Automatic merge from submit-queue (batch tested with PRs 45070, 45821, 45732, 45494, 45789)
apiextesions-server integration tests: test multiple registration
**What this PR does / why we need it**:
Add integration test for Multiple registrations XREF: #45511
**Special notes for your reviewer**:
@deads2k my first plan was to submit one single PR for both tests but I'm facing one issue with resources deregistration. Get in touch via slack
Automatic merge from submit-queue
Uses container/heap for DelayingQueue
The current implementation of DelayingQueue doesn't perform very well when a large number of items (at random delays) are inserted. The original authors seemed to be aware of this and noted it in a `TODO` comment. This is my attempt at switching the implementation to use a priority queue based on `container/heap`.
Benchmarks from before the change:
```
╰─ go test -bench=. -benchmem | tee /tmp/before.txt
BenchmarkDelayingQueue_AddAfter-8 300000 256824 ns/op 520 B/op 3 allocs/op
PASS
ok k8s.io/kubernetes/staging/src/k8s.io/client-go/util/workqueue 77.237s
```
After:
```
╰─ go test -bench=. -benchmem | tee /tmp/after.txt
BenchmarkDelayingQueue_AddAfter-8 500000 3519 ns/op 406 B/op 4 allocs/op
PASS
ok k8s.io/kubernetes/staging/src/k8s.io/client-go/util/workqueue 2.969s
```
Comparison:
```
╰─ benchcmp /tmp/before.txt /tmp/after.txt
benchmark old ns/op new ns/op delta
BenchmarkDelayingQueue_AddAfter-8 256824 3519 -98.63%
benchmark old allocs new allocs delta
BenchmarkDelayingQueue_AddAfter-8 3 4 +33.33%
benchmark old bytes new bytes delta
BenchmarkDelayingQueue_AddAfter-8 520 406 -21.92%
```
I also find the `container/heap`-based code a bit more easy to understand. The implementation of the PriorityQueue is based on the documentation for `container/heap`.
Feedback definitely welcomed. This is one of my first contributions.
```release-note
NONE
```
Module remotecommand originally part of kubernetes/pkg/client/unversioned was moved
to client-go/tools, and will be used as authoritative in kubectl, e2e and other places.
Module remotecommand relies on util/exec module which will be copied to client-go/pkg/util
Automatic merge from submit-queue
kube-apiextensions-server: Fix potential SEGV with null delegate handler
**What this PR does / why we need it**:
In the kube-apiextensions-server there is a fallback value for `null` delegate to `http.NotFoundHandler()` in handling group and versions discovery, but no fallback for custom resources endpoint.
It leads to SEGV when running with `genericapiserver.EmptyDelegate`.
ApplyTo adds the admission chain to the server configuration the method lazily initializes a generic plugin
that is appended to the list of pluginInitializers.
apiserver.Config will hold an instance of SharedInformerFactory to ensure we only have once instance.
The field will be initialized in apisever.SecureServingOptions
The usecase of this change:
When a super user grant some RBAC permissions to a group, he can use
--as-group to test whether the group get the permissions.
Note that now we support as-groups, as-user-extra in kubeconfig file
after this change.
Automatic merge from submit-queue (batch tested with PRs 44748, 45692)
Limiting client go packages visibility, round 3
Continue the work in the merged PR https://github.com/kubernetes/kubernetes/pull/45258
These packages in client-go will be gone after #44065 is fixed:
pkg/api/helper, pkg/api/util, internal version of api groups, API install packages.
This PR removes the dependency on these packages and add bazel visibility rules to prevent relapse.
Automatic merge from submit-queue (batch tested with PRs 45623, 45241, 45460, 41162)
Promotes Source IP preservation for Virtual IPs from Beta to GA
Fixes#33625. Feature issue: kubernetes/features#27.
Bullet points:
- Declare 2 fields (ExternalTraffic and HealthCheckNodePort) that mirror the ESIPP annotations.
- ESIPP alpha annotations will be ignored.
- Existing ESIPP beta annotations will still be fully supported.
- Allow promoting beta annotations to first class fields or reversely.
- Disallow setting invalid ExternalTraffic and HealthCheckNodePort on services. Default ExternalTraffic field for nodePort or loadBalancer type service to "Global" if not set.
**Release note**:
```release-note
Promotes Source IP preservation for Virtual IPs to GA.
Two api fields are defined correspondingly:
- Service.Spec.ExternalTrafficPolicy <- 'service.beta.kubernetes.io/external-traffic' annotation.
- Service.Spec.HealthCheckNodePort <- 'service.beta.kubernetes.io/healthcheck-nodeport' annotation.
```
Automatic merge from submit-queue (batch tested with PRs 45623, 45241, 45460, 41162)
Replacing “Pod Injection Policy” with “Pod Preset” in the code documentation
**What this PR does / why we need it**:
Replacing the leftovers of the old term "Pod Injection Policy" with "Pod Preset" in the code documentation.
Automatic merge from submit-queue (batch tested with PRs 45571, 45657, 45638, 45663, 45622)
Added indexer description for the API of NewIndexerInformer.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
plumb stopch to post start hook index since many of them are starting go funcs
Many post-start hooks require a stop channel to properly terminate their go funcs.
@p0lyn0mial I think you need this for https://github.com/kubernetes/kubernetes/pull/45355 ptal.
@ncdc per request
@sttts can you review too since Andy is out?
change import of client-go/api/helper to kubernetes/api/helper
remove unnecessary use of client-go/api.registry
change use of client-go/pkg/util to kubernetes/pkg/util
remove dependency on client-go/pkg/apis/extensions
remove unnecessary invocation of k8s.io/client-go/extension/intsall
change use of k8s.io/client-go/pkg/apis/authentication to v1
Automatic merge from submit-queue
HTML escape apiserver errors to avoid triggering vulnerability scanners.
Simple XSS scans might fetch /<script>alert('vulnerable')</script>, and
fail when the response body includes the script tag verbatim, despite
the headers directing the browser to interpret the response as text.
This isn't a real vulnerability, but it's easier to fix this here than
it is to fix the scanners.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Remove mentioning insecure server (which is not supported anymore) from API server docs
**What this PR does / why we need it**:
Remove mentioning insecure serving from the docs, since only secure serving is supported now.
Automatic merge from submit-queue
apimachinery: NotRegisteredErr for known kinds not registered in target GV
Fixes the fall back to core v1 for *Options in the parameter encoder of the dynamic client.
The dynamic client uses NotRegisteredErr to fall back to core v1 if ListOptions is not known
in the given GV. This commit fixes the case that ListOptions is known in some group, but not
in the given one.
The dynamic client uses NotRegisteredErr to fall back to core v1 if ListOptions is not known
in the given GV. This commit fixes the case that ListOptions is known in some group, but not
in the given one.
Automatic merge from submit-queue (batch tested with PRs 45556, 45561, 45256)
add defaulting for customresources
This adds the promised defaulting for customresources. Namespaced by default, listkind=kind+List, singular=toLower(kind).
Automatic merge from submit-queue
add validation for customresourcedefintions
Add basic validation for customresource definitions.
@adohe if you had review bandwidth, this is a relatively small one.
Automatic merge from submit-queue (batch tested with PRs 45382, 45384, 44781, 45333, 45543)
Do roundtrip testing with external kinds in client-go TPR example
This tests that our serialization machinery works for TPR types, i.e. without internal counterpart and without generated code.
/cc @nilebox
Automatic merge from submit-queue (batch tested with PRs 45382, 45384, 44781, 45333, 45543)
Copy internal types to metrics
Supersedes #45306.
#45306 removed the internal types and suggested whoever needs the internal types should define their own copy, and use the code-gen tools to generated the conversion functions. Per offline discussion with @DirectXMan12, we wanted to go that direction but it's not clear where to put the internal types yet. Hence, as a temporary solution, we decided copy the referred client-go/pkg/api types into metrics api to avoid the dependency.
The commit "remove need of registry from custom_metrics/client.go" is similar to what I did to the fake client in an earlier PR. Let me know if you want to put the commit in another PR.
Automatic merge from submit-queue
Add myself to client-go OWNERS
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
This commit turns on client-gen for k8s.io/metrics. Clients are
generated for `k8s.io/metrics/pkg/apis/metrics` (both internal and
v1alpha1). `k8s.io/metrics/pkg/apis/custom_metrics` uses a bespoke
client due to the unique nature of its paths.
Automatic merge from submit-queue (batch tested with PRs 45453, 45307, 44987)
Init cache with assigned non-terminated pods before scheduling
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#45220
**Release note**:
```release-note
The fix makes scheduling go routine waiting for cache (e.g. Pod) to be synced.
```
Simple XSS scans might fetch /<script>alert('vulnerable')</script>, and
fail when the response body includes the script tag verbatim, despite
the headers directing the browser to interpret the response as text.
This isn't a real vulnerability, but it's easier to fix this here than
it is to fix the scanners.
Automatic merge from submit-queue
oidc auth plugin not to override the Auth header if it's already exits
**What this PR does / why we need it**:
oidc auth client plugin should not override the `Authorization` header if it's already exits.
**Which issue this PR fixes** :
fix oidc auth plugin override the` Authorization` header
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 44798, 45537, 45448, 45432)
use apiservice.status to break apart controller and handling concerns
Still needs tests.
This starts breaking the handler and controller aspects of the aggregator by making use of status and conditions instead of actually running a specific check on demand.
@kubernetes/sig-api-machinery-pr-reviews
@luxas since you've been asking
Automatic merge from submit-queue
apiserver: injectable default watch cache size
This makes it possible to override the default watch capacity in the REST options getter. Before this PR the default is written into the storage struct explicitly, and if it is the default, the REST options getter didn't know. With this the PR the default is applied late and can be injected from the outside.
Automatic merge from submit-queue (batch tested with PRs 45481, 45463)
ThirdPartyResource example: added watcher example, code cleanup
**NOTE**: This is a cleaned and updated version of PR https://github.com/kubernetes/kubernetes/pull/43027
**What this PR does / why we need it**:
An example of using go-client for watching on ThirdPartyResource events (create/update/delete).
