Automatic merge from submit-queue (batch tested with PRs 47724, 49984, 49785, 49803, 49618)
Remove useless conversion-gen tags
To generate cross group conversions, `+k8s:conversion-gen` should be added in the way https://github.com/kubernetes/kubernetes/pull/49751 did. This PR removes the useless tags in pkg/apis/extensions/v1beta1/doc.go
Automatic merge from submit-queue (batch tested with PRs 47724, 49984, 49785, 49803, 49618)
Fix conflict about getPortByIp
**What this PR does / why we need it**:
Currently getPortByIp() get port of instance only based on IP.
If there are two instances in diffent network and the CIDR of
their subnet are same, getPortByIp() will be conflict.
My PR gets port based on IP and Name of instance.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fix#43909
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47724, 49984, 49785, 49803, 49618)
cmd/explain: make 'recursive' local var (not global)
**What this PR does / why we need it**:
Use a parameter instead of a global variable.
Spotted this while I was looking for our recursive directory walker.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: no-issue
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Update admission control args in imagepolicy comment
Use '--admission-control-config-file' rather than
'--admission-controller-config-file'
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Added jdumars to OWNERS file for Azure cloud provider
**What this PR does / why we need it**:
This PR adds GitHub user jdumars as an approver to pkg/cloudprovider/providers/azure
Jaice Singer DuMars (me) is the program manager at Microsoft tasked with shepherding all upstream contributions from Microsoft into Kubernetes. With the volume of work, and the impending breakout of cloud provider code, this helps distribute the review and approval load more evenly.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
N/A
**Special notes for your reviewer**:
This was discussed with Brendan Burns prior to submitting the pre-approval.
**Release note**:
none
Automatic merge from submit-queue
Remove repeated reviewer's names
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
Fix print type of podname
**What this PR does / why we need it**:
It is better to change it to %s. According to context and other prints of this file, pod name's print type are all %s, except this one.
Although it does not affect the result.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Add a SUPPORT.md file for github
**What this PR does / why we need it**:
Github has recently added the ability to support a SUPPORT.md file that allows a project to point to support resources, similar to CONTRIBUTING.md
They support having SUPPORT.md in docs/ and .github but I figured it should be in root alongside CONTRIBUTING.md, but we can put it in one of those places if we want to keep the root clean.
See also:
https://help.github.com/articles/adding-support-resources-to-your-project/https://github.com/blog/2400-support-file-support
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes https://github.com/kubernetes/community/issues/830
Automatic merge from submit-queue
GCE: Fix lowercase value and alpha-missing annotation for ILB
**What this PR does / why we need it**:
Fixes#50426
Also explicitly sets an annotation as 'alpha'.
/assign @freehan @bowei
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Enable caching successful token authentication
Resolves#50472
To support revocation of service account tokens, an etcd lookup of the token and service account is done by the token authenticator. Controllers that make dozens or hundreds of API calls per second (like the endpoints controller) cause this lookup to be done very frequently on the same objects.
This PR:
* Implements a cached token authenticator that conforms to the authenticator.Token interface
* Implements a union token authenticator (same approach as the union request authenticator, conforming to the authenticator.Token interface)
* Cleans up the auth chain construction to group all token authenticators (means we only do bearer and websocket header parsing once)
* Adds a 10-second TTL cache to successful token authentication
```release-note
API server authentication now caches successful bearer token authentication results for a few seconds.
```
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Detect missing steps in edit testcases
If a testcase specifies extra steps that are not exercised, that should be a test failure
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Add UpdateContainerResources method to CRI
This is first step toward support for opinionated cpu pinning for certain guaranteed pods.
In order to do this, the kubelet needs to be able to dynamically update the cpuset at the container level, which is managed by the container runtime. Thus the kubelet needs a method to communicate over the CRI so the runtime can then modify the container cgroup.
This is used in the situation where a core is added or removed from the shared pool to become a exclusive core for a new G pod. The cpuset for all containers in the shared pool will need to be updated to add or remove that core.
Opening this up now so we can start discussion. The need for a change to the CRI might be unexpected.
