Automatic merge from submit-queue
NodeController sets NodeTaints instead of deleting Pods
```release-note
Add an alpha feature that makes NodeController set Taints instead of deleting Pods from not Ready Nodes.
```
cc @timothysc @wojtek-t @davidopp
@aveshagarwal - this PR just uses library functions from previous one.
@kevin-wangzefeng - the only thing that's left is to write an admission controller. I don't remember what was the agreements. Are you going to write it, or should I?
Automatic merge from submit-queue
hack/verify-staging-client-go.sh: fail verbosely if working dir is dirty
Fail early and show verbose error message if repository is dirty.
Automatic merge from submit-queue (batch tested with PRs 41667, 41820, 40910, 41645, 41361)
Changing --use-kubernetes-version to --kubernetes-version for kubeadm beta
**What this PR does / why we need it**: to follow-up agreement on SIG-Cluster-Lifecycle on 2017-02-21, flag for `kubeadm init` should be renamed.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**: Meeting minutes for SIG-Cluster-Lifecycle 2017-02-21
**Release note**:
```release-note
Flag --use-kubernetes-version for kubeadm init renamed to --kubernetes-version
```
Automatic merge from submit-queue
hack/verify-staging-client-go.sh: use git-archive to survive dirty working tree
We used rsync before and copied over the checkout. If some other script, created or changed files, godep refused to run.
Now the script uses git-archive against HEAD instead.
Automatic merge from submit-queue
move kube-dns to a separate service account
Switches the kubedns addon to run as a separate service account so that we can subdivide RBAC permission for it. The RBAC permissions will need a little more refinement which I'm expecting to find in https://github.com/kubernetes/kubernetes/pull/38626 .
@cjcullen @kubernetes/sig-auth since this is directly related to enabling RBAC with subdivided permissions
@thockin @kubernetes/sig-network since this directly affects now kubedns is added.
```release-note
`kube-dns` now runs using a separate `system:serviceaccount:kube-system:kube-dns` service account which is automatically bound to the correct RBAC permissions.
```
third_party/etcd isn't guaranteed to be present, this was causing
the script to fail prior to printing out the error message about
version mismatch
fixes#41989
Automatic merge from submit-queue (batch tested with PRs 41812, 41665, 40007, 41281, 41771)
kube-apiserver: add a bootstrap token authenticator for TLS bootstrapping
Follows up on https://github.com/kubernetes/kubernetes/pull/36101
Still needs:
* More tests.
* To be hooked up to the API server.
- Do I have to do that in a separate PR after k8s.io/apiserver is synced?
* Docs (kubernetes.io PR).
* Figure out caching strategy.
* Release notes.
cc @kubernetes/sig-auth-api-reviews @liggitt @luxas @jbeda
```release-notes
Added a new secret type "bootstrap.kubernetes.io/token" for dynamically creating TLS bootstrapping bearer tokens.
```
Automatic merge from submit-queue (batch tested with PRs 41146, 41486, 41482, 41538, 41784)
Added `kubectl create clusterrole` command.
Added `kubectl create clusterrole` command.
Fixed part of #39596
**Special notes for your reviewer**:
@deads2k, please help to review this patch, thanks
**Release note**:
```
Added one new command `kubectl create clusterrole` to help user create a single ClusterRole from command line.
```
Automatic merge from submit-queue
add godep manifest files to staging repos
The staging repos should have manifests that match the godeps of kube so we know what they build against. We don't need the actual vendored code, since a sync script on the other side needs to find the correct level of other staging directories and thus requires its own `godep restore && go get && godep save` cycle.
@sttts ptal
@lavalamp @caesarxuchao client-go needs a lot of unwinding to do something similar, but the idea is that you can run an acyclic path to get this updated by copying the types and dependencies with `go list`, then generate the clients, then generate this manifest. Then in your sync script you can pull the proper levels and finish the actual vendoring.
Automatic merge from submit-queue (batch tested with PRs 41349, 41532, 41256, 41587, 41657)
Lint fixes for the master and worker Python code.
**What this PR does / why we need it**: lint fixes for the python code.
**Which issue this PR fixes** none
**Special notes for your reviewer**: This is lint fixes for the Juju python code.
**Release note**:
```release-note
NONE
```
Please consider these changes so we can pass flake8 lint tests in our build process.
