Automatic merge from submit-queue (batch tested with PRs 50579, 50875, 51797, 51807, 51803)
oidc auth: make the OIDC claims prefix configurable
Add the following flags to control the prefixing of usernames and
groups authenticated using OpenID Connect tokens.
--oidc-username-prefix
--oidc-groups-prefix
```release-note
The OpenID Connect authenticator can now use a custom prefix, or omit the default prefix, for username and groups claims through the --oidc-username-prefix and --oidc-groups-prefix flags. For example, the authenticator can map a user with the username "jane" to "google:jane" by supplying the "google:" username prefix.
```
Closes https://github.com/kubernetes/kubernetes/issues/50408
Ref https://github.com/kubernetes/kubernetes/issues/31380
cc @grillz @kubernetes/sig-auth-pr-reviews @thomastaylor312 @gtaylor
Automatic merge from submit-queue
Fixes kubernetes/kubernetes#29271: accept prefixed namespaces
**What this PR does / why we need it**: `kubectl get namespaces -o name` outputs the names of all namespaces, prefixed with `namespaces/`. This changeset allows these namespace names to be passed directly back in to `kubectl` via the `-n` flag without reprocessing them to remove `namespaces/`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#29271
**Special notes for your reviewer**:
**Release note**:
```NONE
```
Automatic merge from submit-queue
Switch audit output to v1beta1
This PR adds two switches to pick preferred version for webhook and log backends, and it switches to use `audit.k8s.io/v1beta1` as default for both.
@sttts @crassirostris ptal
**Release note**:
```release-note
Switch to audit.k8s.io/v1beta1 in audit.
```
Remove APIService OpenAPI spec when it is deleted
Add eTag support and returning httpStatus to OpenAPI spec downloader
Update aggregated OpenAPI spec periodically
Use delegate chain
Refactor OpenAPI aggregator to have separate controller and aggregation function
Enable OpenAPI spec for extensions api server
Do not filter paths. higher priority specs wins the conflicting paths
Move OpenAPI aggregation controller to pkg/controller/openapi
Automatic merge from submit-queue (batch tested with PRs 50602, 51561, 51703, 51748, 49142)
expose discovery information on scalable resources
Builds on https://github.com/kubernetes/kubernetes/pull/49971 and provides the GroupVersion information that can be used by a dynamic scale client.
@kubernetes/sig-api-machinery-pr-reviews
@foxish @DirectXMan12 since you both asked for it.
Automatic merge from submit-queue (batch tested with PRs 51301, 50497, 50112, 48184, 50993)
audit newest impersonated user info in the ResponseStarted, ResponseComplete audit stage
Impersonation will automatically add system:authenticated, system:serviceaccounts group to the impersonated user info. This pr use the newest impersonated user info in the second audit event. This will help users to debug rbac problems.
**Release note**:
```
[advanced audit] audit newest impersonated user info in the ResponseStarted, ResponseComplete audit stage
```
@liggitt @sttts
Automatic merge from submit-queue (batch tested with PRs 51301, 50497, 50112, 48184, 50993)
Introduce new flag "--include-uninitialized" to kubectl
**What this PR does / why we need it**:
Introduce `--include-uninitialized` as a global flag to kubectl
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49035
**Special notes for your reviewer**:
/assign @caesarxuchao @smarterclayton @ahmetb @deads2k
**Release note**:
```release-note
Add flag "--include-uninitialized" to kubectl annotate, apply, edit-last-applied, delete, describe, edit, get, label, set. "--include-uninitialized=true" makes kubectl commands apply to uninitialized objects, which by default are ignored if the names of the objects are not provided. "--all" also makes kubectl commands apply to uninitialized objects. Please see the [initializer](https://kubernetes.io/docs/admin/extensible-admission-controllers/) doc for more details.
```
Automatic merge from submit-queue (batch tested with PRs 51553, 51538, 51663, 51069, 51737)
Consistent Names for ControllerRevisions, ReplicaSets, and objects using GenerateName
**What this PR does / why we need it**:
Adds the rand.SafeEncodeString function and uses this function to generate names for ReplicaSets and ControllerRevisions.
```release-note
The names generated for ControllerRevision and ReplicaSet are consistent with the GenerateName functionality of the API Server and will not contain "bad words".