@derekwaynecarr @vishh @ConnorDoyle
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Manage BUILD files using gazelle + kazel
**What this PR does / why we need it**: uses the upstream `gazelle` tool to manage go rules in BUILD files.
This is needed to support Bazel builds on Mac OS and Bazel cross compilation in general.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47558
**Special notes for your reviewer**:
It's probably easiest to review this commit-by-commit:
* bump to latest `rules_go` (for recent `cgo_library` and `gazelle` improvements)
* update `kazel` with recent compatibility fixes (https://github.com/kubernetes/repo-infra/pull/28, https://github.com/kubernetes/repo-infra/pull/27), update `hack` scripts to download/build `gazelle`, and then run both `gazelle` and `kazel`. (Additionally make `gazelle` skip things it shouldn't touch.)
* run `hack/update-bazel.sh` to autogenerate everything
* remove the old `cgo_genrule` rules - these are now part of `go_library`
* remove the `automanaged` tags from all go rules - `gazelle` doesn't use them, and it prevents an old version of `kazel/gazel` from messing with the rules
* remove the `licenses()` rules from everywhere but `third_party/` - we don't need them, and `gazelle` won't add them on new `BUILD` files it generates.
**Release note**:
```release-note
NONE
```
for review:
/assign @mikedanese @spxtr
for approval:
/assign @thockin
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Requeue DaemonSets if non-daemon pods were deleted.
**What this PR does / why we need it**:
Requeue DaemonSets if no daemon pods were deleted.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#46935
**Release note**:
```release-note
None
```
Automatic merge from submit-queue
validate kube-apiserver options
**What this PR does / why we need it**:
Create Validate() or add more checks in existing Validate() for the following files:
* vendor/k8s.io/apiextensions-apiserver/pkg/cmd/server/start.go:80
* vendor/k8s.io/kube-aggregator/pkg/cmd/server/start.go:104
* vendor/k8s.io/sample-apiserver/pkg/cmd/server/start.go:82
* cmd/kube-apiserver/app/options/validation.go:49
**Which issue this PR fixes**:
fixes#50301
**Special notes for your reviewer**:
This PR follows #50135
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Add a heap to client-go. Heap orders items with heap invariant ordering.
**What this PR does / why we need it**:
Heap is useful in implementing priority queues. Some components may need such ordering to process their highest priority objects first. Scheduler is going to be the first user of the heap. It will store pending pods ordered by their priority, so that the highest priority pods are popped first to be scheduled.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
ref/ #47604
ref/ #48646
@kubernetes/api-reviewers @kubernetes/sig-scheduling-pr-reviews @davidopp
/assign @caesarxuchao
Automatic merge from submit-queue
Simplify a command for unmounting mounted directories
**What this PR does / why we need it**:
This PR simplifies a command for unmounting mounted directories. It replaces `cat | awk | grep` by a single `awk` expression.
**Special notes for your reviewer**:
Link about useless cat/grep usage: http://porkmail.org/era/unix/award.html#grep
**Credit**:
I saw this code fragment in the Julia Evans (@jvns) [write up](https://jvns.ca/blog/2017/07/30/a-couple-useful-ideas-from-google/).
**Release note**:
```release-note
NONE
```
CC @simo5
Automatic merge from submit-queue
Task 2: Added toleration to DaemonSet pods for node condition taints
**What this PR does / why we need it**:
If TaintByCondition was enabled, added toleration to DaemonSet pods for node condition taints.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: part of #42001
**Release note**:
```release-note
None
```
Automatic merge from submit-queue
remove the duplicate address of glusterfs
**What this PR does / why we need it**:
remove the duplicate endpoint address of glusterfs.
If there is no duplicate address of user config or the duplicate address is ok, we can remove the unused addr map.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
None
```
Automatic merge from submit-queue
Typedef visitor to document parameters
adds a typedef to clarify the parameters of the visitor
updates the unit test to verify each namespace/name pair
Automatic merge from submit-queue
add fuzzer dir for each apigroup
Fixes https://github.com/kubernetes/kubernetes/issues/50081.
We should put fuzzer functions in each apigroups separately to make the code more modular instead of monolithic.
