Automatic merge from submit-queue (batch tested with PRs 40303, 40316)
kubeadm: Fix up the apiserver kubelet client cert
**What this PR does / why we need it**:
I didn't notice that the apiserver serving cert was _only_ a server cert, not both a server and client cert in https://github.com/kubernetes/kubernetes/pull/40292.
This PR fixes that misconception and generates a dedicated client cert for apiserver -> kubelet communication and harmonizes the `ca.crt` path to `/etc/kubernetes/pki/ca.crt` on both master and node.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
```console
$ systemctl cat kubelet
# /lib/systemd/system/kubelet.service
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=http://kubernetes.io/docs/
[Service]
ExecStart=/usr/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10
[Install]
WantedBy=multi-user.target
# /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--kubeconfig=/etc/kubernetes/kubelet.conf **--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt** --require-kubeconfig=true"
Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_EXTRA_ARGS
$ curl -k https://localhost:10250/containerLogs/kube-system/weave-net-arm64-4t2xv/weave
Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy)
$ curl --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key -k https://localhost:10250/containerLogs/kube-system/weave-net-arm64-4t2xv/weave
[Works!!]
```
**Release note**:
```release-note
NONE
```
@liggitt @deads2k
Automatic merge from submit-queue (batch tested with PRs 40303, 40316)
Reactivate golint in staging
Run golint against staging with `staging/src/k8s.io/client-go/pkg` as the only exception. While doing this reset `hack/.linted_packages` which collected a lot of cruft. We now enforce that gone packages are removed.
Automatic merge from submit-queue
Allow fieldSelectors to match arbitrary values
Field selectors are intended to be able to match arbitrary data for specific field names. Because of how field selectors are parsed, data containing `,` characters is not possible to match today, and data containing leading `=` characters requires using the `==` operator to ensure the leading `=` is preserved.
This PR adds the ability to escape/unescape those special characters in field selector values so they can be parsed unambiguously
Process for escaping arbitrary data in field selector values (`fields.EscapeValue` helper provided):
1. Prefix literal `\` characters with a `\`
2. Prefix `,` characters with a `\`
3. Prefix `=` characters with a `\`
When unescaping a field selector value (`fields.UnescapeValue` helper provided), the following escape sequences are honored:
- `\\` -> `\`
- `\,` -> `,`
- `\=` -> `=`
Any other instances of `\` result in a parse error
Any unescaped instances of `,` and `=` in field selector values result in a parse error
Compatibility:
- `,` and `=` characters are currently unusable in fieldSelector values, so the `\,` and `\=` escape sequences have no compatibility impact
- `\\` changes from being interpreted as `\\` to `\`, and any other uses of `\` result in errors (this is mostly theoretical; I couldn't find any field-selector-enabled fields which is currently using field selectors to match `\` values)
```
Field selectors may now match values containing the characters `,` `=` or `\` by escaping them with a `\` character.
```
Automatic merge from submit-queue
Optional configmaps and secrets
Allow configmaps and secrets for environment variables and volume sources to be optional
Implements approved proposal c9f881b7bb
Release note:
```release-note
Volumes and environment variables populated from ConfigMap and Secret objects can now tolerate the named source object or specific keys being missing, by adding `optional: true` to the volume or environment variable source specifications.
```
Automatic merge from submit-queue (batch tested with PRs 40328, 40057)
Allows kubectl create -f to filter by selector.
From #32544.
The underlying `seletor` infrastructrue was implemented by #32599. The test is basically copy-paste of the corresponding test for `kubectl apply -f -l`.
```release-note
kubectl create now accepts the label selector flag for filtering objects to create
```
Automatic merge from submit-queue
Move ListOptions into meta
metav1.ListOptions is moving to k8s.io/apimachinery/pkg/apis/meta/v1. The internal version will be reserved for server use (clients will use metav1), and all references changed.
Also, all references to the Namespace* constants are being moved to point to metav1.
OpenStack Heat templates create Kubernetes nodes with invalid
hostnames. Capital letters are not allowed in the hostnames:
Unable to register node "kubernetes-node-6s8OizYe" with API server: Node "kubernetes-node-6s8OizYe" is invalid: metadata.name: Invalid value: "kubernetes-node-6s8OizYe": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')
This patch prevents Heat generating hostnames that contain
capital letters.
Move over only the conversions that are needed, create a new scheme that
is private to meta and only accessible via ParameterCodec. Move half of
pkg/util/labels/.readonly to pkg/apis/meta/v1/labels.go
The previous option was not serializable, and was used in questionable
scenarios to represent what we also use Everything() for. The individual
context needs to make the decision about everything vs nothing (and
nothing has no real concept in our API today) so this seems safe.
