Automatic merge from submit-queue (batch tested with PRs 44440, 44038, 44302, 44316, 43876)
Move pkg/api/ref.go and pkg/api/resource_helpers.go to subpackages
First two commits are #44296#44299. (unfortunately, removing these commits results in conflicts)
This PR moves resource_helpers.go to a subpackage. It's mostly a mechanic move, except that:
* i kept the methods of ResourceName and ResourceList in pkg/api/method.go
I'll send one more PR to separate api.Scheme etc. to their own package.
Automatic merge from submit-queue (batch tested with PRs 44424, 44026, 43939, 44386, 42914)
Preserve int data when unmarshalling for TPR
**What this PR does / why we need it**:
The Go json package converts all numbers to float64 while unmarshalling.
This exposes many of the int64 fields to corruption when marshalled back to json.
The json package provided by kubernetes also provides a way to defer conversion of numbers
(https://golang.org/pkg/encoding/json/#Decoder.UseNumber) and does the conversions to int or float.
This is also implemented in the custom json package. See:
(https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/util/json/json.go)
Now, the number is preserved as an integer till the highest int64 number - `9223372036854775807`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#30213
**Special notes for your reviewer**: See also https://github.com/kubernetes/kubernetes/pull/16964
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 43545, 44293, 44221, 43888)
Avoid nil user special-casing in unsecured endpoint
The unsecured handler currently adds no `user.Info` to the request context. That means that anything that tries to authorize actions in the API server currently has to special case nil users to ensure the unsecured localhost endpoint remains capable of performing all actions.
This PR changes the unsecured localhost endpoint to be treated as a privileged user internally, so that no special casing is required by code inside the authentication layer
I'm not particularly attached to the username. It doesn't bother me for it to have a slightly uncomfortable sounding name.
Automatic merge from submit-queue
Change an Errorf to a Fatalf to prevent a panic.
In #37982 we see that if this error is hit then we will panic on the next line. Lets use `Fatalf` where appropriate :)
This does *not* fix the flake, since that's caused by the test assuming that a particular port is free.
Automatic merge from submit-queue
Make RBAC post-start hook conditional on RBAC authorizer being used
Makes the RBAC post-start hook (and reconciliation) conditional on the RBAC authorizer being used
Ensures we don't set up unnecessary objects.
```release-note
RBAC role and rolebinding auto-reconciliation is now performed only when the RBAC authorization mode is enabled.
```
Automatic merge from submit-queue (batch tested with PRs 42379, 42668, 42876, 41473, 43260)
Don't use global rand for nodeport and IP allocs
Seed it at construction.
Automatic merge from submit-queue (batch tested with PRs 42087, 43383, 43622)
move category expansion out of restmapper
RESTMapping isn't related to CategoryExpansion (the bit that expands "all" into items to be RESTMapped). This provides that separation and simplifies the RESTMapper interface.
@kubernetes/sig-cli-pr-reviews
Automatic merge from submit-queue
remove extra function call
We have read user info from context in previous line. No need to call
this function again.
**Special notes for your reviewer**:
**Release note**:
```NONE
```
The result of this was that an update to a Service would release the
NodePort temporarily (the repair loop would fix it in a minute). During
that window, another Service could get allocated that Port.
Automatic merge from submit-queue
Use namespace from context
Fixes#42653
Updates rbac_test.go to submit objects without namespaces set, which matches how actual objects are submitted to the API.
Automatic merge from submit-queue (batch tested with PRs 41890, 42593, 42633, 42626, 42609)
Remove everything that is not new from batch/v2alpha1
Fixes#37166.
@lavalamp you've asked for it
@erictune this is a prereq for moving CronJobs to beta. I initially planned to put all in one PR, but after I did that I figured out it'll be easier to review separately. ptal
@kubernetes/api-approvers @kubernetes/sig-api-machinery-pr-reviews ptal
Automatic merge from submit-queue (batch tested with PRs 41931, 39821, 41841, 42197, 42195)
Admission Controller: Add Pod Preset
Based off the proposal in https://github.com/kubernetes/community/pull/254
cc @pmorie @pwittrock
TODO:
- [ ] tests
**What this PR does / why we need it**: Implements the Pod Injection Policy admission controller
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Added new Api `PodPreset` to enable defining cross-cutting injection of Volumes and Environment into Pods.
```
Automatic merge from submit-queue
Add RBAC roles for bootstrap controllers
Supercedes https://github.com/kubernetes/kubernetes/pull/42221
When locking down controllers to individual RBAC roles we need to make sure that the bootstrap controllers have the right permissions.
This adds the roles and bindings at the correct namespace scopes for the bootstrap-signer and token-cleaner controllers.
@liggitt ptal
@jbeda @luxas you got a good way to test this? It must not be covered in normal e2e or we'd've seen the issue before.
export functions from pkg/api/validation
add settings API
add settings to pkg/registry
add settings api to pkg/master/master.go
add admission control plugin for pod preset
add new admission control plugin to kube-apiserver
add settings to import_known_versions.go
add settings to codegen
add validation tests
add settings to client generation
add protobufs generation for settings api
update linted packages
add settings to testapi
add settings install to clientset
add start of e2e
add pod preset plugin to config-test.sh
Signed-off-by: Jess Frazelle <acidburn@google.com>
Automatic merge from submit-queue (batch tested with PRs 41954, 40528, 41875, 41165, 41877)
Updating apiserver to return 202 when resource is being deleted asynchronously via cascading deletion
As per https://github.com/kubernetes/kubernetes/issues/33196#issuecomment-278440622.
cc @kubernetes/sig-api-machinery-pr-reviews @smarterclayton @caesarxuchao @bgrant0607 @kubernetes/api-reviewers
```release-note
Updating apiserver to return http status code 202 for a delete request when the resource is not immediately deleted because of user requesting cascading deletion using DeleteOptions.OrphanDependents=false.
```
Automatic merge from submit-queue
Add namespaced role to inspect particular configmap for delegated authentication
Builds on https://github.com/kubernetes/kubernetes/pull/41814 and https://github.com/kubernetes/kubernetes/pull/41922 (those are already lgtm'ed) with the ultimate goal of making an extension API server zero-config for "normal" authentication cases.
This part creates a namespace role in `kube-system` that can *only* look the configmap which gives the delegated authentication check. When a cluster-admin grants the SA running the extension API server the power to run delegated authentication checks, he should also bind this role in this namespace.
@sttts Should we add a flag to aggregated API servers to indicate they want to look this up so they can crashloop on startup? The alternative is sometimes having it and sometimes not. I guess we could try to key on explicit "disable front-proxy" which may make more sense.
@kubernetes/sig-api-machinery-misc
@ncdc I spoke to @liggitt about this before he left and he was ok in concept. Can you take a look at the details?
Automatic merge from submit-queue
make reconcilation generic to handle roles and clusterroles
We have a need to reconcile regular roles, so this pull moves the reconciliation code to use interfaces (still tightly coupled) rather than structs.
@liggitt @kubernetes/sig-auth-pr-reviews