Automatic merge from submit-queue (batch tested with PRs 45508, 44258, 44126, 45441, 45320)
cloud initialize node in external cloud controller
@thockin This PR adds support in the `cloud-controller-manager` to initialize nodes (instead of kubelet, which did it previously)
This also adds support in the kubelet to skip node cloud initialization when `--cloud-provider=external`
Specifically,
Kubelet
1. The kubelet has a new flag called `--provider-id` which uniquely identifies a node in an external DB
2. The kubelet sets a node taint - called "ExternalCloudProvider=true:NoSchedule" if cloudprovider == "external"
Cloud-Controller-Manager
1. The cloud-controller-manager listens on "AddNode" events, and then processes nodes that starts with that above taint. It performs the cloud node initialization steps that were previously being done by the kubelet.
2. On addition of node, it figures out the zone, region, instance-type, removes the above taint and updates the node.
3. Then periodically queries the cloudprovider for node addresses (which was previously done by the kubelet) and updates the node if there are new addresses
```release-note
NONE
```
Following the existing instructions results in:
```
% ./staging/copy.sh
Do not run this script directly, but via hack/update-staging-client-go.sh.
```
Also format README.md as markdown.
Automatic merge from submit-queue
refactor names for the apiserver handling chain
The names and structure around the handling chain got a bit confused. This simplifies it back out into a single struct with three parts: overall handler, gorestful handler, pathrecording mux and makes the delegate wiring simpler
Automatic merge from submit-queue
remove bearer token from headers after we consume it
Updates the bearer token authenticator to remove the bearer token from the request headers after it is consumed. Nothing else in the stack should try to use it and we don't want to accidentally leak it somewhere.
@liggitt @kubernetes/sig-auth-pr-reviews
Automatic merge from submit-queue
Add OWNERS for staging and api
Part of #44420
* api/ is a copy of pkg/api (same reasoning)
* staging/ is the set of people who should be allowing new top level nested packages + the set of people who can change the staging machinery code
Open to changes to staging/ - very rarely changed. Added owners for the other items
Automatic merge from submit-queue (batch tested with PRs 45182, 45429)
CustomResources in separate API server
Builds on https://github.com/kubernetes/kubernetes/pull/45115.
This adds a basic handler for custom resources. No status handling, no finalizers, no controllers, but basic CRUD runs to allow @enisoc and others to start considering migration.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 43006, 45305, 45390, 45412, 45392)
update the doc of function NewPathRecorderMux
The doc of function NewPathRecorderMux() is out of date. Update it.
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 43006, 45305, 45390, 45412, 45392)
Update go-restful dependency
This is required by #44787. But because both this and the changes in 44787 need constant rebase, I am trying to get this one in separately to make less rebases.
The change is only a dependency update.
Automatic merge from submit-queue (batch tested with PRs 44590, 44969, 45325, 45208, 44714)
Use dedicated UnixUserID and UnixGroupID types
**What this PR does / why we need it**:
DRYs up type definitions by using the dedicated types in apimachinery
**Which issue this PR fixes**
#38120
**Release note**:
```release-note
UIDs and GIDs now use apimachinery types
```
Automatic merge from submit-queue
OWNERS: add directxman12 to pkg/apis/autoscaling
Added directxman12 (current SIG lead of SIG-autoscaling) as a reviewer for pkg/apis/autoscaling.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix yet another bug in OpenAPI extension generation
A comment extension for a type is ignored if the type already has extensions (e.g. GVK).
Automatic merge from submit-queue (batch tested with PRs 45362, 45159, 45321, 45238)
Remove redundent GetObjectKind() defined on types
Embedding TypeMeta is enough.
Automatic merge from submit-queue
use our own serve mux that directs how we want
alternative to https://github.com/kubernetes/kubernetes/pull/44405
I really wanted to avoid writing my own, but the gorilla mux works via redirect, which would be a change. This does exact pattern matches only unless someone explicitly requests a prefix match.
@liggitt happier?
Automatic merge from submit-queue
bump(golang.org/x/oauth2): a6bd8cefa1811bd24b86f8902872e4e8225f74c4
As I tackle https://github.com/kubernetes/kubernetes/issues/42654 kubectl's OpenID Connect plugin will start using golang.org/x/oauth2 for refreshing, instead of go-oidc's own hand rolled oauth2 implementation. In preparation, update golang.org/x/oauth2 to include 7374b3f1ec which fixes refreshing with Okta.
We also somehow removed the dependency on `google.golang.org/appengine`. Maybe 8cf58155e4?
cc @kubernetes/sig-auth-pr-reviews
Automatic merge from submit-queue
Remove imports of k8s.io/client-go/pkg/api
k8s.io/client-go/pkg/api will be eliminated by #44784, so we need to remove all imports of it.
This PR is large, but mostly simple changes, like:
* using constants defined in the v1 package instead of those in the internal package
* using k8s.io/client-go/kubernetes/scheme.Codecs/Schemes instead of those in k8s.io/client-go/pkg/api
* using `v1.SchemeGroupVersion` instead of `api.Registry.GroupOrDie(api.GroupName).GroupVersion` in tests
* importing `k8s.io/kubernetes/pkg/api` instead of `k8s.io/client-go/pkg/api` if possible
With this PR https://github.com/kubernetes/kubernetes/pull/45159, the only remaining imports of `k8s.io/client-go/pkg/api` are from k8s.io/metrics.
``` bash
$ git grep "\"k8s.io/client-go/pkg/api\"" | grep -v "staging/src/k8s.io/client-go/pkg/api"
staging/src/k8s.io/metrics/pkg/apis/custom_metrics/install/install.go:25: "k8s.io/client-go/pkg/api"
Binary file staging/src/k8s.io/metrics/pkg/apis/custom_metrics/types.generated.go matches
staging/src/k8s.io/metrics/pkg/apis/custom_metrics/types.go:22: "k8s.io/client-go/pkg/api"
staging/src/k8s.io/metrics/pkg/apis/metrics/install/install.go:26: "k8s.io/client-go/pkg/api"
staging/src/k8s.io/metrics/pkg/apis/metrics/types.go:21: "k8s.io/client-go/pkg/api"
Binary file staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/zz_generated.conversion.go matches
Binary file staging/src/k8s.io/metrics/pkg/apis/metrics/zz_generated.deepcopy.go matches
staging/src/k8s.io/metrics/pkg/client/clientset_generated/clientset/fake/clientset_generated.go:24: "k8s.io/client-go/pkg/api"
staging/src/k8s.io/metrics/pkg/client/custom_metrics/client.go:26: "k8s.io/client-go/pkg/api"
staging/src/k8s.io/metrics/pkg/client/custom_metrics/fake/fake_client.go:24: "k8s.io/client-go/pkg/api"
```
Automatic merge from submit-queue (batch tested with PRs 45272, 45115)
initial types for TPRs
This pull starts creating the types described by https://github.com/kubernetes/community/blob/master/contributors/design-proposals/thirdpartyresources.md . In the initial pull different names were suggested. I've started this pull with `CustomResource.apiextensions.k8s.io`.
The structure begins as a separate API server to facilitate rapid prototyping and experimentation, but the end result will be added to the end of the `kube-apiserver` chain as described in https://github.com/kubernetes/community/blob/master/sig-api-machinery/api-extensions-position-statement.md .
Because it is separate to start (not included in any default server), I don't think we need a perfect name, but I'd like to be close.
@kubernetes/sig-api-machinery-misc @enisoc @smarterclayton @erictune
Automatic merge from submit-queue
Fixes broken link in PodSpec
The PodSpec reference to NodeSelector misses
the `.md` extension in the file.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 45227, 43003, 45231)
separate discovery from the apiserver
This decouples the API discovery handlers from the core API server code. It separates the code into a new package and clarifies interfaces with existing TPR code.
@kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 45100, 45152, 42513, 44796, 45222)
apiserver: split endpoint tests from client-go
Use the example apigroup and create its own scheme.
Fixes https://github.com/kubernetes/kubernetes/issues/45209.
Automatic merge from submit-queue (batch tested with PRs 45077, 45180, 34727, 45079, 45177)
Move k8s.io/metrics to staging/
This is to break the cyclic dependency in our code base: kubernetes depends on k8s.io/metrics, which depends on kubernetes/staging/client-go.
@DirectXMan12 i actually moved it to staging because we will need the flexibility to update metrics code directly to do many planned refactors, so the copy of metrics in kubernetes has to be the source of truth.
client-gen is not enabled for the code yet, we can enable it after you port your changes to client-gen.
`make generated_files` is enabled for metrics.
Automatic merge from submit-queue
Delete "hard-coded" default value in flags usage.
**What this PR does / why we need it**:
Some flags of kubernetes components have "hard-coded" default values in their usage info. In fact, [pflag pkg](https://github.com/kubernetes/kubernetes/blob/master/vendor/github.com/spf13/pflag/flag.go#L602-L608) has already added a string `(default value)` automatically in the usage info if the flag is initialized. Then we don't need to hard-code the default value in usage info. After this PR, if we want to update the default value of a flag, we only need to update the flag where it is initialized. `pflag` will update the usage info for us. This will avoid inconsistency.
For example:
Before
```
kubelet -h
...
--node-status-update-frequency duration Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Default: 10s (default 10s)
...
```
After
```
kubelet -h
...
--node-status-update-frequency duration Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. (default 10s)
...
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
This PR doesn't delete some "hard-coded" default values because they are not explicitly initialized. We still need to hard-code them to give users friendly info.
```
--allow-privileged If true, allow containers to request privileged mode. [default=false]
```
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 44044, 44766, 44930, 45109, 43301)
add APIService conditions
Adds conditions to the APIServiceStatus struct and fixes up generators that appear to have slipped.
The first condition is "ServiceAvailable" which will provide the status currently derived in the discovery handler that decides about whether to expose the version in discovery.
@kubernetes/sig-api-machinery-pr-reviews @liggitt @ncdc
Automatic merge from submit-queue
kubectl binary plugins
**What this PR does / why we need it**:
Introduces the ability to extend `kubectl` by adding third-party plugins that will be exposed through `kubectl`.
