Automatic merge from submit-queue (batch tested with PRs 46519, 49794, 49720, 49692, 49821)
fix missing verb at end of format string
**What this PR does / why we need it**:
A missing verb at end of format string in Errorf call happens in `vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc_test.go`, This PR fixes this problem.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Automatic merge from submit-queue
Add KMS plugin registry
Allows supporting KMS services as encryption providers using a plugin mechanism similar to admission plugins.
Simplifies #48574
Progresses #48522
@deads2k PTAL
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
conversion-gen: support recursive types
Currently, conversion-gen goes into an infinite recursion for recursive types. This fixes it to support recursive types.
Needed for #47263.
**Release note**:
```release-note
NONE
```
/cc @sttts
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
Add support for `no_new_privs` via AllowPrivilegeEscalation
**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes#38417
Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.
Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.
Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.
**Release note**:
```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process
```
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
StatefulSet: Remove `initialized` annotation from apps/v1beta2.
The annotation was already removed from apps/v1beta1 in #49251, but this copy survived due to another concurrent PR.
ref #41605
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Enable garbage collection of custom resources
Enhance the garbage collector to periodically refresh the resources it monitors (via discovery) to enable custom resource definition GC (addressing #44507 and reverting #47432).
This is a replacement for #46000.
/cc @lavalamp @deads2k @sttts @caesarxuchao
/ref https://github.com/kubernetes/kubernetes/pull/48065
```release-note
The garbage collector now supports custom APIs added via CustomeResourceDefinition or aggregated apiservers. Note that the garbage collector controller refreshes periodically, so there is a latency between when the API is added and when the garbage collector starts to manage it.
```
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Use the core client with version
**What this PR does / why we need it**:
Replace the **deprecated** `clientSet.Core()` with `clientSet.CoreV1()`.
**Which issue this PR fixes**: fixes#49535
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
SuggestClientDelay is returning whether the server has requested that
the client delay their next action. It is *not* about whether the client
should retry the action. Webhook was using it incorrectly, and the
method is now up to date.
Our rules are that code of the error must match code of the response. We
were also not setting the correct reason. This updates the timeout
filter to be consistent with other clients, without changing the error
code (504 is correct). The new message properly indicates the request
may still be running, which the old message did not do.
The POSIX standard restricts environment variable names to uppercase
letters, digits, and the underscore character in shell contexts only.
For generic application usage, it is stated that all other characters
shall be tolerated.
This change relaxes the rules to some degree. Namely, we stop requiring
environment variable names to be strict C_IDENTIFIERS and start
permitting lowercase, dot, and dash characters.
Public container images using environment variable names beyond the
shell-only context can benefit from this relaxation. Elasticsearch is
one popular example.
Currently, the conversion-gen goes into an infinite recursion
for recursive types.
rename: currentlyBuildingTypes -> alreadyVisitedTypes
use a cachingEqual func
update comment
Automatic merge from submit-queue
copy OWNERS to k8s.io/api
`staging/src/k8s.io/api/OWNERS` is combination of `pkg/api/OWNERS` and `pkg/apis/OWNERS`. Other `OWNERS` files are copied from `pkg/apis/<group_name>/OWNERS`.
Since this PR is essentially copying files, so we don't need approval from everyone listed in the OWNERS.
Automatic merge from submit-queue
Fix crd delete nil pointer in example
**What this PR does / why we need it**:
When error is `IsAlreadyExists`, crd will be nil, then `defer` statement will `nil pointer`.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Add apiserver metric for response sizes
Fixes https://github.com/kubernetes/kubernetes/issues/47728
This should help us understand GET/LIST call latencies better. It'll also help catch differences in object sizes across kubemark and real cluster.
I'm labelling the metrics by namespace (hoping that there won't be toooo many of them).
/cc @smarterclayton @gmarek
cc @kubernetes/sig-scalability-misc @kubernetes/sig-api-machinery-misc @lavalamp @wojtek-t
Automatic merge from submit-queue (batch tested with PRs 49712, 49694, 49714, 49670, 49717)
fix arg type error in printf
**What this PR does / why we need it**:
A value of wrong type is passed as arg to a `Errorf` in `vendor/k8s.io/apimachinery/pkg/fields/selector_test.go`, This PR fixes this problem.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Enhance the garbage collector to periodically refresh the resources it
monitors (via discovery) to enable custom resource definition GC.
This implementation caches Unstructured structs for any kinds not
covered by a shared informer. The existing meta-only codec only supports
compiled types; an improved codec which supports arbitrary types could
be introduced to optimize caching to store only metadata for all
non-informer types.
Automatic merge from submit-queue (batch tested with PRs 49081, 49318, 49219, 48989, 48486)
Use case-insensitive header keys for `--requestheader-group-headers`.
This flag is documented as being case-insensitive, but the code was
doing a case-sensitive map lookup.
**Release note**:
```release-note
Bug fix: Parsing of `--requestheader-group-headers` in requests should be case-insensitive.
```
Automatic merge from submit-queue (batch tested with PRs 47738, 49196, 48907, 48533, 48822)
Bumps go-oidc version to include fix for jwt header parsing
**What this PR does / why we need it**:
This bumps the go-oidc dependency to use a fix merged in https://github.com/coreos/go-oidc/pull/153 for OIDC providers that don't set an `Expires` header
**Which issue this PR fixes** :
Partially addresses #42654
Also related: https://github.com/coreos/go-oidc/issues/136
**Special notes for your reviewer**:
None
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47738, 49196, 48907, 48533, 48822)
ParseEncryptionConfiguration: simplify code
**What this PR does / why we need it**:
Reorder `if`-s to make code a bit more readable. It also improves godoc comment and error message.
**Release note**:
```release-note
NONE
```
PTAL @sakshamsharma
Automatic merge from submit-queue (batch tested with PRs 49238, 49595, 43494, 47897, 48905)
adds an admission plugin initializer to the sample apiserver.
**What this PR does / why we need it**:
this PR adds an admission plugin initializer to the sample apiserver.
the plugin initializer is going to be used by an admission plugin
that will use generated informers/listers to list the cluster-scoped resources.
#47868
**Release note**:
```
NONE
```