Automatic merge from submit-queue (batch tested with PRs 41709, 41685, 41754, 41759, 37237)
Projected volume plugin
This is a WIP volume driver implementation as noted in the commit for https://github.com/kubernetes/kubernetes/pull/35313.
Automatic merge from submit-queue (batch tested with PRs 41756, 36344, 34259, 40843, 41526)
add swagger ui in local cluster
use `ENABLE_SWAGGER_UI=true hack/local-up-cluster.sh`
Automatic merge from submit-queue (batch tested with PRs 41421, 41440, 36765, 41722)
ResourceQuota ability to support default limited resources
Add support for the ability to configure the quota system to identify specific resources that are limited by default. A limited resource means its consumption is denied absent a covering quota. This is in contrast to the current behavior where consumption is unlimited absent a covering quota. Intended use case is to allow operators to restrict consumption of high-cost resources by default.
Example configuration:
**admission-control-config-file.yaml**
```
apiVersion: apiserver.k8s.io/v1alpha1
kind: AdmissionConfiguration
plugins:
- name: "ResourceQuota"
configuration:
apiVersion: resourcequota.admission.k8s.io/v1alpha1
kind: Configuration
limitedResources:
- resource: pods
matchContains:
- pods
- requests.cpu
- resource: persistentvolumeclaims
matchContains:
- .storageclass.storage.k8s.io/requests.storage
```
In the above configuration, if a namespace lacked a quota for any of the following:
* cpu
* any pvc associated with particular storage class
The attempt to consume the resource is denied with a message stating the user has insufficient quota for the matching resources.
```
$ kubectl create -f pvc-gold.yaml
Error from server: error when creating "pvc-gold.yaml": insufficient quota to consume: gold.storageclass.storage.k8s.io/requests.storage
$ kubectl create quota quota --hard=gold.storageclass.storage.k8s.io/requests.storage=10Gi
$ kubectl create -f pvc-gold.yaml
... created
```
Automatic merge from submit-queue (batch tested with PRs 41421, 41440, 36765, 41722)
local-up-cluster, allow debug option to kubelet
**What this PR does / why we need it**: Allows for kubelet to start in debug mode.
**Release note**:
```
NONE
```
Automatic merge from submit-queue
Defaulting client certs owner to current user if not speicified
**What this PR does / why we need it**:
Defaulting client certs owner to current user if not speicified.
**Which issue this PR fixes**
Fixes#41560.
**Release note**:
```release-note
NONE
```
cc/ @sttts @liggitt
Automatic merge from submit-queue (batch tested with PRs 39373, 41585, 41617, 41707, 39958)
Owners file related changes for kubectl and docs contributors
- adding a command to kubectl updates the root .generated_docs file requiring root level approval: move .generated_docs under docs/
- run hack/update-generated-docs.sh so the docs are up to date
- add kubectl contributors to test/OWNERS and test/fixtures/pkg/kubectl/OWNERS so they can approve kubectl e2e test changes
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41043, 39058, 41021, 41603, 41414)
add defaultTolerationSeconds admission controller
**What this PR does / why we need it**:
Splited from #34825, add a new admission-controller that
1. adds toleration (with tolerationSeconds = 300) for taint `notReady:NoExecute` to every pod that does not already have a toleration for that taint, and
2. adds toleration (with tolerationSeconds = 300) for taint `unreachable:NoExecute` to every pod that does not already have a toleration for that taint.
**Which issue this PR fixes**:
Related issue: #1574
Related PR: #34825
**Special notes for your reviewer**:
**Release note**:
```release-note
add defaultTolerationSeconds admission controller
```
Automatic merge from submit-queue (batch tested with PRs 41043, 39058, 41021, 41603, 41414)
kubeadm: Make a separate util package for kubeconfig logic
**What this PR does / why we need it**:
There are a lot of packages that need to consume kubeconfig logic, so it should be in a central place.
Having it in `kubeadmutil` is suboptimal, because then it get mixed with everything else.
This splits that logic out to a generic place so it then also can be consumed in https://github.com/kubernetes/kubernetes/pull/41417, from where it's broken out.
- Move {admin,kubelet}.conf out as constants
- Make a separate util package for kubeconfig logic
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
