Commit Graph

10808 Commits

Author SHA1 Message Date
Lili Cosic
5c70f0a99c apiextensions/examples: remove unnecessary function
BuildConfigFromFlags function already calls the InClusterConfig()
function. The `--master` flag was added to clarify the log warning
message from within the `BuildConfigFromFlags` function.
2017-10-06 19:07:51 +02:00
Dr. Stefan Schimanski
ed586da147 apimachinery: remove Scheme.DeepCopy 2017-10-06 14:59:17 +02:00
Dr. Stefan Schimanski
19285b7357 apimachinery: remove Scheme.Copy 2017-10-06 14:24:05 +02:00
Kubernetes Submit Queue
5cc95fbf27 Merge pull request #53417 from crassirostris/audit-defaults
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Adjust defaults of audit webhook backends

This PR:

- increases the default buffer size to contain at least on the order of magnitude audit events than it's possible to have simultaneous requests (500 AFAIR)
- increase the default batch size. From our load tests .95 size of the log entry is under 2.5KB, therefore 400 entries will sum up to ~1MB request, which sounds reasonable
- increase the initial backoff size. AFAIU, if the initial value is zero, all retries will be used in under 15 seconds (with 0.2 jitter and 1.5 factor), while the backend or a proxy can be unavailable for some reason for 30 seconds and more.
- add throttling to the batching audit webhook

A PR to make these parameters configurable will follow up

@hzxuzhonghu implemented throttling part of this PR

```release-note
Adjust batching audit webhook default parameters: increase queue size, batch size, and initial backoff.
Add throttling to the batching audit webhook. Default rate limit is 10 QPS.
```

/cc @sttts @tallclair @CaoShuFeng @ericchiang @piosz
2017-10-06 05:03:32 -07:00
Dr. Stefan Schimanski
60a0eb260c Update generated files 2017-10-06 12:36:51 +02:00
Dr. Stefan Schimanski
a65232008d client-gen: stratify main.go
Remove double flag parsing and prepare for being instantiated inside a multi-generator process.
2017-10-06 10:48:05 +02:00
Dr. Stefan Schimanski
c1062de2ff code-generator: unify generator main.go files 2017-10-06 10:48:05 +02:00
Janet Kuo
ad9f9c277f Remove deprecated const from apps/v1beta2 and apps/v1 2017-10-05 15:01:52 -07:00
Janet Kuo
fd48a4a895 Autogen 2017-10-05 15:01:52 -07:00
Mik Vyatskov
6bce120a11 Add throttling to the batching audit webhook
Signed-off-by: Mik Vyatskov <vmik@google.com>
2017-10-05 23:19:45 +02:00
Mik Vyatskov
5f4ff9f283 Adjust defaults of audit webhook backends
Signed-off-by: Mik Vyatskov <vmik@google.com>
2017-10-05 23:18:55 +02:00
Jacob Simpson
415c4d2c3a Move certificate manager to client. 2017-10-05 12:54:38 -07:00
Janet Kuo
9813a5278f Add API version apps/v1
Add a new API version apps/v1.
apps/v1 has a copy of apps/v1beta2.DaemonSet API.
2017-10-05 10:43:11 -07:00
Kubernetes Submit Queue
b0eb7d884d Merge pull request #53443 from liggitt/psp-allow-escalation
Automatic merge from submit-queue (batch tested with PRs 53454, 53446, 52935, 53443, 52917). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Use pointer for PSP allow escalation

Fixes #53437 

The `AllowPrivilegeEscalation` field was added to PodSpec and PodSecurityPolicySpec in 1.8.0.

In order to remain compatible with pre-1.8.0 behavior, PodSecurityPolicy objects created against a previous release must not restrict this field, which means the field must default to true in PodSecurityPolicySpec. However, the field was added as a `bool`, not a `*bool`, which means that no defaulting is possible.

We have two options:
1. Require all pre-existing PodSecurityPolicy objects that intend to allow privileged permissions to update to set this new field to true
2. Change the field to a `*bool` and default it to true.

