Automatic merge from submit-queue
Only skip petset test if resource is missing
**What this PR does / why we need it**:
Unblock testing petset on other providers.
cc @pwittrock. Would like to cherrypick onto 1.4 but this is test code only, so it can wait til after release cut.
Automatic merge from submit-queue
add local subject access review API
Adds a local subject access review endpoint to allow a project-admin (someone with full rights within a namespace) the power to inspect whether a person can perform an action in his namespace. This is a separate resource be factoring like this ensures that it is impossible for him to look outside his namespace and makes it possible to create authorization rules that can restrict this power to a project-admin in his own namespace. Other factorings require introspection of objects.
@kubernetes/sig-auth
Automatic merge from submit-queue
make --runtime-config=api/all=true|false work
`Passing --runtime-config=api/all=true|false to apiserver will enable/disable all registered api groups`
Previously, only api/all=false was recognized, and it only disabled groups with resources.
Automatic merge from submit-queue
Skip kubectl tests (create quota and exit code) on not supported versions
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->
**What this PR does / why we need it**: Fixing broken kubernetes-e2e-gke-1.4-1.3-kubectl-skew tests. Because we're running 1.4 kubectl tests against 1.3 kubectl, some kubectl tests need to be skipped on older kubectl versions.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**: @pwittrock
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
NONE
```
Automatic merge from submit-queue
Enable DynamicKubeletConfig in benchmark test properties
This PR fixes "change QPS limit" failure by adding "TEST_ARGS='--feature-gates=DynamicKubeletConfig=true'" in jenkins-benchmark.properties
Automatic merge from submit-queue
Kubelet: remove name filter from CRI
Since #30753 and #30463, `name` is not used to identify the container/sandbox, so remove it from CRI.
cc @yujuhong @kubernetes/sig-node @kubernetes/sig-rktnetes
Automatic merge from submit-queue
Add flag to set CNI bin dir, and use it on gci nodes
**What this PR does / why we need it**:
When using `kube-up` on GCE, following #31023 which moved the workers from debian to gci, CNI just isn't working. The root cause is basically as discussed in #28563: one flag (`--network-plugin-dir`) means two different things, and the `configure-helper` script uses it for the wrong purpose.
This PR adds a new flag `--cni-bin-dir`, then uses it to configure CNI as desired.
As discussed at #28563, I have also added a flag `--cni-conf-dir` so users can be explicit
**Which issue this PR fixes** : fixes#28563
**Special notes for your reviewer**:
I left the old flag largely alone for backwards-compatibility, with the exception that I stop setting the default when CNI is in use. The value of `"/usr/libexec/kubernetes/kubelet-plugins/net/exec/"` is unlikely to be what is wanted there.
**Release note**:
```release-note
Added new kubelet flags `--cni-bin-dir` and `--cni-conf-dir` to specify where CNI files are located.
Fixed CNI configuration on GCI platform when using CNI.
```
Automatic merge from submit-queue
Adding support for upgrading testing across image types.
Adds support for upgrade testing across image types.
@spxtr @vishh @ixdy @pwittrock
This change only affects upgrade testing. This does not touch production code and hence should be safe for cherrypicks into the 1.4 release branch.
Automatic merge from submit-queue
dockershim: add unit tests for sandbox/container status
Also add a fake clock in the FakeDockerClient to allow testing container
CreatedAt, StartedAt, FinishedAt timestamps.
Automatic merge from submit-queue
Update release notes of OpenAPI support
OpenAPI support is enabled by default in 1.4 (no documentation or automation system depends on it yet), this PR reflect the fact that it is enabled by default in release notes.
Currently, only api/all=false does something (disables
all groups that have resources). Make api/all=false disable all groups
(not just those with resources), and make api/all=true enable
all groups
Automatic merge from submit-queue
Re-enable Federated Ingress e2e test to check connectivity to global load balancer
...Now that it works properly.
Should not merge before #31600, as it will fail until then.
Automatic merge from submit-queue
Enabled Rescheduler e2e for GKE
The Rescheduler is now enabled on GKE (cl/132886258).
Ref #32500
@pwittrock let's wait for cherry-pick until it passes on gke-serial.
Automatic merge from submit-queue
Allow webhook authenticator to use TokenReviewsInterface
Refactors the authentication webhook to be able to be fed a kubeconfig file or a TokenReviewsInterface
Fixes a bug with webhooks not retrying on 429/500 errors
Related to https://github.com/kubernetes/kubernetes/pull/32518#discussion_r78450170
Automatic merge from submit-queue
Allow namespace to be loaded from in-cluster config
This is a follow on from the previous commit that fixed ClientConfig.
Namespace can also be defaulted from ICC, and this correctly handles
that logic. Also add two debugging lines to ensure that it is easier in
the future to uncover problems here.
Fixes#32352
@deads2k
Automatic merge from submit-queue
Doc API group suffix, add test to catch new groups
Spawned from discussion in https://github.com/kubernetes/kubernetes/pull/31887
Doc and add tests to ensure new API groups are suffixed.
Also changed the doc to reference an API group containing the suffix as a starting point for new API groups.
Automatic merge from submit-queue
Improvements on OpenAPI spec generation
- Generating models using go2idl library (no reflection anymore)
- Remove dependencies on go-restful/swagger
- Generate one swagger.json file for each web-service
- Bugfix: fixed a bug in trie implementation
Reference: #13414
**Release note**:
```release-note
Generate separate OpenAPI spec for each API GroupVersion on /<Group>/<Version>/swagger.json
```
Wojciech Tyczynski