Bump k8s.io deps

Signed-off-by: Luca Comellini <luca.com@gmail.com>

vendor/k8s.io/apiserver/pkg/audit/context.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"sync"
 
+	"k8s.io/apimachinery/pkg/types"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/klog/v2"
@@ -28,38 +29,31 @@ import (
 // The key type is unexported to prevent collisions
 type key int
 
-const (
-	// auditAnnotationsKey is the context key for the audit annotations.
-	// TODO: consolidate all audit info under the AuditContext, rather than storing 3 separate keys.
-	auditAnnotationsKey key = iota
+// auditKey is the context key for storing the audit context that is being
+// captured and the evaluated policy that applies to the given request.
+const auditKey key = iota
 
-	// auditKey is the context key for storing the audit event that is being
-	// captured and the evaluated policy that applies to the given request.
-	auditKey
+// AuditContext holds the information for constructing the audit events for the current request.
+type AuditContext struct {
+	// RequestAuditConfig is the audit configuration that applies to the request
+	RequestAuditConfig RequestAuditConfig
 
-	// auditAnnotationsMutexKey is the context key for the audit annotations mutex.
-	auditAnnotationsMutexKey
-)
+	// Event is the audit Event object that is being captured to be written in
+	// the API audit log. It is set to nil when the request is not being audited.
+	Event *auditinternal.Event
 
-// annotations = *[]annotation instead of a map to preserve order of insertions
-type annotation struct {
-	key, value string
+	// annotations holds audit annotations that are recorded before the event has been initialized.
+	// This is represented as a slice rather than a map to preserve order.
+	annotations []annotation
+	// annotationMutex guards annotations AND event.Annotations
+	annotationMutex sync.Mutex
+
+	// auditID is the Audit ID associated with this request.
+	auditID types.UID
 }
 
-// WithAuditAnnotations returns a new context that can store audit annotations
-// via the AddAuditAnnotation function.  This function is meant to be called from
-// an early request handler to allow all later layers to set audit annotations.
-// This is required to support flows where handlers that come before WithAudit
-// (such as WithAuthentication) wish to set audit annotations.
-func WithAuditAnnotations(parent context.Context) context.Context {
-	// this should never really happen, but prevent double registration of this slice
-	if _, ok := parent.Value(auditAnnotationsKey).(*[]annotation); ok {
-		return parent
-	}
-	parent = withAuditAnnotationsMutex(parent)
-
-	var annotations []annotation // avoid allocations until we actually need it
-	return genericapirequest.WithValue(parent, auditAnnotationsKey, &annotations)
+type annotation struct {
+	key, value string
 }
 
 // AddAuditAnnotation sets the audit annotation for the given key, value pair.
@@ -70,102 +64,79 @@ func WithAuditAnnotations(parent context.Context) context.Context {
 // Handlers that are unaware of their position in the overall request flow should
 // prefer AddAuditAnnotation over LogAnnotation to avoid dropping annotations.
 func AddAuditAnnotation(ctx context.Context, key, value string) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}
 
-	mutex.Lock()
-	defer mutex.Unlock()
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()
 
-	ae := AuditEventFrom(ctx)
-	var ctxAnnotations *[]annotation
-	if ae == nil {
-		ctxAnnotations, _ = ctx.Value(auditAnnotationsKey).(*[]annotation)
-	}
-
-	addAuditAnnotationLocked(ae, ctxAnnotations, key, value)
+	addAuditAnnotationLocked(ac, key, value)
 }
 
 // AddAuditAnnotations is a bulk version of AddAuditAnnotation. Refer to AddAuditAnnotation for
 // restrictions on when this can be called.
 // keysAndValues are the key-value pairs to add, and must have an even number of items.
 func AddAuditAnnotations(ctx context.Context, keysAndValues ...string) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}
 
-	mutex.Lock()
-	defer mutex.Unlock()
-
-	ae := AuditEventFrom(ctx)
-	var ctxAnnotations *[]annotation
-	if ae == nil {
-		ctxAnnotations, _ = ctx.Value(auditAnnotationsKey).(*[]annotation)
-	}
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()
 
 	if len(keysAndValues)%2 != 0 {
 		klog.Errorf("Dropping mismatched audit annotation %q", keysAndValues[len(keysAndValues)-1])
 	}
 	for i := 0; i < len(keysAndValues); i += 2 {
-		addAuditAnnotationLocked(ae, ctxAnnotations, keysAndValues[i], keysAndValues[i+1])
+		addAuditAnnotationLocked(ac, keysAndValues[i], keysAndValues[i+1])
 	}
 }
 
