Automatic merge from submit-queue
Switch from package syscall to golang.org/x/sys/unix
**What this PR does / why we need it**:
The syscall package is locked down and the comment in https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24 advises to switch code to use the corresponding package from golang.org/x/sys. This PR does so and replaces usage of package syscall with package golang.org/x/sys/unix where applicable. This will also allow to get updates and fixes
without having to use a new go version.
In order to get the latest functionality, golang.org/x/sys/ is re-vendored. This also allows to use Eventfd() from this package instead of calling the eventfd() C function.
**Special notes for your reviewer**:
This follows previous works in other Go projects, see e.g. moby/moby#33399, cilium/cilium#588
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
client-gen: don't ignore nil clientsets
Closes https://github.com/kubernetes/client-go/issues/240
When a clientset is nil, fail fast instead of returning a nil value as an interface.
/cc @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 49916, 50050)
GCE: Fix bug by correctly cast port to string
Code is incorrectly casting a port to a string, causing the diff-expression to always return true.
**What this PR does / why we need it**:
Fixes#50049
**Special notes for your reviewer**:
/assign @MrHohn
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48365, 49902, 49808, 48722, 47045)
Allow update to GC fields for RBAC resources
This change makes it so that no escalation check is performed when updating only the garbage collector fields (owner references and finalizers) of RBAC resources. This allows the garbage collector to delete roles that grant permissions such as "create", which it will never have.
Signed-off-by: Monis Khan <mkhan@redhat.com>
@kubernetes/sig-auth-api-reviews
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50000, 49954, 49943, 50018, 49607)
change apps/v1beta2 StatefulSet observedGeneration from a pointer to an int for consistency
**What this PR does / why we need it**:
change the StatefulSet observedGeneration from a pointer to an int for consistency
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49623
xref #49135
**Special notes for your reviewer**:
/cc @janetkuo @foxish @kow3ns
**Release note**:
```release-note
change apps/v1beta2 StatefulSet observedGeneration (optional field) from a pointer to an int for consistency
```
Automatic merge from submit-queue (batch tested with PRs 50000, 49954, 49943, 50018, 49607)
Remove extraneous white space
**What this PR does / why we need it**:
Output from command `kubectl delete --help` contains extraneous whitespace. While we are at it, paragraph in multi-paragraph section has shorter line lengths, text looks better if all paragraphs have similar line lengths.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
White space only. This PR is outward facing but so trivial I don't think it needs a release note. I'm new around here, if this assumption is incorrect please tell me. Thanks.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49237, 49656, 49980, 49841, 49899)
certificate manager: close existing client conns once cert rotates
After the kubelet rotates its client cert, it will keep connections to the API server open indefinitely, causing it to use its old credentials instead of the new certs. Because the API server authenticates client certs at the time of the request, and not the handshake, this could cause the kubelet to start hitting auth failures even if it rotated its certificate to a new, valid one.
When the kubelet rotates its cert, close down existing connections to force a new TLS handshake.
Ref https://github.com/kubernetes/features/issues/266
Updates https://github.com/kubernetes-incubator/bootkube/pull/663
```release-note
After a kubelet rotates its client cert, it now closes its connections to the API server to force a handshake using the new cert. Previously, the kubelet could keep its existing connection open, even if the cert used for that connection was expired and rejected by the API server.
```
/cc @kubernetes/sig-auth-bugs
/assign @jcbsmpsn @mikedanese
Automatic merge from submit-queue (batch tested with PRs 49237, 49656, 49980, 49841, 49899)
[Bug Fix] Set NodeOODCondition to false
fixes#49839, which was introduced by #48846
This PR makes the kubelet set NodeOODCondition to false, so that the scheduler and other controllers do not consider the node to be unschedulable.
/assign @vishh
/sig node
/release-note-none
Automatic merge from submit-queue (batch tested with PRs 49237, 49656, 49980, 49841, 49899)
GC shouldn't send empty patch
The scope of the `if` statement was wrong, causing GC to sometimes send empty patch.
Found this bug while investigating https://github.com/kubernetes/kubernetes/issues/49966.
Automatic merge from submit-queue
Log abridged set of rules at v2 in kube-proxy on error
**What this PR does / why we need it**:
this is a follow-on to https://github.com/kubernetes/kubernetes/pull/48085
**Special notes for your reviewer**:
we hit this in operations where we typically run in v2, and would like to log abridged set of output rather than full output.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50029, 48517, 49739, 49866, 49782)
Update generated deepcopy code
**What this PR does / why we need it**:
In generated deepcopy code, the method names in comments do not match the real method names.
