Commit Graph

1103 Commits

Author SHA1 Message Date
Matt Kelly
ae2f680955 Fix typos in configmaplock
Kubernetes-commit: b2342ae9d942af2f6bf572aeb71cce6acaac218b
2018-02-19 14:40:11 -05:00
Jeff Grafton
fca8bb2928 Autogenerated: hack/update-bazel.sh
Kubernetes-commit: ef56a8d6bb3800ab7803713eafc4191e8202ad6e
2018-02-16 13:43:01 -08:00
Slava Semushin
68725b77a4 Update generated files.
Kubernetes-commit: 29514f28834c3e462432afe293bd19bab8746783
2018-02-16 17:23:26 +01:00
Kubernetes Publisher
e00c8f23c0 Merge pull request #59353 from juanvallejo/jvallejo/update-name-printer-output
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

update name printer output to kind.group/name

**Release note**:
```release-note
NONE
```

Followup to https://github.com/kubernetes/kubernetes/pull/59227

Updates output via `-o name` to be pipeable.

cc @deads2k

Kubernetes-commit: bb500a73b618b40e8e5ef0955861183ebd325259
2018-02-16 13:05:48 +00:00
Jordan Liggitt
dd61bd2530 Split self-signed cert and CA
Kubernetes-commit: 3d3cde45b73ec31c81fadbfd494387d141858a40
2018-02-15 23:30:17 -05:00
Jeff Grafton
4c4a49fdd0 Require boilerplate on Bazel Skylark source files
Kubernetes-commit: 72a59f5826b8decf4395cd0b79896b4785a7bee8
2018-02-15 18:02:24 -08:00
Christoph Blecker
dcf48dd399 Re-add OWNERS files to Godeps/vendor dirs
Kubernetes-commit: 6fb2304f2a6da44e42985ed662d5f7f56215eec6
2018-02-15 13:31:02 -08:00
Kubernetes Publisher
3bf59c62ad Merge pull request #56717 from roycaihw/dynamic_subresource
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Dynamic client supports subresources

**What this PR does / why we need it**:
Allows `resource.name` to be a subresource which contains `"/"` in db2977fb11/staging/src/k8s.io/client-go/dynamic/client.go (L143)

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #49588

**Special notes for your reviewer**:
The change is backward compatible.

**Release note**:

```release-note
NONE
```

/sig api-machinery

Kubernetes-commit: f33e0b33f49676bb0be6a410ab98eecd3602bd0a
2018-02-14 21:56:44 +00:00
Kubernetes Publisher
5f85fe426e Merge pull request #59825 from dcbw/remove-deltafifo-compressor
Automatic merge from submit-queue (batch tested with PRs 59832, 59825). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Remove unused DeltaFIFO compressor argument to NewDeltaFIFO

Nobody uses it; the one or two older users from 1.4/1.5 timeframe
were removed for 1.6.  It's also poorly understood and the sole
example is in the testcases, and it's pretty incomplete.

If anyone really wants compression, they can revert this PR.

Earlier pull was https://github.com/kubernetes/kubernetes/pull/43475 which was blocked on some downstream users, which have now removed their usage of the compressor.

@ncdc @deads2k

```release-note
NONE
```

Kubernetes-commit: 5f7b530d87a426348ac7c8fa27f8079fd9445d70
2018-02-14 17:55:58 +00:00
Kubernetes Publisher
35d357565b Merge pull request #59716 from feiskyer/vmss-disk
Automatic merge from submit-queue (batch tested with PRs 59489, 59716). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add AzureDisk support for vmss nodes

**What this PR does / why we need it**:

This PR adds AzureDisk support for vmss nodes. Changes include

- Upgrade vmss API to 2017-12-01
- Upgrade vmss clients with new version API
- Abstract AzureDisk operations for vmss and vmas
- Added AzureDisk support for vmss
- Unit tests and fake clients fix