 // AddAuditAnnotationsMap is a bulk version of AddAuditAnnotation. Refer to AddAuditAnnotation for
 // restrictions on when this can be called.
 func AddAuditAnnotationsMap(ctx context.Context, annotations map[string]string) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}
 
-	mutex.Lock()
-	defer mutex.Unlock()
-
-	ae := AuditEventFrom(ctx)
-	var ctxAnnotations *[]annotation
-	if ae == nil {
-		ctxAnnotations, _ = ctx.Value(auditAnnotationsKey).(*[]annotation)
-	}
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()
 
 	for k, v := range annotations {
-		addAuditAnnotationLocked(ae, ctxAnnotations, k, v)
+		addAuditAnnotationLocked(ac, k, v)
 	}
 }
 
 // addAuditAnnotationLocked is the shared code for recording an audit annotation. This method should
 // only be called while the auditAnnotationsMutex is locked.
-func addAuditAnnotationLocked(ae *auditinternal.Event, annotations *[]annotation, key, value string) {
-	if ae != nil {
-		logAnnotation(ae, key, value)
-	} else if annotations != nil {
-		*annotations = append(*annotations, annotation{key: key, value: value})
+func addAuditAnnotationLocked(ac *AuditContext, key, value string) {
+	if ac.Event != nil {
+		logAnnotation(ac.Event, key, value)
+	} else {
+		ac.annotations = append(ac.annotations, annotation{key: key, value: value})
 	}
 }
 
 // This is private to prevent reads/write to the slice from outside of this package.
 // The audit event should be directly read to get access to the annotations.
 func addAuditAnnotationsFrom(ctx context.Context, ev *auditinternal.Event) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}
 
-	mutex.Lock()
-	defer mutex.Unlock()
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()
 
-	annotations, ok := ctx.Value(auditAnnotationsKey).(*[]annotation)
-	if !ok {
-		return // no annotations to copy
-	}
-
-	for _, kv := range *annotations {
+	for _, kv := range ac.annotations {
 		logAnnotation(ev, kv.key, kv.value)
 	}
 }
@@ -185,12 +156,13 @@ func logAnnotation(ae *auditinternal.Event, key, value string) {
 	ae.Annotations[key] = value
 }
 
-// WithAuditContext returns a new context that stores the pair of the audit
-// configuration object that applies to the given request and
-// the audit event that is going to be written to the API audit log.
-func WithAuditContext(parent context.Context, ev *AuditContext) context.Context {
-	parent = withAuditAnnotationsMutex(parent)
-	return genericapirequest.WithValue(parent, auditKey, ev)
+// WithAuditContext returns a new context that stores the AuditContext.
+func WithAuditContext(parent context.Context) context.Context {
+	if AuditContextFrom(parent) != nil {
+		return parent // Avoid double registering.
+	}
+
+	return genericapirequest.WithValue(parent, auditKey, &AuditContext{})
 }
 
 // AuditEventFrom returns the audit event struct on the ctx
@@ -209,17 +181,46 @@ func AuditContextFrom(ctx context.Context) *AuditContext {
 	return ev
 }
 
-// WithAuditAnnotationMutex adds a mutex for guarding context.AddAuditAnnotation.
-func withAuditAnnotationsMutex(parent context.Context) context.Context {
-	if _, ok := parent.Value(auditAnnotationsMutexKey).(*sync.Mutex); ok {
-		return parent
+// WithAuditID sets the AuditID on the AuditContext. The AuditContext must already be present in the
+// request context. If the specified auditID is empty, no value is set.
+func WithAuditID(ctx context.Context, auditID types.UID) {
+	if auditID == "" {
+		return
+	}
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
+		return
+	}
+	ac.auditID = auditID
+	if ac.Event != nil {
+		ac.Event.AuditID = auditID
 	}
-	var mutex sync.Mutex
-	return genericapirequest.WithValue(parent, auditAnnotationsMutexKey, &mutex)
 }
 
