Automatic merge from submit-queue (batch tested with PRs 46519, 49794, 49720, 49692, 49821)
fix missing verb at end of format string
**What this PR does / why we need it**:
A missing verb at end of format string in Errorf call happens in `vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc_test.go`, This PR fixes this problem.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Automatic merge from submit-queue
Add KMS plugin registry
Allows supporting KMS services as encryption providers using a plugin mechanism similar to admission plugins.
Simplifies #48574
Progresses #48522
@deads2k PTAL
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
conversion-gen: support recursive types
Currently, conversion-gen goes into an infinite recursion for recursive types. This fixes it to support recursive types.
Needed for #47263.
**Release note**:
```release-note
NONE
```
/cc @sttts
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
Add support for `no_new_privs` via AllowPrivilegeEscalation
**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes#38417
Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.
Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.
Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.
**Release note**:
```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process
```
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
StatefulSet: Remove `initialized` annotation from apps/v1beta2.
The annotation was already removed from apps/v1beta1 in #49251, but this copy survived due to another concurrent PR.
ref #41605
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Enable garbage collection of custom resources
Enhance the garbage collector to periodically refresh the resources it monitors (via discovery) to enable custom resource definition GC (addressing #44507 and reverting #47432).
This is a replacement for #46000.
/cc @lavalamp @deads2k @sttts @caesarxuchao
/ref https://github.com/kubernetes/kubernetes/pull/48065
```release-note
The garbage collector now supports custom APIs added via CustomeResourceDefinition or aggregated apiservers. Note that the garbage collector controller refreshes periodically, so there is a latency between when the API is added and when the garbage collector starts to manage it.
```
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Use the core client with version
**What this PR does / why we need it**:
Replace the **deprecated** `clientSet.Core()` with `clientSet.CoreV1()`.
**Which issue this PR fixes**: fixes#49535
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Currently, the conversion-gen goes into an infinite recursion
for recursive types.
rename: currentlyBuildingTypes -> alreadyVisitedTypes
use a cachingEqual func
update comment
Automatic merge from submit-queue
copy OWNERS to k8s.io/api
`staging/src/k8s.io/api/OWNERS` is combination of `pkg/api/OWNERS` and `pkg/apis/OWNERS`. Other `OWNERS` files are copied from `pkg/apis/<group_name>/OWNERS`.
Since this PR is essentially copying files, so we don't need approval from everyone listed in the OWNERS.
Automatic merge from submit-queue
Fix crd delete nil pointer in example
**What this PR does / why we need it**:
When error is `IsAlreadyExists`, crd will be nil, then `defer` statement will `nil pointer`.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Add apiserver metric for response sizes
Fixes https://github.com/kubernetes/kubernetes/issues/47728
This should help us understand GET/LIST call latencies better. It'll also help catch differences in object sizes across kubemark and real cluster.
I'm labelling the metrics by namespace (hoping that there won't be toooo many of them).
/cc @smarterclayton @gmarek
cc @kubernetes/sig-scalability-misc @kubernetes/sig-api-machinery-misc @lavalamp @wojtek-t
Automatic merge from submit-queue (batch tested with PRs 49712, 49694, 49714, 49670, 49717)
fix arg type error in printf
**What this PR does / why we need it**:
A value of wrong type is passed as arg to a `Errorf` in `vendor/k8s.io/apimachinery/pkg/fields/selector_test.go`, This PR fixes this problem.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Enhance the garbage collector to periodically refresh the resources it
monitors (via discovery) to enable custom resource definition GC.
This implementation caches Unstructured structs for any kinds not
covered by a shared informer. The existing meta-only codec only supports
compiled types; an improved codec which supports arbitrary types could
be introduced to optimize caching to store only metadata for all
non-informer types.
Automatic merge from submit-queue (batch tested with PRs 49081, 49318, 49219, 48989, 48486)
Use case-insensitive header keys for `--requestheader-group-headers`.
This flag is documented as being case-insensitive, but the code was
doing a case-sensitive map lookup.
**Release note**:
```release-note
Bug fix: Parsing of `--requestheader-group-headers` in requests should be case-insensitive.