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #43287

**Special notes for your reviewer**:

~~Depending on #59652 (the first two commits are from #59652).~~

**Release note**:

```release-note
Add AzureDisk support for vmss nodes
```

Kubernetes-commit: d89e64110aa47d557a4b133c40b38de1b41ef7f7
2018-02-14 09:55:42 +00:00
Kubernetes Publisher
a82b3b75b2 Merge pull request #59828 from krousey/shared_informer_race
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix a race condition in SharedInformer

**What this PR does / why we need it**:

This fixes a race condition that can occur in the `sharedIndexInformer`

**Which issue(s) this PR fixes**:
Fixes #59822

**Release note**:

```release-note
Fixed a race condition in k8s.io/client-go/tools/cache.SharedInformer that could violate the sequential delivery guarantee and cause panics on shutdown.
```

Kubernetes-commit: 6590ea6d5d50700d34255b1e037b2702ad26b7fc
2018-02-14 01:55:53 +00:00
Kris
5c864f2fba Add started state to the processor to protect against double starts
This prevents a race condition where the sharedIndexInformer was
causing the processorListener's run and pop method to be started
twice. That violated the SharedInformer's interface guarantee of
sequential delivery and also caused panics on shutdown.

Kubernetes-commit: 3c36d9e373d8e272ad303f359d040621edeb999e
2018-02-13 11:33:21 -08:00
Kris
3f0de10d86 Add a test case for the race in #59822
Kubernetes-commit: be482ad51c21d493f4b83de9aa06c511a552b5b1
2018-02-13 11:32:36 -08:00
Davanum Srinivas
39577c6be1 Update to latest gophercloud/gophercloud
Looks like we end up with the following changes:
1a43566306cb8cebad8cae85c67b15b3c254f316 - Prevent Recursive BuildRequestBody
debc1adf8e41fb5c5b7e2021a1be0b4d0c78318a - Networking v2: Create Floating IP with Subnet
1db95d798aa72ec12a6e60e40749cea56073d2fb - Compute v2: Add unit tests for Ephemeral field
0b8b348f5ad19aa4513ad9f8ad24f766a6623ad9 - compute: flavors: add Ephemeral attribute
8a6dfa8264e8b64523272c7a205e5f08bb6c118f - Compute v2: Flavor Access Remove (#688)
35ab3f13f69349f99ba8b9c9c36a7031ae2963dd - Flavor Extra Spec Update
800a4c0d57fbe8403b0bb6f13a8340c8fc990ad5 - Flavor Extra Spec Delete
be3fd7845c1928cbc5bbe289f2e39f5dec2e7278 - Flavor Extra Specs Create
c2cafb46bb409768f420742757949fd05fb1d704 - Flavor Extra Specs: List / Get (#686)
7b1b87753c31d4900587840774a019bbfa770698 - Compute v2: Flavor Access Add (#687)
1a43566306cb8cebad8cae85c67b15b3c254f316 - Prevent Recursive BuildRequestBody
debc1adf8e41fb5c5b7e2021a1be0b4d0c78318a - Networking v2: Create Floating IP with Subnet

The full set of changes between the old and new SHA are here:
8e59687aa4...6da026c32e

Kubernetes-commit: 375360312aa70595c3174f81f3320eb511aaf8f1
2018-02-13 13:29:15 -05:00
Pengfei Ni
2e7a6d75a5 Fix godeps for client-go
Kubernetes-commit: 1d3cf76d759c34f6f66116a5ff3f73e02522f9fc
2018-02-12 09:24:31 +08:00
Wang Guoliang
d90294e8f9 should use time.Since instead of time.Now().Sub
Kubernetes-commit: 89669283fe84619f0c15af8495ccb28a752bb1e8
2018-02-11 21:17:00 +08:00
Wang Guoliang
a8dc497f30 fix some syntax related errors
Kubernetes-commit: d065157dd74fa02eec87f5849528b079a3736c3d
2018-02-11 19:50:49 +08:00
Kubernetes Publisher
7cd1d3291b Merge pull request #59464 from dixudx/fix_all_typos
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fix all the typos across the project

**What this PR does / why we need it**:
There are lots of typos across the project. We should avoid small PRs on fixing those annoying typos, which is time-consuming and inefficient.