**Which issue this PR fixes**: fixes#49755
**Special notes for your reviewer**:
/assign @sttts @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50029, 48517, 49739, 49866, 49782)
Pod affinity test clean up as AffinitInAnnotation is removed.
**What this PR does / why we need it**:
These tests are already covered under "empty topologyKey" pod affinity test cases.
These test cases were added only to test the scenario when the AffinitInAnnotation
feature was disabled. Since AffinitInAnnotation is removed now, these test cases are
no longer needed as they are duplicate now.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
@kubernetes/sig-scheduling-misc @bsalamat
Automatic merge from submit-queue (batch tested with PRs 50029, 48517, 49739, 49866, 49782)
iptables_test should not run on OSX or Windows
**What this PR does / why we need it**:
Fix for failing tests. Let's just skip these on darwin and windows
platforms as iptables is not available on these.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#48509
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Have a uniform format for filenames across controllers
**What this PR does / why we need it**:
Bring in uniformity in filename format across all the controllers. Now controllers are of the format
`<controllerName>_controller.go`
From
```
./pkg/controller/node/nodecontroller.go
./pkg/controller/route/routecontroller.go
./pkg/controller/service/servicecontroller.go
./pkg/controller/cloud/nodecontroller.go
./pkg/controller/ttl/ttlcontroller.go
./pkg/controller/job/jobcontroller.go
./pkg/controller/daemon/daemoncontroller.go
```
TO
```
./pkg/controller/node/node_controller.go
./pkg/controller/route/route_controller.go
./pkg/controller/service/service_controller.go
./pkg/controller/cloud/node_controller.go
./pkg/controller/ttl/ttl_controller.go
./pkg/controller/job/job_controller.go
./pkg/controller/daemon/daemon_controller.go
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
None
```
Automatic merge from submit-queue (batch tested with PRs 49992, 48861, 49267, 49356, 49886)
Emit event and retry when fail to start healthz server on kube-proxy
**What this PR does / why we need it**: Enhance kube-proxy's logic when fail to start healthz server.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: From #49263.
**Special notes for your reviewer**:
/assign @thockin @nicksardo @bowei
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49992, 48861, 49267, 49356, 49886)
Reintegrate aggregation support for OpenAPI
Reintegrating changes of #46734
Changes summary:
- Extracted all OpenAPI specs to new repo `kube-openapi`
- Make OpenAPI spec aggregator to copy and rename any non-requal model (even with documentation change only).
- Load specs when adding APIServices and retry on failure until successful spec retrieval or a 404.
- Assumes all Specs except aggregator's Spec are static
- A re-register of any APIService will result in updating the spec for that service (Suggestion for TPR: they should be registered to aggregator API Server, Open for discussion if any more changes needed for another PR.)
fixes#48548
Automatic merge from submit-queue (batch tested with PRs 49871, 49422, 49092, 49858, 48999)
ScaleIO Volume Plugin - Volume attribute fixes and updates
**What this PR does / why we need it**:
This is a housekeeping PR for small enhancements and fixes to the ScaleIO volume plugin to address issues:
- Enforcement of fsGroup
- Enable ScaleIO multiple-instance volume mapping
- Tighter validation of PVC parameters
- Injection of default PVC capacity when omitted
- Better alignment of PVC, PV, and volume names for dynamic provisioning
**Special notes for your reviewer**:
**Release note**:
```release-note
Enforcement of fsGroup; enable ScaleIO multiple-instance volume mapping; default PVC capacity; alignment of PVC, PV, and volume names for dynamic provisioning
```
Automatic merge from submit-queue
If error continue for loop
If err does not add continue, type conversion will be error.
If do not add continue, pod. (* V1.Pod) may cause panic to run.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49870, 49416, 49872, 49892, 49908)
fix alpha/beta endpoint when api endpoint is specified
fix a bug in alpha/beta compute API endpoint bootstraping when api-endpiont is specified.
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 49870, 49416, 49872, 49892, 49908)
FC volume plugin: remove block device at DetachDisk
**What this PR does / why we need it**:
After a volume is unmounted from pod and worker node, and then PV and PVC are deleted, cluster admin or external-provisioner might delete the disk from storage, therefore block device on the node should be cleaned up beforehand.
