Automatic merge from submit-queue
kubeadm token discovery URL may not have valid input for url.Parse
**What this PR does / why we need it**:
**Which issue this PR fixes**: fixes https://github.com/kubernetes/kubeadm/issues/95
**Special notes for your reviewer**:
/cc @dgoodwin @luxas @mikedanese this is a WIP! Need a couple things:
* decide token separator, `.` or `:`
* define error handling in `token.go::37`
Automatic merge from submit-queue
kubeadm: change etcd data dir to match host path.
**What this PR does / why we need it**: Trivial change that adopts a well-known path for etcd data, following the `hostPath` defined.
**Which issue this PR fixes**: Fixes https://github.com/kubernetes/kubeadm/issues/80
**Special notes for your reviewer**:
/cc @luxas @kad
Automatic merge from submit-queue
Add unit tests for operation_executor
Add unit test for `Unmount operations should start in parallel for all volume plugins`
cc: @saad-ali
Automatic merge from submit-queue (batch tested with PRs 39311, 39226, 39445)
use debs to build k8s docker images
This puts the binaries in better paths and fixes compatibility issues.
Automatic merge from submit-queue (batch tested with PRs 39311, 39226, 39445)
Make kubectl proxy accept empty path
**What this PR does / why we need it**:
The kubectl proxy previously returned 403 Forbidden: Unauthorized when receiving a request from e.g. "curl localhost:8001" or "curl localhost:8001/". The previous DefaultPathAcceptRE regex was wrong as it assumed the path in this case would be "/" (but it is actually "").
After someone runs kubectl proxy and tries accessing it with curl, they will probably just try hitting localhost:8001 (which returns an "Unauthorized" response) instead of say localhost:8001/api (which returns a proper response from the API server). Also, whoever previously modified the DefaultPathAcceptRE regex was obviously expecting the regex to accept requests for localhost:8001/
```release-note
fix issue with kubectl proxy so that it will proxy an empty path - e.g. http://localhost:8001
```
Automatic merge from submit-queue (batch tested with PRs 36229, 39450)
Bugfix on kubeadm join with non-token discovery.
Without this change, using a non-token discovery mechanism during a join triggers a nil pointer panic (instead of an error message about not being implemented yet).
CC @mikedanese
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 36229, 39450)
Bump etcd to 3.0.14 and switch to v3 API in etcd.
Ref #20504
**Release note**:
```release-note
Switch default etcd version to 3.0.14.
Switch default storage backend flag in apiserver to `etcd3` mode.
```
Automatic merge from submit-queue (batch tested with PRs 39408, 38981)
Remove RBAC UserAll
* Removes special handling of User * subjects in rolebinding matching evaluation
* Converts v1alpha1 rolebindings to `User *` subjects to `Group system:authenticated` subjects for backwards compatibility
```release-note
RBAC's special handling of the User subject named "*" in RoleBinding and ClusterRoleBinding objects is being deprecated and will be removed in v1beta1. Existing v1alpha1 role bindings to User "*" will be converted to the group "system:authenticated". To match unauthenticated requests, RBAC role bindings must explicitly bind to the group "system:unauthenticated".
```
Without this change, using a non-token discovery mechanism during a join
triggers a nil pointer panic (instead of an error message about not
being implemented yet).
Automatic merge from submit-queue
Ensure invalid token returns 401 error, not 403
fixes#39267
If a user attempts to use a bearer token, and the token is rejected, the authenticator should return an error. This distinguishes requests that did not provide a bearer token (and are unauthenticated without error) from ones that attempted to, and failed.
Automatic merge from submit-queue
snip links from genericapiserver to api/validation
We had a trip dependency on `pkg/api/validation` through `pkg/api/rest` which is used for RESTStorage. This splits the generic validation required for a genericapiserver out from the rest of validation. For now, functions still delegate.
@sttts
Automatic merge from submit-queue
Adding test-federation-cmd.sh to test kubectl with federation apiserver
There are 2 parts to the PR:
* Adding ability to run kubectl tests for a subset of resources.
* Adding test-federation-cmd.sh that runs kubectl tests for resources that are supported by federation-apiserver.
cc @kubernetes/sig-federation @kubernetes/sig-api-machinery
```release-note
Adding kubectl tests for federation
```
Automatic merge from submit-queue
Start moving genericapiserver to staging
This moves `pkg/auth/user` to `staging/k8s.io/genericapiserver/pkg/authentication/user`. I'll open a separate pull into the upstream gengo to support using `import-boss` on vendored folders to support staging.
After we agree this is the correct approach and see everything build, I'll start moving other packages over which don't have k8s.io/kubernetes deps.