-// AuditAnnotationsMutex returns the audit annotations mutex from the context.
-func auditAnnotationsMutex(ctx context.Context) (*sync.Mutex, bool) {
-	mutex, ok := ctx.Value(auditAnnotationsMutexKey).(*sync.Mutex)
-	return mutex, ok
+// AuditIDFrom returns the value of the audit ID from the request context.
+func AuditIDFrom(ctx context.Context) (types.UID, bool) {
+	if ac := AuditContextFrom(ctx); ac != nil {
+		return ac.auditID, ac.auditID != ""
+	}
+	return "", false
+}
+
+// GetAuditIDTruncated returns the audit ID (truncated) from the request context.
+// If the length of the Audit-ID value exceeds the limit, we truncate it to keep
+// the first N (maxAuditIDLength) characters.
+// This is intended to be used in logging only.
+func GetAuditIDTruncated(ctx context.Context) string {
+	auditID, ok := AuditIDFrom(ctx)
+	if !ok {
+		return ""
+	}
+
+	// if the user has specified a very long audit ID then we will use the first N characters
+	// Note: assuming Audit-ID header is in ASCII
+	const maxAuditIDLength = 64
+	if len(auditID) > maxAuditIDLength {
+		auditID = auditID[:maxAuditIDLength]
+	}
+
+	return string(auditID)
 }

vendor/k8s.io/apiserver/pkg/audit/evaluator.go

@@ -21,18 +21,6 @@ import (
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 )
 
-// AuditContext is a pair of the audit configuration object that applies to
-// a given request and the audit Event object that is being captured.
-// It's a convenient placeholder to store both these objects in the request context.
-type AuditContext struct {
-	// RequestAuditConfig is the audit configuration that applies to the request
-	RequestAuditConfig RequestAuditConfig
-
-	// Event is the audit Event object that is being captured to be written in
-	// the API audit log. It is set to nil when the request is not being audited.
-	Event *audit.Event
-}
-
 // RequestAuditConfig is the evaluated audit configuration that is applicable to
 // a given request. PolicyRuleEvaluator evaluates the audit policy against the
 // authorizer attributes and returns a RequestAuditConfig that applies to the request.

vendor/k8s.io/apiserver/pkg/audit/request.go

@@ -21,7 +21,6 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"reflect"
 	"time"
 
 	authnv1 "k8s.io/api/authentication/v1"
@@ -34,7 +33,6 @@ import (
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
-	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/klog/v2"
 
 	"github.com/google/uuid"
@@ -54,7 +52,7 @@ func NewEventFromRequest(req *http.Request, requestReceivedTimestamp time.Time,
 		Level:                    level,
 	}
 
-	auditID, found := request.AuditIDFrom(req.Context())
+	auditID, found := AuditIDFrom(req.Context())
 	if !found {
 		auditID = types.UID(uuid.New().String())
 	}
@@ -154,7 +152,7 @@ func LogRequestObject(ctx context.Context, obj runtime.Object, objGV schema.Grou
 	if shouldOmitManagedFields(ctx) {
 		copy, ok, err := copyWithoutManagedFields(obj)
 		if err != nil {
-			klog.Warningf("error while dropping managed fields from the request for %q error: %v", reflect.TypeOf(obj).Name(), err)
+			klog.ErrorS(err, "Error while dropping managed fields from the request", "auditID", ae.AuditID)
 		}
 		if ok {
 			obj = copy
@@ -166,7 +164,7 @@ func LogRequestObject(ctx context.Context, obj runtime.Object, objGV schema.Grou
 	ae.RequestObject, err = encodeObject(obj, objGV, s)
 	if err != nil {
 		// TODO(audit): add error slice to audit event struct
-		klog.Warningf("Auditing failed of %v request: %v", reflect.TypeOf(obj).Name(), err)
+		klog.ErrorS(err, "Encoding failed of request object", "auditID", ae.AuditID, "gvr", gvr.String(), "obj", obj)
 		return
 	}
 }
@@ -209,7 +207,7 @@ func LogResponseObject(ctx context.Context, obj runtime.Object, gv schema.GroupV
 	if shouldOmitManagedFields(ctx) {
 		copy, ok, err := copyWithoutManagedFields(obj)
 		if err != nil {
-			klog.Warningf("error while dropping managed fields from the response for %q error: %v", reflect.TypeOf(obj).Name(), err)
+			klog.ErrorS(err, "Error while dropping managed fields from the response", "auditID", ae.AuditID)
 		}
 		if ok {
 			obj = copy
@@ -220,7 +218,7 @@ func LogResponseObject(ctx context.Context, obj runtime.Object, gv schema.GroupV
 	var err error
 	ae.ResponseObject, err = encodeObject(obj, gv, s)
 	if err != nil {
-		klog.Warningf("Audit failed for %q response: %v", reflect.TypeOf(obj).Name(), err)
+		klog.ErrorS(err, "Encoding failed of response object", "auditID", ae.AuditID, "obj", obj)
 	}
 }
 