This PR does fix all the typos across the project currently. And with #59463, typos could be avoided when a new PR gets merged.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:
/sig testing
/area test-infra
/sig release
/cc @ixdy
/assign @fejta

**Release note**:

```release-note
None
```

Kubernetes-commit: 317853c90c674920bfbbdac54fe66092ddc9f15f
2018-02-11 09:11:33 +00:00
Di Xu
d39d12f4b0 fix all the typos across the project
Kubernetes-commit: 48388fec7eaad4ac8d84fbe20673ffacf41964a1
2018-02-09 14:53:53 +08:00
Haowei Cai
93a87a9af9 Dynamic client support subresource create/get/update/patch verbs
Kubernetes-commit: e10cdb3b0f42bafcdf1d1a95e6fb14cbfe2b4ab7
2018-02-07 16:04:02 -08:00
Eric Chiang
29c5d6f1b6 generated
Kubernetes-commit: 01801ae13a86c10cd343c329f5224ab47272f826
2018-02-07 15:48:46 -08:00
Eric Chiang
19c591bac2 client-go: add an exec-based client auth provider
Kubernetes-commit: 6463e9efd9ba552e60d2555a3e6526ef90196473
2018-02-07 15:43:12 -08:00
Kubernetes Publisher
33bd23f75b Merge pull request #51042 from soltysh/request_timeout
Automatic merge from submit-queue (batch tested with PRs 59276, 51042, 58973, 59377, 59472). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Allow passing request-timeout from NewRequest all the way down

**What this PR does / why we need it**:
Currently if you pass `--request-timeout` it's not passed all the way down to the actual request object. There's a separate field on the `Request` object that allows setting that timeout, but it's not taken from that flag.

@smarterclayton @deads2k ptal, this is coming from https://github.com/openshift/origin/pull/13701

Kubernetes-commit: 1f6251444b7dad7f5d924acbfb366541f2a6fb99
2018-02-07 21:11:17 +00:00
Kubernetes Publisher
5e622f37cd Merge pull request #58317 from nikhita/bump-go-yaml
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

bump(670d4c): gopkg.in/yaml.v2: fix parsing for non-specific tags

Fixes #56976

Fixes this bug - https://github.com/go-yaml/yaml/issues/75 - in `go-yaml`. The fix for this bug is at 670d4cfef0.

**Release note**:

```release-note
NONE
```

/cc sttts caesarxuchao jennybuckley

Kubernetes-commit: 4e2c3f060a873a0b727dbd3e66047a3b2858db97
2018-02-06 05:11:34 +00:00
Mike Danese
d5f7182e00 add support for /token subresource in serviceaccount registry
Kubernetes-commit: 8ad1c6655bde4ca8d61c3574980cffce5ee937a5
2018-02-05 20:53:25 -08:00
Kubernetes Publisher
4def1285ff Merge pull request #59059 from smarterclayton/move_partial_object
Automatic merge from submit-queue (batch tested with PRs 59158, 38320, 59059, 55516, 59357). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Promote v1alpha1 meta to v1beta1

No code changes, just renames. We can discuss if there are any field / naming changes here or in a follow-up

Parent #58536
Fixes #53224
Prereq to #55637

@kubernetes/sig-api-machinery-pr-reviews @deads2k

```release-note
The `meta.k8s.io/v1alpha1` objects for retrieving tabular responses from the server (`Table`) or fetching just the `ObjectMeta` for an object (as `PartialObjectMetadata`) are now beta as part of `meta.k8s.io/v1beta1`.  Clients may request alternate representations of normal Kubernetes objects by passing an `Accept` header like `application/json;as=Table;g=meta.k8s.io;v=v1beta1` or `application/json;as=PartialObjectMetadata;g=meta.k8s.io;v1=v1beta1`.  Older servers will ignore this representation or return an error if it is not available.  Clients may request fallback to the normal object by adding a non-qualified mime-type to their `Accept` header like `application/json` - the server will then respond with either the alternate representation if it is supported or the fallback mime-type which is the normal object response.
```