```
Automatic merge from submit-queue (batch tested with PRs 47738, 49196, 48907, 48533, 48822)
Bumps go-oidc version to include fix for jwt header parsing
**What this PR does / why we need it**:
This bumps the go-oidc dependency to use a fix merged in https://github.com/coreos/go-oidc/pull/153 for OIDC providers that don't set an `Expires` header
**Which issue this PR fixes** :
Partially addresses #42654
Also related: https://github.com/coreos/go-oidc/issues/136
**Special notes for your reviewer**:
None
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47738, 49196, 48907, 48533, 48822)
ParseEncryptionConfiguration: simplify code
**What this PR does / why we need it**:
Reorder `if`-s to make code a bit more readable. It also improves godoc comment and error message.
**Release note**:
```release-note
NONE
```
PTAL @sakshamsharma
Automatic merge from submit-queue (batch tested with PRs 49238, 49595, 43494, 47897, 48905)
adds an admission plugin initializer to the sample apiserver.
**What this PR does / why we need it**:
this PR adds an admission plugin initializer to the sample apiserver.
the plugin initializer is going to be used by an admission plugin
that will use generated informers/listers to list the cluster-scoped resources.
#47868
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49238, 49595, 43494, 47897, 48905)
Add apps/v1beta2.ReplicaSet
~Depends on #48746~ (merged)
~Depends on #49357~ (merged)
xref: #49135
```release-note
Add a new API object apps/v1beta2.ReplicaSet
```
Automatic merge from submit-queue (batch tested with PRs 49665, 49689, 49495, 49146, 48934)
make it possible to allow discovery errors for controllers
Update the discovery client to return partial discovery information *and* an error. Since we can aggregate API servers, discovery of some resources can fail independently. Callers of this function who want to tolerate the errors can, existing callers will still get an error and fail in normal blocks.
@kubernetes/sig-api-machinery-misc @sttts
Automatic merge from submit-queue (batch tested with PRs 47357, 49514, 49271, 49572, 49476)
Updates etcd-client to 3.1.10
I have no idea why azure sdk update became transitive but godeps we're restored before update
Fixes: https://github.com/kubernetes/kubernetes/issues/49386
xref: https://github.com/kubernetes/kubernetes/pull/49393
```
NONE
```
/cc @kubernetes/sig-scalability-pr-reviews @kubernetes/sig-api-machinery-misc @hongchaodeng @wojtek-t
Automatic merge from submit-queue (batch tested with PRs 49259, 49350)
Add envelope encryption transformer
Essential to implement envelope encryption, using a KEK-DEK based encryption scheme which uses an external root of trust (cloudkms, hardware etc).
* Caches known DEKs.
* Creates a new DEK for each write (most common and recommended way of implementing envelope encryption).
* Relies on an implementation of `envelope.Service` which actually implements the encryption and decryption using the external root of trust.
Essential for #48522
@smarterclayton @jcbsmpsn @cheftako @lavalamp @php-coder @destijl @cjcullen
This PR is generic, and independent of any cloudprovider / cloud / KMS code.
For more context: #48574
Automatic merge from submit-queue (batch tested with PRs 49259, 49350)
update json-patch to fix nil value issue when creating mergepatch
**What this PR does / why we need it**:
When [creating a patch for merge](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/annotate.go#L255), nil value will be considered as different value. This has been fixed and merged in [evanphx/json-patch #45](https://github.com/evanphx/json-patch/pull/45).
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49044
**Special notes for your reviewer**:
/cc @MikeSpreitzer @mengqiy
**Release note**:
```release-note
Fix nil value issue when creating json patch for merge
```
Automatic merge from submit-queue (batch tested with PRs 48976, 49474, 40050, 49426, 49430)
apimachinery: fail early with deepcopy problems during roundtrip tests
If deepcopy is broken for some type, it's easy to diagnose. This PR let's the roundtrip test to fail early in this case.
Automatic merge from submit-queue (batch tested with PRs 48224, 45431, 45946, 48775, 49396)
Expose informer constructors
**What this PR does / why we need it**:
See #45939
**Which issue this PR fixes**
Fixes#45939
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48224, 45431, 45946, 48775, 49396)
[client-go] Fake Dynamic Client
This commit converts `"k8s.io/client-go/dynamic".Client` to an interface, and implements fake versions of both `ClientPool` and `Client`. This allows components which make uses of these clients to be tested in the same way that clientset-based components can be tested, using the standard `testing.Fake` machinery.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48224, 45431, 45946, 48775, 49396)
add reflector metrics
This adds metrics (optionally prometheus) to reflectors so that you can see when one reflector is behaving poorly and just how poorly its doing.
@eparis
```release-note
Adds metrics for checking reflector health.
```