This PR does the latter. With this change, we have the following behavior:

A 1.8.1+ client/server now has three ways to serialize:
* `nil` values are dropped from serialization (because `omitempty`), which is interpreted correctly by other 1.8.1+ clients/servers, and is interpreted as false by 1.8.0
* `false` values are serialized and interpreted correctly by all clients/servers
* `true` values are serialized and interpreted correctly by all clients/servers

A 1.8.0 client/server has two ways to serialize:
* `false` values are dropped from serialization (because `omitempty`), which is interpreted as `false` by other 1.8.0 clients/servers, but as `nil` (and therefore defaulting to true) by 1.8.1+ clients/servers
* `true` values are serialized and interpreted correctly by all clients/servers

The primary concern is the 1.8.0 server dropping the `false` value from serialization, but I consider the compatibility break with pre-1.8 behavior to be more severe, especially if we can resolve the regression in an immediate point release.

```release-note
PodSecurityPolicy: Fixes a compatibility issue that caused policies that previously allowed privileged pods to start forbidding them, due to an incorrect default value for `allowPrivilegeEscalation`. PodSecurityPolicy objects defined using a 1.8.0 client or server that intended to set `allowPrivilegeEscalation` to `false` must be reapplied after upgrading to 1.8.1.
```
2017-10-05 05:06:30 -07:00
Kubernetes Submit Queue
e9a0b157d5 Merge pull request #53345 from ncdc/crd-add-fieldSelector-support
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Support field selectors for CRDs

Signed-off-by: Andy Goldstein <andy.goldstein@gmail.com>



**What this PR does / why we need it**: allow field selectors to be used with custom resources

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #51046, fixes #49424

**Special notes for your reviewer**:

**Release note**:

```release-note
Custom resources served through CustomResourceDefinition now support field selectors for `metadata.name` and `metadata.namespace`.
```
2017-10-04 11:47:43 -07:00
Jordan Liggitt
bed6d0f5ea Use pointer for PSP allow escalation 2017-10-04 13:55:06 -04:00
Dr. Stefan Schimanski
96b596133a Update generated files 2017-10-04 16:53:13 +02:00
Dr. Stefan Schimanski
abfb658d76 sample-apiserver: port to k8s.io/code-generator/generate-internal-groups.sh 2017-10-04 16:53:13 +02:00
Dr. Stefan Schimanski
cba2c0967f code-generator: turn hack/update-codegen.sh into re-usable generate-{internal,}-groups.sh scripts 2017-10-04 16:53:12 +02:00
Dr. Stefan Schimanski
8a98063eab code-generator: rename _test to _examples 2017-10-04 16:53:12 +02:00
Kubernetes Submit Queue
8e30314c95 Merge pull request #53394 from p0lyn0mial/cleanup_kubeapi_admission_initializer
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

removes Authorizer and ExternalClientSet from kubeapiserver's admissi…

**What this PR does / why we need it**:
removes Authorizer and ExternalClientSet from kubeapiserver's admission initializer.


**Release note**:

```
NONE
```
2017-10-04 07:50:35 -07:00
Andy Goldstein
74b4db2489 Update bazel
Signed-off-by: Andy Goldstein <andy.goldstein@gmail.com>
2017-10-04 09:32:05 -04:00
Kubernetes Submit Queue
c746bd3c8a Merge pull request #53355 from mikedanese/satnam
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

stop assigning satnam reviews

we should automate this.
2017-10-03 23:05:52 -07:00
Kubernetes Submit Queue
029ed12b33 Merge pull request #49205 from dixudx/fix_api_type_typos
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fix some typos in api/types

**What this PR does / why we need it**:
Fix some typos in api/types

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #53420

**Special notes for your reviewer**:

**Release note**:

```release-note
None
```
2017-10-03 20:17:43 -07:00
Ryan Roden-Corrent
53939c4433 Improve explanation of ReplicaSet.
"ReplicaSet represents the configuration of a ReplicaSet" does not tell
you much. I took the explanation from
https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#when-to-use-a-replicaset
2017-10-03 16:22:12 -04:00
Kubernetes Submit Queue
413cf643f9 Merge pull request #52512 from apelisse/truncate-body
Automatic merge from submit-queue (batch tested with PRs 53135, 52512, 48339). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

client-go: Truncate printed body based on Verbosity level

**What this PR does / why we need it**: If log verbosity is above 8, it will print the full request and response body. These might be very big (especially when downloading the openapi), and it takes multiple seconds just to print it ... Truncates the printing of that body if the level is less than 10.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: Vaguely related to #52089

