Automatic merge from submit-queue (batch tested with PRs 48036, 48022)
apiextensions-apiserver: fix build
Can't build CRD due to this bug. This PR will fix it.
Automatic merge from submit-queue (batch tested with PRs 46425, 47975)
make proto time precision match json
json readers/writers see second precision, but protobuf readers/writers seen nanosecond precision. This means that a json client can read and write and accidentally mutate fields as seen by protobuf clients.
This makes the precision consistent.
@kubernetes/sig-api-machinery-misc @smarterclayton
```release-note
Update protobuf time serialization for a one second granularity
```
Automatic merge from submit-queue
Removes alpha feature gate for affinity annotations.
**What this PR does / why we need it**:
In 1.5 we added a backstop to support alpha affinity annotations. This PR removes that support in favor of the Beta fields per discussions.
It also serves as a precursor to some of the component config work that @ncdc has done around @mikedanese design proposal.
xref: https://github.com/kubernetes/kubernetes/pull/41617
**Special notes for your reviewer**:
**Release note**:
```
Removes alpha feature gate for pod affinity annotations.
```
/cc @kubernetes/sig-scheduling-pr-reviews @kubernetes/sig-cluster-lifecycle-misc
Automatic merge from submit-queue (batch tested with PRs 47650, 47936, 47939, 47986, 48006)
External dependency of k8s.io/api
Fix https://github.com/kubernetes/kubernetes/issues/48007
It's unfortunate that k8s.io/api has external dependencies.
Most of the dependencies are introduced by "k8s.io/apimachinery/pkg/util/intstr" and ugorji.
Automatic merge from submit-queue
Add token authentication method for websocket browser clients
Closes#47967
Browser clients do not have the ability to set an `Authorization` header programatically on websocket requests. All they have control over is the URL and the websocket subprotocols sent (see https://developer.mozilla.org/en-US/docs/Web/API/WebSocket)
This PR adds support for specifying a bearer token via a websocket subprotocol, with the format `base64url.bearer.authorization.k8s.io.<encoded-token>`
1. The client must specify at least one other subprotocol, since the server must echo a selected subprotocol back
2. `<encoded-token>` is `base64url-without-padding(token)`
This enables web consoles to use websocket-based APIs (like watch, exec, logs, etc) using bearer token authentication.
For example, to authenticate with the bearer token `mytoken`, the client could do:
```js
var ws = new WebSocket(
"wss://<server>/api/v1/namespaces/myns/pods/mypod/logs?follow=true",
[
"base64url.bearer.authorization.k8s.io.bXl0b2tlbg",
"base64.binary.k8s.io"
]
);
```
This results in the following headers:
```
Sec-WebSocket-Protocol: base64url.bearer.authorization.k8s.io.bXl0b2tlbg, base64.binary.k8s.io
```
Which this authenticator would recognize as the token `mytoken`, and if authentication succeeded, hand off to the rest of the API server with the headers
```
Sec-WebSocket-Protocol: base64.binary.k8s.io
```
Base64-encoding the token is required, since bearer tokens can contain characters a websocket protocol may not (`/` and `=`)
```release-note
Websocket requests may now authenticate to the API server by passing a bearer token in a websocket subprotocol of the form `base64url.bearer.authorization.k8s.io.<base64url-encoded-bearer-token>`
```
Automatic merge from submit-queue
include object fieldpath in event key
Fixes https://github.com/kubernetes/kubernetes/issues/47692#47462 exposed a bug where `getEventKey()` only keys on event fields that are common at the pod level. Events generated by different containers in the same pod will yield identical event keys. This results in events with the same message from different containers in a pod being aggregated in error.
This wasn't a problem before as the event message contained container specific information and thus didn't produce the same event key.
@derekwaynecarr @dhilipkumars @dchen1107
Automatic merge from submit-queue (batch tested with PRs 47883, 47179, 46966, 47982, 47945)
add level for print flags
Signed-off-by: sakeven <jc5930@sina.cn>
**What this PR does / why we need it**:
It's ugly to print all flags whenever.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
fixes#47932
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47883, 47179, 46966, 47982, 47945)
Add feature gating to REST Compression
**What this PR does / why we need it**: Adds feature gating to opt out of REST API compression
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#46963
**Special notes for your reviewer**: This PR is a fix / addendum to #45666
**Release note**:
```release-note
```
Automatic merge from submit-queue
Lower etcd compacted loglevel
Fixes#47941
When we run apiserver, it will consistently produce logs like:
> I0620 15:27:44.627978 2765 compact.go:159] etcd: compacted rev (7825), endpoints ([http://127.0.0.1:2379])
I0620 15:32:44.632311 2765 compact.go:159] etcd: compacted rev (8193), endpoints ([http://127.0.0.1:2379])
I0620 15:37:44.643658 2765 compact.go:159] etcd: compacted rev (8552), endpoints ([http://127.0.0.1:2379])
...
which does not mean much overall, we may change the loglevel and lower the frequency.