vendor/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go

@@ -62,7 +62,8 @@ const (
 var (
 	deprecatedRequestGauge = compbasemetrics.NewGaugeVec(
 		&compbasemetrics.GaugeOpts{
-			Name:           "apiserver_requested_deprecated_apis",
+			Subsystem:      APIServerComponent,
+			Name:           "requested_deprecated_apis",
 			Help:           "Gauge of deprecated APIs that have been requested, broken out by API group, version, resource, subresource, and removed_release.",
 			StabilityLevel: compbasemetrics.STABLE,
 		},
@@ -73,7 +74,8 @@ var (
 	// the upstream library supports it.
 	requestCounter = compbasemetrics.NewCounterVec(
 		&compbasemetrics.CounterOpts{
-			Name:           "apiserver_request_total",
+			Subsystem:      APIServerComponent,
+			Name:           "request_total",
 			Help:           "Counter of apiserver requests broken out for each verb, dry run value, group, version, resource, scope, component, and HTTP response code.",
 			StabilityLevel: compbasemetrics.STABLE,
 		},
@@ -81,7 +83,8 @@ var (
 	)
 	longRunningRequestsGauge = compbasemetrics.NewGaugeVec(
 		&compbasemetrics.GaugeOpts{
-			Name:           "apiserver_longrunning_requests",
+			Subsystem:      APIServerComponent,
+			Name:           "longrunning_requests",
 			Help:           "Gauge of all active long-running apiserver requests broken out by verb, group, version, resource, scope and component. Not all requests are tracked this way.",
 			StabilityLevel: compbasemetrics.STABLE,
 		},
@@ -89,8 +92,9 @@ var (
 	)
 	requestLatencies = compbasemetrics.NewHistogramVec(
 		&compbasemetrics.HistogramOpts{
-			Name: "apiserver_request_duration_seconds",
-			Help: "Response latency distribution in seconds for each verb, dry run value, group, version, resource, subresource, scope and component.",
+			Subsystem: APIServerComponent,
+			Name:      "request_duration_seconds",
+			Help:      "Response latency distribution in seconds for each verb, dry run value, group, version, resource, subresource, scope and component.",
 			// This metric is used for verifying api call latencies SLO,
 			// as well as tracking regressions in this aspects.
 			// Thus we customize buckets significantly, to empower both usecases.
@@ -102,8 +106,24 @@ var (
 	)
 	requestSloLatencies = compbasemetrics.NewHistogramVec(
 		&compbasemetrics.HistogramOpts{
-			Name: "apiserver_request_slo_duration_seconds",
-			Help: "Response latency distribution (not counting webhook duration) in seconds for each verb, group, version, resource, subresource, scope and component.",
+			Subsystem: APIServerComponent,
+			Name:      "request_slo_duration_seconds",
+			Help:      "Response latency distribution (not counting webhook duration) in seconds for each verb, group, version, resource, subresource, scope and component.",
+			// This metric is supplementary to the requestLatencies metric.
+			// It measures request duration excluding webhooks as they are mostly
+			// dependant on user configuration.
+			Buckets: []float64{0.05, 0.1, 0.2, 0.4, 0.6, 0.8, 1.0, 1.25, 1.5, 2, 3,
+				4, 5, 6, 8, 10, 15, 20, 30, 45, 60},
+			StabilityLevel:    compbasemetrics.ALPHA,
+			DeprecatedVersion: "1.27.0",
+		},
+		[]string{"verb", "group", "version", "resource", "subresource", "scope", "component"},
+	)
+	requestSliLatencies = compbasemetrics.NewHistogramVec(