Kubernetes-commit: 9ee71b720ed2300d6298bb936d0a7873b5ecf2ac
2018-02-05 21:12:06 +00:00
Kubernetes Publisher
bd9218ea5f Merge pull request #38320 from liggitt/golang-ratelimit
Automatic merge from submit-queue (batch tested with PRs 59158, 38320, 59059, 55516, 59357). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Switch from juju/ratelimit to golang.org/x/time/rate

Replaces juju/ratelimit with golang.org/x/time/rate
xref https://github.com/kubernetes/steering/issues/21

Requires removing the Saturation() method on the rate limiter. In the process of attempting to contribute it to the `golang.org/x/time/rate` implementation, it became clear that what it was calculating was not very useful when combined with periodic polling. See discussion in https://go-review.googlesource.com/c/time/+/29958#message-4caffc11669cadd90e2da4c05122cfec50ea6a22

```release-note
NONE
```

Kubernetes-commit: 0656d030a7d131ca8088a9f0ecd12596eb90d2fd
2018-02-05 21:11:49 +00:00
Kubernetes Publisher
847d15469a Merge pull request #59342 from nikhita/discovery-corev1-order
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

core/v1 should be first in the discovery order

Currently, `core/v1` is at the end of the discovery order.

See https://github.com/kubernetes/kubernetes/issues/42521#issuecomment-360517775.

**Release note**:

```release-note
NONE
```

/assign sttts liggitt

Kubernetes-commit: d8928efc8a0742d245af357e66ff264ac17327ca
2018-02-05 17:11:36 +00:00
juanvallejo
c4ff8ae9ca update -o name format to kind.group/name
Kubernetes-commit: 765f9ec68b0d0759e64d474f9dfb3bf22c24cadf
2018-02-05 11:21:00 -05:00
Nikhita Raghunath
c4f02185e3 core/v1 should be first in discovery order
Currently, core/v1 is at the end of the discovery order.

Since core/v1 is special, it should be in the beginning.

Kubernetes-commit: 45950fdb750d7ac12cec3b9ef3487baa99a40401
2018-02-05 15:04:29 +05:30
Kubernetes Publisher
e2d750fcad Merge pull request #59195 from pigletfly/fix-typo
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix some typos

**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
     None
```

Kubernetes-commit: c6e581ff42bff91337565836834b76a1601be936
2018-02-04 17:11:24 +00:00
Kubernetes Publisher
d8fcdee8ff Merge pull request #59135 from halfcrazy/typo
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

doc: fix typo in client-go

**What this PR does / why we need it**:
Fix typo in package client-go.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

Kubernetes-commit: c047b8dbc1d3ad93ceadb865cd4ecc3a07231a7d
2018-02-04 17:11:07 +00:00
Kubernetes Publisher
63d0eb0002 Merge pull request #59265 from yue9944882/fix-irregular-docs-typo-ish
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fix(doc): irregular descriptive docs

**What this PR does / why we need it**:

Fixes documentation.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note

```

Kubernetes-commit: c52192f33bf83638aee5ef055d7efca887af1a5c
2018-02-04 13:11:07 +00:00
Cao Shufeng
a52532be7b fix assert.Equal argument order
Reference:
https://godoc.org/github.com/stretchr/testify/assert#Equal

Kubernetes-commit: f95bc9289d684d311c54ff66adc2dd50a4af8143
2018-02-04 15:14:55 +08:00
Clayton Coleman
b30485cc03 When using the bootstrap cert, update the store
Otherwise, the certificate store will return nil the first time a store
cert is accessed. When background rotation is being used, prevents the
client from being nil.

Kubernetes-commit: b81f4745546340f08abd3f877c585aac9581d0f0
2018-02-04 01:24:56 -05:00
Kubernetes Publisher
059133e3e3 Merge pull request #59198 from liubin/fix1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix typos

Fix typos in source code's comment.