@kubernetes/sig-api-machinery-misc @lavalamp
@sttts @caesarxuchao ptal
Automatic merge from submit-queue
pkg/labels: fix the godoc for Parse()
previously the formatting was broken for labels.Parse() function. I
fixed the spacing so it will format correctly for the generated go docs.
There was also a dangling "]" at the end of the first line so i deleted
it.
**What this PR does / why we need it**:
This fixes a formatting issue with the generated go documentation.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
make discovery static when extensions/thirdpartyresources is not enabled
this should be a bug fix, if `extensions/thirdpartyresources` is enabled, the result of `Discovery().ServerPreferredNamespacedResources` will be dynamic then, so we are making the `discoverResourcesFn` static only when the `extensions/thirdpartyresources` is not enabled.
Automatic merge from submit-queue
add some specifications on the top command
**What this PR does / why we need it**:
the top command is available when heapster works fine on the server, but the specifications doesn't mention about this. So I added some specifications here.
Automatic merge from submit-queue (batch tested with PRs 38084, 39306)
Small improve for GetContainerOOMScoreAdjust
In `GetContainerOOMScoreAdjust`, make logic more clear for the case `oomScoreAdjust >= besteffortOOMScoreAdj`. If `besteffortOOMScoreAdj` is defined to another value(e.g. 996), suppose `oomScoreAdjust` is 999, the function will return 998(which equals 999 - 1) instead of 995(996 -1).
Automatic merge from submit-queue
Fix comment and optimize code
**What this PR does / why we need it**:
Fix comment and optimize code.
Thanks.
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
Remove jobs that do not exist from active list of CronJob
**What this PR does / why we need it**: This PR modifies the controller for CronJob to remove from the active job list any job that does not exist anymore, to avoid staying blocked in active state forever. See #37957.
**Which issue this PR fixes**: fixes#37957
**Special notes for your reviewer**:
**Release note**:
```
```
Automatic merge from submit-queue (batch tested with PRs 39405, 39371)
hack/local-up-cluster.sh: fix typo in error message
This commit fixes typo in error message and also removes stale comment from `hack/local-up-cluster.sh`.
Automatic merge from submit-queue (batch tested with PRs 36087, 39405)
federation-apiserver doesn't needs cluster-ip range
This option has been removed from genericserver options
and it is not being used by federation-apiserver anyways.
Fixes - #39388
Automatic merge from submit-queue
oidc auth-n plugin: enforce email_verified claim
This change causes the OpenID Connect authenticator to start
enforcing the 'email_verified' claim.
https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
If the OIDC authenticator uses the 'email' claim as a user's username
and the 'email_verified' is not set to `true`, reject that authentication attempt.
cc @erictune @kubernetes/sig-auth @mlbiam
```release-note
When using OIDC authentication and specifying --oidc-username-claim=email, an `"email_verified":true` claim must be returned from the identity provider.
```
Automatic merge from submit-queue (batch tested with PRs 38433, 36245)
Allow pods to define multiple environment variables from a whole ConfigMap
Allow environment variables to be populated from ConfigMaps
- ConfigMaps represent an entire set of EnvVars
- EnvVars can override ConfigMaps
fixes#26299
Automatic merge from submit-queue (batch tested with PRs 38433, 36245)
Remove needless env var in OpenStack provider
**What this PR does / why we need it**:
If we use openstack provider to set up k8s cluster using kube-up script,
`TENANT_ID` environment variable is needed.
But to configure `TENANT_ID` is very annoying because this value is not static by each env.
This patch uses `TENANT_NAME` instead of `TENANT_ID`
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Since `TENANT_NAME` is unique if we use keystone v2 api,
so `TENANT_ID` is not needed if `TENANT_NAME` is provided
to configure OpenStack provider.
And also to set `TENANT_ID` is annoying to develop, because
`TENANT_ID` is not static by each environment.
This patch remove dependency of `TENANT_ID` and simply use
`TENANT_NAME`.
Automatic merge from submit-queue
add rules not allow message when authorize failed
old result:
```
# ./cluster/kubectl.sh --token=/test get po
Error from server (Forbidden): User "" cannot list pods in the namespace "default".: "<nil>" (get pods)
```
new result:
```
# ./cluster/kubectl.sh --token=/test get po
Error from server (Forbidden): User "" cannot list pods in the namespace "default".: "rules not allow" (get pods)
```
test.yaml
```
kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: test
rules:
- apiGroups: ["*"]
verbs: ["create"]
resources: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: admin-resource-binding
subjects:
- kind: Group
name: test
roleRef:
kind: Role
name: test
```