**Special notes for your reviewer**:

**Release note**:
```release-note
NONE
```
2017-10-03 13:08:15 -07:00
Andy Goldstein
2ff87307c2 Support field selectors for CRDs
Signed-off-by: Andy Goldstein <andy.goldstein@gmail.com>
2017-10-03 15:22:10 -04:00
p0lyn0mial
6b1f1d1414 removes Authorizer and ExternalClientSet from kubeapiserver's admission initializer. 2017-10-03 18:08:30 +02:00
Kubernetes Submit Queue
9dd4cf7964 Merge pull request #52860 from liggitt/feature-gate-lock
Automatic merge from submit-queue (batch tested with PRs 51765, 53053, 52771, 52860, 53284). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Make feature gate enablement checks lock-free

Since we almost never write to this object after initial creation (basically, just in tests or during API server startup), this is a good candidate for the ["read mostly"](https://golang.org/pkg/sync/atomic/#example_Value_readMostly) pattern which leaves the reads lock-free
2017-10-03 09:02:39 -07:00
Kubernetes Submit Queue
5dfea9e609 Merge pull request #51765 from mitake/etcd3-compaction
Automatic merge from submit-queue (batch tested with PRs 51765, 53053, 52771, 52860, 53284). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add an option for turning on/off compaction from apiserver in etcd3 mode

…erver

**What this PR does / why we need it**:

This commit adds an option for controlling request of compaction to
etcd3 from apiserver. There is a situation that apiserver cannot fully
own its etcd cluster (e.g. sharing it with canal). In such a case,
apiserver should have limited access in terms of etcd's auth
functionality so it doesn't have a privilege to issue compaction
requests. It means that the compaction requests should be issued by
other component and apiserver's compaction requests are needless.

For such use cases, this commit adds a new flag
storagebackend.Config.DoCompaction. If the flag is true (default),
apiserver issues the compaction requests like current behaviour. If it
is false, apiserver doesn't issue the requests.

**Related issue (etcd)**
https://github.com/coreos/etcd/issues/8458
/cc @xiang90 @struz

**Release note:**
```release-note
Add --etcd-compaction-interval to apiserver for controlling request of compaction to etcd3 from apiserver.
```
2017-10-03 09:02:30 -07:00
Kubernetes Submit Queue
028ee090f6 Merge pull request #49393 from hongchaodeng/etcd_update
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

etcd: update version to 3.1.10

ref: https://github.com/kubernetes/kubernetes/issues/49386

Need image pushed:
```
gcr.io/google_containers/etcd:3.1.10
```
2017-10-02 23:29:51 -07:00
Mike Danese
9de1d1f577 stop assigning satnam reviews 2017-10-02 18:12:15 -07:00
Kubernetes Submit Queue
e7518d8aa3 Merge pull request #50555 from atlassian/fix-error-handling-from-index-funcs
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

threadSafeMap: panic if index function call fails

**Which issue this PR fixes**
Fixes #43605

**Release note**:
```release-note
NONE
```
/kind bug
/sig api-machinery
2017-10-02 14:17:12 -07:00
Hongchao Deng
39e5a56691 etcd: update version to 3.1.10 2017-10-02 12:27:46 -07:00
p0lyn0mial
475493ced6 moved admission interfaces WantsClientCert, WantsAuthorizer and WantsExternalKubeClientSet to apiserver 2017-10-01 15:03:08 +02:00
Kubernetes Submit Queue
bb035a2854 Merge pull request #49705 from atlassian/rbuf
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Ring buffer for shared informer notifications

**What this PR does / why we need it**:
Improves memory allocation for shared informer listeners. Instead of always appending to the slice, use it as a ring buffer, avoiding reslice operations as long as there is room in the slice. See https://github.com/kubernetes/kubernetes/pull/47045#issuecomment-317621259 for details. This is a follow up PR for #47045.