Plugins are executable commands written in any language. To be included as a plugin, a binary or script file has to
1. be located under one of the supported plugin path locations:
1.1 `~/.kubectl/plugins` dir
1.2. one or more directory set in the `KUBECTL_PLUGINS_PATH` env var
1.3. the `kubectl/plugins` dir under one or more directory set in the `XDG_DATA_DIRS` env var, which defaults to `/usr/local/share:/usr/share`
2. in any of the plugin path above, have a subfolder with the plugin file(s)
3. in the subfolder, contain at least a `plugin.yaml` file that describes the plugin
Example:
```
$ cat ~/.kube/plugins/myplugin/plugin.yaml
name: "myplugin"
shortDesc: "My plugin's short description"
command: "echo Hello plugins!"
$ kubectl myplugin
Hello plugins!
```
~~In case the plugin declares `tunnel: true`, the plugin engine will pass the `KUBECTL_PLUGIN_API_HOST` env var when calling the plugin binary. Plugins can then access the Kube REST API in "http://$KUBECTL_PLUGIN_API_HOST/api" using the same context currently in use by `kubectl`.~~
Test plugins are provided in `pkg/kubectl/plugins/examples`. Just copy (or symlink) the files to `~/.kube/plugins` to test.
**Which issue this PR fixes**:
Related to the discussions in the proposal document: https://github.com/kubernetes/kubernetes/pull/30086 and https://github.com/kubernetes/community/pull/122.
**Release note**:
```release-note
Introduces the ability to extend kubectl by adding third-party plugins. Developer preview, please refer to the documentation for instructions about how to use it.
```
Automatic merge from submit-queue (batch tested with PRs 44868, 44350)
build external watch event so simple encoders can encode
`kube-apiserver` clients require a specific serialization of `watch.Event` to function properly. There is no reason to allow flexibility of serialization at this point since no client would able to understand a different encoding.
I found this which trying to use a simple, unstructured json encoder and the clients kept choking on watches because it serialized without the proper json tags.
@kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue
prevent corrupted spdy stream after hijacking connection
This PR fixes corner case in spdy stream code where some bytes would never arrive at the server.
Reading directly from a hijacked connection isn't safe because some data may have already been read by the server before `Hijack` was called. To ensure all data will be received it's safer to read from the returned `bufio.Reader`. This problem seem to happen more frequently when using Go 1.8.
This is described in https://golang.org/pkg/net/http/#Hijacker:
> // The returned bufio.Reader may contain unprocessed buffered
// data from the client.
I came across this while debugging a flaky test that used code from the `k8s.io/apimachinery/pkg/util/httpstream/spdy` package. After filling the code with debug logs and long hours running the tests in loop in the hope of catching the error I finally caught something weird.
The first word on the first spdy frame [read by the server here](b625085230/vendor/github.com/docker/spdystream/spdy/read.go (L148)) had the value `0x03000100`. See, the first frame to arrive on the server was supposed to be a control frame indicating the creation of a new stream, but all control frames need the high-order bit set to 1, which was not the case here, so the saver mistakenly assumed this was a data frame and the stream would never be created. The correct value for the first word of a SYN_STREAM frame was supposed to be `0x80030001` and this lead me on the path of finding who had consumed the first 1 byte prior to the frame reader being called and finally finding the problem with the Hijack call.
I added a new test to try stressing this condition and ensuring that this bug doesn't happen anymore. However, it's quite ugly as it loops 1000 times creating streams on servers to increase the chances of this bug happening. So, I'm not sure whether it's worth it to keep this test or if I should remove it from the PR. Please let me know what you guys think and I'll be happy to update this.
Fixes#45093#45089#45078#45075#45072#45066#45023
Automatic merge from submit-queue
Prepare for move zz_generated_deepcopy.go to k8s.io/api
This is in preparation to move deep copies to with the types to the types repo (see https://github.com/kubernetes/gengo/pull/47#issuecomment-296855818). The init() function is referring the `SchemeBuilder` defined in the register.go in the same packge, so we need to revert the dependency.
This PR depends on https://github.com/kubernetes/gengo/pull/49, otherwise verification will fail.
Automatic merge from submit-queue (batch tested with PRs 45052, 44983, 41254)
Non-controversial part of #44523
For easier review of #44523, i extracted the non-controversial part out to this PR.
Automatic merge from submit-queue (batch tested with PRs 44940, 44974, 44935)
apimachinery/pkg/util/wait: Fix potential goroutine leak in pollInternal().
**What this PR does / why we need it**:
Without the change, the wait function wouldn't exit until the timeout
happens, so if the timeout is set to a big value and the Poll() is run
inside a loop, then the total goroutines will increase indefinitely.
This PR fixes the issue by closing the stop channel to tell the wait function
to exit immediately if condition is true or any error happens.
Automatic merge from submit-queue (batch tested with PRs 44940, 44974, 44935)
Remove import of internal api package in generated external-versioned listers
Follow up of https://github.com/kubernetes/kubernetes/pull/44523
One line change in cmd/libs/go2idl/lister-gen/generators/lister.go, and simple changes in pkg/apis/autoscaling/v2alpha1/register.go, other changes are generated.
The internal api package will be eliminated from client-go, so these imports should be removed. Also, it's more correct to report the versioned resource in the error.
Automatic merge from submit-queue
Fix mergepatch.HasConflicts().
**What this PR does / why we need it**:
This fixes some false negatives:
* If a map had multiple entries, only the first was checked.
* If a list had multiple entries, only the first was checked.
**Which issue this PR fixes**:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
OpenAPI support for kubectl
Support for openapi spec in kubectl.
Includes:
- downloading and caching openapi spec to a local file
- parsing openapi spec into binary serializable datastructures (10x faster load times 600ms -> 40ms)
- caching parsed openapi spec in memory for each command
```release-note
NONE
```
Add support for following redirects to the SpdyRoundTripper. This is
necessary for clients using it directly (e.g. the apiserver talking
directly to the kubelet) because the CRI streaming server issues a
redirect for streaming requests.
Also extract common logic for following redirects.
Automatic merge from submit-queue (batch tested with PRs 41287, 41636, 44881, 44826)
Bump to go1.8 and remove the edge GOROOT
**What this PR does / why we need it**:
Bumps to go1.8; we get:
- performance improvements
- build time improvements
- the possibility to remove the hacky edge-GOROOT for arm and ppc64le that must use go1.8
- all other awesome features that are included in go1.8: https://golang.org/doc/go1.8
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes https://github.com/kubernetes/kubernetes/issues/38228
**Special notes for your reviewer**:
@ixdy Please push the image ASAP so we can see if this passes all tests
**Release note**:
```release-note
Upgrade go version to v1.8
```
cc @ixdy @bradfitz @jessfraz @wojtek-t @timothysc @spxtr @thockin @smarterclayton @bprashanth @gmarek
Automatic merge from submit-queue (batch tested with PRs 41287, 41636, 44881, 44826)
apiserver: add pkg/util/webhook tests
This commit adds tests for pkg/util/webhooks. The purpose of this was not only for better code coverage but also to alleviate the need for consumers to write their own tests for core functionality.
**Reasoning**
While working on the generic webhook admission plugin for https://github.com/kubernetes/community/pull/132, I found out that there are no tests for `staging/k8s.io/apiserver/pkg/util/webhook` and I also noticed that various places in the k8s sources were also replicating the same core tests that could/should be handled in `staging/k8s.io/apiserver/pkg/util/webhook`:
* `staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go`
* `staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/webhook_test.go`
* `plugin/pkg/admission/imagepolicy/admission_test.go`
* _possibly more..._
That's what this PR does, adds tests for `staging/k8s.io/apiserver/pkg/util/webhook` so that consumers no longer have to worry about testing client configuration issues, TLS issues, etc. just to use `staging/k8s.io/apiserver/pkg/util/webhook`.
cc @cjcullen
Without the change, the wait function wouldn't exit until the timeout
happens, so if the timeout is set to a big value and the Poll() is run
inside a loop, then the total goroutines will increase indefinitely.
This PR fix the issue by closing the stop channel to tell the wait function
to exit immediately if condition is true or any error happens.
Automatic merge from submit-queue
bump bazel build to go1.8.1 and remove invalid unit tests
part of https://github.com/kubernetes/kubernetes/issues/38228
I firmly believe that unit tests that check error strings are incorrect unit tests. If we care about what type of error is returned, we need to use public error types. Anywhere we are using generic errors, we don't care other then that we saw an error.
Automatic merge from submit-queue (batch tested with PRs 44601, 44842, 44893, 44491, 44588)
Define const annotation variable once
We do not need to define the const annotation var twice in pkg/volume and pkg/volume/validation
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42477, 44462)
Use storage.v1 instead of v1beta1
storage.v1beta1 was used to work around GKE which did not expose v1. Now that GKE is updated, we can switch everything to v1.
This is simple sed v1beta1 -> v1 + enabled a new test + changed preference of exposed interfaces in `storage/install/install.go`.
@msau42, PTAL and let me know when GKE is updated with storage v1 API and this PR can be actually merged.
@kubernetes/sig-storage-pr-reviews
```release-note
NONE
```
Automatic merge from submit-queue
Stop treating in-cluster-config namespace as an override
Fixes#44835
The namespace of an in-cluster config should behave like the namespace specified in a kubeconfig file... it should be used as the default namespace, but be able to be overridden by namespaces specified in yaml files passed to `kubectl create -f`.
```release-note
Restored the ability of kubectl running inside a pod to consume resource files specifying a different namespace than the one the pod is running in.
```
This commit adds tests for pkg/util/webhooks. The purpose of this was
not only for better code coverage but also to alleviate the need for
consumers to write their own tests for core functionality.
Automatic merge from submit-queue
PATCH: Fix erroneous meaningful conflict for numeric values.
The wrong json package was used, resulting in patches being unmarshaled with numbers as float64 rather than int64. This in turn confused `HasConflicts()` which expects numeric types to match.
