53913
Automatic merge from submit-queue (batch tested with PRs 54363, 54333). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Ensure port on resolved service host
The resolved host should include a port so it can be used by dialers directly. It's also not necessary to reparse the URL when constructing directly.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 52792, 48963). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix range for min value in imagepolicy admission
**What this PR does / why we need it**:
This makes the range for imagepolicy admission work properly. Currently if we specify `1s` for the value of `AllowTTL` or `DenyTTL` in the configuration yaml, we get a message like the following:
```
Error: failed to initialize plugins: Couldn't init admission plugin "ImagePolicyWebhook": valid value is between 1s and 30m0s, got 1s
```
This is due to a wrong comparison which is fixed in this PR. The rest of the PR just adds tests for this behaviour.
Automatic merge from submit-queue (batch tested with PRs 52147, 54309). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update bootstrap policy with replicaset/daemonset permissions in the apps API group
Resolves #54310
Bootstrap policy was not updated when replicasets and daemonsets got promoted to the apps group
```release-note
Resolves forbidden error when accessing replicasets and daemonsets via the apps API group
```
Automatic merge from submit-queue (batch tested with PRs 54031, 54261). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Allow absent Weight if PrioritizeVerb is empty
The scheduler currently validates `ExtenderConfig.Weight` (the weight applied to `Prioritize`) even when `ExtenderConfig.PrioritizeVerb` is empty, which is not correct. A configuration without these two fields should be allowed.
**Release note**:
```
None
```
/sig scheduling
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make scheduler integration test faster
Do not wait for 30 seconds for every negative test case. This commit
also organizes the test code to make it more readable.
It cuts the test time from 450s to 125s.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #53302
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 52753, 54034, 53982, 54209). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make test case description more accurate.
**What this PR does / why we need it**:
Make test case description more accurate. This test case tests the GCE persistent disk instead of the general one, change the name to make it consistent with AWS/Azure/ISCSI test cases.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
NONE
**Special notes for your reviewer**:
NONE
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 51310, 51458, 47636). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove useless allocation of map
This one-element map is only used for checking api. Remove it and
simplify the code.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49305, 54158). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix error print for admission test
**What this PR does / why we need it**:
fix error prints to make them easy to inspect.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
NONE
**Special notes for your reviewer**:
NONE
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
allow fail close webhook admission
Webhook admission needs to allow failing closed. Even in an alpha state, I don't want to be one DDOS away from having an exposed cluster.
/assign caesarxuchao
/assign sttts
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
allow */subresource in rbac policy rules
xref #29698
xref #38756
xref #49504
xref #38810
Allow `*/subresource` format in RBAC policy rules to support polymorphic subresources like `*/scale` for HPA.
@DirectXMan12 fyi
```release-note
RBAC PolicyRules now allow resource=`*/<subresource>` to cover `any-resource/<subresource>`. For example, `*/scale` covers `replicationcontroller/scale`.
```
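The matching semantics in the release note above, shown as an added illustration (this is not the RBAC code from the Kubernetes repository): a rule resource of `*/<subresource>` covers `<any-resource>/<subresource>`, while a bare resource name is not covered. The function names `resourceMatches` and `ruleCovers` are assumptions made here.

```go
package main

import (
	"fmt"
	"strings"
)

// resourceMatches reports whether one rule resource entry covers the requested
// resource: "*" covers everything, an exact entry matches itself, and a
// "*/<subresource>" entry covers "<any-resource>/<subresource>".
// Illustrative reimplementation written for this note, not upstream code.
func resourceMatches(ruleResource, requested string) bool {
	if ruleResource == "*" || ruleResource == requested {
		return true
	}
	if strings.HasPrefix(ruleResource, "*/") {
		idx := strings.Index(requested, "/")
		if idx < 0 {
			// A bare resource (e.g. "deployments") has no subresource,
			// so a "*/scale" grant does not reach it.
			return false
		}
		return requested[idx+1:] == ruleResource[2:]
	}
	return false
}

// ruleCovers reports whether any resource entry of a rule covers the request.
func ruleCovers(ruleResources []string, requested string) bool {
	for _, r := range ruleResources {
		if resourceMatches(r, requested) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a rule granting only "*/scale", checked against requests.
	rule := []string{"*/scale"}
	for _, req := range []string{"replicationcontrollers/scale", "deployments/scale", "deployments", "pods/status"} {
		fmt.Printf("%-30s covered=%v\n", req, ruleCovers(rule, req))
	}
}
```

When reviewing bindings, note that `*/scale` reaches the scale subresource of every resource in the rule's API groups, so audit it as a cross-resource grant rather than a narrow one.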
Automatic merge from submit-queue (batch tested with PRs 47717, 53896). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
decode admission responses into a fresh object
Something about the way the admission request object is built causes decoding back into it to fail with
```
W1013 14:10:42.457423 2960 admission.go:185] rejected by webhook namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations &{%!t(string=namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations) %!t(*errors.errorString=&{reflect.Value.Addr of unaddressable value})}: failed calling admission webhook "namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations": reflect.Value.Addr of unaddressable value
```
This simply creates a fresh object to decode into, which works fine for our usage and makes it possible to actually have the webhook call out to something.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
pkg/api: extract Scheme/Registry/Codecs into pkg/api/legacyscheme
This serves as
- a preparation for the pkg/api->pkg/apis/core move
- and makes the dependency to the scheme explicit when visualizing
left dependencies.
The latter helps with our efforts to split up the monolithic repo
into self-contained sub-repos, e.g. for kubectl, controller-manager
and kube-apiserver in the future.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix the bad code comment
**What this PR does / why we need it**:
fix the bad code comment in scheduler
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 54030, 54041). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix admission webhook test failure in go1.9
**What this PR does / why we need it**:
Go 1.9 has some better checks for SAN extensions, notably:
630e93ed2d
We recently added ServerName to the rest client TLSConfig:
186a0684d5 (diff-eb3573c6b11347dc3793c477726480efR262)
So we need to be sure that the ServerName "webhook-test.default.svc" is
present in the certificates that we generate.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes #54020
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 54036, 53739). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
admission_test.go: remove unused functions
**What this PR does / why we need it**:
PR removed unused `createNamespaceForTest()` and `createSAForTest()` functions from `admission_test.go`.
**Release note**:
```release-note
NONE
```
PTAL @liggitt @pweil-
CC @simo5
Automatic merge from submit-queue (batch tested with PRs 53978, 54008, 53037). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Change scheduler to skip pod with updates only on pod annotations
Fixes #52914, by checking whether the pod is already assumed before scheduling it.
**Release note**:
```
Scheduler cache ignores updates to an assumed pod if updates are limited to pod annotations.
```
/sig scheduling
/assign @bsalamat
/cc @vishh
Automatic merge from submit-queue (batch tested with PRs 48665, 52849, 54006, 53755). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Order PSP by name, prefer non-mutating PSPs
Fixes #36184, Fixes #23217
Related to #23217
Removes unnecessary mutation of pods:
* Determines effective security context for pods using a wrapper containing the pod and container security context, rather than building/setting a combined struct on every admission
* Does not set `privileged:&false` on security contexts with `privileged:nil`
* Does not set `runAsNonRoot:&true` on security contexts that already have a non-nil, non-0 `runAsUser`
* Does not mutate/normalize container capabilities unless changes are required (missing defaultAddCapabilities or requiredDropCapabilities)
Defines behavior when multiple PSP objects allow a pod:
* PSPs which allow the pod as-is (no defaulting/mutating) are preferred
* If the pod must be defaulted/mutated to be allowed, the first PSP (ordered by name) to allow the pod is selected
* During update operations, when mutations to pod specs are disallowed, only non-mutating PSPs are used to validate the pod
```release-note
PodSecurityPolicy: when multiple policies allow a submitted pod, priority is given to ones which do not require any fields in the pod spec to be defaulted. If the pod must be defaulted, the first policy (ordered by name) that allows the pod is used.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Modify Schedule function
**What this PR does / why we need it**:
It is obvious that there is no need for prioritizing when only one node is left after the predicates.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
@davidopp @timothysc
**Release note**:
```release-note
NONE
```