Automatic merge from submit-queue (batch tested with PRs 49284, 49555, 47639, 49526, 49724)
amend spec.PersistentVolume.Spec
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49284, 49555, 47639, 49526, 49724)
Add clusterroles for approving CSRs easily
**What this PR does / why we need it**:
Adds ClusterRoles for CSR approving. Currently consumers like kubeadm and GKE have to create these rules by themselves, but are doing it slightly differently which leads to sprawl. Instead, the ClusterRoles are created by core, and the actual bindings created by respective deployment method.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes https://github.com/kubernetes/kubernetes/issues/48191
**Special notes for your reviewer**:
**Release note**:
```release-note
The API Server now automatically creates RBAC ClusterRoles for CSR approving.
Each deployment method should bind users/groups to the ClusterRoles if they are using this feature.
```
cc @kubernetes/sig-auth-pr-reviews @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue
Add KMS plugin registry
Allows supporting KMS services as encryption providers using a plugin mechanism similar to admission plugins.
Simplifies #48574
Progresses #48522
@deads2k PTAL
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
conversion-gen: support recursive types
Currently, conversion-gen goes into an infinite recursion for recursive types. This fixes it to support recursive types.
Needed for #47263.
**Release note**:
```release-note
NONE
```
/cc @sttts
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
Add support for `no_new_privs` via AllowPrivilegeEscalation
**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes#38417
Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.
Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.
Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.
**Release note**:
```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process
```
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
improve detectability of deleted pods
**What this PR does / why we need it**:
Adds comment to `waitForPodTerminatedInNamespace` to better explain how it's implemented.
~~It improves pod deletion detection in the e2e framework as follows:~~
~~1. the `waitForPodTerminatedInNamespace` func looks for pod.Status.Phase == _PodFailed_ or _PodSucceeded_ since both values imply that all containers have terminated.~~
~~2. the `waitForPodTerminatedInNamespace` func also ignores the pod's Reason if the passed-in `reason` parm is "". Reason is not really relevant to the pod being deleted or not, but if the caller passes a non-blank `reason` then it will be lower-cased, de-blanked and compared to the pod's Reason (also lower-cased and de-blanked). The idea is to make Reason checking more flexible and to prevent a pod from being considered running when all of its containers have terminated just because of a Reason mis-match.~~
Releated to pr [49597](https://github.com/kubernetes/kubernetes/pull/49597) and issue [49529](https://github.com/kubernetes/kubernetes/issues/49529).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
remove the redundant err define
**What this PR does / why we need it**:
some place has define err ,like
class, err := volutil.GetClassForVolume(d.plugin.host.GetKubeClient(), d.spec)
so delete the err define!
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)
StatefulSet: Remove `initialized` annotation from apps/v1beta2.
The annotation was already removed from apps/v1beta1 in #49251, but this copy survived due to another concurrent PR.
ref #41605
This commit introduces the following updates and fixes:
- Enable scaleIO volume multip-mapping based on accessMode
- No longer uses "default" as default values for storagepool & protection domain
- validates capacity when capacity is zero
- Better naming for PV and volume
- make mount ro when accessModes contains ROM
Automatic merge from submit-queue
fix hack/local-up-cluster.sh apiserver not listening bug
**What this PR does / why we need it**:
This PR fix a potential bug int hack/local-up-cluster.sh and it helps developers to build local cluster properly
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fix#49728
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Reduce kubectl calls from O(#nodes) to O(1) in cluster logdump
Ref https://github.com/kubernetes/kubernetes/issues/48513
Each node's logexporter is made to write a file to a GCS directory on success (https://github.com/kubernetes/test-infra/pull/3782).
We now use that directory as a registry of successful nodes and get it through a single "gsutil ls" call. This:
- reduces the current waiting time for logexporter in 5k-node cluster from >1hr to <10s.
- eliminates dependency on `kubectl logs` calls which seem to be unreliable sometimes (e.g when kubelet (or apiserver) is down)
/cc @kubernetes/sig-scalability-misc @wojtek-t @gmarek @fejta
After a volume is unmounted from pod and worker node,
cluster admin or external-provisioner might delete
the disk from storage, therefore block device on
the node should be cleaned up beforehand.
The photon volume plugin already has same functionality.
