Automatic merge from submit-queue
documentation for implementors of RESTCreateStrategy
**What this PR does / why we need it**:
Documentation useful for those implementing these methods.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: no issue.
**Special notes for your reviewer**:
I am implementing these for service broker, and gives me examples of what is done or should be done.
**Release note**:
-->
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46429, 46308, 46395, 45867, 45492)
Controller history
**What this PR does / why we need it**:
Implements the ControllerRevision API object and clientset to allow for the implementation of StatefulSet update and DaemonSet history
```release-note
ControllerRevision type added for StatefulSet and DaemonSet history.
```
Automatic merge from submit-queue (batch tested with PRs 46124, 46434, 46089, 45589, 46045)
Panic server on watch errors during etcd test
**What this PR does / why we need it**:
This change makes it so that errors during watch decoding panic the server during the etcd storage test. This allows us to catch coder errors related to storing incompatible types at the same location in etcd.
For example, https://github.com/kubernetes/kubernetes/pull/39164#discussion_r116619172 would have failed like so (instead of silently recording an error to the master log and passing the test):
```
I0518 14:39:32.413038 4654 storage_rbac.go:257] created rolebinding.rbac.authorization.k8s.io/system:controller:bootstrap-signer in kube-public
panic: v1beta1.NetworkPolicy is not suitable for converting to {{"networking.k8s.io" "__internal"} [{"networking.k8s.io" ""} {"networking.k8s.io" ""}]}
goroutine 799 [running]:
k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/storage/etcd3.decodeObj(0x71146c0, 0xc420eb9d80, 0x7129340, 0x733cdf8, 0xc423708360, 0x118, 0x120, 0x86, 0x0, 0x0, ...)
/home/mkhan/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go:382 +0x115
k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/storage/etcd3.(*watchChan).prepareObjs(0xc420958f60, 0xc422ee9ef0, 0xc42003c600, 0x8a3b9b, 0x70f36c0, 0xc4209585a0, 0x4583f0, 0xc4215d0f58)
/home/mkhan/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go:353 +0x2cd
k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/storage/etcd3.(*watchChan).transform(0xc420958f60, 0xc422ee9ef0, 0x0)
/home/mkhan/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go:248 +0x4d
k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/storage/etcd3.(*watchChan).processEvent(0xc420958f60, 0xc420132010)
/home/mkhan/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go:213 +0x122
created by k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/storage/etcd3.(*watchChan).run
/home/mkhan/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go:116 +0xe9
exit status 2
FAIL k8s.io/kubernetes/test/integration/etcd 13.065s
Makefile:164: recipe for target 'test' failed
```
@liggitt PTAL
Signed-off-by: Monis Khan <mkhan@redhat.com>
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45518, 46127, 46146, 45932, 45003)
Fix bug in SMP test
Fixing a bug in strategic merge patch test.
before:
we check if customizedSort(input) == customizedSort(expected), which is always true
after:
we check if customizedSort(input) == expected
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45518, 46127, 46146, 45932, 45003)
Return MethodNotSupported when accessing unwatcheable resource with ?watch=true
Currently, if a RESTStorage does not implement Watch(), accessing the list endpoint with ?watch=true will call List, with ListOptions.Watch=true. It should return a MethodNotSupported error.
This change makes it so that errors during watch decoding panic the
server if it is in a test environment. This allows us to catch coder
errors related to storing incompatible types at the same location in
etcd.
Signed-off-by: Monis Khan <mkhan@redhat.com>
This is needed so that users of watch.Until may check for this
particular error instead of attempting to match the error string.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45269, 46219, 45966)
update gopass to fix format error
```
#kubectl get no
Please enter Username: admin
Please enter Password: ********
NAME STATUS AGE VERSION
127.0.0.1 Ready 28s v1.7.0-alpha.2.357+904b02075623d7-dirty
```
`godep update github.com/howeyc/gopass/` can fix it.
Automatic merge from submit-queue (batch tested with PRs 44774, 46266, 46248, 46403, 46430)
apiextensions: fix nil dereference during deletion
The returned condition was possibly nil and we dereferenced it.
Automatic merge from submit-queue (batch tested with PRs 44774, 46266, 46248, 46403, 46430)
kube-proxy: ratelimit runs of iptables by sync-period flags
This bounds how frequently iptables can be synced. It will be no more often than every 10 seconds and no less often than every 1 minute, by default.
@timothysc FYI
@dcbw @freehan FYI
Automatic merge from submit-queue (batch tested with PRs 45573, 46354, 46376, 46162, 46366)
Subresources are not included in apiserver prometheus metrics
Subresources are very often completely different code paths and errors
generated on those code paths are important to distinguish.
@kubernetes/sig-api-machinery-pr-reviews
```release-note
The Prometheus metrics for the kube-apiserver for tracking incoming API requests and latencies now return the `subresource` label for correctly attributing the type of API call.