The end result was false positives of meaningful conflicts, such as:
```
there is a meaningful conflict (firstResourceVersion: "8517", currentResourceVersion: "8519"):
diff1={"metadata":{"resourceVersion":"8519"},"spec":{"replicas":0},"status":"conditions":null,"fullyLabeledReplicas":null,"replicas":0}}
, diff2={"spec":{"replicas":0}}
```
This is branched from a discussion on https://github.com/kubernetes/kubernetes/pull/43469.
```release-note
Fix false positive "meaningful conflict" detection for strategic merge patch with integer values.
```
Automatic merge from submit-queue (batch tested with PRs 44837, 44779, 44492)
remove duplicate code from restful namer
The deleted codes have the same logic with function ObjectName.
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 44837, 44779, 44492)
Default ObjectNameFunc for all REST Stores
All `Store`s in Kubernetes follow the same logic for determining the name of an object. This change makes it so that `CompleteWithOptions` defaults the `ObjectNameFunc` if it is not specified. Thus a user does not need to remember to use `ObjectMeta.Name`. Using the wrong field as the name can lead to an object which has a name that bypasses normal object name validation.
Signed-off-by: Monis Khan <mkhan@redhat.com>
cc @liggitt @soltysh for review
**Release note**:
```
NONE
```
Automatic merge from submit-queue
Fix Content-Type error of apis
**What this PR does / why we need it**:
Response's Content-type of `/apis` is `text/plain`, not `application/json`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#44646
**Special notes for your reviewer**:
We could use `responsewriters.WriteObjectNegotiated()` to write Content-type correctly.
**Release note**:
```release-note
```
Automatic merge from submit-queue
etcd component status check should include credentials
- [x] Add TLS credentials into `pkg/genericapiserver.Backend`.
- [x] Add TLS credentials into `pkg/registry/core/componentstatus.Server`.
- [x] `pkg/probe/http.httpProber` should accept the TLS credentials.
Now it is working.
```console
$ kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health": "true"}
```
Fixes https://github.com/kubernetes/kubernetes/issues/27343.
The wrong json package was used, resulting in patches being unmarshaled
with numbers as float64 rather than int64.
This in turn confused HasConflicts() which expects numeric types to match.
The end result was false positives of meaningful conflicts, such as:
```
there is a meaningful conflict (firstResourceVersion: "8517",
currentResourceVersion: "8519"):
diff1={"metadata":{"resourceVersion":"8519"},"spec":{"replicas":0},"status":{"conditions":null,"fullyLabeledReplicas":null,"replicas":0}}
, diff2={"spec":{"replicas":0}}
```
This fixes some false negatives:
* If a map had multiple entries, only the first was checked.
* If a list had multiple entries, only the first was checked.
Automatic merge from submit-queue
Explicit namespace from kubeconfig should override in-cluster config
Fixes#43662
If an explicitly specified namespace is read from a kubeconfig file, we should not fall back to in-cluster config
```release-note
kubectl commands run inside a pod using a kubeconfig file now use the namespace specified in the kubeconfig file, instead of using the pod namespace. If no kubeconfig file is used, or the kubeconfig does not specify a namespace, the pod namespace is still used as a fallback.
```
All Stores in Kubernetes follow the same logic for determining the name
of an object. This change makes it so that CompleteWithOptions defaults
the ObjectNameFunc if it is not specified. Thus a user does not need to
remember to use ObjectMeta.Name. Using the wrong field as the name can
lead to an object which has a name that bypasses normal object name
validation.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Automatic merge from submit-queue (batch tested with PRs 42202, 40784, 44642, 44623, 44761)
Split out AdmissionOptions
**What this PR does / why we need it**: The changes in this PR split out AdmissionOptions from ServerRunOptions. In the long term AdmissionOptions will accepts various dependencies
and spit out AdmissionControl
**Release note**:
NONE
Automatic merge from submit-queue
Include system:authenticated group when impersonating
Fixes#43227
An authorized impersonation request solely for a specific username previously resulted in a `user.Info` that did not include either the `system:authenticated` or `system:unauthenticated` groups. That meant that permissions intended to be granted to all users, like discovery, would be denied the impersonated user.
This allows `kubectl get pods --as=<username>` to work as expected
```release-note
API requests using impersonation now include the `system:authenticated` group in the impersonated user automatically.
```
Automatic merge from submit-queue
client-go PortForwarder: don't log an error if net.Listen fails
**What this PR does / why we need it**:
If ipv6 is disabled the client-go PortForwarder logs an error:
```
E0406 17:26:06.983609 29625 portforward.go:209] Unable to create listener: Error listen tcp6 [::1]:30143: socket: address family not supported by protocol
```
This pull request removes this error log. Reasons:
* Tunnel creation might still succeed on ipv4 and the error just confuses the user (see https://github.com/kubernetes/helm/issues/2223).
* If the tunnel can't be created the error gets also loggen in `listenOnPort`.
* runtime.HandleError should only be used on errors "_when a non-user facing piece of code cannot return an error"_ which isn't the case here.
**Which issue this PR fixes**
Fixes https://github.com/kubernetes/helm/issues/2223
Automatic merge from submit-queue
Minor cleanups
Minor improvements:
- `ValidateNoNewFinalizers`: remove unused const
- Mention that mutation of `spec.initContainers[*].image` field is allowed
- Improve godoc comments
Automatic merge from submit-queue (batch tested with PRs 44594, 44651)
remove strings.compare(), use string native operation
I notice we use strings.Compare() in some code, we can remove it and use native operation.
Automatic merge from submit-queue (batch tested with PRs 42177, 42176, 44721)
Job: Respect ControllerRef
**What this PR does / why we need it**:
This is part of the completion of the [ControllerRef](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md) proposal. It brings Job into full compliance with ControllerRef. See the individual commit messages for details.
**Which issue this PR fixes**:
This ensures that Job does not fight with other controllers over control of Pods.
Ref: #24433
**Special notes for your reviewer**:
**Release note**:
```release-note
Job controller now respects ControllerRef to avoid fighting over Pods.
```
cc @erictune @kubernetes/sig-apps-pr-reviews
Automatic merge from submit-queue
apiserver: Update genericapiserver to panic on listener error
Previously runServer would try to listen again if a listener error occurred. This commit changes the response to a panic to allow a process manager (systemd/kubelet/etc) to react to the failure.
**Release note**:
```release-note
The Kubernetes API server now exits if it encounters a networking failure (e.g. the networking interface hosting its address goes away) to allow a process manager (systemd/kubelet/etc) to react to the problem. Previously the server would log the failure and try again to bind to its configured address:port.
```
cc: @liggitt @sttts @deads2k @derekwaynecarr
Reading directly from a hijacked connection isn't safe because some
data may have already been read by the server before Hijack was called.
To ensure all data will be received it's safer to read from the returned
bufio.Reader.
The Job Listers still use selectors, because this is the
behavior expected by callers. This clarifies the meaning of the
returned list. Some callers may need to switch to using
GetControllerOf() instead, but that is a separate, case-by-case issue.
api/ is a copy of pkg/api (same reasoning)
staging/ is the set of people who should be allowing new top level
nested packages + the set of people who can change the staging machinery
code
staging/src/k8s.io/apimachinery/ is the set of core machinery people
Previously runServer would try to listen again if a listener error
occurred. This commit changes the response to a panic to allow a
process manager (systemd/kubelet/etc) to react to the failure.
Automatic merge from submit-queue (batch tested with PRs 40055, 42085, 44509, 44568, 43956)
revert BUILD changes at the end of DRY_RUN=n copy.sh
Fixes https://github.com/kubernetes/kubernetes/issues/44567
cc @caesarxuchao @ixdy @spxtr
Automatic merge from submit-queue (batch tested with PRs 40055, 42085, 44509, 44568, 43956)
Fix gofmt errors
**What this PR does / why we need it**:
There were some gofmt errors on master. Ran the following to fix:
```
hack/verify-gofmt.sh | grep ^diff | awk '{ print $2 }' | xargs gofmt -w -s
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: none
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
error word
dummyController Struct comment "disonnected " is error word
WaitForCacheSync method comment "contoller" is error word
Automatic merge from submit-queue (batch tested with PRs 44569, 44398)
Move v1/refs and v1/resource
This PR moves pkg/api/v1/ref.go and pkg/api/v1/resource_helper.go to their own sub packages, it's very similar to 44299 and 44302.
The PR is mostly mechanical, except that
* i moved some utility function from resource.go to pkg/api/v1/pod and pkg/api/v1/node, as they are more appropriate
* i updated the staging/copy.sh to copy the new subpackages, so that helper functions are copied. We can get rid of this copy after client-go stops copying API types.
Automatic merge from submit-queue (batch tested with PRs 44519, 43194, 44513)
Use regexp instead of substring to do search and replace.
enisoc pointed out how ToLower can change (lengthen even!) the length of
a string given arbitrary input.
Follow-up to #44421 for #44419
etcd has support for client-cert-auth, which can be configured via the flag `--ca-file`,
when that is enabled, all the client requests must present with a client certificate,
however, the current component status check uses a single transport for all of the checks,
this is wrong, the checks should be different for each of different component, and make
each of them use different transport(tls configurations).
Automatic merge from submit-queue
vendor: Update elazarl/goproxy to fix e2e test with go1.8
**What this PR does / why we need it**:
This updates the dependency `github.com/elazarl/goproxy` to include this fix c4fc26588b which makes kubernetes e2e tests build with go1.8. It was crashing before as described in https://github.com/elazarl/goproxy/issues/188#issuecomment-281092250 and #38228
**Which issue this PR fixes**
This is part of the fix for #38228
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
Use OS-specific libs when computing client User-Agent in kubectl, etc.
**What this PR does / why we need it**:
The User-Agent reported by clients (e.g. kubectl) in request
headers should include the name of the client executable
but not the full path to that executable.
This PR changes how this name is determined by using the
operating-system specific package "path/filepath" (meant for
working with file system paths) instead of the "path" package
(meant for URL paths).
This fixes a problem on the Windows OS in the case where, if the
user has not set their PATH to point to the location of their
client executable, the User-Agent includes the full path - which
is unnecessary.
Fixes: #44419
```release-note
Use OS-specific libs when computing client User-Agent in kubectl, etc.
```
**What this PR does / why we need it**:
The User-Agent reported by clients (e.g. kubectl) in request
headers should include the name of the client executable
but not the full path to that executable.