Results from BenchmarkListener:
```
Current code (from the #47045):
1000000	      1540 ns/op	     109 B/op	       1 allocs/op
```
```
New code:
1000000	      1162 ns/op	      16 B/op	       1 allocs/op
```

**Special notes for your reviewer**:
Only review the last commit, this branch is based on #47045 PR. I'll rebase onto master once it is merged.

**Release note**:

```release-note
NONE
```
/kind enhancement
/sig api-machinery
/cc @deads2k @ncdc
2017-09-29 22:10:55 -07:00
Mikhail Mazurskiy
65369a68a1 Panic on failure to calculate index key 2017-09-30 14:52:15 +10:00
Kubernetes Submit Queue
030e23306f Merge pull request #53187 from CaoShuFeng/sample-apiserver-example
Automatic merge from submit-queue (batch tested with PRs 53263, 52967, 53262, 52654, 53187). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fix sample-apiserver artifacts

The example yaml file for sample-apiserver has some errors. Fix them.

**Release note**:
```
NONE
```
2017-09-29 13:37:34 -07:00
hzxuzhonghu
81d87466c8 rename test file name 2017-09-29 14:51:55 +08:00
hzxuzhonghu
b8100ceec3 remove unused filed 2017-09-29 14:44:13 +08:00
Kubernetes Submit Queue
f16ed167f7 Merge pull request #53019 from smarterclayton/register
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Endpoints can add a get or connect options type in their group

optionsExternalVersion is being used for shared types (meta.k8s.io). The
installer should first look in the current API group for GET and CONNECT
options objects before checking in `v1`.

OpenShift hit this while registering a new connect handler endpoint in an api group for an api that is aggregated. OpenShift should not be registering its API types into the core API group.
2017-09-28 19:08:22 -07:00
Kubernetes Submit Queue
ba4f5ced3c Merge pull request #53108 from brendandburns/created
Automatic merge from submit-queue (batch tested with PRs 50280, 52529, 53093, 53108, 53168). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add 201/Status to the list of returned objects.

**What this PR does / why we need it**:
Adds 201/202 to the list of codes/objects returned by `POST` and 201 to the list of codes returned by `PUT` requests in Swagger/OpenAPI

**Special notes for your reviewer**:
This helps fix 
https://github.com/kubernetes-client/csharp/issues/29

**Release note**:
```release-note
Adds 201/202 to the list of codes/objects returned by `POST` and 201 to the list of codes returned by `PUT` requests in Swagger/OpenAPI
```
2017-09-28 14:59:27 -07:00
Kubernetes Submit Queue
f369c1af59 Merge pull request #53177 from alrs/fix-client-go-record-swallowed-errors
Automatic merge from submit-queue (batch tested with PRs 49249, 53203, 53209, 53208, 53177). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

vendor/k8s.io/client-go/tools/record: Fix two swallowed errors in tests

**What this PR does / why we need it**: Fixes two dropped errors in client-go.

```release-note NONE
```
2017-09-28 14:02:23 -07:00
Brendan Burns
449082f55d Add 201/202 to the list of returned codes. 2017-09-28 12:25:39 -07:00
Kubernetes Submit Queue
208ae55f6d Merge pull request #51289 from p0lyn0mial/admission_options_default_plugins
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

exposes a method on AdmissionOptions

**What this PR does / why we need it**:
exposes a method on AdmissionOptions that will set default admission plugin names when none were provided from the command line.

**Release note**:

```
NONE
```
2017-09-28 06:13:12 -07:00
Cao Shufeng
42b443c51a fix sample-apiserver artifacts 2017-09-28 16:47:22 +08:00
Lars Lehtonen
b64a0a8f5a vendor/k8s.io/client-go/tools/record: Fix two swallowed errors in tests 2017-09-27 19:43:11 -07:00
Lars Lehtonen
1bdc657425 k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch: Fix swallowed errors in normalizeSliceOrder() 2017-09-27 19:16:49 -07:00
Lars Lehtonen
03db535f90 k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch: Fix swallowed errors in diffLists() 2017-09-27 19:16:10 -07:00
Kubernetes Submit Queue
e33dd983ed Merge pull request #52948 from smarterclayton/new_negotiate
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add a negotiate method media type for use in explicit contexts

There are more cases now where we want to negotiate from contexts where we have a media type but no request.
2017-09-27 10:51:44 -07:00