+		&compbasemetrics.HistogramOpts{
+			Subsystem: APIServerComponent,
+			Name:      "request_sli_duration_seconds",
+			Help:      "Response latency distribution (not counting webhook duration) in seconds for each verb, group, version, resource, subresource, scope and component.",
 			// This metric is supplementary to the requestLatencies metric.
 			// It measures request duration excluding webhooks as they are mostly
 			// dependant on user configuration.
@@ -128,8 +148,9 @@ var (
 	)
 	responseSizes = compbasemetrics.NewHistogramVec(
 		&compbasemetrics.HistogramOpts{
-			Name: "apiserver_response_sizes",
-			Help: "Response size distribution in bytes for each group, version, verb, resource, subresource, scope and component.",
+			Subsystem: APIServerComponent,
+			Name:      "response_sizes",
+			Help:      "Response size distribution in bytes for each group, version, verb, resource, subresource, scope and component.",
 			// Use buckets ranging from 1000 bytes (1KB) to 10^9 bytes (1GB).
 			Buckets:        compbasemetrics.ExponentialBuckets(1000, 10.0, 7),
 			StabilityLevel: compbasemetrics.STABLE,
@@ -139,14 +160,16 @@ var (
 	// TLSHandshakeErrors is a number of requests dropped with 'TLS handshake error from' error
 	TLSHandshakeErrors = compbasemetrics.NewCounter(
 		&compbasemetrics.CounterOpts{
-			Name:           "apiserver_tls_handshake_errors_total",
+			Subsystem:      APIServerComponent,
+			Name:           "tls_handshake_errors_total",
 			Help:           "Number of requests dropped with 'TLS handshake error from' error",
 			StabilityLevel: compbasemetrics.ALPHA,
 		},
 	)
 	WatchEvents = compbasemetrics.NewCounterVec(
 		&compbasemetrics.CounterOpts{
-			Name:           "apiserver_watch_events_total",
+			Subsystem:      APIServerComponent,
+			Name:           "watch_events_total",
 			Help:           "Number of events sent in watch clients",
 			StabilityLevel: compbasemetrics.ALPHA,
 		},
@@ -154,7 +177,8 @@ var (
 	)
 	WatchEventsSizes = compbasemetrics.NewHistogramVec(
 		&compbasemetrics.HistogramOpts{
-			Name:           "apiserver_watch_events_sizes",
+			Subsystem:      APIServerComponent,
+			Name:           "watch_events_sizes",
 			Help:           "Watch event size distribution in bytes",
 			Buckets:        compbasemetrics.ExponentialBuckets(1024, 2.0, 8), // 1K, 2K, 4K, 8K, ..., 128K.
 			StabilityLevel: compbasemetrics.ALPHA,
@@ -165,7 +189,8 @@ var (
 	// it reports maximal usage during the last second.
 	currentInflightRequests = compbasemetrics.NewGaugeVec(
 		&compbasemetrics.GaugeOpts{
-			Name:           "apiserver_current_inflight_requests",
+			Subsystem:      APIServerComponent,
+			Name:           "current_inflight_requests",
 			Help:           "Maximal number of currently used inflight request limit of this apiserver per request kind in last second.",
 			StabilityLevel: compbasemetrics.STABLE,
 		},
@@ -173,7 +198,8 @@ var (
 	)
 	currentInqueueRequests = compbasemetrics.NewGaugeVec(
 		&compbasemetrics.GaugeOpts{
-			Name:           "apiserver_current_inqueue_requests",
+			Subsystem:      APIServerComponent,
+			Name:           "current_inqueue_requests",
 			Help:           "Maximal number of queued requests in this apiserver per request kind in last second.",
 			StabilityLevel: compbasemetrics.ALPHA,
 		},
@@ -182,7 +208,8 @@ var (
 