**Release note**:
-->
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46151, 47602, 47507, 46203, 47471)
rebase gophercloud to support HTTP status 300 in pagination, so listingng Cinder v1/v2 API versions won't break
**What this PR does / why we need it**:
Since Cinder block v1/v2 support lands in 1.7, we have to ensure Cinder block api list won't fail due to https://github.com/gophercloud/gophercloud/pull/384.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47651
**Special notes for your reviewer**:
@anguslees @NickrenREN
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix link to apiextensions client-go example
Fixes link to client-go example for apiextensions-apiserver.
Fixing #47211.
**Special notes for your reviewer**:
When I run `hack/update-staging-client-go.sh`, I get this error:
```
!!! Error in staging/copy.sh:132
Error in staging/copy.sh:132. 'git commit -q -m "Snapshot" > /dev/null' exited with status 1
Call stack:
1: staging/copy.sh:132 main(...)
Exiting with status 1
```
What am I missing here?
/cc @caesarxuchao @sttts
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42252, 42251, 42249, 47512, 47887)
fix HostAliases' json keys to be hostAlias instead of hostMapping to reflect actual feature name
**What this PR does / why we need it**: a rename was introduce during the middle of #44641 to change from `hostMappings` to `hostAliases`. the Go structs were updated, but I neglected to update the json keys. They should be in sync.
**Special notes for your reviewer**: I messed up. This is an API change. I hope this is still ok to be in the 1.7 release.
**Release note**:
```release-note
HostAliases is now parsed with `hostAliases` json keys to be in line with the feature's name.
```
Automatic merge from submit-queue (batch tested with PRs 47878, 47503, 47857)
restore working aggregator and avoid duplicate informers
Fixes https://github.com/kubernetes/kubernetes/issues/47866
This runs the informer all the way through and makes sure its started.
@lavalamp ptal
@kubernetes/sig-api-machinery-bugs
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert 44714 manually
#44714 broke backward compatibility for old swagger spec that kubectl still uses. The decision on #47448 was to revert this change but the change was not automatically revertible. Here I semi-manually remove all references to UnixUserID and UnixGroupID and updated generated files accordingly.
Please wait for tests to pass then review that as there may still be tests that are failing.
Fixes#47448
Adding release note just because the original PR has a release note. If possible, we should remove both release notes as they cancel each other.
**Release note**: (removed by caesarxuchao)
UnixUserID and UnixGroupID is reverted back as int64 to keep backward compatibility.
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert "Merge pull request #43946 from jhorwit2/jah/host-path-psp"
fixes#47863
This reverts commit b5eadb5d6b, reversing
changes made to 1889d654f5.
**What this PR does / why we need it**:
Revert whitelist host paths in psp due to API concerns. Please refer to https://github.com/kubernetes/kubernetes/pull/47811 for the concerns.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
cc @liggitt @ericchiang @smarterclayton
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Fix rawextension decoding in update
Fixes https://github.com/kubernetes/kubernetes/issues/47842
The `Create` handler was correctly decoding into the internal version, but the `Update` handler was not.
Top-level objects were not affected, because the type of the `New()` object returned by the rest handler governs the destination group/version/kind.
If a field within the object is of type `RawExtension`, and converts to a `runtime.Object` field in the internal object, the `runtime.Object` field provides no information about the desired group/version/kind, so the decoder's groupversioner governs.
This would manifest as the resthandler's Update function being given an internal top-level object with it's runtime.Object field containing an external object.
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Clear auth config when gcp app default credentials fail
**What this PR does / why we need it**:
Specific use case is when utilizing multiple gcp accounts, the user may provide credentials for the wrong account.
This change ensures the incorrect credentials are not cached in auth config, and logs an appropriate message.
**Which issue this PR fixes** : fixes#38075
**Special notes for your reviewer**:
**Release note**:
```release-note
Tokens retrieved from Google Cloud with application default credentials will not be cached if the client fails authorization
```
Automatic merge from submit-queue (batch tested with PRs 46604, 47634)
Added example for status errors in go client
This PR adds status error handling examples to the go client examples, for both in-cluster and out-of-cluster usage. Fixes https://github.com/kubernetes/client-go/issues/163