This PR changes how this name is determined by using the
operating-system specific package "path/filepath" (meant for
working with file system paths) instead of the "path" package
(meant for URL paths).
This fixes a problem on the Windows OS in the case where, if the
user has not set their PATH to point to the location of their
client executable, the User-Agent unnecessarily includes the
full path.
Fixes: #44419
Automatic merge from submit-queue (batch tested with PRs 44362, 44421, 44468, 43878, 44480)
Drop leading path of KUBECTL.EXE if it shows up in User-Agent.
Partial fix for #44419
Release note: kube-apiserver now drops unneeded path information if an older version of Windows kubectl sends it.
Automatic merge from submit-queue (batch tested with PRs 44440, 44038, 44302, 44316, 43876)
Move pkg/api/ref.go and pkg/api/resource_helpers.go to subpackages
First two commits are #44296#44299. (unfortunately, removing these commits results in conflicts)
This PR moves resource_helpers.go to a subpackage. It's mostly a mechanic move, except that:
* i kept the methods of ResourceName and ResourceList in pkg/api/method.go
I'll send one more PR to separate api.Scheme etc. to their own package.
Automatic merge from submit-queue (batch tested with PRs 44424, 44026, 43939, 44386, 42914)
remove defaulting from conversion path
follow up for #42764
* remove call to defaulting from conversion path (defaulting is a separate step from conversion)
* remove non-top-level-object defaulting registration (unused after conversion call is removed)
* generate missing top-level defaults for some api groups:
* autoscaling/v2alpha1
* policy/v1alpha1
* policy/v1beta1
* register top-level defaults for some api groups that were missing them:
* autoscaling/v2alpha1
* settings/v1alpha1
Automatic merge from submit-queue (batch tested with PRs 44424, 44026, 43939, 44386, 42914)
`failure-domain` is no longer used in command line arg.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 44406, 41543, 44071, 44374, 44299)
Move pkg/api/ref.go to a subpackage
First commit is #44296. (unfortunately, removing that commit results in conflicts)
This PR moves the pkg/api/ref.go to its own subpackage. It's mostly a mechanic move.
I'll send a few more PRs to make the k8s.io/kubernetes/pkg/api package only contains the code we want in the k8s.io/api repo, then we can run a [script](a0015fd1be (diff-7a2fbb4371972350ee414c6b88aee1c8)) to cut the new repo.
Automatic merge from submit-queue (batch tested with PRs 44406, 41543, 44071, 44374, 44299)
Decouple remotecommand
Refactored unversioned/remotecommand to decouple it from undesirable dependencies:
- term package now is not required, and functionality required to resize terminal size can be plugged in directly in kubectl
- in order to remove dependency on kubelet package - constants from kubelet/server/remotecommand were moved to separate util package (pkg/util/remotecommand)
- remotecommand_test.go moved to pkg/client/tests module
Automatic merge from submit-queue
add deregistration for paths
Aggregation and TPRs require the ability to de-register endpoints. This adds the capability and makes it threadsafe.
Automatic merge from submit-queue
Non global admission plugin registry
For testing the global state is a problem. This PR turns the actual registry into a struct that must be instantiated. For the beginning, we do this in `pkg/kubeapiserver/admission`. In some follow-up (where we hunt down all globals some day), we will move this into the genericapiserver.
Automatic merge from submit-queue
Conversionlint
**What this PR does / why we need it**:
This PR adds a comment placeholder for the exported or public functions in conversion generator files. Such functions without a comment results into golint failure in various generated files. The changes in this patch takes care of about 36 related lint failures.
Given below is an example lint error,
zz_generated.conversion.go:91:1: exported function Convert_v1alpha1_Binding_To_servicecatalog_Binding should have comment or be unexported
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Considering minor changes no issue is created.
**Special notes for your reviewer**:
Hello, I am trying to fix golint failures as we see them in the kubernetes-incubator/service-catalog project. I have separate PRs opened for lint issues related to other generator code which are in separate libraries like gengo. Thanks!
**Release note**:
```release-note
```
Automatic merge from submit-queue
delete rolebinding from correct namespace
Fixes#44212
The rolebinding needs to be deleted from the namespace we create it in.
@mdshuai
Automatic merge from submit-queue
Move api helpers.go to a subpackage
Part of https://github.com/kubernetes/kubernetes/issues/44065.
This PR moves the pkg/api/helpers.go to its own subpackage. It's mostly a mechanic move, except that
* I removed ConversionError in helpers.go, it's not used by anyone
* I moved the 3 methods of Taint and Toleration to pkg/api/methods.go, and left a TODO saying refactoring these methods to functions.
I'll send a few more PRs to make the k8s.io/kubernetes/pkg/api package only contains the code we want in the k8s.io/api repo, then we can run a [script](a0015fd1be (diff-7a2fbb4371972350ee414c6b88aee1c8)) to cut the new repo.
Automatic merge from submit-queue
Bugfix: OpenAPI generator should pass generate type extensions
OpenAPI spec generator does not pass generated type extensions (using `x-kubernetes-` tags on types). This is already working for field extensions but not for types.
Automatic merge from submit-queue
Remove alphaProvisioner in PVController and AlphaStorageClassAnnotation
remove alpha annotation and alphaProvisioner
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 43304, 41427, 43490, 44352)
Update etcd-client godep to 3.1.5
This transitively level sets the godeps to yank in the 3.1.5 client.
Currently WIP, b/c it required some regen and I had some weird local permissions issue.
xref: #41143
/cc @xiang90 @mml
The exported or public functions requires a doc comment to pass golint.
This commit has changes of conversion generated code. The actual doc
changes are added into a separate commit for a clean review.
Automatic merge from submit-queue (batch tested with PRs 43545, 44293, 44221, 43888)
validateClusterInfo: use clientcmdapi.NewCluster()
Change validateClusterInfo to use clientcmdapi.NewCluster() instead of
clientcmdapi.Cluster{} when comparing against the passed in clusterInfo.
clusterInfo most likely will be a combination of
clientcmdapi.NewCluster() merged with potential overrides. This is
necessary because otherwise, the DeepEqual between what is supposed to
be an empty Cluster and clusterInfo will fail, resulting in an error
that doesn't allow fall-through to checking for in-cluster
configuration.
https://github.com/kubernetes/kubernetes/pull/40508 changed `DirectClientConfig.getContext()` to start with a `clientcmdapi.NewCluster()` instead of the zero value for `clientcmdapi.Cluster`. This means that the `Extensions` map in the `Cluster` is initialized instead of `nil`, which breaks the `DeepEqual` test unless you compare `clusterInfo` against an initialized `clientcmdapi.NewCluster()`.
cc @smarterclayton @sttts @vjsamuel @liggitt @deads2k @soltysh @fabianofranz @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 43545, 44293, 44221, 43888)
make unstructured items correspond to other items for storage
"normal" `Items` elements include the struct itself, not a pointer to the struct. Some of the deeper bits of storage rely on this behavior in reflective paths.
This updates the `UnstructuredList` to be "normal".
@kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue
remove dependency on gorestful for rest handling
There's no reason for us to rely upon go-restful for our REST handling. This separates the layers so that gorestful route functions are built on top of native `http.HandlerFuncs`.
@DirectXMan12 I think this is the sort of handling you wanted to be able to add and remove at will, right? I have other commits that demonstrate how to wire these into "normal" `http.Handlers` if its useful to you.
@kubernetes/sig-api-machinery-pr-reviews @smarterclayton @sttts @lavalamp
Automatic merge from submit-queue
add "/apis/" to kube-aggregator apisHandler
This makes the following two urls have the same result.
https://ip:443/apishttps://ip:443/apis/
**Release note**:
```NONE
```
Automatic merge from submit-queue (batch tested with PRs 43887, 41914, 44170)
Make NetworkPolicy docs reflect reality
spinoff of #39164; this just updates the docs to reflect the way the v1beta1 API has actually been implemented
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 43273, 44287, 44281)
Remove ObjectMetaFor
Builds on https://github.com/kubernetes/kubernetes/pull/43767
The second commit removes `ObjectMetaFor`. This was debt we left around after we created the interfaces. Fixing this makes it possible to start running `Unstructured` through generic storage.
@kubernetes/sig-api-machinery-pr-reviews @smarterclayton @lavalamp
Automatic merge from submit-queue (batch tested with PRs 43866, 42748)
hack/cluster: download cfssl if not present
hack/local-up-cluster.sh uses cfssl to generate certificates and
will exit it cfssl is not already installed. But other cluster-up
mechanisms (GCE) that generate certs just download cfssl if not
present. Make local-up-cluster.sh do that too so users don't have
to bother installing it from somewhere.
Automatic merge from submit-queue
remove go-restful from namer for rest handling
Our RESTHandler code is currently tightly coupled to go-restful, but there's no reason for this coupling. It makes integrations that want API handling (decode, sanity check, admission, verb handling), but don't need the REST installer flow impractical. I know of two layers now: metrics and TPR.
This starts the process of unwinding by switching the `ScopeNamer` (used for request identification and selflinks) to use the standard http library along with the `RequestInfo` we place in the context for authorization and any other interested layer.
@kubernetes/sig-api-machinery-misc @smarterclayton @ncdc @sttts
Automatic merge from submit-queue
only log stacks on server errors
Stack traces on http logging statements can be useful, but you usually only need them for server errors not for things like redirects or even client errors since the server won't be fixing those.
This tightens the "log stack" behavior to only happen for server errors. Messages will still be logged, but the automatic stacks will only come out for server errors.
@enj @mfojtik @smarterclayton
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 43777, 44121)
Add patchMergeKey and patchStrategy support to OpenAPI
Support generating Open API extensions for strategic merge patch tags in go struct tags
Support `patchStrategy` and `patchMergeKey`.
Also support checking if the Open API extension and struct tags match.
```release-note
Support generating Open API extensions for strategic merge patch tags in go struct tags
```
cc: @pwittrock @ymqytw
(Description mostly copied from #43833)
Automatic merge from submit-queue
move constants to their own file
A step towards #44065
These constants are part of the API and will be moved to k8s.io/api. The helper functions are not and will remain in the main repo. This PR separates them to different files. Next step is put all the helper functions into sub-packages, so that the package `k8s.io/kubernetes/pkg/api` only contains code we want to move to k8s.io/api.
