Automatic merge from submit-queue (batch tested with PRs 64481, 64569). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Instrument envelop transformer.
**What this PR does / why we need it**:
Add metrics for envelope transformer:
transformation_operation_count
transformation_failures_count
envelope_transformation_cache_misses_count
data_key_generation_latencies_microseconds
data_key_generation_failures_count
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Cinder Volume API changes for adding support for secrets in the future
**What this PR does / why we need it**:
Many of the in-tree volume sources support specification of secret(s) for specific volumes. This support is not present in cinder currently.
This PR adds just the changes in the API, so work can be done in the future in the external openstack controller manager.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Address comments in #64006.
Address comments in #64006
@tallclair @yujuhong
@kubernetes/sig-node-pr-reviews
Signed-off-by: Lantao Liu <lantaol@google.com>
**Release note**:
```release-note
none
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiextensions: add ObjectMeta validation and pruning
This is a critical pre-requisite for further multi-version support and especially for GA of CRDs: ObjectMeta must be schema-validated and pruned, like `json.Unmarshal` does this.
This PR adds this in the incoming request serializer and the storage decoder. The former errors when schema validation fails, the later just drops invalid typed fields.
Fixes#59451
```release-note
Meta data of CustomResources is now pruned and schema checked during deserialization of requests and when read from etcd. In the former case, invalid meta data is rejected, in the later it is dropped from the CustomResource objects.
```
Automatic merge from submit-queue (batch tested with PRs 64641, 64532). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apimachinery: adapt ObjectConvertor invariant
We avoid deepcopies in the codec/conversion stack by re-using data structures. This means that the out object of a conversion must be deepcopied before mutation in order to not mutate the in object as well.
This guarantees that e.g. runtime.Encode (which uses conversion from internal -> versioned) does not mutate the input. This would be highly unexpected (and we do not mention possible mutation of the input for runtime.Encode).
Automatic merge from submit-queue (batch tested with PRs 64613, 64596, 64573, 64154, 64639). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
printers: fix json types – int64 is only allowed integer
We have the invariant in apimachinery that all integers in JSON are int64. We panic on other types on deepcopy and possibly at other occasions.
Automatic merge from submit-queue (batch tested with PRs 64613, 64596, 64573, 64154, 64639). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove extra "../" when copying from pod to local
**Release note**:
```release-note
NONE
```
Copying via `kubectl cp` from a pod to local will no longer panic if any received tar headers contain an extra "../". This can happen when specifying a remote location beyond "/" - for example:
```
# I am attempting to go backwards beyond "/"
$ kubectl cp mypod:/one/two/../../../etc/hosts ./
```
The above command results in a tar header containing an extra "../" in its name (../etc/hosts), causing a panic [here](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cp.go#L388).
Related downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1584555
cc @soltysh
Automatic merge from submit-queue (batch tested with PRs 64613, 64596, 64573, 64154, 64639). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Openapi some cleanup
Clean-up some OpenAPI code, mostly test related (there are two implementations of "Fake").
This is going for master, but I'll probably also cherry-pick/create a similar PR for feature-serverside-apply branch since we'll need that to move some code around.
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Subpath env expansion alpha tests failing
**What this PR does / why we need it**:
The alpha tests which wait for events do not get events back in the wait time
Increased timeout to set to the framework default
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#64578
**Special notes for your reviewer**:
@kubernetes/sig-storage-bugs
/cc @msau42
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
ccm: recognize InstanceNotFound from InstanceID
Otherwise we won't actually delete Nodes in this code path.
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
CSI fix for gRPC conn leak
**What this PR does / why we need it**:
This PR is a bug fix for leaky gRPC connection that never closes (see issue #64341 for detail)
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#64341
This fix was originally started with PR https://github.com/kubernetes/kubernetes/pull/64380
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64057, 63223, 64346, 64562, 64408). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Refactor the Bootstrap Tokens usage in the API types
**What this PR does / why we need it**:
This PR:
- Moves some common, generic Bootstrap Token helpers and constants from `k8s.io/kubernetes/cmd/kubeadm/app/util/token` to `k8s.io/client-go/tools/bootstrap/token/`
- Breaks out the top-level Bootstrap Token fields to a dedicated `BootstrapToken` struct with helper functions.
- Instead of representing the Bootstrap Token as a plain `string`, there is now a wrapper struct `BootstrapTokenString` that can marshal/unmarshal correctly and supports validation on create, and splitting up the full token in the ID/Secret parts automatically.
- Makes kubeadm support multiple Bootstrap Tokens automatically by supporting a slice of `BootstrapToken` in the `MasterConfiguration` API object
- Consolidates the place for kubeadm to create token-related flags in an `options` package
- Supports automatic conversion from the `v1alpha1` to `v1alpha2` API
- Adds support to set token expiration directly instead of setting a TTL (Expiration and TTL are mutually exclusive)
- Removes the old `TokenDiscovery` struct we're not using anymore inside of kubeadm
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Related to https://github.com/kubernetes/community/pull/2131
**Special notes for your reviewer**:
This is work in progress. Please only review the first two commits for now.