Automatic merge from submit-queue
code format in master_utils.go
**What this PR does / why we need it**:
code format
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #N/A
**Release note**:
```release-note
None
```
Automatic merge from submit-queue
add some checks for fedration-apiserver options
**What this PR does / why we need it**:
I find there is a TODO, see https://github.com/kubernetes/kubernetes/blob/master/federation/cmd/federation-apiserver/app/options/validation.go#L30
This PR add some checks for fedration-apiserver options
@sttts
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Rewrite staging import verifier in Go
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
**What this PR does / why we need it**:
Maintaining Bash is nobody's idea of fun. The declarative config is infinitely easier to read, as well.
**Special notes for your reviewer**:
@sttts still trying to figure out the rules you have encoded in the shell script... very confusing. Please review the `kube-gen` specifically.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
move logs to kubectl/util
Move `pkg/util/logs` to `pkg/kubectl/util/logs` per https://github.com/kubernetes/kubernetes/issues/48209#issuecomment-311730681
This will make kubeadm, kubefed, gke-certificates-controller and e2e have dependency on kubectl, which should be fine.
partially addresses: kubernetes/community#598
```release-note
NONE
```
/assign @apelisse @monopole
Automatic merge from submit-queue
Remove deprecated ESIPP beta annotations
**What this PR does / why we need it**:
Remove deprecated ESIPP beta annotations.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#50187
**Special notes for your reviewer**:
/assign @MrHohn
/sig network
**Release note**:
```release-note
Beta annotations `service.beta.kubernetes.io/external-traffic` and `service.beta.kubernetes.io/healthcheck-nodeport` have been removed. Please use fields `service.spec.externalTrafficPolicy` and `service.spec.healthCheckNodePort` instead.
```
Automatic merge from submit-queue
Added field CollisionCount to StatefulSetStatus
**What this PR does / why we need it**:
This PR added a new field `CollisionCount` into `StatefulSetStatus`, similarly in terms of both name and semantics to the existing `CollisionCount` field in `DaemonSetStatus`. The field will be used for collision avoidance when the `StatefulSet` controller creates name for the newest ControllerRevision, which will be done in another PR.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: #49909.
**Special notes for your reviewer**:
A second PR will include logic that actually uses the field for collision avoidance.
**Release note**:
```release-note
Added field CollisionCount to StatefulSetStatus in both apps/v1beta1 and apps/v1beta2
```
Automatic merge from submit-queue
add newline for unimplemented RequiredDuringSchedulingRequiredDuringExecution
**What this PR does / why we need it**:
Unimplemented `RequiredDuringSchedulingRequiredDuringExecution` should not be treated as comments of `RequiredDuringSchedulingIgnoredDuringExecution`
* [pkg/api/types.go#L1937](https://github.com/kubernetes/kubernetes/blob/master/pkg/api/types.go#L1937)
* [staging/src/k8s.io/api/core/v1/types.go#L2155](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/api/core/v1/types.go#L2155)
> // NOT YET IMPLEMENTED. TODO: Uncomment field once it is implemented.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:fixes #50483
**Special notes for your reviewer**:
* Add an empty line to separate them.
/cc @aveshagarwal @bsalamat @gyliu513 @k82cn @timothysc
**Release note**:
```release-note
None
```
Automatic merge from submit-queue
FC volume plugin: Support WWID for volume identifier
**What this PR does / why we need it**:
This PR adds World Wide Identifier (WWID) parameter to FCVolumeSource as an unique volume identifier.
**Which issue this PR fixes**: fixes#48639
**Special notes for your reviewer**:
/cc @rootfs @jsafrane @msau42
**Release note**:
```
FC volume plugin: Support WWID for volume identifier
```
Automatic merge from submit-queue
Migrate to controller references helpers in meta/v1
**What this PR does / why we need it**:
This is a follow up for #48319 that migrates all method usages to new methods in meta/v1.
**Special notes for your reviewer**:
Looking at each commit individually might be easier.
**Release note**:
```release-note
NONE
```
/sig api-machinery
/kind cleanup
Automatic merge from submit-queue
Fix my incorrect username
My mistake - used goog username rather than github.
