Automatic merge from submit-queue (batch tested with PRs 53747, 54528, 55279, 55251, 55311). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update podtolerations admission to mutate and validate separately
Updates the podtolerations admission plugin to mutate and validate separately. This also fixes the bug where the toleration whitelist isn't respected for memory pressure.
```release-note-action-required
The `node.kubernetes.io/memory-pressure` taint now respects the configured whitelist. If you need to use it, you'll have to add it to the whitelist.
```
Automatic merge from submit-queue (batch tested with PRs 53273, 55058, 55237, 50140). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
split some admission plugins into mutation and validation halves
Splits the podnodeselector, serviceaccount, and priority admission plugins into validating and mutating admission plugins.
@kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
admission: wire through validating-only admission
Based on https://github.com/kubernetes/kubernetes/pull/54232.
This is important and required for beta because it affects the shape of the webhook admission plugins that are going to be produced and is needed to make sure that our existing chain continues to properly verify and protect the API objects based on their final state after webhook admission mutators run.
We discussed this in the October 11 API machinery call with @erictune and @caesarxuchao and we agreed to do this as a requirement for beta. See this part of the recording: https://www.youtube.com/watch?v=mrgDPHyr4VY#t=325 .
Automatic merge from submit-queue (batch tested with PRs 54800, 53898, 54812, 54921, 53558). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Allow override of cluster level (default, whitelist) tolerations by namespace level empty (default, whitelist) tolerations.
Currently In PodTolerationRestriction admission plugin, if namespace level default and whitelist of tolerations are nil or empty, they do not override cluster level default and whitelist tolerations.
This PR fixes the plugin to not override cluster level tolerations only when namespace level toleration are nil. IOW, if namespace level toleration are empty, they override cluster level tolerations. To be more clear, if following annotations are set to empty, they override cluster level tolerations.
```
scheduler.alpha.kubernetes.io/defaultTolerations : ""
scheduler.alpha.kubernetes.io/tolerationsWhitelist: ""
```
This behavior is inline with PodNodeSelector admission plugin too.
@sjenning @derekwaynecarr
**Release Note**:
```release-note
In PodTolerationRestriction admisson plugin, if namespace level tolerations are empty, now they override cluster level tolerations.
```
Automatic merge from submit-queue (batch tested with PRs 54761, 54748, 53991, 54485, 46951). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
admission: unify plugin constructors
It's common in Go to return the actual object in constructors, not **one interface**
it implements. This allows us to implement multiple interfaces, but only have
one constructor. As having private types in constructors, we export all plugin structs, of course with private fields.
Note: super interfaces do not work if there are overlapping methods.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update wrong group for priorityclasses
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#54690
**Special notes for your reviewer**:
assgin @bsalamat
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 53760, 48996, 51267, 54414). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update admission webhook to handle multiple auth domains
Fixes https://github.com/kubernetes/kubernetes/issues/54404
Adds some wiring to have the admission plugin accept a config file for per-apiserver configuration.
@kubernetes/sig-auth-api-reviews @deads2k @ericchiang @liggitt in particular
@kubernetes/sig-api-machinery-pr-reviews @lavalamp @caesarxuchao @sttts @cheftako
```release-note
generic webhook admission now takes a config file which describes how to authenticate to webhook servers
```
Automatic merge from submit-queue (batch tested with PRs 54363, 54333). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Ensure port on resolved service host
The resolved host should include a port so it can be used by dialers directly. It's also not necessary to reparse the URL when constructing directly.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 52792, 48963). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix range for min value in imagepolicy admission
**What this PR does / why we need it**:
This makes the range for imagepolicy admission work properly. Currently if we specify `1s` for the value of `AllowTTL` or `DenyTTL` in the configuration yaml, we get a message like the following:
```
Error: failed to initialize plugins: Couldn't init admission plugin "ImagePolicyWebhook": valid value is between 1s and 30m0s, got 1s
```
This is due to a wrong comparison which is fixed in this PR. The rest of the PR just adds tests for this behaviour.
Automatic merge from submit-queue (batch tested with PRs 51310, 51458, 47636). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove useless allocation of map
This one-element map is only used for checking api. Remove it and
simplify the code.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49305, 54158). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix error print for admission test
**What this PR does / why we need it**:
fix error print to make them easy to inspect.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
NONE
**Special notes for your reviewer**:
NONE
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
allow fail close webhook admission
Webhook admission needs to allow failing closed. Even in an alpha state, I don't want to be one DDOS away from having an exposed cluster.
/assign caesarxuchao
/assign sttts
Automatic merge from submit-queue (batch tested with PRs 47717, 53896). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
decode admission responses into a fresh object
Something about the way the admission request object is built causes decoding into back into it to fail with
```
W1013 14:10:42.457423 2960 admission.go:185] rejected by webhook namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations &{%!t(string=namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations) %!t(*errors.errorString=&{reflect.Value.Addr of unaddressable value})}: failed calling admission webhook "namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations": reflect.Value.Addr of unaddressable value
```
This simply creates a fresh object to decode into, which works fine for our usage and makes it possible to actually have the webhook call out to something.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
pkg/api: extract Scheme/Registry/Codecs into pkg/api/legacyscheme
This serves as
- a preparation for the pkg/api->pkg/apis/core move
- and makes the dependency to the scheme explicit when vizualizing
left depenncies.
The later helps with our our efforts to split up the monolithic repo
into self-contained sub-repos, e.g. for kubectl, controller-manager
and kube-apiserver in the future.
Automatic merge from submit-queue (batch tested with PRs 54030, 54041). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix admission webhook test failure in go1.9
**What this PR does / why we need it**:
Go 1.9 has some better checks for SAN extensions, notably:
630e93ed2d
We recently added ServerName to the rest client TLSConfig:
186a0684d5 (diff-eb3573c6b11347dc3793c477726480efR262)
So we need to be sure that the ServerName "webhook-test.default.svc" is
present in the certificates that we generate."
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#54020
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Go 1.9 has some better checks for SAN extensions, notably:
630e93ed2d
We recently added ServerName to the rest client TLSConfig:
186a0684d5 (diff-eb3573c6b11347dc3793c477726480efR262)
So we need to be sure that the ServerName "webhook-test.default.svc" is
present in the certificates that we generate."
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
removes k8s.io/kubernetes/pkg/api dependency from the webhook plugin.
**What this PR does / why we need it**: removes `k8s.io/kubernetes/pkg/api` dependency from `webhook` plugin. The runtime.scheme can be injected to the webhook from the plugin initializer.
**Release note**:
```
NONE
```
