* Allow aggregate-to-edit roles to get jobs status
Right now users/accounts with role `admin` or `edit` can create, update and delete jobs, but are not allowed to pull the status of a job that they create. This change extends `aggregate-to-edit` rules to include `jobs/status`.
* Move jobs/status to aggregate-to-view rules
* Add aggregate-to-view policy to view PVCs status
* Update fixtures to include new read permissions
* Add more status subresources
* Update cluster-roles.yaml
* Re-order deployment permissions
* Run go fmt
* Add more permissions
* Fix tests
* Re-order permissions in test data
* Automatically update yamls
add startup sequence duration and readyz endpoint
add rbac bootstrapping policy for readyz
add integration test around grace period and readyz
rename startup sequence duration flag
copy health checks to fields
rename health-check installed boolean, refactor clock injection logic
cleanup clock injection code
remove todo about poststarthook url registration from healthz
At times, for some reason endpoint/service creation can fail in a setup. As we
currently create endpoint/service after volume creation, later we need rollback
of this volume transaction if endpoint/service creation failed. Considering
endpoint/service creation is light weight, this patch promote endpoint/service
creation to an early stage.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
promote TokenRequest and projection to beta in 1.12
```release-note
TokenRequest and TokenRequestProjection are now beta features. To enable these feature, the API server needs to be started with the following flags:
* --service-account-issuer
* --service-account-signing-key-file
* --service-account-api-audiences
```
This extends the Kubelet to create and periodically update leases in a
new kube-node-lease namespace. Based on [KEP-0009](https://github.com/kubernetes/community/blob/master/keps/sig-node/0009-node-heartbeat.md),
these leases can be used as a node health signal, and will allow us to
reduce the load caused by over-frequent node status reporting.
- add NodeLease feature gate
- add kube-node-lease system namespace for node leases
- add Kubelet option for lease duration
- add Kubelet-internal lease controller to create and update lease
- add e2e test for NodeLease feature
- modify node authorizer and node restriction admission controller
to allow Kubelets access to corresponding leases
Automatic merge from submit-queue (batch tested with PRs 65254, 64837, 64782, 64555, 64850). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Short-circuit node authorizer graph edges for mirror pods
When building the graph of resources allowed to a node by a given pod, short-circuit adding edges to other resources for mirror pods. A node must never be able to create a pod that grants them permissions on other API objects. The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth.
/assign @tallclair
/sig auth
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63624, 59847). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
explicit kubelet config key in Node.Spec.ConfigSource.ConfigMap
This makes the Kubelet config key in the ConfigMap an explicit part of
the API, so we can stop using magic key names.
As part of this change, we are retiring ConfigMapRef for ConfigMap.
```release-note
You must now specify Node.Spec.ConfigSource.ConfigMap.KubeletConfigKey when using dynamic Kubelet config to tell the Kubelet which key of the ConfigMap identifies its config file.
```
This makes the Kubelet config key in the ConfigMap an explicit part of
the API, so we can stop using magic key names.
As part of this change, we are retiring ConfigMapRef for ConfigMap.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
sync code from copy destination
**What this PR does / why we need it**:
sync code from copy destination
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60890, 63244, 60741, 63254). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Indicate clusterrolebinding, rolebinding subjects are optional fields
**What this PR does / why we need it**: With this PR, clusterrolebinding and rolebinding subjects are marked optional instead of required. Currently we cannot create clusterrolebinding and rolebinding with subjects are empty using `kubectl create/apply/replace -f`.
```
$ kubectl create rolebinding test --clusterrole view
rolebinding "test" created
$ kubectl get rolebinding test -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: 2018-03-02T06:58:16Z
name: test
namespace: default
resourceVersion: "5606612"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/test
uid: 155c5c29-1de7-11e8-9f6f-fa163ec89f2a
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects: null
$ kubectl get rolebinding test -o yaml | kubectl replace -f -
error: error validating "STDIN": error validating data: ValidationError(RoleBinding): missing required field "subjects" in io.k8s.api.rbac.v1.RoleBinding; if you choose to ignore these errors, turn validation off with --validate=false
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**: This is a same issue with https://github.com/kubernetes/kubernetes/issues/59403. /cc @liggitt
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62590, 62818, 63015, 62922, 63000). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
authz: nodes should not be able to delete themselves
@kubernetes/sig-auth-pr-reviews
```release-note
kubelets are no longer allowed to delete their own Node API object. Prior to 1.11, in rare circumstances related to cloudprovider node ID changes, kubelets would attempt to delete/recreate their Node object at startup. If a legacy kubelet encounters this situation, a cluster admin can remove the Node object:
* `kubectl delete node/<nodeName>`
or grant self-deletion permission explicitly:
* `kubectl create clusterrole self-deleting-nodes --verb=delete --resource=nodes`
* `kubectl create clusterrolebinding self-deleting-nodes --clusterrole=self-deleting-nodes --group=system:nodes`
```
After K8s 1.10 is upgraded to K8s 1.11 finalizer [kubernetes.io/pvc-protection] is added to PVCs
because StorageObjectInUseProtection feature will be GA in K8s 1.11.
However, when K8s 1.11 is downgraded to K8s 1.10 and the StorageObjectInUseProtection feature is disabled
the finalizers remain in the PVCs and as pvc-protection-controller is not started in K8s 1.10 finalizers
are not removed automatically from deleted PVCs and that's why deleted PVC are not removed from the system
but remain in Terminating phase.
The same applies to pv-protection-controller and [kubernetes.io/pvc-protection] finalizer in PVs.
That's why pvc-protection-controller is always started because the pvc-protection-controller removes finalizers
from PVCs automatically when a PVC is not in active use by a pod.
Also the pv-protection-controller is always started to remove finalizers from PVs automatically when a PV is not
Bound to a PVC.
Related issue: https://github.com/kubernetes/kubernetes/issues/60764
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add statefulset scaling permission to admins, editors, and viewers
StatefulSets are missing scale permissions, so users can't scale them.
```release-note
fix permissions to allow statefulset scaling for admins, editors, and viewers
```