I will work on splitting up this PR in smaller chunks.
I will also write unit tests tomorrow.
**Release note**:
```release-note
[action required] kubeadm: The Token-related fields in the `MasterConfiguration` object have now been refactored. Instead of the top-level `.Token`, `.TokenTTL`, `.TokenUsages`, `.TokenGroups` fields, there is now a `BootstrapTokens` slice of `BootstrapToken` objects that support the same features under the `.Token`, `.TTL`, `.Usages`, `.Groups` fields.
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @mattmoyer @liztio
Automatic merge from submit-queue (batch tested with PRs 64057, 63223, 64346, 64562, 64408). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
cloud node controller: improve error handling for node registration
**What this PR does / why we need it**:
Improves error handling for (external) node registration.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64057, 63223, 64346, 64562, 64408). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Deprecate the in-tree keystone plugin
**What this PR does / why we need it**:
We now have the `client-keystone-auth` in cloud-provider-openstack
repository:
https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-client-keystone-auth.md
So let's drop the in-tree one, so we can remove it in 1.12
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
in-tree support for openstack credentials is now deprecated. please use the "client-keystone-auth" from the cloud-provider-openstack repository. details on how to use this new capability is documented here - https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-client-keystone-auth.md
```
Automatic merge from submit-queue (batch tested with PRs 64057, 63223, 64346, 64562, 64408). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Schedule DaemonSet Pods in scheduler.
Signed-off-by: Da K. Ma <klaus1982.cn@gmail.com>
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
part of #59194
**Special notes for your reviewer**:
**Release note**:
```release-note
`ScheduleDaemonSetPods` is an alpha feature (since v1.11) that causes DaemonSet Pods
to be scheduler by default scheduler, instead of Daemonset controller. When it is enabled,
the `NodeAffinity` term (instead of `.spec.nodeName`) is added to the DaemonSet Pods;
this enables the default scheduler to bind the Pod to the target host. If node affinity
of DaemonSet Pod already exists, it will be replaced.
DaemonSet controller will only perform these operations when creating DaemonSet Pods;
and those operations will only modify the Pods of DaemonSet, no changes are made to the
`.spec.template` of DaemonSet.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix formatAndMount func issue on Windows
**What this PR does / why we need it**:
disk format code is missing in formatAndMount func on Windows, currently it only has mount related code:
b87a392b1a/pkg/util/mount/mount_windows.go (L356-L377)
format code is now here, which is not correct(invoked in `azuredisk.WaitForAttach` operation, it's not correct, these code should be in `formatAndMount` func and invoked by `MountDevice` operation finally)
b87a392b1a/pkg/volume/azure_dd/azure_common_windows.go (L100-L117)
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#63236
**Special notes for your reviewer**:
This is the first PR, in second PR, I will remove disk format code in azure_common_windows.go
b87a392b1a/pkg/volume/azure_dd/azure_common_windows.go (L100-L117)
Also need to mention that there would not be issue if following command invoked twice(by `WaitForAttach` and `formatAndMount`)
```
Get-Disk -Number 4 | Where partitionstyle -eq 'raw' | Initialize-Disk -PartitionStyle MBR -PassThru | New-Partition -AssignDriveLetter -UseMaximumSize | Format-Volume -FileSystem ntfs -Confirm:$false
```
**Release note**:
```
fix formatAndMount func issue on Windows
```
/sig windows
/assign @rootfs
cc @msau42
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix Windows CNI for the sandbox case
**What this PR does / why we need it**:
Windows supports both sandbox and non-sandbox cases. The non-sandbox
case is for Windows Server 2016 and for Windows Server version greater
than 1709 which use Hyper-V containers.
Currently, the CNI on Windows fetches the IP from the containers
within the pods regardless of the mode. This should be done only
in the non-sandbox mode where the IP of the actual container
will be different than the IP of the sandbox container.
In the case where the sandbox container is supported, all the containers
from the same pod will share the network details of the sandbox container.
This patch updates the CNI to fetch the IP from the sandbox container
when this mode is supported.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#64188
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
We avoid deepcopies in the codec/conversion stack by re-using data structures.
This means that the out object of a conversion must be deepcopied before mutation
in order to not mutate the in object as well.
This guarantees that e.g. runtime.Encode (which uses conversion from internal -> versioned)
does not mutate the input. This would be highly unexpected (and we do not mention possible
mutation of the input for runtime.Encode).
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add PST to main SECURITY_CONTACTS as formality
Add the Product Security Team as the security contacts for the main
repository and they can use the OWNERS files in each subsystem/dir to find
the correct owners.
cc @liggitt @cjcullen @tallclair @philips
```release-note
NONE
```
closes#64265
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
Kubernetes Submit Queue