I added the retest-not-required label because this just moves code to another file in the same package.
Automatic merge from submit-queue
Ensure invalid username/password returns 401 error, not 403
If a user attempts to use basic auth, and the username/password combination
is rejected, the authenticator should return an error. This distinguishes
requests that did not provide username/passwrod (and are unauthenticated
without error) from ones that attempted to, and failed.
Related to:
https://github.com/kubernetes/kubernetes/pull/39408
Automatic merge from submit-queue (batch tested with PRs 44119, 42538, 43802, 42336, 43396)
iSCSI CHAP support
**What this PR does / why we need it**:
To support CHAP authentication in a multi-tenant setup
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Support iSCSI CHAP authentication
```
Automatic merge from submit-queue (batch tested with PRs 44119, 42538, 43802, 42336, 43396)
remove ListMetaFor
Finish replacing `ListMetaFor` with `ListAccessor`. This gives more flexibility for list handling as intended. `UnstructuredList` matches now.
@kubernetes/sig-api-machinery-pr-reviews
Change validateClusterInfo to use clientcmdapi.NewCluster() instead of
clientcmdapi.Cluster{} when comparing against the passed in clusterInfo.
clusterInfo most likely will be a combination of
clientcmdapi.NewCluster() merged with potential overrides. This is
necessary because otherwise, the DeepEqual between what is supposed to
be an empty Cluster and clusterInfo will fail, resulting in an error
that doesn't allow fall-through to checking for in-cluster
configuration.
Automatic merge from submit-queue (batch tested with PRs 43373, 41780, 44141, 43914, 44180)
fix some typos in apiserver
**What this PR does / why we need it**:
**Which issue this PR fixes**:
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 44084, 42964)
Updated AddOrUpdateTolerationInPod to return bool only.
Updated AddOrUpdateTolerationInPod to return bool only, as there's no case to generate error (the error was used for annotation, it'll not return error after moving to field); and also update admission & daemonset accordingly.
- ValidateNoNewFinalizers: remove unused const
- Mention that mutation of spec.initContainers[*].image field is allowed
- Improve godoc comments
- validation_test.go(expectPrefix): remove unused function
Automatic merge from submit-queue (batch tested with PRs 42288, 44055)
Fixed inaccurate comments for Secret and ConfigMap
**What this PR does / why we need it**:
Updates the comments for ConfigMap and Secret in types.go to correspond to the regex used in validation.go
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#42203
**Special notes for your reviewer**:
**Release note**:
```release-note
None
```
We have a old boltdb/bolt, etcd has moved to newer boltdb, so we should
do the same. Specifically this change needs to be in our tree:
92410e0673
as this fixes intermittent issues we see in our CI runs. So in this
PR, we vendor the v1.3.0 version of boltdb/bolt.
Fixes#43973
hack/local-up-cluster.sh uses cfssl to generate certificates and
will exit it cfssl is not already installed. But other cluster-up
mechanisms (GCE) that generate certs just download cfssl if not
present. Make local-up-cluster.sh do that too.
Automatic merge from submit-queue
Support status.hostIP in downward API
**What this PR does / why we need it**:
Exposes pod's hostIP (node IP) via downward API.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
fixes https://github.com/kubernetes/kubernetes/issues/24657
**Special notes for your reviewer**:
Not sure if there's more documentation that's needed, please point me in the right direction and I will add some :)
Automatic merge from submit-queue
Update godoc to match
**What this PR does / why we need it**:
comments don't match the code. I can also just remove them.
**Which issue this PR fixes**
golint if it was run, but it is nice to have comments that appear to be relevant to the code.
**Special notes for your reviewer**:
docs only
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Update my OWNERS entries.
Not sure why I was set as a reviewer for apimachinery and apiserver stuff. Adding myself to build/.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Make RBAC post-start hook conditional on RBAC authorizer being used
Makes the RBAC post-start hook (and reconciliation) conditional on the RBAC authorizer being used
Ensures we don't set up unnecessary objects.
```release-note
RBAC role and rolebinding auto-reconciliation is now performed only when the RBAC authorization mode is enabled.
```
Automatic merge from submit-queue (batch tested with PRs 42360, 43109, 43737, 43853)
Fix typo
Signed-off-by: yupengzte <yu.peng36@zte.com.cn>
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 42360, 43109, 43737, 43853)
delete etcd socket file for unit tests
This change clean up the environment for etcd3 unit test.
Without this change, "make test" will leave some socket files in
workspace. And these socket files make hack/verify-generated-protobuf.sh
fails.
**Release note**:
```NONE
```
Automatic merge from submit-queue (batch tested with PRs 38741, 41301, 43645, 43779, 42337)
Plumb cipher/tls version serving options
Needed to allow servers to harden or relax default tls versions and ciphers
This change clean up the environment for etcd3 unit test.
Without this change, "make test" will leave some socket files in
workspace. And these socket files make hack/verify-generated-protobuf.sh
fails.
This PR implements a standard admission plugin initializer for the generic API server.
The initializer accepts external clientset, external informers and the authorizer.
Automatic merge from submit-queue (batch tested with PRs 42835, 42974)
remove legacy insecure port options from genericapiserver
The insecure port has been a source of problems and it will prevent proper aggregation into a cluster, so the genericapiserver has no need for it. In addition, there's no reason for it to be in the main kube-apiserver flow either. This pull removes it from genericapiserver and removes it from the shared kube-apiserver code. It's still wired up in the command, but its no longer possible for someone to mess up and start using in mainline code.
@kubernetes/sig-api-machinery-misc @ncdc
Automatic merge from submit-queue (batch tested with PRs 42087, 43383, 43622)
move category expansion out of restmapper
RESTMapping isn't related to CategoryExpansion (the bit that expands "all" into items to be RESTMapped). This provides that separation and simplifies the RESTMapper interface.
@kubernetes/sig-cli-pr-reviews
Automatic merge from submit-queue
proxy to IP instead of name, but still use host verification
I think I found a setting that lets us proxy to an IP and still do hostname verification on the certificate.
@liggitt @sttts Can you see if you agree that this knob does what I think it does? Last commit only, still needs tests.
Automatic merge from submit-queue (batch tested with PRs 43681, 40423, 43562, 43008, 43381)
k8s.io/apiserver: make maxRetryWhenPatchConflicts public
This variable used to be public (before https://github.com/kubernetes/kubernetes/pull/37468). It is pretty use-full to write reliable integration tests that involve resource patching, and it is used in downstream project for that purpose.
Automatic merge from submit-queue (batch tested with PRs 43694, 41262, 42911)
Bump go-systemd to v14
**What this PR does / why we need it**: bump go-systemd to the latest release, which includes a build tag fix so non-cgo systems can compile.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**: go-systemd added an option to unset the `NOTIFY_SOCKET` environment variable as part of the execution of `SdNotify`. I have set that to true, which means that child processes (if any) won't have that set. If anyone thinks it should remain set, I'm happy to change it to false - just let me know.
**Release note**:
```release-note
```
cc @smarterclayton @sdodson @deads2k @sttts @lavalamp @caesarxuchao
Automatic merge from submit-queue (batch tested with PRs 42900, 43044, 42896, 43308, 43621)
enable generation
Looks like the deep equals and conversion generation were turned off for sample-apiserver and kube-aggregator. This turns them back on.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 42900, 43044, 42896, 43308, 43621)
require codecfactory
The genericapiserver requires a codec to start. Help new comers to the API by forcing them to set it when they create a new config.
Automatic merge from submit-queue
rewire aggregation handling chain to be normal
Uses https://github.com/kubernetes/kubernetes/pull/42886 to allow the aggregator to be "normal" as far as the handling chain goes. This will allow for cleaner composition.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue
allow combining API servers
Builds on https://github.com/kubernetes/kubernetes/pull/42886 (already lgtm'ed)
We need to be able to chain multiple API servers together so that a fallthrough case from to another results in delegated handling without double wrapping. We also need to be able to combine shared lists like healthz and poststarthooks so that a single API server start will run all the poststarthooks and present a unified view of health. This creates an interface and methods to provide that wiring.
@kubernetes/sig-api-machinery-misc @ncdc
Automatic merge from submit-queue (batch tested with PRs 43429, 43416, 43312, 43141, 43421)
Create controller to auto register TPRs with the aggregator
Builds on https://github.com/kubernetes/kubernetes/pull/42732 (already lgtmed)
Creates a simple controller to wire TPRs with the API Service autoregistration controller.
@kubernetes/sig-api-machinery-misc @ncdc
Automatic merge from submit-queue (batch tested with PRs 43429, 43416, 43312, 43141, 43421)
add singular resource names to discovery
Adds the singular resource name to our resource for discovery. This is something we've discussed to remove our pseudo-pluralization library which is unreliable even for english and really has no hope of properly handling other languages or variations we can expect from TPRs and aggregated API servers.
This pull simply adds the information to discovery, it doesn't not re-wire any RESTMappers.
@kubernetes/sig-cli-misc @kubernetes/sig-apimachinery-misc @kubernetes/api-review
```release-note
API resource discovery now includes the `singularName` used to refer to the resource.
```
Automatic merge from submit-queue (batch tested with PRs 43429, 43416, 43312, 43141, 43421)
remove timed_queue from workqueue
Fix https://github.com/kubernetes/kubernetes/issues/40494.
It's added to gather metrics of the workqueue used in the garbage collector. Now that a regular workqueue has supported the metrics, we can remove timed_queue.
Automatic merge from submit-queue (batch tested with PRs 43144, 42671, 43226, 43314, 43361)
use - to indicate audit log goes to system out
When debugging API servers, particularly aggregated API servers, it's really useful to see the audit trail in their normal pod logs. This makes `--audit-log-path=-` direct audit information to stdout.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 43144, 42671, 43226, 43314, 43361)
start informers as a post-start-hook
Switches the shared informer start to a post start hook to make future API server composition easier. PostStartHooks will have to be unioned for server composition and this ensures that we don't accidentally skip starting them.
