Automatic merge from submit-queue (batch tested with PRs 39803, 39698, 39537, 39478)
include bootstrap admin in super-user group, ensure tokens file is correct on upgrades
Fixes https://github.com/kubernetes/kubernetes/issues/39532
Possible issues with cluster bring-up scripts:
- [x] known_tokens.csv and basic_auth.csv is not rewritten if the file already exists
* new users (like the controller manager) are not available on upgrade
* changed users (like the kubelet username change) are not reflected
* group additions (like the addition of admin to the superuser group) don't take effect on upgrade
* this PR updates the token and basicauth files line-by-line to preserve user additions, but also ensure new data is persisted
- [x] existing 1.5 clusters may depend on more permissive ABAC permissions (or customized ABAC policies). This PR adds an option to enable existing ABAC policy files for clusters that are upgrading
Follow-ups:
- [ ] both scripts are loading e2e role-bindings, which only be loaded in e2e tests, not in normal kube-up scenarios
- [ ] when upgrading, set the option to use existing ABAC policy files
- [ ] update bootstrap superuser client certs to add superuser group? ("We also have a certificate that "used to be" a super-user. On GCE, it has CN "kubecfg", on GKE it's "client"")
- [ ] define (but do not load by default) a relaxed set of RBAC roles/rolebindings matching legacy ABAC, and document how to load that for new clusters that do not want to isolate user permissions
Automatic merge from submit-queue
Fix kubectl get -f <file> -o <nondefault printer> so it prints all items in the file
**What this PR does / why we need it**: Fix kubectl get -f <file> -o <nondefault printer> so it prints all the objects in the file, instead of just the first one. Also add a test for this feature.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#38907
**Special notes for your reviewer**:
**Release note**:
```release-note
```
cc @AdoHe @deads2k @liggitt @fabianofranz @kubernetes/kubectl @kubernetes/sig-cli-misc
Fix kubectl get -f <file> -o <nondefault printer> so it prints all the
objects in the file, instead of just the first one. Also add a test for
this feature.
Automatic merge from submit-queue (batch tested with PRs 39673, 39536, 39617, 39540, 39686)
Generate stable bindata output
fixes#30621
bindata generation produces spurious diffs when run with different go versions because gzip output is not stable between versions.
It also produces spurious diffs when invoked directly vs via make/go:generate.
This PR:
* adds data to bindata uncompressed (makes translation files human-readable, and the zip files were already compressed... for reference the file was 27.7 KB before, and 20.1 KB with this change)
* runs the generation from KUBE_ROOT, so it doesn't matter whether it is invoked directly or via go:generate
supercedes https://github.com/kubernetes/kubernetes/pull/39631
Automatic merge from submit-queue (batch tested with PRs 39486, 37288, 39477, 39455, 39542)
Allow missing keys in templates by default
Switch to allowing missing keys in jsonpath templates by default.
Add support for allowing/disallowing missing keys in go templates
(default=allow).
Add --allow-missing-template-keys flag to control this behavior (default=true /
allow missing keys).
Fixes#37991
@kubernetes/sig-cli-misc @kubernetes/api-reviewers @smarterclayton @fabianofranz @liggitt @pwittrock
Automatic merge from submit-queue (batch tested with PRs 39648, 38167, 39591, 39415, 39612)
Add hack/verify-readonly-packages.sh
Create a `.readonly` file in a package. Any change between `$KUBE_VERIFY_GIT_BRANCH` and `HEAD` will lead to output like:
```shell
$ hack/verify-readonly-packages.sh
Readonly packages changed compared to "master" branch: pkg/generated
```
This is part of https://github.com/kubernetes/kubernetes/issues/39528
Automatic merge from submit-queue (batch tested with PRs 39628, 39551, 38746, 38352, 39607)
Increasing times on reconciling volumes fixing impact to AWS.
#**What this PR does / why we need it**:
We are currently blocked by API timeouts with PV volumes. See https://github.com/kubernetes/kubernetes/issues/39526. This is a workaround, not a fix.