Kubernetes-commit: 11576c3650f64a3d1c4e4c6a2a050f5181690bca
2018-02-02 17:11:06 +00:00
yue9944882
3c4da130df fix irregular descriptive docs
Kubernetes-commit: dc2f6f9325008dbdb32acef5b1ceb80b67df0df6
2018-02-02 21:05:49 +08:00
Kubernetes Publisher
2f62824dde Merge pull request #58462 from NickrenREN/va-to-beta
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add V1beta1 VolumeAttachment API

**What this PR does / why we need it**:
Add V1beta1 VolumeAttachment API, co-existing with Alpha API object

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #58461

**Special notes for your reviewer**:

**Release note**:
```release-note
Add V1beta1 VolumeAttachment API, co-existing with Alpha API object
```

Kubernetes-commit: 8363129ee6da255ca9fe5c7d62596a3a19378abb
2018-02-02 05:10:54 +00:00
Kubernetes Publisher
ffc92ea3a9 Merge pull request #58930 from smarterclayton/background_rotate
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Only rotate certificates in the background

Change the Kubelet to not block until the first certs have rotated (we didn't act on it anyway) and fall back to the bootstrap cert if the most recent rotated cert is expired on startup.

The certificate manager originally had a "block on startup" rotation behavior to ensure at least one rotation happened on startup. However, since rotation may not succeed within the first time window the code was changed to simply print the error rather than return it. This meant that the blocking rotation has no purpose - it cannot cause the kubelet to fail, and it *does* block the kubelet from starting static pods before the api server becomes available.

The current block behavior causes a bootstrapped kubelet that is also set to run static pods to wait several minutes before actually launching the static pods, which means self-hosted masters using static pods have a pointless delay on startup.

Since blocking rotation has no benefit and can't actually fail startup, this commit removes the blocking behavior and simplifies the code at the same time. The goroutine for rotation now completely owns the deadline, the shouldRotate() method is removed, and the method that sets rotationDeadline now returns it. We also explicitly guard against a negative sleep interval and omit the message.

Should have no impact on bootstrapping except the removal of a long delay on startup before static pods start.

The other change is that an expired certificate from the cert manager is *not* considered a valid cert, which triggers an immediate rotation.  This causes the cert manager to fall back to the original bootstrap certificate until a new certificate is issued.  This allows the bootstrap certificate on masters to be "higher powered" and allow the node to function prior to initial approval, which means someone configuring the masters with a pre-generated client cert can be guaranteed that the kubelet will be able to communicate to report self-hosted static pod status, even if the first client rotation hasn't happened.  This makes master self-hosting more predictable for static configuration environments.

```release-note
When using client or server certificate rotation, the Kubelet will no longer wait until the initial rotation succeeds or fails before starting static pods.  This makes running self-hosted masters with rotation more predictable.
```

Kubernetes-commit: 06472a054a69c0aa0c7cb29697c334704feeb5eb
2018-02-01 21:10:53 +00:00
bin liu
526671fd79 Fix typos
Kubernetes-commit: 4260bf2a2bbc7301072860567537d30ea413c395
2018-02-01 19:53:51 +08:00
pigletfly
68154ad48f Fix typo
Kubernetes-commit: 5eba676508af6571e38b8b37dd4cde6efd33acd3
2018-02-01 19:11:19 +08:00
Haowei Cai
3bf2cc9238 Add comments about potential race in delta fifo.
Kubernetes-commit: 8b03e77aec6fe9496edf51ba11d580c460e8fb5e
2018-01-31 15:22:09 -08:00
halfcrazy
b6a34c5a00 fix typo in client-go
Kubernetes-commit: 86801dee64215e76080fe8df83ffd1fb7df9e093
2018-02-01 02:33:45 +08:00
Kubernetes Publisher
4b76cf9824 Merge pull request #57457 from vfreex/fix-port-forward-ipv6
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

client-go: Fix broken TCP6 listen for port forwarding

**What this PR does / why we need it**:
The IPV6 loopback address `::1` is enclosed in square brackets twice,
which causes a failure to listen on the TCP6 port.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:

**Special notes for your reviewer**:

**Release note**:

```release-note
Fix an issue where port forwarding doesn't forward local TCP6 ports to the pod
```
/area ipv6
/sig cli

