Automatic merge from submit-queue (batch tested with PRs 45272, 45115)
initial types for TPRs
This pull starts creating the types described by https://github.com/kubernetes/community/blob/master/contributors/design-proposals/thirdpartyresources.md . In the initial pull different names were suggested. I've started this pull with `CustomResource.apiextensions.k8s.io`.
The structure begins as a separate API server to facilitate rapid prototyping and experimentation, but the end result will be added to the end of the `kube-apiserver` chain as described in https://github.com/kubernetes/community/blob/master/sig-api-machinery/api-extensions-position-statement.md .
Because it is separate to start (not included in any default server), I don't think we need a perfect name, but I'd like to be close.
@kubernetes/sig-api-machinery-misc @enisoc @smarterclayton @erictune
Automatic merge from submit-queue (batch tested with PRs 45239, 45230)
Create a single CA for both client and server certs
**What this PR does / why we need it**:
The following test:
"Certificates API [It] should support building a client with a CSR"
fails with local-up-cluster, but works in the existing CI jobs. This
is because the other CI jobs use a single CA cert while local-up-cluster
can use 2 different sets of CA(s). We need a way to mimic the other
CI jobs (or alternatively change everything to have separate CA's). Just
updating local-up-cluster with a flag seems to be the easy route.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
The following test:
"Certificates API [It] should support building a client with a CSR"
fails with local-up-cluster, but works in the existing CI jobs. This
is because the other CI jobs use a single CA cert while local-up-cluster
can use 2 different sets of CA(s). We need a way to mimic the other
CI jobs (or alternatively change everything to have separate CA's). Just
updating local-up-cluster with a flag seems to be the easy route.
Automatic merge from submit-queue
Use munged semantic version for side-loaded docker tag
**What this PR does / why we need it**: rather than using the md5sum of the dockerized binary for each side-loaded docker image, use the semantic version (with `+`s replaced with `_`s) for the side-loaded docker images.
The use of the md5sum for the docker tag dates to #6326 2 years ago. I'm not sure why that was chosen, short of it being fairly unique.
My main motivation for changing this is that it makes building the docker images using Bazel's docker rules easier, since the semantic version doesn't depend on the build output.
An added benefit is that the list of images on a running kubernetes cluster is also more straightfoward; rather than a list of opaque, meaningless hexadecimal strings, you get something that indicates the provenance of the image. It'd also be clearer that all of the images came from the same build.
I was able to start a cluster with this change on GCE using both `make quick-release` and `make bazel-release`.
Note that this change has no effect on the tag that's pushed to gcr.io during releases; that's still controlled via `KUBE_IMAGE_DOCKER_TAG`, though we may want to merge this functionality at some point.
@kubernetes/sig-node-pr-reviews is there any reason to stick with using the md5sum strategy? @dchen1107 do you remember why we went with md5sums originally?
cc @spxtr @mikedanese
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 45077, 45180, 34727, 45079, 45177)
Allow specifying cluster signing ca/key
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 45077, 45180, 34727, 45079, 45177)
Refactor kube-proxy configuration
This is a proof of concept refactoring of the configuration and startup of kube-proxy. Most flags have been removed and replaced by a single config file, specified by `--config`. This is in regards to the component configuration improvement suggestions listed in #32215.
Also during this effort, I discovered that Hyperkube is roughly reimplementing portions of cobra, and that the current cobra command definitions are solely used to generated docs and man pages. I would like to move the individual commands as well as Hyperkube to using cobra, but that is a separate issue and discussion.
cc @mikedanese @liggitt @deads2k @eparis @sttts @smarterclayton @dgoodwin @timothysc
Automatic merge from submit-queue (batch tested with PRs 45077, 45180, 34727, 45079, 45177)
Move k8s.io/metrics to staging/
This is to break the cyclic dependency in our code base: kubernetes depends on k8s.io/metrics, which depends on kubernetes/staging/client-go.
@DirectXMan12 i actually moved it to staging because we will need the flexibility to update metrics code directly to do many planned refactors, so the copy of metrics in kubernetes has to be the source of truth.
client-gen is not enabled for the code yet, we can enable it after you port your changes to client-gen.
`make generated_files` is enabled for metrics.
Automatic merge from submit-queue
don't use build tags to mark integration tests
This is a bad pattern that leads to checked in code that isn't check for compilation. We should avoid this if it doesn't provide value, which it seems like it doesn't.
Automatic merge from submit-queue (batch tested with PRs 41583, 45117, 45123)
Implement shared PID namespace in the dockershim
**What this PR does / why we need it**: Defaults the Docker CRI to using a shared PID namespace for pods. Implements proposal in https://github.com/kubernetes/community/pull/207 tracked by #1615.
//cc @dchen1107 @vishh @timstclair
**Special notes for your reviewer**: none
**Release note**:
```release-note
Some container runtimes share a process (PID) namespace for all containers in a pod. This will become the default for Docker in a future release of Kubernetes. You can preview this functionality if running with the CRI and Docker 1.13.1 by enabling the --experimental-docker-enable-shared-pid kubelet flag.
