Automatic merge from submit-queue
Run hack/update-codegen.sh in release-1.4 for generating an updated 1.4 clientset
@caesarxuchao doing steps 1 and 2 as described here https://github.com/kubernetes/kubernetes/pull/33851#issuecomment-250851272
adds apps, authentication, certificates, rbac, and storage.
The reason there are substantial deletions (aside from the oneliner "this package is generated by client-gen with arguments...") is because PR https://github.com/kubernetes/kubernetes/pull/32407 added a resource to the 1.4 clientset even though the resource is not present in 1.4 and the PR is targeted to 1.5. So this corrects that, as a bonus.
Automatic merge from submit-queue
Abstraction of endpoints in leaderelection code
**Problem Statement**:
Currently the Leader Election code is hard coded against the endpoints api. This causes performance issues on large scale clusters due to incessant iptables refreshes, see: https://github.com/kubernetes/kubernetes/issues/26637
The goal of this PR is to:
- Abstract Endpoints out of the leader election code
- Fix a known bug in the event recording
fixes#18386
**Special notes for your reviewer**:
This is a 1st pass at abstracting the details of endpoints out into an interface. Any suggestions around how we we want to refactor this interface is welcome and could be addressed in either this PR or follow on PR.
/cc @ncdc @wojtek-t @rrati
Automatic merge from submit-queue
Apply default image tags for all runtimes
Move the docker-specific logic up to the ImageManager to allow code sharing
among different implementations.
Part of #31459
/cc @kubernetes/sig-node
Automatic merge from submit-queue
Node-ip is not used when cloud provider is used
Currently --node-ip in kubelet is not being used when kubelet is configured with a cloud provider. With this fix, kubelet will get a list of IPs from the provider and parse it to return the one that matches node-ip.
This fixes#23568
Automatic merge from submit-queue
formatting json printer for runtime.Unknown
Formatting JSONPrinter.
It prints everything in one single line before.
Now it prints in well-formatted way.
Automatic merge from submit-queue
Fake docker portfoward for in-process docker CRI integration
This is necessary to pass e2e tests for in-process docker CRI integration.
This is part of #31459.
cc/ @Random-Liu @kubernetes/sig-node
Automatic merge from submit-queue
PetSet replica count status test
**What this PR does / why we need it**: It adds a test for PetSet status replica count. It should fail now, but will pass when https://github.com/kubernetes/kubernetes/pull/32117 is merged.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#31965
**Special notes for your reviewer**: It will need to be rebased after #32117 is merged in, don't need detailed review before that.
**Release note**:
```release-note
NONE
```
Added fakeKubeClient and other fake types needed to test what is sent to
API when replica count is updated. These fakes can be extended for
other tests.
Automatic merge from submit-queue
CRI: Fix mount issue in dockershim.
For https://github.com/kubernetes/kubernetes/issues/33189.
The test `Container Runtime Conformance Test container runtime conformance blackbox test when starting a container that exits should report termination message if TerminationMessagePath is set` flakes a lot. (see https://k8s-testgrid.appspot.com/google-node#kubelet-cri-gce-e2e&width=5)
After some investigation, I found the problem is that we are using pointer of iterator.
This fixes the flake.
@yujuhong @feiskyer
Automatic merge from submit-queue
Disallow headless Services with LB type
**What this PR does / why we need it**: It adds new validation rule for Services, to ensure that creating LoadBalancer type service with cluster IP set to "None" fails.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#33036
**Release note**:
```release-note
Creating LoadBalancer Service with "None" ClusterIP is no longer possible
```
Automatic merge from submit-queue
Add OpenAPI specs to source tree
Similar to swagger spec, adding openapi specs in a separate folder api/openapi-spec
To make sure we generate a consistent spec, parameters need to be sorted first.
Automatic merge from submit-queue
move core storage out of master.go
Moves the core resource creation out of master.go and makes it more congruent to the other storages.
WIP because I haven't run tests yet, but I figured I'd see what breaks in the morning.
Automatic merge from submit-queue
Allow anonymous API server access, decorate authenticated users with system:authenticated group
When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users
It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials.
This PR:
* Adds an option to allow anonymous requests to the secured API port. If enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of `system:anonymous` and a group of `system:unauthenticated`. Note: this should only be used with an `--authorization-mode` other than `AlwaysAllow`
* Decorates user.Info returned from configured authenticators with the group `system:authenticated`.
This is related to defining a default set of roles and bindings for RBAC (https://github.com/kubernetes/features/issues/2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs.
```release-note
kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'.
Authenticated users are decorated with a 'system:authenticated' group.
NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or or set '--anonymous-auth=false'.
```
c.f. https://github.com/kubernetes/kubernetes/issues/29177#issuecomment-244191596
Automatic merge from submit-queue
use len(params["port"]) > 0 to replace port > 0
**What this PR does / why we need it**:
port also needs to be passed to server when port is negative or zero.
this is an omission of pr https://github.com/kubernetes/kubernetes/pull/29605
**Which issue this PR fixes**:
**Special notes for your reviewer**:
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
```
Automatic merge from submit-queue
Fixes in HPA: consider only running pods; proper denominator in avg.