Kubernetes-commit: a241087f9966deef6175a370da060f9623e92d94
2018-01-31 13:10:54 +00:00
NickrenREN
b719749aa6 update all
Kubernetes-commit: 8915e275c0a04461b67251e67d693e8cb7b06b12
2018-01-31 18:09:44 +08:00
Clayton Coleman
7e1535c0b5 Promote v1alpha1 meta to v1beta1
No code changes, just renames

Kubernetes-commit: d07a608607e1f4d252003c17cd615652574a0823
2018-01-30 13:30:57 -05:00
Kubernetes Publisher
9f7db9794b Merge pull request #58971 from deads2k/client-01-prefix
Automatic merge from submit-queue (batch tested with PRs 58955, 58968, 58971, 58963, 58298). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

remove dead prefix field

The `Prefix` field was never used.

Kubernetes-commit: 946b1f023ffc8dc1c0f713f4cc75206252c1e197
2018-01-30 01:11:33 +00:00
David Eads
c673e31530 remove dead prefix field
Kubernetes-commit: e7b6d77c7ec39b00da7215626cef3c0ae87fca3c
2018-01-29 11:30:14 -05:00
Clayton Coleman
3f65b38279 Only rotate certificates in the background
The certificate manager originally had a "block on startup" rotation
behavior to ensure at least one rotation happened on startup. However,
since rotation may not succeed within the first time window the code was
changed to simply print the error rather than return it. This meant that
the blocking rotation has no purpose - it cannot cause the kubelet to
fail, and it *does* block the kubelet from starting static pods before
the api server becomes available.

The current block behavior causes a bootstrapped kubelet that is also
set to run static pods to wait several minutes before actually launching
the static pods, which means self-hosted masters using static pods have
a pointless delay on startup.

Since blocking rotation has no benefit and can't actually fail startup,
this commit removes the blocking behavior and simplifies the code at the
same time. The goroutine for rotation now completely owns the deadline,
the shouldRotate() method is removed, and the method that sets
rotationDeadline now returns it. We also explicitly guard against a
negative sleep interval and omit the message.

Should have no impact on bootstrapping except the removal of a long
delay on startup before static pods start.

Also add a guard condition where if the current cert in the store is
expired, we fall back to the bootstrap cert initially (we use the
bootstrap cert to communicate with the server). This is consistent with
when we don't have a cert yet.

Kubernetes-commit: 44493de195d89ec43cc7246af921e626e0002c16
2018-01-28 14:28:28 -05:00
Kubernetes Publisher
91392bcd63 Merge pull request #58141 from ahmetb/configurable-scopes
Automatic merge from submit-queue (batch tested with PRs 58903, 58141, 58900). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

auth/gcp: configurable scopes for gcp default credentials

**What this PR does / why we need it**:

- add `config.scopes` field comma-separated scope URLs, to be used with Google
  Application Default Credentials (i.e. GOOGLE_APPLICATION_CREDENTIALS env)
- users now should be able to set a gserviceaccount key in GOOGLE_APPLICATION_CREDENTIALS
  env, craft a kubeconfig file with GKE master IP+CA cert and should be able to authenticate
  to GKE in headless mode _without requiring gcloud_ CLI, and they can now use the
  email address of the gserviceaccount in RBAC role bindings and _not use Google Cloud IAM at all._
- gcp default scopes now include userinfo.email scope, so authenticating to GKE
  using gserviceaccount keys can now be done without gcloud as well.
- since userinfo.email scope is now a default, users who have existing RBAC bindings
  that use numeric uniqueID of the gserviceaccount will be broken (this behavior was
  never documented/guaranteed). from now on email address of the service account
  should be used as the subject in RBAC Role Bindings.

**Release note**:
```release-note
Google Cloud Service Account email addresses can now be used in RBAC
Role bindings since the default scopes now include the "userinfo.email"
scope. This is a breaking change if the numeric uniqueIDs of the Google
service accounts were being used in RBAC role bindings. The behavior
can be overridden by explicitly specifying the scope values as
comma-separated string in the "users[*].config.scopes" field in the
KUBECONFIG file.
```

/assign @cjcullen
/sig gcp

Kubernetes-commit: 6ef0514bd94e184f51960f0545095f0fae4964b4
2018-01-27 05:11:15 +00:00