```
Automatic merge from submit-queue (batch tested with PRs 51583, 51283, 51374, 51690, 51716)
Unify initializer name validation
Unify the validation rules on initializer names. Fix https://github.com/kubernetes/kubernetes/issues/51843.
```release-note
Action required: validation rule on metadata.initializers.pending[x].name is tightened. The initializer name needs to contain at least three segments separated by dots. If you create objects with pending initializers, (i.e., not relying on apiserver adding pending initializers according to initializerconfiguration), you need to update the initializer name in existing objects and in configuration files to comply to the new validation rule.
```
Automatic merge from submit-queue
Do not mutate original UnstructuredList even temporarily to avoid data races
**What this PR does / why we need it**:
See #51521.
**Which issue this PR fixes**:
Fixes#51521.
**Release note**:
```release-note
NONE
```
/kind bug
/sig api-machinery
Automatic merge from submit-queue (batch tested with PRs 50832, 51119, 51636, 48921, 51712)
apiextensions: add maximum for validation
Missed the `Maximum` field for validation. Adding it now.
**Release note**:
```release-note
NONE
```
/cc @sttts
Automatic merge from submit-queue (batch tested with PRs 51335, 51364, 51130, 48075, 50920)
Graduate custom metrics API to v1beta1
This graduates custom-metrics.metrics.k8s.io/v1alpha1 to custom-metrics.metrics.k8s.io/v1beta1. The move is more-or-less just a straightforward rename.
Part of kubernetes/features#117 and kubernetes/features#118
```release-note
the custom metrics API (custom-metrics.metrics.k8s.io) has moved from v1alpha1 to v1beta1
```
Automatic merge from submit-queue (batch tested with PRs 51335, 51364, 51130, 48075, 50920)
[API] Feature/job failure policy
**What this PR does / why we need it**: Implements the Backoff policy and failed pod limit defined in https://github.com/kubernetes/community/pull/583
**Which issue this PR fixes**:
fixes#27997, fixes#30243
**Special notes for your reviewer**:
This is a WIP PR, I updated the api batchv1.JobSpec in order to prepare the backoff policy implementation in the JobController.
**Release note**:
```release-note
Add backoff policy and failed pod limit for a job
```
Automatic merge from submit-queue (batch tested with PRs 51335, 51364, 51130, 48075, 50920)
Add the possibility to set return values for the FakeDiscovery implementation
**What this PR does / why we need it**:
As an user of the fake clientset (with the fake discovery), I want to be able to set the fake server's version on demand like this for example:
```go
func TestFakingServerVersion(t *testing.T) {
client := fakeclientset.NewSimpleClientset()
fakeDiscovery, ok := client.Discovery().(*fakediscovery.FakeDiscovery)
if !ok {
t.Fatalf("couldn't convert Discovery() to *FakeDiscovery")
}
testGitCommit := "v1.0.0"
fakeDiscovery.FakedServerVersion = &version.Info{
GitCommit: testGitCommit,
}
sv, err := client.Discovery().ServerVersion()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if sv.GitCommit != testGitCommit {
t.Fatalf("unexpected faked discovery return value: %q", sv.GitCommit)
}
}
```
This PR makes that possible, in wait for a more sophisticated FakeDiscovery implementation generally.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue
basic logging and additional documentation for healthz installer
@pmorie upstream logging
- InstallHandler is the public interface through which all interaction
occurs.
- It is good to know whether the default ping is occurring to know due
to manual installation or automatic installation.
- It is good to know how many handlers are installed to see whether
code changes are taking effect.
**What this PR does / why we need it**:
add logging for external users of the genericapiserver
**Special notes for your reviewer**:
This should run exactly once at startup.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45724, 48051, 46444, 51056, 51605)
Add v1 API as a default conversion peer
Some of the APIs call do not this out, and a partial build produces
wrong results.
Automatic merge from submit-queue (batch tested with PRs 45724, 48051, 46444, 51056, 51605)
Mount propagation in kubelet
Together with #45724 it implements mount propagation as proposed in https://github.com/kubernetes/community/pull/659
There is:
- New alpha annotation that allows user to explicitly set propagation mode for each `VolumeMount` in pod containers (to be replaced with real `VolumeMount.Propagation` field during beta) + validation + tests. "Private" is the default one (= no change to existing pods).