Automatic merge from submit-queue (batch tested with PRs 42998, 42902, 42959, 43020, 42948)
Add Host field to TCPSocketAction
Currently, TCPSocketAction always uses Pod's IP in connection. But when a pod uses the host network, sometimes firewall rules may prevent kubelet from connecting through the Pod's IP.
This PR introduces the 'Host' field for TCPSocketAction, and if it is set to non-empty string, the probe will be performed on the configured host rather than the Pod's IP. This gives users an opportunity to explicitly specify 'localhost' as the target for the above situations.
```release-note
Add Host field to TCPSocketAction
```
Automatic merge from submit-queue
allow fallthrough handling from go-restful routes
This sets up the gorestful routes to fall through to a default handler and reorders the API to be ahead of the other endpoints. This makes it possible to cleanly support cases of "match, fail, try this other handler" which we'll need for API server composition.
@kubernetes/sig-api-machinery-pr-reviews @ncdc
Automatic merge from submit-queue
add local option to APIService
APIServices need an option to avoid proxying in cases where the groupversion is handled later in the chain. This will allow a coherent and complete set of APIServices, but won't require extra connections.
@kubernetes/sig-api-machinery-misc @ncdc @cheftako
Automatic merge from submit-queue (batch tested with PRs 42672, 42770, 42818, 42820, 40849)
use separate scheme to serve the kube-aggregator
This removes a hack which used the client scheme to serve the kube-aggregator. This switches it to run from its own scheme.
@kubernetes/sig-api-machinery-pr-reviews
@ncdc
Automatic merge from submit-queue
update kubeconfig document url in comments
**What this PR does / why we need it**:
update kubeconfig document url in comments
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
NONE
**Special notes for your reviewer**:
NONE
**Release note**:
NONE
Many of our core loops rotate around JitterUntil, which means we create
a lot of garbage at steady state for timers. Add proper timer reuse in
this loop.
Automatic merge from submit-queue (batch tested with PRs 43313, 43257, 43271, 43307)
Remove 'all namespaces' meaning of empty list in PodAffinityTerm
Removes the distinction between `null` and `[]` for the PodAffinityTerm#namespaces field (option 4 discussed in https://github.com/kubernetes/kubernetes/issues/43203#issuecomment-287237992), since we can't distinguish between them in protobuf (and it's a less than ideal API)
Leaves the door open to reintroducing "all namespaces" function via a dedicated field or a dedicated token in the list of namespaces
Wanted to get a PR open and tests green in case we went with this option.
Not sure what doc/release-note is needed if the "all namespaces" function is not present in 1.6
Automatic merge from submit-queue
Prevent protobuf storage with etcd2
Prevents accidentally storing protobuf content in etcd2 when upgrading to 1.6
c.f. https://github.com/kubernetes/kubernetes/issues/42976#issuecomment-286537139
```release-note
if kube-apiserver is started with `--storage-backend=etcd2`, the media type `application/json` is used.
```
Automatic merge from submit-queue (batch tested with PRs 40964, 42967, 43091, 43115)
Update hack scripts to use godep v79 and ensure_godep_version
**What this PR does / why we need it**:
Based on #42965 and https://github.com/kubernetes/kubernetes/pull/42958#discussion_r105568318, this pins the godep version at v79, which should fix some issues when running godep in go1.8 local environments.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#42817
**Special notes for your reviewer**:
This should likely get the v1.6 milestone so that it can be merged into master. While I'm setting a default godep version, I'm continuing to use the local pins per this comment: https://github.com/kubernetes/kubernetes/pull/42965#issuecomment-285962723 .
**Release note**:
```release-note
NONE
```
cc: @sttts
Automatic merge from submit-queue (batch tested with PRs 42802, 42927, 42669, 42988, 43012)
update to latest version of coreos/go-oidc
Includes updates that enable OIDC with OKTA as a IDP
**What this PR does / why we need it**:
Updates to the latest version of coreos/go-oidc
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # TBD
**Special notes for your reviewer**:
Updates coreos/go-oidc module to include fixes for https://github.com/coreos/go-oidc/issues/137 which prevent OKTA being used as an IDP
**Release note**:
```release-note
NONE
```
cc:/ @ericchiang
Automatic merge from submit-queue (batch tested with PRs 41794, 42349, 42755, 42901, 42933)
Fix DefaultTolerationSeconds admission plugin
DefaultTolerationSeconds is not working as expected. It is supposed to add default tolerations (for unreachable and notready conditions). but no pod was getting these toleration. And api server was throwing this error:
```
Mar 08 13:43:57 fedora25 hyperkube[32070]: E0308 13:43:57.769212 32070 admission.go:71] expected pod but got Pod
Mar 08 13:43:57 fedora25 hyperkube[32070]: E0308 13:43:57.789055 32070 admission.go:71] expected pod but got Pod
Mar 08 13:44:02 fedora25 hyperkube[32070]: E0308 13:44:02.006784 32070 admission.go:71] expected pod but got Pod
Mar 08 13:45:39 fedora25 hyperkube[32070]: E0308 13:45:39.754669 32070 admission.go:71] expected pod but got Pod
Mar 08 14:48:16 fedora25 hyperkube[32070]: E0308 14:48:16.673181 32070 admission.go:71] expected pod but got Pod
```
The reason for this error is that the input to admission plugins is internal api objects not versioned objects so expecting versioned object is incorrect. Due to this, no pod got desired tolerations and it always showed:
```
Tolerations: <none>
```
After this fix, the correct tolerations are being assigned to pods as follows:
```
Tolerations: node.alpha.kubernetes.io/notReady=:Exists:NoExecute for 300s
node.alpha.kubernetes.io/unreachable=:Exists:NoExecute for 300s
```
@davidopp @kevin-wangzefeng @kubernetes/sig-scheduling-pr-reviews @kubernetes/sig-scheduling-bugs @derekwaynecarr
Fixes https://github.com/kubernetes/kubernetes/issues/42716
Automatic merge from submit-queue (batch tested with PRs 42786, 42553)
Updated auto generated protobuf codes.
Generated by `./hack/update-generated-protobuf-dockerized.sh` in Mac.
Automatic merge from submit-queue (batch tested with PRs 42786, 42553)
Updated comments for TaintBasedEvictions.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 42692, 42169, 42173)
DaemonSet: Respect ControllerRef
**What this PR does / why we need it**:
This is part of the completion of the [ControllerRef](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md) proposal. It brings DaemonSet into full compliance with ControllerRef. See the individual commit messages for details.
**Which issue this PR fixes**:
This ensures that DaemonSet does not fight with other controllers over control of Pods.
**Special notes for your reviewer**:
**Release note**:
```release-note
DaemonSet now respects ControllerRef to avoid fighting over Pods.
```
cc @erictune @kubernetes/sig-apps-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 42692, 42169, 42173)
Add pprof trace support
Add support for `/debug/pprof/trace`
Can wait for master to reopen for 1.7.
cc @smarterclayton @wojtek-t @gmarek @timothysc @jeremyeder @kubernetes/sig-scalability-pr-reviews
The DaemonSet Listers still use selectors, because this is the
behavior expected by callers. This clarifies the meaning of the
returned list. Some callers may need to switch to using
GetControllerOf() instead, but that is a separate, case-by-case issue.
Automatic merge from submit-queue
Adding note saying client-go examples only work with the code in the same branch
Adding this note because the problem has confused many users.
It's doc change and only affects client-go examples, so adding the milestone.
Automatic merge from submit-queue (batch tested with PRs 42637, 42648)
Support multiple --feature-gates flags in the command line
Fixes the issue in https://github.com/kubernetes/kubernetes/pull/42647.
Before this change the whole set of gates was replaced with new values. Now values are overridden one by one.
Automatic merge from submit-queue (batch tested with PRs 41890, 42593, 42633, 42626, 42609)
Remove everything that is not new from batch/v2alpha1
Fixes#37166.
@lavalamp you've asked for it
@erictune this is a prereq for moving CronJobs to beta. I initially planned to put all in one PR, but after I did that I figured out it'll be easier to review separately. ptal
@kubernetes/api-approvers @kubernetes/sig-api-machinery-pr-reviews ptal
Automatic merge from submit-queue (batch tested with PRs 42506, 42585, 42596, 42584)
Preserve custom etcd prefix compatibility for etcd3
Fixes#42505
```release-note
restored normalization of custom `--etcd-prefix` when `--storage-backend` is set to etcd3
```
Automatic merge from submit-queue (batch tested with PRs 42080, 41653, 42598, 42555)
Support whitespace in command path for gcp auth plugin
```
External command option on gcp client auth plugin supports whitespace in command path.
```
Splitting on whitespace to get cmd+args breaks when the path the executable contains spaces. Resolve by adding a new "cmd-args" field to config to allow the full string of "cmd-path" to be interpreted as path to executable.
This change is backwards compatible with existing behavior.
Automatic merge from submit-queue (batch tested with PRs 42080, 41653, 42598, 42555)
StatefulSet: Respect ControllerRef
**What this PR does / why we need it**:
This is part of the completion of the [ControllerRef](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md) proposal. It brings StatefulSet into full compliance with ControllerRef. See the individual commit messages for details.
**Which issue this PR fixes**:
Fixes#36859
**Special notes for your reviewer**:
**Release note**:
```release-note
StatefulSet now respects ControllerRef to avoid fighting over Pods. At the time of upgrade, **you must not have StatefulSets with selectors that overlap** with any other controllers (such as ReplicaSets), or else [ownership of Pods may change](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md#upgrading).
```
cc @erictune @kubernetes/sig-apps-pr-reviews
The Deployment Listers still use selectors, because this is the
behavior expected by callers. This clarifies the meaning of the
returned list. Some callers may need to switch to using
GetControllerOf() instead, but that is a separate, case-by-case issue.
Specific use case is GKE users running gcloud/kubectl on Windows
with a cloud sdk installation path containing spaces. Also improving
test coverage using trick borrowed from exec_test.go
Automatic merge from submit-queue (batch tested with PRs 31783, 41988, 42535, 42572, 41870)
Clean user agent to reduce metrics cardinality
**What this PR does / why we need it**:
This PR is an example implementation for my issue #31781.