**Special notes for your reviewer**:
A second PR will be dropped with CLI cobra options in it, but we are starting with increasing the reconciliation periods. I am dropping this without major testing and will test on our AWS account. Will be marked WIP until I run smoke tests.
**Release note**:
```release-note
Provide kubernetes-controller-manager flags to control volume attach/detach reconciler sync. The duration of the syncs can be controlled, and the syncs can be shut off as well.
```
gzip output is not stable between go releases, so bindata.go shows spurious diffs when compressed
also, half the output is human readable, and the other half is already zip compressed
Switch to allowing missing keys in jsonpath templates by default.
Add support for allowing/disallowing missing keys in go templates
(default=allow).
Add --allow-missing-template-keys flag to control this behavior
(default=true / allow missing keys).
Automatic merge from submit-queue
add import cycle checking for staging to verify scripts
Adds an import cycle check to verify scripts since we can't yet use import-boss. See https://github.com/kubernetes/gengo/pull/27 for details, but since the rule is very simple and global, this ought to provide sufficient protection.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 36229, 39450)
Bump etcd to 3.0.14 and switch to v3 API in etcd.
Ref #20504
**Release note**:
```release-note
Switch default etcd version to 3.0.14.
Switch default storage backend flag in apiserver to `etcd3` mode.
```
Automatic merge from submit-queue
Adding test-federation-cmd.sh to test kubectl with federation apiserver
There are 2 parts to the PR:
* Adding ability to run kubectl tests for a subset of resources.
* Adding test-federation-cmd.sh that runs kubectl tests for resources that are supported by federation-apiserver.
cc @kubernetes/sig-federation @kubernetes/sig-api-machinery
```release-note
Adding kubectl tests for federation
```
Automatic merge from submit-queue (batch tested with PRs 39405, 39371)
hack/local-up-cluster.sh: fix typo in error message
This commit fixes typo in error message and also removes stale comment from `hack/local-up-cluster.sh`.
Automatic merge from submit-queue (batch tested with PRs 39022, 39331, 39070, 39344)
Add a build rule for the boilerplate unit test.
We recently added unit tests that just run whenever you run `hack/verify_boilerplate.sh`, which really isn't the right time to do that. This adds a build rule instead.
Automatic merge from submit-queue
Begin paths for internationalization in kubectl
This is just the first step, purposely simple so we can get the interface correct.
@kubernetes/sig-cli @deads2k
Automatic merge from submit-queue (batch tested with PRs 36751, 38968)
Convert * users/groups to system:authenticated group in ABAC
Part of enabling anonymous auth by default in 1.6 means protecting earlier policies that did not intend to grant access to anonymous users.
This modifies ABAC policies that match `user` or `group` `*` to only match authenticated users.
Docs PR to update examples to use `system:authenticated` or `system:unauthenticated` groups explicitly: https://github.com/kubernetes/kubernetes.github.io/pull/1992
```release-note
ABAC policies using "user":"*" or "group":"*" to match all users or groups will only match authenticated requests. To match unauthenticated requests, ABAC policies must explicitly specify "group":"system:unauthenticated"
```
Automatic merge from submit-queue
create kuberentes-discovery image
Creates an image for `kubernetes-discovery` since this is the API registration, aggregation, and proxy image.
Automatic merge from submit-queue
Coreos kube-up now with less cloud init
This update includes significant refactoring. It moves almost all of the
logic into bash scripts, modeled after the `gci` cluster scripts.
The reason to do this is:
1. Avoid duplicating the saltbase manifests by reusing gci's parsing logic (easier maintenance)
2. Take an incremental step towards sharing more code between gci/trusty/coreos, again for better maintenance
3. Pave the way for making future changes (e.g. improved rkt support, kubelet support) easier to share
The primary differences from the gci scripts are the following:
1. Use of the `/opt/kubernetes` directory over `/home/kubernetes`
2. Support for rkt as a runtime
3. No use of logrotate
4. No use of `/etc/default/`
5. No logic related to noexec mounts or gci-specific firewall-stuff
It will make sense to move 2 over to gci, as well as perhaps a few other small improvements. That will be a separate PR for ease of review.
