Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Only rotate certificates in the background
Change the Kubelet to not block until the first certs have rotated (we didn't act on it anyway) and fall back to the bootstrap cert if the most recent rotated cert is expired on startup.
The certificate manager originally had a "block on startup" rotation behavior to ensure at least one rotation happened on startup. However, since rotation may not succeed within the first time window the code was changed to simply print the error rather than return it. This meant that the blocking rotation has no purpose - it cannot cause the kubelet to fail, and it *does* block the kubelet from starting static pods before the api server becomes available.
The current block behavior causes a bootstrapped kubelet that is also set to run static pods to wait several minutes before actually launching the static pods, which means self-hosted masters using static pods have a pointless delay on startup.
Since blocking rotation has no benefit and can't actually fail startup, this commit removes the blocking behavior and simplifies the code at the same time. The goroutine for rotation now completely owns the deadline, the shouldRotate() method is removed, and the method that sets rotationDeadline now returns it. We also explicitly guard against a negative sleep interval and omit the message.
Should have no impact on bootstrapping except the removal of a long delay on startup before static pods start.
The other change is that an expired certificate from the cert manager is *not* considered a valid cert, which triggers an immediate rotation. This causes the cert manager to fall back to the original bootstrap certificate until a new certificate is issued. This allows the bootstrap certificate on masters to be "higher powered" and allow the node to function prior to initial approval, which means someone configuring the masters with a pre-generated client cert can be guaranteed that the kubelet will be able to communicate to report self-hosted static pod status, even if the first client rotation hasn't happened. This makes master self-hosting more predictable for static configuration environments.
```release-note
When using client or server certificate rotation, the Kubelet will no longer wait until the initial rotation succeeds or fails before starting static pods. This makes running self-hosted masters with rotation more predictable.
```
Automatic merge from submit-queue (batch tested with PRs 57683, 59116, 58728, 59140, 58976). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
doc: fix typo in package apiserver
**What this PR does / why we need it**:
fix typo in package apiserver
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
refactor aggregator api group install
**What this PR does / why we need it**:
refactor aggregator apigroup install. move NewRESTStorage to
`staging/src/k8s.io/kube-aggregator/pkg/registry/apiservice/rest/storage_apiservice.go`
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix some typos in apiserver filters
**What this PR does / why we need it**:
fix some typos
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix PodPidsLimit and ConfigTrialDuration on internal KubeletConfig type
They should both follow the convention of not being a pointer on the internal type.
This required adding a conversion function between `int64` and `*int64`. A side effect is this removes a warning in the generated code for the apps API group.
@dims
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
pass listener in apiextentions-apiserver test to prevent port in use …
**What this PR does / why we need it**:
pass listener to SecureServingOptions to prevent port in use flake.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
partially fix [58936](https://github.com/kubernetes/kubernetes/issues/58936)
**Special notes for your reviewer**:
/assign @hzxuzhonghu @liggitt @sttts @caesarxuchao
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
client-go: Fix broken TCP6 listen for port forwarding
**What this PR does / why we need it**:
The IPV6 loopback address `::1` is enclosed in square brackets twice,
which cause a failure to listen on the TCP6 port.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix an issue where port forwarding doesn't forward local TCP6 ports to the pod
```
/area ipv6
/sig cli
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add a comment on specical case on authorization
In file /staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go,
function WithAuthorization() returns DecisionAllow before error check.
It is intentional to avoid leaking authorization errors to attackers.
This patch add a comment here to give a hint
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add test/fix for ErrShortBuffer edgecase
**What this PR does / why we need it**:
Found a bug with YAMLToJSONDecoder where subsequent reads after `io.ErrShortBuffer` would return values from the next yaml section, rather than the rest of the section I was reading.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#59055https://github.com/kubernetes/kubernetes/issues/59055
**Special notes for your reviewer**:
**Release note**:
```release-note
YAMLDecoder Read now tracks rest of buffer on io.ErrShortBuffer
```
They should both follow the convention of not being a pointer on the
internal type. This required adding a conversion function between
`int64` and `*int64`.
A side effect is this removes a warning in the generated code for the
apps API group.