I know about proposal for real API fields for alpha feature in https://docs.google.com/document/d/1wuoSqHkeT51mQQ7dIFhUKrdi3-1wbKrNWeIL4cKb9zU/edit, but it seems it's not implemented yet. It would save me quite lot of code and ugly annotation.
- Updated CRI API to transport chosen propagation to Docker.
- New `kubelet --experimental-mount-propagation` option to enable the previous bullet without modifying types.go (worked around with changing `KubeletDeps`... not nice, but it's better than adding a parameter to `NewMainKubelet` and removing it in the next release...)
```release-note
kubelet has alpha support for mount propagation. It is disabled by default and it is there for testing only. This feature may be redesigned or even removed in a future release.
```
@derekwaynecarr @dchen1107 @kubernetes/sig-node-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 45724, 48051, 46444, 51056, 51605)
Add selfsubjectrulesreview in authorization
**What this PR does / why we need it**:
**Which issue this PR fixes**: fixes#47834#31292
**Special notes for your reviewer**:
**Release note**:
```release-note
Add selfsubjectrulesreview API for allowing users to query which permissions they have in a given namespace.
```
/cc @deads2k @liggitt
Automatic merge from submit-queue (batch tested with PRs 51632, 51055, 51676, 51560, 50007)
Split APIVersion into APIGroup and APIVersion in audit events
audit.Event.ObjectRef.APIVersion currently holds both the the API group and
version, separated by a /. This change break these out into separate fields.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 51632, 51055, 51676, 51560, 50007)
fixing a typo in staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
**What this PR does / why we need it**:
Fix a typo in `staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Add a feature gate in the apiserver to control whether paging can be
used. Add controls to the storage factory that allow it to be disabled
per resource. Use a JSON encoded continuation token that can be
versioned. Create a 410 error if the continuation token is expired.
Adds GetContinue() to ListMeta.
Automatic merge from submit-queue
Use json-iterator instead of ugorji for JSON.
@smarterclayton @wojtek-t
Fixes#36120
xref #18762
```release-note
Switch JSON marshal/unmarshal to json-iterator library. Performance should be close to previous with no generated code.
```
Automatic merge from submit-queue (batch tested with PRs 49971, 51357, 51616, 51649, 51372)
add information for subresource kind determination
xref https://github.com/kubernetes/kubernetes/issues/38810https://github.com/kubernetes/kubernetes/issues/38756
Polymorphic subresources usually have different groupVersions for their discovery kinds than their "native" groupVersions. Even though the APIResourceList shows the kind properly, it does not reflect the group or version of that kind, which makes it impossible to unambiguously determine if the subresource matches you and it is impossible to determine how to serialize your data. See HPA controller.
This adds an optional Group and Version to the discovery doc, which can be used to communicate the "native" groupversion of an endpoint. Doing this does not preclude fancier contenttype negotiation in the future and doesn't prevent future expansion from indicating equivalent types, but it does make it possible to solve the problem we have today or polymorphic categorization.
@kubernetes/sig-api-machinery-misc @smarterclayton
@cheftako since @lavalamp is out.
```release-note
Adds optional group and version information to the discovery interface, so that if an endpoint uses non-default values, the proper value of "kind" can be determined. Scale is a common example.
```
Automatic merge from submit-queue (batch tested with PRs 51574, 51534, 49257, 44680, 48836)
audit policy: support subresources and resource names
Updates #48561
policy:
- level: Metadata
resources:
- group: ""
resources ["pods/logs"]
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
The top level resource no longer matches the subresource. For example "pods"
no longer matches requests to the logs subresource on pods.
```release-note
Audit policy supports matching subresources and resource names, but the top level resource no longer matches the subresouce. For example "pods" no longer matches requests to the logs subresource of pods. Use "pods/logs" to match subresources.
```
/cc @sttts @soltysh @crassirostris @ihmccreery @timstclair
Automatic merge from submit-queue (batch tested with PRs 50719, 51216, 50212, 51408, 51381)
Surface reasonable error when connection closed
Try to detect connection closure when API server closed the connection due to timeout.
Surface reasonable error when connection closed.
Further improvement may be retrying when detect connection closure
related to #51353
```release-note
Surface reasonable error when client detects connection closed.
```
/assign @mml @caesarxuchao