Fixes in HPA: consider only running pods; proper denominator in avg request calculations.
Automatic merge from submit-queue
Support Access-Control-Expose-Headers in CORS Handler
Our typical HTTP Response has a "Date" Header, if we don't add an
additional http header "Access-Control-Expose-Headers: Date" then
the browser based clients cannot use the Date HTTP Header.
Fixes#33231
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
When CORS Handler is enabled, we now add a new HTTP header named "Access-Control-Expose-Headers" with a value of "Date". This allows the "Date" HTTP header to be accessed from XHR/JavaScript.
```
Automatic merge from submit-queue
add linebreak between resource groups
**Release note**:
```release-note
release-note-none
```
Printing multiple groups via `kubectl get all` can produce output that is
hard to read in cases where there are a lot of resource types to display
/ some resource types contain varying column amounts.
This patch adds a linebreak above each group of resources only when
there is more than one group to display, and always omitting the
linebreak above the first group. This makes for slightly improved
output.
Linebreaks are printed to stderr, and honor the `--no-headers` option.
**Before**
```
$ kubectl get all
NAME READY STATUS RESTARTS AGE
po/database-1-u9m9l 1/1 Running 3 5d
po/idling-echo-1-9fmz6 2/2 Running 8 5d
po/idling-echo-1-gzb0v 2/2 Running 4 5d
NAME DESIRED CURRENT READY AGE
rc/database-1 1 1 1 6d
rc/idling-echo-1 2 2 2 6d
NAME CLUSTER-IP EXTERNAL-IP PORT(S)
AGE
svc/database 172.30.11.104 <none> 5434/TCP
6d
svc/frontend 172.30.196.217 <none> 5432/TCP
6d
svc/idling-echo 172.30.115.67 <none> 8675/TCP,3090/UDP
6d
svc/kubernetes 172.30.0.1 <none> 443/TCP,53/UDP,53/TCP
6d
svc/mynodeport 172.30.81.254 <nodes> 8080/TCP
5d
svc/mynodeport1 172.30.198.193 <nodes> 8080/TCP
5d
svc/mynodeport2 172.30.149.48 <nodes> 8080/TCP
5d
svc/mynodeport3 172.30.195.235 <nodes> 8080/TCP
5d
```
**After**
```
$ kubectl get all
NAME READY STATUS RESTARTS AGE
po/database-1-u9m9l 1/1 Running 3 5d
po/idling-echo-1-9fmz6 2/2 Running 8 5d
po/idling-echo-1-gzb0v 2/2 Running 4 5d
NAME DESIRED CURRENT READY AGE
rc/database-1 1 1 1 6d
rc/idling-echo-1 2 2 2 6d
NAME CLUSTER-IP EXTERNAL-IP PORT(S)
AGE
svc/database 172.30.11.104 <none> 5434/TCP
6d
svc/frontend 172.30.196.217 <none> 5432/TCP
6d
svc/idling-echo 172.30.115.67 <none> 8675/TCP,3090/UDP
6d
svc/kubernetes 172.30.0.1 <none> 443/TCP,53/UDP,53/TCP
6d
svc/mynodeport 172.30.81.254 <nodes> 8080/TCP
5d
svc/mynodeport1 172.30.198.193 <nodes> 8080/TCP
5d
svc/mynodeport2 172.30.149.48 <nodes> 8080/TCP
5d
svc/mynodeport3 172.30.195.235 <nodes> 8080/TCP
5d
```
cc @fabianofranz @liggitt
Automatic merge from submit-queue
suggest use of `kube explain <resource>` in kube get output
**Release note**:
```release-note
release-note-none
```
This patch improves usability flow, making it easier for a user to
discover the command `kube explain <resource>` through `kube get` output.
##### After
```
$ kube get
You must specify the type of resource to get. Valid resource types include:
* componentstatuses (aka 'cs')
* configmaps (aka 'cm')
* daemonsets (aka 'ds')
* deployments (aka 'deploy')
* events (aka 'ev')
* endpoints (aka 'ep')
* horizontalpodautoscalers (aka 'hpa')
* ingress (aka 'ing')
* jobs
* limitranges (aka 'limits')
* nodes (aka 'no')
* namespaces (aka 'ns')
* petsets (alpha feature, may be unstable)
* pods (aka 'po')
* persistentvolumes (aka 'pv')
* persistentvolumeclaims (aka 'pvc')
* quota
* resourcequotas (aka 'quota')
* replicasets (aka 'rs')
* replicationcontrollers (aka 'rc')
* secrets
* serviceaccounts (aka 'sa')
* services (aka 'svc')
error: Required resource not specified.
Use "kubectl explain <resource>" for a detailed description of that resource (e.g. kubectl explain pods).
See 'kubectl get -h' for help and examples.
```
