Automatic merge from submit-queue
move constants to their own file
A step towards #44065
These constants are part of the API and will be moved to k8s.io/api. The helper functions are not and will remain in the main repo. This PR separates them to different files. Next step is put all the helper functions into sub-packages, so that the package `k8s.io/kubernetes/pkg/api` only contains code we want to move to k8s.io/api.
I added the retest-not-required label because this just moves code to another file in the same package.
Automatic merge from submit-queue
Ensure invalid username/password returns 401 error, not 403
If a user attempts to use basic auth, and the username/password combination
is rejected, the authenticator should return an error. This distinguishes
requests that did not provide username/passwrod (and are unauthenticated
without error) from ones that attempted to, and failed.
Related to:
https://github.com/kubernetes/kubernetes/pull/39408
Automatic merge from submit-queue (batch tested with PRs 44119, 42538, 43802, 42336, 43396)
iSCSI CHAP support
**What this PR does / why we need it**:
To support CHAP authentication in a multi-tenant setup
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Support iSCSI CHAP authentication
```
Automatic merge from submit-queue (batch tested with PRs 44119, 42538, 43802, 42336, 43396)
remove ListMetaFor
Finish replacing `ListMetaFor` with `ListAccessor`. This gives more flexibility for list handling as intended. `UnstructuredList` matches now.
@kubernetes/sig-api-machinery-pr-reviews
Change validateClusterInfo to use clientcmdapi.NewCluster() instead of
clientcmdapi.Cluster{} when comparing against the passed in clusterInfo.
clusterInfo most likely will be a combination of
clientcmdapi.NewCluster() merged with potential overrides. This is
necessary because otherwise, the DeepEqual between what is supposed to
be an empty Cluster and clusterInfo will fail, resulting in an error
that doesn't allow fall-through to checking for in-cluster
configuration.
Automatic merge from submit-queue (batch tested with PRs 43373, 41780, 44141, 43914, 44180)
fix some typos in apiserver
**What this PR does / why we need it**:
**Which issue this PR fixes**:
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 44084, 42964)
Updated AddOrUpdateTolerationInPod to return bool only.
Updated AddOrUpdateTolerationInPod to return bool only, as there's no case to generate error (the error was used for annotation, it'll not return error after moving to field); and also update admission & daemonset accordingly.
- ValidateNoNewFinalizers: remove unused const
- Mention that mutation of spec.initContainers[*].image field is allowed
- Improve godoc comments
- validation_test.go(expectPrefix): remove unused function
Automatic merge from submit-queue (batch tested with PRs 42288, 44055)
Fixed inaccurate comments for Secret and ConfigMap
**What this PR does / why we need it**:
Updates the comments for ConfigMap and Secret in types.go to correspond to the regex used in validation.go
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#42203
**Special notes for your reviewer**:
**Release note**:
```release-note
None
```
We have a old boltdb/bolt, etcd has moved to newer boltdb, so we should
do the same. Specifically this change needs to be in our tree:
92410e0673
as this fixes intermittent issues we see in our CI runs. So in this
PR, we vendor the v1.3.0 version of boltdb/bolt.
Fixes#43973
hack/local-up-cluster.sh uses cfssl to generate certificates and
will exit it cfssl is not already installed. But other cluster-up
mechanisms (GCE) that generate certs just download cfssl if not
present. Make local-up-cluster.sh do that too.
Automatic merge from submit-queue
Support status.hostIP in downward API
**What this PR does / why we need it**:
Exposes pod's hostIP (node IP) via downward API.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
fixes https://github.com/kubernetes/kubernetes/issues/24657
**Special notes for your reviewer**:
Not sure if there's more documentation that's needed, please point me in the right direction and I will add some :)
Automatic merge from submit-queue
Update godoc to match
**What this PR does / why we need it**:
comments don't match the code. I can also just remove them.
**Which issue this PR fixes**
golint if it was run, but it is nice to have comments that appear to be relevant to the code.
**Special notes for your reviewer**:
docs only
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Update my OWNERS entries.
Not sure why I was set as a reviewer for apimachinery and apiserver stuff. Adding myself to build/.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Make RBAC post-start hook conditional on RBAC authorizer being used
Makes the RBAC post-start hook (and reconciliation) conditional on the RBAC authorizer being used
Ensures we don't set up unnecessary objects.
```release-note
RBAC role and rolebinding auto-reconciliation is now performed only when the RBAC authorization mode is enabled.
```
Automatic merge from submit-queue (batch tested with PRs 42360, 43109, 43737, 43853)
Fix typo
Signed-off-by: yupengzte <yu.peng36@zte.com.cn>
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 42360, 43109, 43737, 43853)
delete etcd socket file for unit tests
This change clean up the environment for etcd3 unit test.
Without this change, "make test" will leave some socket files in
workspace. And these socket files make hack/verify-generated-protobuf.sh
fails.
**Release note**:
```NONE
```
Automatic merge from submit-queue (batch tested with PRs 38741, 41301, 43645, 43779, 42337)
Plumb cipher/tls version serving options
Needed to allow servers to harden or relax default tls versions and ciphers
This change clean up the environment for etcd3 unit test.
Without this change, "make test" will leave some socket files in
workspace. And these socket files make hack/verify-generated-protobuf.sh
fails.
This PR implements a standard admission plugin initializer for the generic API server.
The initializer accepts external clientset, external informers and the authorizer.
Automatic merge from submit-queue (batch tested with PRs 42835, 42974)
remove legacy insecure port options from genericapiserver
The insecure port has been a source of problems and it will prevent proper aggregation into a cluster, so the genericapiserver has no need for it. In addition, there's no reason for it to be in the main kube-apiserver flow either. This pull removes it from genericapiserver and removes it from the shared kube-apiserver code. It's still wired up in the command, but its no longer possible for someone to mess up and start using in mainline code.
@kubernetes/sig-api-machinery-misc @ncdc
Automatic merge from submit-queue (batch tested with PRs 42087, 43383, 43622)
move category expansion out of restmapper
RESTMapping isn't related to CategoryExpansion (the bit that expands "all" into items to be RESTMapped). This provides that separation and simplifies the RESTMapper interface.
@kubernetes/sig-cli-pr-reviews
Automatic merge from submit-queue
proxy to IP instead of name, but still use host verification
I think I found a setting that lets us proxy to an IP and still do hostname verification on the certificate.
@liggitt @sttts Can you see if you agree that this knob does what I think it does? Last commit only, still needs tests.