```
Automatic merge from submit-queue (batch tested with PRs 44044, 44766, 44930, 45109, 43301)
e2e test: test azure disk volume
**What this PR does / why we need it**:
E2E test Azure disk volume
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
@kubernetes/sig-testing-pr-reviews
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44044, 44766, 44930, 45109, 43301)
Fixes get -oname for unstructured objects
Fixes https://github.com/kubernetes/kubernetes/issues/44832
Make sure we display kind in `kubectl get -o name` for unknown resource types.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Prune examples and e2es per discussion on sig-testing
**What this PR does / why we need it**:
Prune k8petstore from examples and e2es per discussion on sig-testing
**Special notes for your reviewer**:
This can live elsewhere outside the main repository.
**Release note**:
```
NONE
```
/cc @jayunit100 @fejta @kubernetes/sig-testing-pr-reviews
Automatic merge from submit-queue
Don't check in zz_generated.openapi.go.
`zz_generated.openapi.go` is the file that causes the most merge conflicts of all. In #33440, @thockin updated the makefile to support generating these files on demand, but that didn't play well with bazel/gazel.
In this PR, I add a new build macro that will generate this file with a `go_genrule`. I added support for keeping the BUILD file up to date in mikedanese/gazel#34.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44591, 44549)
Update repo-infra bazel dependency and use new gcs_upload rule
This PR provides similar functionality to push-build.sh entirely within Bazel rules (though it relies on gsutil).
It's an alternative to #44306.
Depends on https://github.com/kubernetes/repo-infra/pull/13.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
OpenAPI support for kubectl
Support for openapi spec in kubectl.
Includes:
- downloading and caching openapi spec to a local file
- parsing openapi spec into binary serializable datastructures (10x faster load times 600ms -> 40ms)
- caching parsed openapi spec in memory for each command
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41287, 41636, 44881, 44826)
Enable default signer implementation
**What this PR does / why we need it**:
The Kubernetes controller manager provides a default implementation
of a signer. We should enable it by passing the --cluster-signing-cert-file
and --cluster-signing-key-file parameters to the controller manager
with paths to your Certificate Authority’s keypair. Hoping this will
help pass the "Certificates API [It] should support building a client with a CSR"
e2e test when run against k8s started using local-up-cluster.sh
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
bump bazel build to go1.8.1 and remove invalid unit tests
part of https://github.com/kubernetes/kubernetes/issues/38228
I firmly believe that unit tests that check error strings are incorrect unit tests. If we care about what type of error is returned, we need to use public error types. Anywhere we are using generic errors, we don't care other then that we saw an error.
Automatic merge from submit-queue (batch tested with PRs 44601, 44842, 44893, 44491, 44588)
kubeadm: add flag to skip token print out
**What this PR does / why we need it**: When kubeadm init is used in an automated context, it still prints the token to standard out. When standard output ends up in a log file, it can be considered that the token is leaked there and can be compromised. This PR adds a flag you can select to not have it print out and explicitly disable this behavior.
This is a continuation from https://github.com/kubernetes/kubernetes/pull/42823 since it had to be closed.
**Which issue this PR fixes** : fixes #https://github.com/kubernetes/kubeadm/issues/160
**Special notes for your reviewer**: /cc @luxas @errordeveloper
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 40060, 44860, 44865, 44825, 44162)
Validate etcd only when expecting to run etcd
If running kubelet only, there is no need to validate etcd as the script will not attempt to start etcd. In fact, validating etcd here may cause the script to fail when one wants to run "nokubelet" right before "kubeletonly" because etcd will definitely be running
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44862, 42241, 42101, 43181, 44147)
Feature/hpa upscale downscale delay configurable
**What this PR does / why we need it**:
Makes "upscale forbidden window" and "downscale forbidden window" duration configurable in arguments of kube-controller-manager. Those are options of horizontal pod autoscaler.
**Special notes for your reviewer**:
Please have a look @DirectXMan12 , the PR as discussed in Slack.
**Release note**:
```
Make "upscale forbidden window" and "downscale forbidden window" duration configurable in arguments of kube-controller-manager. Those are options of horizontal pod autoscaler. Right now are hardcoded 3 minutes for upscale, and 5 minutes to downscale. But sometimes cluster administrator might want to change this for his own needs.
```
The Kubernetes controller manager provides a default implementation
of a signer. We should enable it by passing the --cluster-signing-cert-file
and --cluster-signing-key-file parameters to the controller manager
with paths to your Certificate Authority’s keypair. Hoping this will
help pass the "Certificates API [It] should support building a client with a CSR"
e2e test when run against k8s started using local-up-cluster.sh
The docker image is nowhere to be found, so lets remove it.
There have been a request for the Dockerfile here [1], but nobody
seems to care.
redis-proxy is replaced with redis-master in test-cmd-util.sh, to
ensure that the tests still works.
The redis-proxy pod in test/fixtures/doc-yaml/user-guide/multi-pod.yaml
is replaced with valid-pod from test/fixtures/doc-yaml/admin/limitrange/valid-pod.yaml,
so redis-proxy is removed every where.
[1] https://github.com/kubernetes/kubernetes/issues/4914#issuecomment-77209779
Automatic merge from submit-queue (batch tested with PRs 43500, 44073)
[Federation] Add option to retrieve e2e cluster config from secrets
Previously the federation e2e setup was reading member cluster configuration from the test run's kubeconfig. This change removes that dependency in favor of reading member cluster configuration from secrets in the hosting cluster, and caches the configuration to avoid having to read it separately for each test.
cc: @kubernetes/sig-federation-pr-reviews @perotinus