 	requestTerminationsTotal = compbasemetrics.NewCounterVec(
 		&compbasemetrics.CounterOpts{
-			Name:           "apiserver_request_terminations_total",
+			Subsystem:      APIServerComponent,
+			Name:           "request_terminations_total",
 			Help:           "Number of requests which apiserver terminated in self-defense.",
 			StabilityLevel: compbasemetrics.ALPHA,
 		},
@@ -191,7 +218,8 @@ var (
 
 	apiSelfRequestCounter = compbasemetrics.NewCounterVec(
 		&compbasemetrics.CounterOpts{
-			Name:           "apiserver_selfrequest_total",
+			Subsystem:      APIServerComponent,
+			Name:           "selfrequest_total",
 			Help:           "Counter of apiserver self-requests broken out for each verb, API resource and subresource.",
 			StabilityLevel: compbasemetrics.ALPHA,
 		},
@@ -200,7 +228,8 @@ var (
 
 	requestFilterDuration = compbasemetrics.NewHistogramVec(
 		&compbasemetrics.HistogramOpts{
-			Name:           "apiserver_request_filter_duration_seconds",
+			Subsystem:      APIServerComponent,
+			Name:           "request_filter_duration_seconds",
 			Help:           "Request filter latency distribution in seconds, for each filter type",
 			Buckets:        []float64{0.0001, 0.0003, 0.001, 0.003, 0.01, 0.03, 0.1, 0.3, 1.0, 5.0},
 			StabilityLevel: compbasemetrics.ALPHA,
@@ -211,7 +240,8 @@ var (
 	// requestAbortsTotal is a number of aborted requests with http.ErrAbortHandler
 	requestAbortsTotal = compbasemetrics.NewCounterVec(
 		&compbasemetrics.CounterOpts{
-			Name:           "apiserver_request_aborts_total",
+			Subsystem:      APIServerComponent,
+			Name:           "request_aborts_total",
 			Help:           "Number of requests which apiserver aborted possibly due to a timeout, for each group, version, verb, resource, subresource and scope",
 			StabilityLevel: compbasemetrics.ALPHA,
 		},
@@ -231,7 +261,8 @@ var (
 	//    within the wait threshold.
 	requestPostTimeoutTotal = compbasemetrics.NewCounterVec(
 		&compbasemetrics.CounterOpts{
-			Name:           "apiserver_request_post_timeout_total",
+			Subsystem:      APIServerComponent,
+			Name:           "request_post_timeout_total",
 			Help:           "Tracks the activity of the request handlers after the associated requests have been timed out by the apiserver",
 			StabilityLevel: compbasemetrics.ALPHA,
 		},
@@ -240,7 +271,8 @@ var (
 
 	requestTimestampComparisonDuration = compbasemetrics.NewHistogramVec(
 		&compbasemetrics.HistogramOpts{
-			Name:           "apiserver_request_timestamp_comparison_time",
+			Subsystem:      APIServerComponent,
+			Name:           "request_timestamp_comparison_time",
 			Help:           "Time taken for comparison of old vs new objects in UPDATE or PATCH requests",
 			Buckets:        []float64{0.0001, 0.0003, 0.001, 0.003, 0.01, 0.03, 0.1, 0.3, 1.0, 5.0},
 			StabilityLevel: compbasemetrics.ALPHA,
@@ -256,6 +288,7 @@ var (
 		longRunningRequestsGauge,
 		requestLatencies,
 		requestSloLatencies,
+		requestSliLatencies,
 		fieldValidationRequestLatencies,
 		responseSizes,
 		TLSHandshakeErrors,
@@ -502,8 +535,9 @@ func MonitorRequest(req *http.Request, verb, group, version, resource, subresour
 	fieldValidationRequestLatencies.WithContext(req.Context()).WithLabelValues(fieldValidation, fieldValidationEnabled)
 
 	if wd, ok := request.LatencyTrackersFrom(req.Context()); ok {
-		sloLatency := elapsedSeconds - (wd.MutatingWebhookTracker.GetLatency() + wd.ValidatingWebhookTracker.GetLatency()).Seconds()
-		requestSloLatencies.WithContext(req.Context()).WithLabelValues(reportedVerb, group, version, resource, subresource, scope, component).Observe(sloLatency)
+		sliLatency := elapsedSeconds - (wd.MutatingWebhookTracker.GetLatency() + wd.ValidatingWebhookTracker.GetLatency()).Seconds()
+		requestSloLatencies.WithContext(req.Context()).WithLabelValues(reportedVerb, group, version, resource, subresource, scope, component).Observe(sliLatency)
+		requestSliLatencies.WithContext(req.Context()).WithLabelValues(reportedVerb, group, version, resource, subresource, scope, component).Observe(sliLatency)
 	}
 	// We are only interested in response sizes of read requests.
 	if verb == "GET" || verb == "LIST" {
@@ -548,6 +582,20 @@ func InstrumentHandlerFunc(verb, group, version, resource, subresource, scope, c
 	}
 }
 
+// NormalizedVerb returns normalized verb
+func NormalizedVerb(req *http.Request) string {
+	verb := req.Method
+	if requestInfo, ok := request.RequestInfoFrom(req.Context()); ok {
+		// If we can find a requestInfo, we can get a scope, and then
+		// we can convert GETs to LISTs when needed.
+		scope := CleanScope(requestInfo)
+		verb = CanonicalVerb(strings.ToUpper(verb), scope)
+	}
+
+	// mark APPLY requests and WATCH requests correctly.
+	return CleanVerb(verb, req)
+}
+
 // CleanScope returns the scope of the request.
 func CleanScope(requestInfo *request.RequestInfo) string {
 	if requestInfo.Name != "" || requestInfo.Verb == "create" {
@@ -588,7 +636,7 @@ func CleanVerb(verb string, request *http.Request) string {
 	if verb == "WATCHLIST" {
 		reportedVerb = "WATCH"
 	}
-	if verb == "PATCH" && request.Header.Get("Content-Type") == string(types.ApplyPatchType) && utilfeature.DefaultFeatureGate.Enabled(features.ServerSideApply) {
+	if verb == "PATCH" && request.Header.Get("Content-Type") == string(types.ApplyPatchType) {
 		reportedVerb = "APPLY"
 	}
 	return reportedVerb

