Automatic merge from submit-queue
Add metric for remaining lifetime of certificates authenticating requests
fixes#50778
When incoming requests to the API server are authenticated by a certificate, the expiration of the certificate can affect the validity of the authentication. With auto rotation of certificates, which is starting with kubelet certificates, the goal is to use shorter lifetimes and let the kubelet renew the certificate as desired. Monitoring certificates which are approaching expiration and not renewing would be an early warning sign that nodes are about to stop participating in the cluster.
**Release note**:
```release-note
Add new Prometheus metric that monitors the remaining lifetime of certificates used to authenticate requests to the API server.
```
The current error message prints a pointer value rather than the actual
type, which is really not useful.
e.g.:
```
unknown transport type: &{0xc42044a7b0 0xc4208d6dc0}
unknown transport type: *gcp.conditionalTransport
```
Automatic merge from submit-queue (batch tested with PRs 50758, 48057)
continue fix the typo in staging file
**What this PR does / why we need it**:
in kubernetes has left two place to modify the word of explicit,thanks
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#50680
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49115, 47480)
Upgrade advanced audit to version v1beta1
This change does nothing but only upgrades advanced audit to version v1beta1.
There will be following up changes which does real effect to advanced audit feature.
After this change audit policy file should contain apiVersion and kind and has such format:
```
apiVersion: audit.k8s.io/v1alpha1
kind: Policy
rules:
- level: None
```
or use the v1beta1 policy:
```
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
- level: None
```
Updates #48561
**Release note**:
```
Upgrade advanced audit to version v1beta1.
```
Automatic merge from submit-queue (batch tested with PRs 50711, 50742, 50204)
Move List (the type) into metav1 but preserve the exposed type
Make a list something that other components can use without depending on the core API. This does not change the public API exposure of `List` (it is still in `v1`) but makes the interface common across both.
Automatic merge from submit-queue (batch tested with PRs 50023, 50639)
Extend SetHeader Requests method ito accept multiple values
This allows to set headers that are multivalued directly.
The headers variable is not directly accessible and currently
SetHeaders allows to set only one value.
```release-note
NONE
```
Automatic merge from submit-queue
advanced audit: shutdown batching audit webhook gracefully
Follow-up of https://github.com/kubernetes/kubernetes/pull/50439
When the `stopCh` passed to the batching audit webhook is closed, it stops accepting new events and when `Shutdown` method is called afterwards, it blocks until the last request to the webhook has finished.
/cc @tallclair @soltysh
Automatic merge from submit-queue
FeatureGate: update comments
The godoc - https://godoc.org/k8s.io/apiserver/pkg/util/feature - does not contain descriptions of the functions. This PR adds them.
**Release note**:
```release-note
NONE
```
/cc @sttts
Automatic merge from submit-queue
Cleanup DaemonSet templateGeneration
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49336
**Special notes for your reviewer**:
/cc @janetkuo @foxish
~~Depends on #49071~~ (Merged)
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 49129, 50436, 50417, 50553, 47587)
add validation for fed-apiserver and apiserver run options
**What this PR does / why we need it**:
Add validation for fed-apiserver and apiserver run options
**Which issue this PR fixes**
fixes#50552
**Special notes for your reviewer**:
This is a follow-up of #50135
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49129, 50436, 50417, 50553, 47587)
Fix Type Taint comment
**What this PR does / why we need it**:
remvoe redundant words in Type `Taint`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
/assign @k82cn
**Release note**:
```release-note
None
```
This allows to set headers that are multivalued directly.
The headers variable is not directly accessible and currently
SetHeaders allows to set only one value.
Signed-off-by: Simo Sorce <simo@redhat.com>
Automatic merge from submit-queue
codegen: skip generation of informers and listers on resources with missing verbs
This patch will prevent generation of listers and informers for resources that does not implement the required verbs (list, get, watch). Currently informers and listers are generated for those resources which cause a compilation failure.
Automatic merge from submit-queue (batch tested with PRs 47034, 50329)
RawExtension unmarshal will produce empty objects if the original object was nil #50323
**What this PR does / why we need it**:
marshaled nil objects will be unmarshaled as nil objects instead of a byte array "null", which better represents the original object before marshaling
fixes#50323
@kubernetes/sig-api-machinery-bugs
Automatic merge from submit-queue (batch tested with PRs 47724, 49984, 49785, 49803, 49618)
Fix conflict about getPortByIp
**What this PR does / why we need it**:
Currently getPortByIp() get port of instance only based on IP.
If there are two instances in diffent network and the CIDR of
their subnet are same, getPortByIp() will be conflict.
My PR gets port based on IP and Name of instance.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fix#43909
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Enable caching successful token authentication
Resolves#50472
To support revocation of service account tokens, an etcd lookup of the token and service account is done by the token authenticator. Controllers that make dozens or hundreds of API calls per second (like the endpoints controller) cause this lookup to be done very frequently on the same objects.
This PR:
* Implements a cached token authenticator that conforms to the authenticator.Token interface
* Implements a union token authenticator (same approach as the union request authenticator, conforming to the authenticator.Token interface)
* Cleans up the auth chain construction to group all token authenticators (means we only do bearer and websocket header parsing once)
* Adds a 10-second TTL cache to successful token authentication
```release-note
API server authentication now caches successful bearer token authentication results for a few seconds.
```
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Manage BUILD files using gazelle + kazel
**What this PR does / why we need it**: uses the upstream `gazelle` tool to manage go rules in BUILD files.
This is needed to support Bazel builds on Mac OS and Bazel cross compilation in general.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47558
**Special notes for your reviewer**:
It's probably easiest to review this commit-by-commit:
* bump to latest `rules_go` (for recent `cgo_library` and `gazelle` improvements)
* update `kazel` with recent compatibility fixes (https://github.com/kubernetes/repo-infra/pull/28, https://github.com/kubernetes/repo-infra/pull/27), update `hack` scripts to download/build `gazelle`, and then run both `gazelle` and `kazel`. (Additionally make `gazelle` skip things it shouldn't touch.)
* run `hack/update-bazel.sh` to autogenerate everything
* remove the old `cgo_genrule` rules - these are now part of `go_library`
* remove the `automanaged` tags from all go rules - `gazelle` doesn't use them, and it prevents an old version of `kazel/gazel` from messing with the rules
* remove the `licenses()` rules from everywhere but `third_party/` - we don't need them, and `gazelle` won't add them on new `BUILD` files it generates.
**Release note**:
```release-note
NONE
```
for review:
/assign @mikedanese @spxtr
for approval:
/assign @thockin
Automatic merge from submit-queue
validate kube-apiserver options
**What this PR does / why we need it**:
Create Validate() or add more checks in existing Validate() for the following files:
* vendor/k8s.io/apiextensions-apiserver/pkg/cmd/server/start.go:80
* vendor/k8s.io/kube-aggregator/pkg/cmd/server/start.go:104
* vendor/k8s.io/sample-apiserver/pkg/cmd/server/start.go:82
* cmd/kube-apiserver/app/options/validation.go:49
**Which issue this PR fixes**:
fixes#50301
**Special notes for your reviewer**:
This PR follows #50135
**Release note**:
```release-note
NONE
```
When incoming requests to the API server are authenticated by a
certificate, the expiration of the certificate can affect the validity
of the authentication. With auto rotation of certificates, which is
starting with kubelet certificates, the goal is to use shorter lifetimes
and let the kubelet renew the certificate as desired. Monitoring
certificates which are approaching expiration and not renewing would be
an early warning sign that nodes are about to stop participating in the
cluster.