Again, this is for kubectl extraction, currently blocked by need for many approvers in, e.g. #48580#48581#47011, etc.
Automatic merge from submit-queue
kubeadm: enhanced TLS validation for token-based discovery in `kubeadm join`
**What this PR does / why we need it**:
This PR implements enhanced TLS validation for `kubeadm join` when using token-based TLS discovery. Without this enhancement, `kubeadm join` has some less-than-ideal security properties. Specifically, in the case where a bootstrap token is compromised, the attacker can impersonate the API server to newly bootstrapping clients ([more discussion in the design proposal](https://docs.google.com/document/d/1SP4P7LJWSA8vUXj27UvKdVEdhpo5Fp0QHNo4TXvLQbw/edit?ts=5971498a)).
The gist of this enhancement is to support public key pinning in the style of [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4). When bootstrapping, `kubeadm` can now be configured with a whitelist of root CA public keys. It can then validate that the cluster it connects to is operated by the owner of one of those public keys.
These public key hashes are short enough that the entire `kubeadm join` command can still be copy-pasted relatively easily (not as easily as before, but ~160 characters). Using a public key hash rather than a hash over the entire certificate allows certificates to be reissued with updated expirations without invalidating existing key pins.
This change adds two new command line flags (and associated config parameters):
- **`--discovery-token-ca-cert-hash sha256:<hash>`:**
Validates that the cluster root CA has a public key fingerprint that matches one of the specified values. If this flag is not passed when token-based discovery is being used, a warning is printed. This warning will become an error in 1.9.
- **`--discovery-token-unsafe-skip-ca-verification`:**
Disables the warning message when no keys are pinned. In 1.9, this flag will be required _unless_ `--discovery-token-unsafe-skip-ca-verification` is used.
This is fully backwards compatible and client side (kubeadm) only. It will be a breaking change when the flag becomes required in v1.9.
This validation is done after and in addition to the existing bootstrap token signing/MAC mechanism.
#### Example from `kubeadm init`:
```
$ kubeadm init
[...]
You can now join any number of machines by running the following on each node
as root:
kubeadm join --token a66ae0.1f8a5ed9a210e187 192.168.42.10:6443 --discovery-token-ca-cert-hash sha256:547c102383c0f26387b961b4e9b8f842dc07c074c8316f238dbcf5563fc3ac35
```
#### Example from `kubeadm join`:
```
$ kubeadm join --token a66ae0.1f8a5ed9a210e187 192.168.42.10:6443 --discovery-token-ca-cert-hash sha256:547c102383c0f26387b961b4e9b8f842dc07c074c8316f238dbcf5563fc3ac35
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "192.168.42.10:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.42.10:6443"
[discovery] Requesting info from "https://192.168.42.10:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "192.168.42.10:6443"
[discovery] Successfully established connection with API Server "192.168.42.10:6443"
Node join complete:
* Certificate signing request sent to master and response
received.
* Kubelet informed of new secure connection details.
Run 'kubectl get nodes' on the master to see this machine join.
```
**Which issue this PR fixes**:
ref https://github.com/kubernetes/features/issues/130
fixes: https://github.com/kubernetes/kubeadm/issues/365
**Special notes for your reviewer**:
This was proposed and discussed briefly by SIG-cluster-lifecycle and SIG-auth. The design proposal is [in Google Docs](https://docs.google.com/document/d/1SP4P7LJWSA8vUXj27UvKdVEdhpo5Fp0QHNo4TXvLQbw/edit?ts=5971498a).
There is a documentation change needed to explain the security properties of `kubeadm join` with and without `--discovery-token-ca-cert-hash`. This page should be linked by to by the warning message when you don't pass either of the new flags (I have it pointing [here](https://kubernetes.io/docs/admin/kubeadm/#kubeadm-join) for now, which I think will be the right place). I will follow up with this documentation shortly.
**Release note**:
```release-note
kubeadm: added enhanced TLS validation for token-based discovery in `kubeadm join` using a new `--discovery-token-ca-cert-hash` flag.
```
/cc @luxas @jbeda @ericchiang