vendor/k8s.io/apiserver/pkg/endpoints/request/auditid.go

@@ -1,65 +0,0 @@
-/*
-Copyright 2021 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package request
-
-import (
-	"context"
-
-	"k8s.io/apimachinery/pkg/types"
-)
-
-type auditIDKeyType int
-
-// auditIDKey is the key to associate the Audit-ID value of a request.
-const auditIDKey auditIDKeyType = iota
-
-// WithAuditID returns a copy of the parent context into which the Audit-ID
-// associated with the request is set.
-//
-// If the specified auditID is empty, no value is set and the parent context is returned as is.
-func WithAuditID(parent context.Context, auditID types.UID) context.Context {
-	if auditID == "" {
-		return parent
-	}
-	return WithValue(parent, auditIDKey, auditID)
-}
-
-// AuditIDFrom returns the value of the audit ID from the request context.
-func AuditIDFrom(ctx context.Context) (types.UID, bool) {
-	auditID, ok := ctx.Value(auditIDKey).(types.UID)
-	return auditID, ok
-}
-
-// GetAuditIDTruncated returns the audit ID (truncated) from the request context.
-// If the length of the Audit-ID value exceeds the limit, we truncate it to keep
-// the first N (maxAuditIDLength) characters.
-// This is intended to be used in logging only.
-func GetAuditIDTruncated(ctx context.Context) string {
-	auditID, ok := AuditIDFrom(ctx)
-	if !ok {
-		return ""
-	}
-
-	// if the user has specified a very long audit ID then we will use the first N characters
-	// Note: assuming Audit-ID header is in ASCII
-	const maxAuditIDLength = 64
-	if len(auditID) > maxAuditIDLength {
-		auditID = auditID[0:maxAuditIDLength]
-	}
-
-	return string(auditID)
-}

vendor/k8s.io/apiserver/pkg/features/kube_features.go

@@ -35,6 +35,13 @@ const (
 	// of code conflicts because changes are more likely to be scattered
 	// across the file.
 
+	// owner: @jefftree @alexzielenski
+	// alpha: v1.26
+	//
+	// Enables an single HTTP endpoint /discovery/<version> which supports native HTTP
+	// caching with ETags containing all APIResources known to the apiserver.
+	AggregatedDiscoveryEndpoint featuregate.Feature = "AggregatedDiscoveryEndpoint"
+
 	// owner: @smarterclayton
 	// alpha: v1.8
 	// beta: v1.9
@@ -81,8 +88,15 @@ const (
 	// audited.
 	AdvancedAuditing featuregate.Feature = "AdvancedAuditing"
 
+	// owner: @cici37 @jpbetz
+	// kep: http://kep.k8s.io/3488
+	// alpha: v1.26
+	//
+	// Enables expression validation in Admission Control
+	ValidatingAdmissionPolicy featuregate.Feature = "ValidatingAdmissionPolicy"
+
 	// owner: @cici37
-	// kep: http://kep.k8s.io/2876
+	// kep: https://kep.k8s.io/2876
 	// alpha: v1.23
 	// beta: v1.25
 	//
@@ -108,14 +122,14 @@ const (
 	EfficientWatchResumption featuregate.Feature = "EfficientWatchResumption"
 
 	// owner: @aramase
-	// kep: http://kep.k8s.io/3299
+	// kep: https://kep.k8s.io/3299
 	// alpha: v1.25
 	//
 	// Enables KMS v2 API for encryption at rest.
 	KMSv2 featuregate.Feature = "KMSv2"
 
 	// owner: @jiahuif
-	// kep: http://kep.k8s.io/2887
+	// kep: https://kep.k8s.io/2887
 	// alpha: v1.23
 	// beta: v1.24
 	//
@@ -124,7 +138,7 @@ const (
 	OpenAPIEnums featuregate.Feature = "OpenAPIEnums"
 
 	// owner: @jefftree
-	// kep: http://kep.k8s.io/2896
+	// kep: https://kep.k8s.io/2896
 	// alpha: v1.23
 	// beta: v1.24
 	//
@@ -156,7 +170,7 @@ const (
 	ServerSideApply featuregate.Feature = "ServerSideApply"
 