Automatic merge from submit-queue (batch tested with PRs 58955, 58968, 58971, 58963, 58298). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove dead testing code
Removes a deprecated etcd server init function and stops starting an etc server during unit tests that we never use.
Automatic merge from submit-queue (batch tested with PRs 58955, 58968, 58971, 58963, 58298). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove dead prefix field
The `Prefix` field was never used.
Automatic merge from submit-queue (batch tested with PRs 58955, 58968, 58971, 58963, 58298). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove --tls-ca-file which had no effect
The flag has had no effect since we started configuring loopback based on the direct cert. I've marked it deprecated this release so we don't break launch scripts right away, but its coming. I think we should remove it in 1.11.
```release-note-action-required
kube-apiserver flag --tls-ca-file has had no effect for some time. It is now deprecated and slated for removal in 1.11. If you are specifying this flag, you must remove it from your launch config before ugprading to 1.11.
```
Automatic merge from submit-queue (batch tested with PRs 56995, 58498, 57426, 58902, 58863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
cleanup enable/disable api resources code
**What this PR does / why we need it**:
After #57228, `runtime-config` flag has stop support enable/disable resources of a specific groupVersion,
so this pr does some clean work about this.
Mainly delete unused code in `k8s.io/apiserver/pkg/server/storage/resource_config.go`
**Special notes for your reviewer**:
/assign @deads2k @sttts
**Release note**:
```release-note
NONE
```
/kind cleanup
This changes the Kubelet configuration flag precedence order so that
flags take precedence over config from files/ConfigMaps.
See #56171 for rationale.
Note: Feature gates accumulate with the following
precedence (greater number overrides lesser number):
1. file-based config
2. dynamic cofig
3. flag-based config
The certificate manager originally had a "block on startup" rotation
behavior to ensure at least one rotation happened on startup. However,
since rotation may not succeed within the first time window the code was
changed to simply print the error rather than return it. This meant that
the blocking rotation has no purpose - it cannot cause the kubelet to
fail, and it *does* block the kubelet from starting static pods before
the api server becomes available.
The current block behavior causes a bootstrapped kubelet that is also
set to run static pods to wait several minutes before actually launching
the static pods, which means self-hosted masters using static pods have
a pointless delay on startup.
Since blocking rotation has no benefit and can't actually fail startup,
this commit removes the blocking behavior and simplifies the code at the
same time. The goroutine for rotation now completely owns the deadline,
the shouldRotate() method is removed, and the method that sets
rotationDeadline now returns it. We also explicitly guard against a
negative sleep interval and omit the message.
Should have no impact on bootstrapping except the removal of a long
delay on startup before static pods start.
Also add a guard condition where if the current cert in the store is
expired, we fall back to the bootstrap cert initially (we use the
bootstrap cert to communicate with the server). This is consistent with
when we don't have a cert yet.
Automatic merge from submit-queue (batch tested with PRs 58903, 58141, 58900). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
auth/gcp: configurable scopes for gcp default credentials
**What this PR does / why we need it**:
- add `config.scopes` field comma-separated scope URLs, to be used with Google
Application Default Credentials (i.e. GOOGLE_APPLICATION_CREDENTIALS env)
- users now should be able to set a gserviceaccount key in GOOGLE_APPLICATION_CREDENTIALS
env, craft a kubeconfig file with GKE master IP+CA cert and should be able to authenticate
to GKE in headless mode _without requiring gcloud_ CLI, and they can now use the
email address of the gserviceaccount in RBAC role bindings and _not use Google Cloud IAM at all._
- gcp default scopes now include userinfo.email scope, so authenticating to GKE
using gserviceaccount keys can now be done without gcloud as well.
- since userinfo.email scope is now a default, users who have existing RBAC bindings
that use numeric uniqueID of the gserviceaccount will be broken (this behavior was
never documented/guaranteed). from now on email address of the service account
should be used as the subject in RBAC Role Bindings.
