Automatic merge from submit-queue (batch tested with PRs 57082, 64325, 64016, 64443, 64403). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
services must listen on port 443 for aggregation
If a clusterIP service isn't listening on port 443, don't mark it as available.
@mfojtik you've got an issue, right?
@kubernetes/sig-api-machinery-bugs
/assign @sttts
/kind bug
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61803, 64305, 64170, 64361, 64339). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove some unnecessarily gendered pronouns in comments
**What this PR does / why we need it**:
A bunch of comments are unnecessarily gendered. I've changed them to gender-neutral they/theirs.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61803, 64305, 64170, 64361, 64339). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add TLS support to exec authenticator plugin
**What this PR does / why we need it**:
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/kubectl-exec-plugins.md#tls-client-certificate-support
Allows exec plugin to return raw TLS key/cert data. This data populates
transport.Config.TLS field.
This requires a change to AuthProvider interface to expose TLS configs,
not only RoundTripper.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61421
**Special notes for your reviewer**:
**Release note**:
```release-note
Exec authenticator plugin supports TLS client certificates.
```
Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix persist typo
I wonder this pr should pull to kubernetes/kubernetes or kubernetes/client-go ?
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Possible cipher suites values and tls versions in help for apiserver and kubelet
**What this PR does / why we need it**:
Addresses a suggestion made by @lavalamp to list the possible TLS cipher suites in the kubelet and apiserver helps: https://github.com/kubernetes/kubernetes/pull/48859#discussion_r162413223
**Which issue(s) this PR fixes**
NONE
**Special notes for your reviewer**:
This pull request only adds to the help message the possible values of the TLS Cipher suites for Kubelet and api server.
It is an addition to the already merged PR https://github.com/kubernetes/kubernetes/pull/48859
The help output looks like this:
```
--tls-cert-file string File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
--tls-cipher-suites strings Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be use. Possible values: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
--tls-min-version string Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
--tls-private-key-file string File containing the default x509 private key matching --tls-cert-file.
```
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add metadata to kubelet eviction event annotations
**What this PR does / why we need it**:
Add annotations to kubelet eviction events. Annotations include
"offending_containers" : comma-seperated list of containers.
"offending_containers_usage": comma-seperated list of usage.
"starved_resource": v1.ResourceName of the starved resource
**Special notes for your reviewer**:
Adding annotations to events required changing the `EventRecorder` interface to add a `AnnotatedEventf` function, which can add annotations to an event.
**Release note**:
```release-note
NONE
```
/assign @dchen1107
cc @mwielgus @schylek @kgrygiel
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
client-go: start fresh with owner file
After client-go's OWNER file has grown to 50ish many reviewers, It's time to start fresh and re-add those who really want to review. Please don't be shy to come forward if you want to stay on that list. I will re-add you.
Currently when LoopbackHostPort() is called with 0.0.0.0 and [::] it returns the first loopback
address returned from net.InterfaceAddrs() which is typically 127.0.0.1 (golang does not
specify an order that interfaces are returned). It would be more appropriate if when calling
LoopbackHostPort() with [::] that an IPv6 loopback address is returned, this prevents some cert.
generation failures.
Automatic merge from submit-queue (batch tested with PRs 64300, 64375). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
HandleError include the type of the error object
**What this PR does / why we need it**:
/kind feature
HandleError include the type of the error object
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#64244
**Special notes for your reviewer**:
/cc @MikeSpreitzer
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add conversion to properly parse query parameter propagationPolicy
**What this PR does / why we need it**:
This delete request query parameter has been broken for a year. I'm not sure if we want to deprecate the non-standard DeleteOptions body on delete request eventually.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#43329
**Special notes for your reviewer**:
**Release note**:
```release-note
API server properly parses propagationPolicy as a query parameter sent with a delete request
```
/sig api-machinery
Automatic merge from submit-queue (batch tested with PRs 64175, 63893). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Expose openapi schema to handlers
**What this PR does / why we need it**:
Build an openapi spec for each api resource handler. This spec will be able to be consumed by server-side apply and server-side openapi validation.
The reason for putting it into master is so we can work on implementing server side validation against the openapi spec as well as server side apply, and it will make merging the server side apply feature branch a smaller, less risky PR
/sig api-machinery
/kind feature
cc @liggitt @lavalamp @seans3 @mbohlool @apelisse
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61963, 64279, 64130, 64125, 64049). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make serverAddressByClientCIDRs in discovery API optional
**What this PR does / why we need it**:
See https://github.com/kubernetes/kubernetes/issues/61868
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61868
**Special notes for your reviewer**:
WIP: I'm having trouble updating swagger-spec using our update scripts. Thinking about removing swagger-spec from our code base as it has long passed deprecation. Sending this PR now to see the test results.
**Release note**:
```release-note
Property `serverAddressByClientCIDRs` in `metav1.APIGroup` (discovery API) now become optional instead of required
```
/sig api-machinery
Automatic merge from submit-queue (batch tested with PRs 63319, 64248, 64250, 63890, 64233). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
replace `__internal` with runtime.APIVersionInternal
**What this PR does / why we need it**:
Replace `__internal` with runtime.APIVersionInternal
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64060, 63904, 64218, 64208, 64247). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apimachinery: remove unused UnstructuredObjectConverter
This is not in apiextensions-apiserver for CR conversion.
Automatic merge from submit-queue (batch tested with PRs 64060, 63904, 64218, 64208, 64247). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
prevent zero for leader election timeouts
Add conditional checks for a stupid error that took me 20 minutes to find.
I don't see a reason to allow zero for any of the leader election tuning params
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64127, 63895, 64066, 64215, 64202). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix documentation of GA is in APIService's PriorityVersion and CRD's Versions
Explain what GA is in APIService's PriorityVersion and CRD's Versions.
ref #64136
```release-note
NONE
```
Add the Product Security Team as the security contacts for the main
repository and they can use the OWNERS files in each subsystem/dir to find
the correct owners.
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