Ref #29720, this is a part of that because it removes a copy of them.
Fixes#24165
cc @yifan-gu
Since this logic largely duplicates logic from the gci folder, it would be nice if someone closely familiar with that gave an OK or made sure I didn't fall into any gotchas related to that, so cc @andyzheng0831
Automatic merge from submit-queue (batch tested with PRs 38426, 38917, 38891, 38935)
Remove cluster/mesos from hack/verify-flags/exceptions.txt
`cluster/mesos` scripts was removed; so remove it from `hack/verify-flags/exceptions.txt`.
The diff was generated by `hack/verify-flags-underscore.py -e > hack/verify-flags/exceptions.txt`.
Automatic merge from submit-queue
Curating Owners: hack/jenkins
cc @rmmh @spxtr @ixdy @fejta
In an effort to expand the existing pool of reviewers and establish a
two-tiered review process (first someone lgtms and then someone
experienced in the project approves), we are adding new reviewers to
existing owners files.
If You Care About the Process:
------------------------------
We did this by algorithmically figuring out who’s contributed code to
the project and in what directories. Unfortunately, that doesn’t work
well: people that have made mechanical code changes (e.g change the
copyright header across all directories) end up as reviewers in lots of
places.
Instead of using pure commit data, we generated an excessively large
list of reviewers and pruned based on all time commit data, recent
commit data and review data (number of PRs commented on).
At this point we have a decent list of reviewers, but it needs one last
pass for fine tuning.
Also, see https://github.com/kubernetes/contrib/issues/1389.
TLDR:
-----
As an owner of a sig/directory and a leader of the project, here’s what
we need from you:
1. Use PR https://github.com/kubernetes/kubernetes/pull/35715 as an example.
2. The pull-request is made editable, please edit the `OWNERS` file to
remove the names of people that shouldn't be reviewing code in the
future in the **reviewers** section. You probably do NOT need to modify
the **approvers** section. Names asre sorted by relevance, using some
secret statistics.
3. Notify me if you want some OWNERS file to be removed. Being an
approver or reviewer of a parent directory makes you a reviewer/approver
of the subdirectories too, so not all OWNERS files may be necessary.
4. Please use ALIAS if you want to use the same list of people over and
over again (don't hesitate to ask me for help, or use the pull-request
above as an example)
Automatic merge from submit-queue (batch tested with PRs 38525, 38977)
add service status detection to kubernetes-discovery
This adds an inspection of services and endpoints before adding the APIService to kubernetes-discovery. This keeps a single bad API service from killing old clients since proxying will fail.
Automatic merge from submit-queue
conversion-gen: add --skip-unsafe flag
We should expose the SkipUnsafe option, for legacy compatability, so
that conversion-go can be used in other projects, and for platforms
where unsafe is not available.
Make unsafe code generation the default though, and have the help text
hint that the resulting code is sub-optimal.
Automatic merge from submit-queue (batch tested with PRs 37468, 36546, 38713, 38902, 38614)
Remove extensions/v1beta1 Job
Fixes https://github.com/kubernetes/kubernetes/issues/32763. This endpoint was deprecated in 1.5 and was planned to be removed in 1.6.
**Release note**:
```release-note
Remove extensions/v1beta1 Jobs resource, and job/v1beta1 generator.
```
Automatic merge from submit-queue (batch tested with PRs 37468, 36546, 38713, 38902, 38614)
local-up-cluster additions
**What this PR does / why we need it**:
Changes to local-cluster-up: These include: 1) a simple additional help option. 2) additional error message to not being able to run `docker ps`. 3) fail faster when etcd is not found in path. Hopefully these make developing a bit more pleasant.
**Release note**:
```NONE
```
Automatic merge from submit-queue (batch tested with PRs 38888, 38895)
Bundle federation/develop directory in the test tarball for federation testing.
cc @kubernetes/sig-federation-misc
Automatic merge from submit-queue
use in-cluster kubeconfig for genericapiserver
Allow the use of the in-cluster config to communicate with the core API server for delegated authn/authz for an addon API server.
@kubernetes/sig-api-machinery @sttts