**Release note**:
```release-note
Google Cloud Service Account email addresses can now be used in RBAC
Role bindings since the default scopes now include the "userinfo.email"
scope. This is a breaking change if the numeric uniqueIDs of the Google
service accounts were being used in RBAC role bindings. The behavior
can be overridden by explicitly specifying the scope values as
comma-separated string in the "users[*].config.scopes" field in the
KUBECONFIG file.
```
/assign @cjcullen
/sig gcp
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use SSH tunnel for webhook communication iff the webhook is deployed as a service
**What this PR does / why we need it**:
We are getting the following error when the apiserver connects the webhook on localhost (configured via URL). We should only use the SSL tunnel for the connections to nodes when the webhooks are running as services.
```
I0119 17:41:18.678436 1 ssh.go:400] [4cdf44753cc3705d: localhost:10258] Dialing...
W0119 17:41:18.678483 1 ssh.go:424] SSH tunnel not found for address "localhost", picking random node
I0119 17:41:18.679810 1 ssh.go:402] [4cdf44753cc3705d: localhost:10258] Dialed in 1.398691ms.
W0119 17:41:18.679928 1 admission.go:256] Failed calling webhook, failing closed xxx: failed calling admission webhook "xxx": Post xxx: ssh: rejected: connect failed (Connection refused)
I0119 17:41:18.680346 1 wrap.go:42] POST /api/v1/namespaces/kube-system/pods: (5.725588ms) 500
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # https://github.com/kubernetes/kubernetes/issues/58779
**Special notes for your reviewer**:
**Release note**:
```release-note
kube-apiserver is changed to use SSH tunnels for webhook iff the webhook is not directly routable from apiserver's network environment.
```
/assign @lavalamp @caesarxuchao @cheftako
Automatic merge from submit-queue (batch tested with PRs 58783, 58800, 58846). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
runtime-config bug in kube-aggregator
**What this PR does / why we need it**:
kube-aggregator api has upgraded to v1, and introduce a little bug. I have to fix it.
**Special notes for your reviewer**:
/assign @deads2k
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55792, 58342). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add a metric to track usage of inflight request limit.
This one is tricky. The goal is to know how 'loaded' given apiserver is before we start dropping the load, to so we need to somehow expose 'fullness' of channels.
Sadly this metric is pretty volatile so it's not clear how to do this correctly. I decided to do pre-aggregation to smoothen the metric a bit. In the current implementation the metric publishes maximum "usage" of the inflight is previous second.
If you have any ideas please share.
@smarterclayton @lavalamp @wojtek-t @liggitt @deads2k @caesarxuchao @sttts @crassirostris @hulkholden
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add binary configmap
Reviving code from https://github.com/kubernetes/kubernetes/pull/33549 submitted by @zreigz
**What this PR does / why we need it**:
Add support for binary files in ConfigMap
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#32432
**Special notes for your reviewer**:
**Release note**:
```release-note
ConfigMap objects now support binary data via a new `binaryData` field. When using `kubectl create configmap --from-file`, files containing non-UTF8 data will be placed in this new field in order to preserve the non-UTF8 data. Use of this feature requires 1.10+ apiserver and kubelets.
```
Automatic merge from submit-queue (batch tested with PRs 58518, 58771, 58101, 56829). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Resource version parsing should all be in one place
This is 100% refactoring that ought to be a no-op at run time. It puts resource version parsing in a single file. Doing this because I want to follow up with a change which will make it obvious to users of the system our rules about resource version. Don't want to mix that with this refactor (on the off chance it gets rolled back).
Part of: #58112
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Never let cluster-scoped resources skip webhooks
Fix#57964
This allows user write webhooks for cluster-scoped custom resources.
We still need to figure out how to selectively exempt cluster-scoped resources from webhooks to avoid bootstrapping deadlocks. For now, if a deadlock occurs, users can work around by first deleting the webhook configuration, then rebooting the webhook, then re-enabling the webhook configuration.
```release-note
Bug fix: webhooks now do not skip cluster-scoped resources
Action required: Before upgrading your Kubernetes clusters, double check if you had configured webhooks for cluster-scoped objects (e.g., nodes, persistentVolume), these webhooks will start to take effect. Delete/modify the configs if that's not desirable.
```