 	// owner: @kevindelgado
-	// kep: http://kep.k8s.io/2885
+	// kep: https://kep.k8s.io/2885
 	// alpha: v1.23
 	// beta: v1.24
 	//
@@ -194,21 +208,25 @@ func init() {
 // To add a new feature, define a key for it above and add it here. The features will be
 // available throughout Kubernetes binaries.
 var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
+	AggregatedDiscoveryEndpoint: {Default: false, PreRelease: featuregate.Alpha},
+
 	APIListChunking: {Default: true, PreRelease: featuregate.Beta},
 
 	APIPriorityAndFairness: {Default: true, PreRelease: featuregate.Beta},
 
 	APIResponseCompression: {Default: true, PreRelease: featuregate.Beta},
 
-	APIServerIdentity: {Default: false, PreRelease: featuregate.Alpha},
+	APIServerIdentity: {Default: true, PreRelease: featuregate.Beta},
 
 	APIServerTracing: {Default: false, PreRelease: featuregate.Alpha},
 
 	AdvancedAuditing: {Default: true, PreRelease: featuregate.GA},
 
+	ValidatingAdmissionPolicy: {Default: false, PreRelease: featuregate.Alpha},
+
 	CustomResourceValidationExpressions: {Default: true, PreRelease: featuregate.Beta},
 
-	DryRun: {Default: true, PreRelease: featuregate.GA},
+	DryRun: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
 
 	EfficientWatchResumption: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 
@@ -222,7 +240,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 
 	RemoveSelfLink: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 
-	ServerSideApply: {Default: true, PreRelease: featuregate.GA},
+	ServerSideApply: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29
 
 	ServerSideFieldValidation: {Default: true, PreRelease: featuregate.Beta},
 

vendor/k8s.io/apiserver/pkg/server/httplog/httplog.go

@@ -27,6 +27,7 @@ import (
 	"sync"
 	"time"
 
+	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/endpoints/metrics"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/endpoints/responsewriter"
@@ -59,7 +60,7 @@ type respLogger struct {
 	statusRecorded bool
 	status         int
 	statusStack    string
-	// mutex is used when accessing addedInfo and addedKeyValuePairs.
+	// mutex is used when accessing addedInfo, addedKeyValuePairs and logStacktracePred.
 	// They can be modified by other goroutine when logging happens (in case of request timeout)
 	mutex              sync.Mutex
 	addedInfo          strings.Builder
@@ -181,6 +182,8 @@ func Unlogged(req *http.Request, w http.ResponseWriter) http.ResponseWriter {
 // StacktraceWhen sets the stacktrace logging predicate, which decides when to log a stacktrace.
 // There's a default, so you don't need to call this unless you don't like the default.
 func (rl *respLogger) StacktraceWhen(pred StacktracePred) *respLogger {
+	rl.mutex.Lock()
+	defer rl.mutex.Unlock()
 	rl.logStacktracePred = pred
 	return rl
 }
@@ -239,17 +242,8 @@ func SetStacktracePredicate(ctx context.Context, pred StacktracePred) {
 // Log is intended to be called once at the end of your request handler, via defer
 func (rl *respLogger) Log() {
 	latency := time.Since(rl.startTime)
-	auditID := request.GetAuditIDTruncated(rl.req.Context())
-
-	verb := rl.req.Method
-	if requestInfo, ok := request.RequestInfoFrom(rl.req.Context()); ok {
-		// If we can find a requestInfo, we can get a scope, and then
-		// we can convert GETs to LISTs when needed.
-		scope := metrics.CleanScope(requestInfo)
-		verb = metrics.CanonicalVerb(strings.ToUpper(verb), scope)
-	}
-	// mark APPLY requests and WATCH requests correctly.
-	verb = metrics.CleanVerb(verb, rl.req)
+	auditID := audit.GetAuditIDTruncated(rl.req.Context())
+	verb := metrics.NormalizedVerb(rl.req)
 
 	keysAndValues := []interface{}{
 		"verb", verb,
@@ -316,6 +310,8 @@ func (rl *respLogger) Hijack() (net.Conn, *bufio.ReadWriter, error) {
 }
 
 func (rl *respLogger) recordStatus(status int) {
+	rl.mutex.Lock()
+	defer rl.mutex.Unlock()
 	rl.status = status
 	rl.statusRecorded = true
 	if rl.logStacktracePred(status) {