The photon volume plugin already has same functionality.
**Which issue this PR fixes**: fixes#49392
**Special notes for your reviewer**:
/assign @rootfs
/cc @jsafrane @saad-ali
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49870, 49416, 49872, 49892, 49908)
Renamed zoneNotReadyOrUnreachableTainer to zoneNoExecuteTainer.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: partially fixes#42001
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 49898, 49897, 49919, 48860, 49491)
Fix usage a make(struct, len()) followed by append()
A couple of places in the code we allocate with make() but then use
append(), instead of copy() or direct assignment. This results in a
slice with len() zero elements at the front followed by the expected
data. The correct form for such usage is `make(struct, 0, len())`.
I found these by running:
```
$ git grep -EI -A7 'make\([^,]*, len\(' | grep 'append(' -B7 | grep -v vendor
```
And then manually looking through the results. I'm sure something better
could exist.
**Release note**:
```release-note
NONE
```
After the kubelet rotates its client cert, it will keep connections
to the API server open indefinitely, causing it to use its old
credentials instead of the new certs
When the kubelet rotates its cert, close down existing connections
to force a new TLS handshake.
Automatic merge from submit-queue
Validate if service has duplicate port
**What this PR does / why we need it**:
Validate if a service has duplicate Spec.Ports.Port (same number with same protocol)
xref #47221
fixes this part:
>It is possible to express a Service with multiple ports blocks with the same number. This is not very useful and may cause trouble for implementations of Services.
**Special notes for your reviewer**:
/cc @thockin @liggitt @mengqiy
@kubernetes/sig-network-pr-reviews
**Release note**:
```release-note
NONE
```
This change makes it so that no escalation check is performed when
updating only the garbage collector fields (owner references and
finalizers) of RBAC resources. This allows the
garbage collector to delete roles that grant permissions such
as "create", which it will never have.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Automatic merge from submit-queue (batch tested with PRs 46519, 49794, 49720, 49692, 49821)
[route_controller] Emit event when failed to create route
**What this PR does / why we need it**:
When route controller failed to create route for nodes, pod's networking is likely broken. We surface this situation through node condition (https://github.com/kubernetes/kubernetes/blob/v1.7.2/pkg/controller/route/routecontroller.go#L197-L231), but this might not be easily tracked when user have a large cluster with many nodes. Surface the error through event might make things more obvious.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
cc @bowei
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46519, 49794, 49720, 49692, 49821)
Log attach detach controller skipping pods at higher priority
This will help us in tracking down problems related to pods
not getting added to desired state of world because of events
arriving out of order or some other problem related to that.
cc @kubernetes/sig-storage-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 49284, 49555, 47639, 49526, 49724)
skip WaitForAttachAndMount for terminated pods in syncPod
Fixes https://github.com/kubernetes/kubernetes/issues/49663
I tried to tread lightly with a small localized change because this needs to be picked to 1.7 and 1.6 as well.
I suspect this has been as issue since we started unmounting volumes on pod termination https://github.com/kubernetes/kubernetes/pull/37228
xref openshift/origin#14383
@derekwaynecarr @eparis @smarterclayton @saad-ali @jwforres
/release-note-none
Automatic merge from submit-queue (batch tested with PRs 49284, 49555, 47639, 49526, 49724)
Supply Portworx StorageClass paramters in volume spec labels for server-side processing
**What this PR does / why we need it**:
This change offloads the requirement of successfully parsing all existing and new portworx volume parameters to it's server-side components. As a result, for fixing bugs in existing volume parameters parsing and adding new support, we will not need to submit a k8s PR.
**Which issue this PR fixes**: fixes#49525
**Release note**:
```release-note
Fix incorrect parsing of io_priority in Portworx volume StorageClass and add support for new paramters.
```
Automatic merge from submit-queue (batch tested with PRs 49284, 49555, 47639, 49526, 49724)
Change pod config to manifest
**What this PR does / why we need it**:
As per https://github.com/kubernetes/kubernetes/pull/46494#discussion_r119675805, change `config` to `manifest` to avoid ambiguous.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Since it's a minor fix, there is no issue here.
/cc @mtaufen
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49284, 49555, 47639, 49526, 49724)
amend spec.PersistentVolume.Spec
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
Add support for `no_new_privs` via AllowPrivilegeEscalation
**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes#38417
Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.
Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.
Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.
**Release note**:
```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process
```
