Automatic merge from submit-queue
Refactor cert utils into one pkg, add funcs from bootkube for kubeadm to use
**What this PR does / why we need it**:
We have ended-up with rather incomplete and fragmented collection of utils for handling certificates. It may be worse to consider using `cfssl` for doing all of these things, but for now there is some functionality that we need in `kubeadm` that we can borrow from bootkube. It makes sense to move the utils from bookube into core, as discussed in #31221.
**Special notes for your reviewer**: I've taken the opportunity to review names of existing funcs and tried to make some improvements in that area (with help from @peterbourgon).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Allow secure access to apiserver from Admission Controllers
* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, Set the TLSClientConfig to the cert and key files
if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
to talk to the api server
* Add a new authenticator that checks for this specific bearer token
Fixes#13598
Automatic merge from submit-queue
simplify RC and SVC listers
Make the RC and SVC listers use the common list functions that more closely match client APIs, are consistent with other listers, and avoid unnecessary copies.
Automatic merge from submit-queue
Fix possible panic in PodAffinityChecker
In `PodAffinityChecker.getMatchingAntiAffinityTerms()` `affinity.PodAntiAffinity` can be `nil` in this place. This problem occurs e.g. when `nil` is passed as `meta` to `PodAffinityChecker.InterPodAffinityMatches()`.
Stumbled upon it while working on #31136 (someone PTAL at that PR too, I've submitted it a month ago and seemingly no one noticed it), kube-controller-manager was crashing there.
* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, Set the TLSClientConfig to the cert and key files
if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
to talk to the api server
* Add a new authenticator that checks for this specific bearer token
Fixes#13598
Automatic merge from submit-queue
Fix minor nits in test cases
Found a group of nits when doing #30844, fixed them in a this PR since 30844 requires a long time to review.
Automatic merge from submit-queue
Exit scheduler retry loop correctly
The error was being eaten and shadowed, which means we would never exit
this loop. This might lead to a goroutine in the scheduler being used
forever without exiting at maximum backoff.
Switched to use the real client to make later refactors easier.
@wojtek-t this may lead to scheduler informer exhaustion - not that familiar with retries
Automatic merge from submit-queue
plugin/pkg: add ericchiang to owners for OpenID Connect plugins
On the CoreOS side I'm taking over these components.
@erictune has suggested `pkg/registry/{cluster}role{binding}s/OWNERS` as well but I'd feel more comfortable as a reviewer for those specific parts of RBAC for a couple more cycles since @liggitt and @deads2k have had way more experience in the registry code.
Beyond that the only existing OWNERS files for auth are `pkg/auth/OWNERS` and `plugin/pkg/auth/OWNERS` both of which include @liggitt and @erictune. There's also nothing in the `plugin/pkg/client` path. I'm a little unclear on the implications for future PRs that are assigned to me (e.g. webhook or RBAC reviews).
cc @kubernetes/sig-auth
The error was being eaten and shadowed, which means we would never exit
this loop. This might lead to a goroutine in the scheduler being used
forever without exiting at maximum backoff.
Switched to use the real client to make later refactors easier.
Bump version of golang.org/x/oauth2
Vendor google.golang.org/cloud/
Vendor google.golang.org/api/
Vendor cloud.google.com/go/compute/
Replace google.golang.org/cloud with cloud.google.com/go/
Fixes#30069
Automatic merge from submit-queue
Allow webhook authenticator to use TokenReviewsInterface
Refactors the authentication webhook to be able to be fed a kubeconfig file or a TokenReviewsInterface
Fixes a bug with webhooks not retrying on 429/500 errors
Related to https://github.com/kubernetes/kubernetes/pull/32518#discussion_r78450170
Automatic merge from submit-queue
Ensure that we are closing files.
**What this PR does / why we need it**: In several places we are leaking file descriptors. This could be problematic on systems with low ulimits for them.
**Release note**:
```release-note
```
Automatic merge from submit-queue
Change rbac roleref to reflect the information we want
@liggitt @ericchiang This is a version of https://github.com/kubernetes/kubernetes/pull/31359 which updates the `RoleRef` to be (I think) the type that we want, with a group, resource, and name.
This is **not** backwards compatible with any existing data. I'm ok with doing this since rbac was considered alpha, but its something to consider.
If we want this instead, I'll close the previous pull (or update it with this content).
Automatic merge from submit-queue
Update scheduler config file compatibility tests
**What this PR does / why we need it**:
Added missing compatibility tests for scheduler config file options.
**Which issue this PR fixes**
fixes#30099
**Special notes for your reviewer**:
I came up with the options based on the contents of default.go in each branch.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
make deep copy of quota objects before mutations
The code currently makes shallow copies which ensures that we aren't accidentally reslicing anything in weird ways, but the usage maps are pointers, so they end up being shared.
This makes a couple copies when we know we're going to mutate to avoid changing shared maps.
Automatic merge from submit-queue
ClientConfig should not default to http://localhost:8080
This changes clientcmd to skip the default cluster, but preserves the
behavior in kubectl. This prevents the possibility of an administrator
misconfiguration in kubelet or other server component from allowing a
third party who can bind to 8080 on that host from potentially
impersonating an API server and gaining root access.
@mikedanese @deads2k this removes the defaulting of http://localhost:8080 for server from everything except kubectl.
```release-note
Kubernetes server components using `kubeconfig` files no longer default to `http://localhost:8080`. Administrators must specify a server value in their kubeconfig files.
```
This changes clientcmd to skip the default cluster, but preserves the
behavior in kubectl. This prevents the possibility of an administrator
misconfiguration in kubelet or other server component from allowing a
third party who can bind to 8080 on that host from potentially
impersonating an API server and gaining root access.