```
Automatic merge from submit-queue (batch tested with PRs 45913, 46065, 46352, 46363, 46373)
Update audit API with missing pieces
Follow-up to https://github.com/kubernetes/kubernetes/pull/45315 to resolve pending decisions & issues, including:
- Audit ID format
- Identifying audit event "stage"
- Request/Response object format (resolve conversion issue)
- Add a subresource field to the `ObjectReference`
For https://github.com/kubernetes/features/issues/22
~~TODO: Add generated code once we've reached consensus on the types.~~
/cc @deads2k @ihmccreery @sttts @soltysh @ericchiang
Automatic merge from submit-queue (batch tested with PRs 46299, 46309, 46311, 46303, 46150)
Fix in-cluster kubectl --namespace override
**What this PR does / why we need it**:
Before this change, if the config was empty, ConfirmUsable() would
return an "invalid configuration" error instead of examining and
honoring the value of the --namespace flag. This change looks at the
overrides first, and returns the overridden value if it exists before
attempting to check if the config is usable. This is most applicable to
in-cluster clients, where they don't have a kubeconfig but they do have
a token and can use KUBERNETES_SERVICE_HOST/_PORT.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
The --namespace flag is now honored for in-cluster clients that have an empty configuration.
```
@kubernetes/sig-api-machinery-pr-reviews @fabianofranz @liggitt @deads2k @smarterclayton @caesarxuchao @soltysh
Automatic merge from submit-queue
/pkg/client/listers: fix some typo
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
oidc client plugin: reduce round trips and fix scopes requested
This PR attempts to simplify the OpenID Connect client plugin to
reduce round trips. The steps taken by the client are now:
* If ID Token isn't expired:
* Do nothing.
* If ID Token is expired:
* Query /.well-known discovery URL to find token_endpoint.
* Use an OAuth2 client and refresh token to request new ID token.
This avoids the previous pattern of always initializing a client,
which would hit the /.well-known endpoint several times.
The client no longer does token validation since the server already
does this. As a result, this code no longer imports
github.com/coreos/go-oidc, instead just using golang.org/x/oauth2
for refreshing.
Overall reduction in tests because we're not verify as many things
on the client side. For example, we're no longer validating the
id_token signature (again, because it's being done on the server
side).
This has been manually tested against dex, and I hope to continue
to test this over the 1.7 release cycle.
cc @mlbiam @frodenas @curtisallen @jsloyer @rithujohn191 @philips @kubernetes/sig-auth-pr-reviews
```release-note
NONE
```
Updates https://github.com/kubernetes/kubernetes/issues/42654
Closes https://github.com/kubernetes/kubernetes/issues/37875
Closes https://github.com/kubernetes/kubernetes/issues/37874
This changes the event aggregation behavior so that, when multiple events are
deduplicated, the aggregated event includes the message of the latest related
event.
This fixes an issue where the original event expires due to TTL, and the
aggregate event doesn't contain any useful message.
All registry.Store objects already set a non-nil DeleteStrategy.
This change ensures that all future objects do so as well.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Automatic merge from submit-queue
Add test for cross namespace watch and list
**What this PR does / why we need it**: Add more integration test for kube-apiextensions-server
**Which issue this PR fixes** : fixes https://github.com/kubernetes/kubernetes/issues/45511
**Special notes for your reviewer**: The client with cluster scope also works, but it seems to be trivial
@deads2k
Automatic merge from submit-queue (batch tested with PRs 42042, 46139, 46126, 46258, 46312)
Append X-Forwarded-For in proxy handler
Append the request sender's IP to the `X-Forwarded-For` header chain when proxying requests. This is important for audit logging (https://github.com/kubernetes/features/issues/22) in order to capture the client IP (specifically in the case of federation or kube-aggregator).
/cc @liggitt @deads2k @ericchiang @ihmccreery @soltysh
Automatic merge from submit-queue (batch tested with PRs 42042, 46139, 46126, 46258, 46312)
Remove kubectl's dependence on pkg/api/helper
**What this PR does / why we need it**:
Remove kubectl's dependence on pkg/api/helper, as part of
broader effort to isolate kubectl from the rest of k8s.
In this case, the code becomes private to kubectl; nobody else uses it.
**Which issue this PR fixes**
Part of a series of PRs to address kubernetes/community#598
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
remove init blocks from all admission plugins
**What this PR does / why we need it**:
removes init blocks from all admission plugins
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46149, 45897, 46293, 46296, 46194)
Use storage instead of REST for the CRD finalizer
**What this PR does / why we need it**:
Switch the custom resource definition finalizer controller to use
storage instead of a REST client, because a client could incorrectly try
to delete ThirdPartyResources whose names happen to collide with the
CustomResource instances.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Before this change, if the config was empty, ConfirmUsable() would
return an "invalid configuration" error instead of examining and
honoring the value of the --namespace flag. This change looks at the
overrides first, and returns the overridden value if it exists before
attempting to check if the config is usable. This is most applicable to
in-cluster clients, where they don't have a kubeconfig but they do have
a token and can use KUBERNETES_SERVICE_HOST/_PORT.
Switch the custom resource definition finalizer controller to use
storage instead of a REST client, because a client could incorrectly try
to delete ThirdPartyResources whose names happen to collide with the
CustomResource instances.
Automatic merge from submit-queue (batch tested with PRs 45587, 46286)
PDB Max Unavailable Field
Completes https://github.com/kubernetes/features/issues/285
```release-note
Adds a MaxUnavailable field to PodDisruptionBudget
```
Individual commits are self-contained; Last commit can be ignored because it is autogenerated code.
cc @kubernetes/sig-apps-api-reviews @kubernetes/sig-apps-pr-reviews