``` release-note
```
This commit cleans common browser user-agents to reduce the metrics
cardinality in exported prometheus metrics.
Resolveskubernetes/kubernetes#31781
The StatefulSet Listers still use selectors, because this is the
behavior expected by callers. This clarifies the meaning of the
returned list. Some callers may need to switch to using
GetControllerOf() instead, but that is a separate, case-by-case issue.
Automatic merge from submit-queue
make the system:authenticated group adder smarter
Fixes#42437
This prevents the group adder from adding the system:authenticated group when:
1. it's already in the list
2. the user is system:anonymous
3. system:unauthenticated is in the list
Smaller alternative to https://github.com/kubernetes/kubernetes/pull/42421 for 1.6.
@kubernetes/sig-auth-pr-reviews @enj @liggitt
Automatic merge from submit-queue (batch tested with PRs 42443, 38924, 42367, 42391, 42310)
Apply custom defaults to init containers
Adds overridden defaults to init containers. They were not being defaulted the same way normal containers were.
Automatic merge from submit-queue (batch tested with PRs 41306, 42187, 41666, 42275, 42266)
discovery restmapping should always prefer /v1
The core kube API, empty group, version==v1 should always be the most preferred group and resource from a rest mapper. This special cases that. All the others should be based on discovery order as we previously agreed.
@kubernetes/sig-cli-pr-reviews @kubernetes/sig-api-machinery-pr-reviews
@enj
Automatic merge from submit-queue (batch tested with PRs 41306, 42187, 41666, 42275, 42266)
Server timeout returns an incorrect error
Not a valid Status object in JSON
Part of #42163
Automatic merge from submit-queue (batch tested with PRs 41984, 41682, 41924, 41928)
RC/RS: Fully Respect ControllerRef
**What this PR does / why we need it**:
This is part of the completion of the [ControllerRef](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md) proposal. It brings ReplicaSet and ReplicationController into full compliance with ControllerRef. See the individual commit messages for details.
**Which issue this PR fixes**:
Although RC/RS had partially implemented ControllerRef, they didn't use it to determine which controller to sync, or to update expectations. This could lead to instability or controllers getting stuck.
Ref: https://github.com/kubernetes/kubernetes/issues/24433
**Special notes for your reviewer**:
**Release note**:
```release-note
```
cc @erictune @kubernetes/sig-apps-pr-reviews
Automatic merge from submit-queue
Only set a groupresource on errors if a resource was specified
@deads2k this gets rid of the weird .meta.k8s.io error on unauthorized errors
Automatic merge from submit-queue (batch tested with PRs 42128, 42064, 42253, 42309, 42322)
Fix panic on nil invalid field error
bug fix for validation panic
if a field.Invalid is constructed with a nil badvalue, the Error() method panics, since reflect.TypeOf() returns nil
Automatic merge from submit-queue (batch tested with PRs 42128, 42064, 42253, 42309, 42322)
Add storage.k8s.io/v1 API
This is combined version of reverted #40088 (first 4 commits) and #41646. The difference is that all controllers and tests use old `storage.k8s.io/v1beta1` API so in theory all tests can pass on GKE.
Release note:
```release-note
StorageClassName attribute has been added to PersistentVolume and PersistentVolumeClaim objects and should be used instead of annotation `volume.beta.kubernetes.io/storage-class`. The beta annotation is still working in this release, however it will be removed in a future release.
```
Automatic merge from submit-queue (batch tested with PRs 41672, 42084, 42233, 42165, 42273)
Keep entries of apimachinery in client-go's Godeps.json
1. copy.sh now copies staging/ to a temp dir, creates snapshots for them, and then adds the temp dir to GOPATH before running `godep save`. This way, we don't need the `go list` check added in #41987 so that's removed @sttts.
2. copy.sh fills the entries for k8s.io/apimachinery with dummy SHA1 in client-go's Godeps.json. The publish robot will later fill the actually published one.
3. copy.sh removes the entire `_vendor` from client-go. We cannot keep `_vendor` because it makes hard to use the `git filter-branch` magic for client-go, because the filtered commits might contain changes to `_vendor` while client-go only has `vendor/`.
Some notes on point 3: the robot will restore the vendor/ later, but exclude k8s.io/* and glog, so that users retrieving client-go with `go get` won't end up with multiple copies of them. I think this should be a ***general rule*** for published k8s.io/* repos: every published repos should have complete Godeps.json with latest commit hashes of other k8s.io/* repos, but vendor/k8s.io/* and vendor/glog will be removed from all repos.
@sttts @lavalamp @deads2k
Automatic merge from submit-queue (batch tested with PRs 42126, 42130, 42232, 42245, 41932)
apiserver/pkg/server: include scheme in insecure self client config
Noticed this during bootkube development: https://github.com/kubernetes-incubator/bootkube/issues/325
In Go 1.8's `url.Parse` became more strict, and `url.Parse("127.0.0.1:8080")` now fails.
https://beta.golang.org/doc/go1.8#net_urlhttps://play.golang.org/p/dw_cPeotG4
Accidentally compiled bootkube with 1.8 and tracked a panic down to the loopback client config. Though we're still using the old "genericapiserver", this seems to be translated from the old one.
The actual panic we observed was
```
E0222 19:40:11.364949 5 server.go:254] Failed to create clientset: parse 127.0.0.1:8080: first path segment in URL cannot contain colon
panic: parse 127.0.0.1:8080: first path segment in URL cannot contain colon
goroutine 35 [running]:
github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion.NewForConfigOrDie(0xc420728ea0, 0xc420738e30)
/home/eric/src/github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion/core_client.go:132 +0x62
github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/pkg/master.(*Config).Complete(0xc420739db8, 0x0)
/home/eric/src/github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/pkg/master/master.go:180 +0x40a
github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/cmd/kube-apiserver/app.Run(0xc42007a3c0, 0x0, 0x0)
/home/eric/src/github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:347 +0x1e8d
github.com/kubernetes-incubator/bootkube/pkg/bootkube.(*bootkube).Run.func1(0xc4206b01e0, 0xc420164300)
/home/eric/src/github.com/kubernetes-incubator/bootkube/pkg/bootkube/bootkube.go:124 +0x2f
created by github.com/kubernetes-incubator/bootkube/pkg/bootkube.(*bootkube).Run
/home/eric/src/github.com/kubernetes-incubator/bootkube/pkg/bootkube/bootkube.go:124 +0xb0
```
I don't actually know if this is the correct fix or if there should be changes to `NewForConfigOrDie`. Am looking for comments more than anything.
edit: @abourget pointed out over on bootkube that the actual panic was fixed in the internalclient by https://github.com/kubernetes/kubernetes/pull/38519.
cc @deads2k @sttts @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 41931, 39821, 41841, 42197, 42195)
Admission Controller: Add Pod Preset
Based off the proposal in https://github.com/kubernetes/community/pull/254
cc @pmorie @pwittrock
TODO:
- [ ] tests
**What this PR does / why we need it**: Implements the Pod Injection Policy admission controller
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Added new Api `PodPreset` to enable defining cross-cutting injection of Volumes and Environment into Pods.
```
Automatic merge from submit-queue
Add RBAC roles for bootstrap controllers
Supercedes https://github.com/kubernetes/kubernetes/pull/42221
When locking down controllers to individual RBAC roles we need to make sure that the bootstrap controllers have the right permissions.
This adds the roles and bindings at the correct namespace scopes for the bootstrap-signer and token-cleaner controllers.
@liggitt ptal
@jbeda @luxas you got a good way to test this? It must not be covered in normal e2e or we'd've seen the issue before.
The RC/RS Listers still use selectors, because this is the behavior
expected by callers. This clarifies the meaning of the returned list.
Some callers may need to switch to using GetControllerOf() instead,
but that is a separate, case-by-case issue.
Automatic merge from submit-queue
Re-writing of the resolv.conf file generated by docker
Fixes#17406
Docker 1.12 will contain feature "The option --dns and --net=host should not be mutually exclusive" (docker/docker#22408)
This patch adds optional support for this ability in kubelet (for now in case of "hostNetwork: true" set all dns settings are ignored if any).
To enable feature use newly added kubelet flag: --allow-dns-for-hostnet=true
Introduced chages:
1. Re-writing of the resolv.conf file generated by docker.
Cluster dns settings aren't passed anymore to docker api in all cases, not only for pods with host network:
the resolver conf will be overwritten after infra-container creation to override docker's behaviour.
2. Added new one dnsPolicy - 'ClusterFirstWithHostNet', so now there are:
- ClusterFirstWithHostNet - use dns settings in all cases, i.e. with hostNet=true as well
- ClusterFirst - use dns settings unless hostNetwork is true
- Default
Fixes#17406
Automatic merge from submit-queue (batch tested with PRs 41597, 42185, 42075, 42178, 41705)
stop spamming logs on restart of api server
**What this PR does / why we need it**:
This PR reduces an excessive amount of log spam on startup of any API server with larger amounts of content. We have experienced server restart times ~5 minutes that is a consequence of us tracing each directory in etcd during our initial decoding. This spams the journald process, and results in much of those messages getting rate limited and dropped, and making actual problems much harder to debug. This stops us logging discrete keys in favor of just knowing that an operation was slow for the particular object type (which is enough information!)
this PR also makes it so we know what trace operation was ended in our log messages!
sample log now:
```
Trace "decodeNodeList *[]api.PolicyBinding" (started 2017-02-20 22:20:33.98771112 +0000 UTC)
Decoded 10718 nodes
decodeNodeList *[]api.PolicyBinding [500ms] END
```
Automatic merge from submit-queue (batch tested with PRs 41597, 42185, 42075, 42178, 41705)
auto discovery CA for extension API servers
This is what the smaller pulls were leading to. Only the last commit is unique and I expect I'll still tweak some pod definitions, but this is where I was going.
@sttts @liggitt
Automatic merge from submit-queue (batch tested with PRs 41597, 42185, 42075, 42178, 41705)
Don't log context or full request URI due to security concerns