Fixes#49392
A couple of places in the code we allocate with make() but then use
append(), instead of copy() or direct assignment. This results in a
slice with len() zero elements at the front followed by the expected
data. The correct form for such usage is `make(struct, 0, len())`.
I found these by running:
```
$ git grep -EI -A7 'make\([^,]*, len\(' | grep 'append(' -B7 | grep -v vendor
```
And then manually looking through the results. I'm sure something better
could exist.
Re-introduce a default glog vmodule flag to the integration test setup.
The default was removed in d08dfb9 because it was hard-coded and
prevented local override. This commit makes the default overridable.
Automatic merge from submit-queue
Enable node authorizer in local-up-cluster
Fixes#49822
Enables the Node authorization mode to ensure the kubelet credential we create has permission to do kubelet-related things. Matches the default authorizers in gce/gke and CI clusters.
Related to the deprecation of the automatic binding of the `system:nodes` group to the `system:node` role on new deployments (https://github.com/kubernetes/kubernetes/pull/49638)
```release-note
`hack/local-up-cluster.sh` now enables the Node authorizer by default. Authorization modes can be overridden with the `AUTHORIZATION_MODE` environment variable, and the `ENABLE_RBAC` environment variable is no longer used.
```
Automatic merge from submit-queue
fix invalid issue link in api conversion
**What this PR does / why we need it**:
When working on #49336, found invalid link `https://github.com/kubernetes/kubernetextensionsssues/39865`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
cc @janetkuo
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 49533, 49264)
Add test items for pdb describe
**What this PR does / why we need it**:
Add test items for pdb describe
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
NONE
**Special notes for your reviewer**:
ref: #49362
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49533, 49264)
rename stop.go to delete.go to avoid confusion
**What this PR does / why we need it**:
Refer to [comments](https://github.com/kubernetes/kubernetes/pull/46784#issuecomment-317582927) from @foxish and @janetkuo
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
xref #46784
**Special notes for your reviewer**:
/cc @janetkuo @foxish
**Release note**:
```release-note
rename stop.go file to delete.go to avoid confusion
```
Automatic merge from submit-queue
Adding option to set the federation api server port if nodeport is set
**What this PR does / why we need it**: Kubefed will deploy the respected services and then it will do a health check. Prior to this patch if the user selects the nodeport a random port is opened. In environments where firewalls are in place this random port selection will cause the health check to fail. With this patch we enable users to designate a specific port, after for example opening it on their firewall.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#46021
**Special notes for your reviewer**:
**Release note**:
```
Kubefed init allows for setting port in Nodeport configuration
```
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Add ext4 and xfs tests to GCE PD basic mount tests
**What this PR does / why we need it**:
Add ext4 and xfs to basic GCE PD mount tests.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49511
**Special notes for your reviewer**:
**Release note**:
/release-note-none
/sig storage
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Lowercases hostname for kubeadm cert slice
**What this PR does / why we need it**:
Previously, unit tests on master were failing due to this error:
```
--- FAIL: TestSubCmdApiServerFlags (0.99s)
certs_test.go:149: APIserverCert.DNSNames[0] is danehans-m-c1kp instead of DANEHANS-M-C1KP
```
The PR fixes the TestSubCmdApiServerFlags test, which uses the OS hostname to compare the apiserver serving cert and fails if the OS hostname is in caps.
**Which issue this PR fixes**: fixes # https://github.com/kubernetes/kubeadm/issues/361
**Special notes for your reviewer**:
**Release note**:
```NONE
```
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Enable garbage collection of custom resources
Enhance the garbage collector to periodically refresh the resources it monitors (via discovery) to enable custom resource definition GC (addressing #44507 and reverting #47432).
This is a replacement for #46000.
/cc @lavalamp @deads2k @sttts @caesarxuchao
/ref https://github.com/kubernetes/kubernetes/pull/48065
```release-note
The garbage collector now supports custom APIs added via CustomeResourceDefinition or aggregated apiservers. Note that the garbage collector controller refreshes periodically, so there is a latency between when the API is added and when the garbage collector starts to manage it.
```
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Add a support for GKE regional clusters in e2e tests.
**What this PR does / why we need it**:
Add a support for GKE regional clusters in e2e tests.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Use the core client with version
**What this PR does / why we need it**:
Replace the **deprecated** `clientSet.Core()` with `clientSet.CoreV1()`.
**Which issue this PR fixes**: fixes#49535
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
