Automatic merge from submit-queue
[Federation] Sleep for 2m (arbitrarily chosen) to let the underlying clusters to clean up all the resources they are holding.
cc @kubernetes/sig-cluster-federation @colhom @nikhiljindal
Ref: Issue #33388, Issue #28615, Issue #31624.
Automatic merge from submit-queue
move core storage out of master.go
Moves the core resource creation out of master.go and makes it more congruent to the other storages.
WIP because I haven't run tests yet, but I figured I'd see what breaks in the morning.
Automatic merge from submit-queue
add anytoken authenticator
Adds `--insecure-allow-any-token` as a flag to the API server to create an authenticator that will accept any bearer token and transform it into a user by parsing it out as `username/group1,group2,...`.
This gives an easy way to identify as a user and check permissions:
```bash
ALLOW_ANY_TOKEN=true hack/local-up-cluster.sh
kubectl config set-cluster local-kube --server=https://localhost:6443 --insecure-skip-tls-verify=true
kubectl config set-credentials david --token=david/group1
kubectl config set-context local --cluster=local-kube --user=david
kubectl config use-context local
```
@kubernetes/sig-auth
Automatic merge from submit-queue
Fixing local cluster up
hack: fix local-cluster-up advertise_address default value
Fixes: 9fc1d61
Signed-off-by: André Martins <aanm90@gmail.com>
ping @dims
Automatic merge from submit-queue
Allow anonymous API server access, decorate authenticated users with system:authenticated group
When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users
It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials.
This PR:
* Adds an option to allow anonymous requests to the secured API port. If enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of `system:anonymous` and a group of `system:unauthenticated`. Note: this should only be used with an `--authorization-mode` other than `AlwaysAllow`
* Decorates user.Info returned from configured authenticators with the group `system:authenticated`.
This is related to defining a default set of roles and bindings for RBAC (https://github.com/kubernetes/features/issues/2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs.
```release-note
kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'.
Authenticated users are decorated with a 'system:authenticated' group.
NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or or set '--anonymous-auth=false'.
```
c.f. https://github.com/kubernetes/kubernetes/issues/29177#issuecomment-244191596
Automatic merge from submit-queue
Remove glog added by mistake, start converting phase1+ TODOs to issues
**What this PR does / why we need it**:
Minor cleanup in `cmd/kubeadm/app/node/csr.go`.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
use len(params["port"]) > 0 to replace port > 0
**What this PR does / why we need it**:
port also needs to be passed to server when port is negative or zero.
this is an omission of pr https://github.com/kubernetes/kubernetes/pull/29605
**Which issue this PR fixes**:
**Special notes for your reviewer**:
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
```
Automatic merge from submit-queue
Fixes in HPA: consider only running pods; proper denominator in avg.
Fixes in HPA: consider only running pods; proper denominator in avg request calculations.
Automatic merge from submit-queue
Support Access-Control-Expose-Headers in CORS Handler
Our typical HTTP Response has a "Date" Header, if we don't add an
additional http header "Access-Control-Expose-Headers: Date" then
the browser based clients cannot use the Date HTTP Header.
Fixes#33231
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
When CORS Handler is enabled, we now add a new HTTP header named "Access-Control-Expose-Headers" with a value of "Date". This allows the "Date" HTTP header to be accessed from XHR/JavaScript.
```
Automatic merge from submit-queue
add linebreak between resource groups
**Release note**:
```release-note
release-note-none
```
Printing multiple groups via `kubectl get all` can produce output that is
hard to read in cases where there are a lot of resource types to display
/ some resource types contain varying column amounts.
This patch adds a linebreak above each group of resources only when
there is more than one group to display, and always omitting the
linebreak above the first group. This makes for slightly improved
output.
Linebreaks are printed to stderr, and honor the `--no-headers` option.
**Before**
```
$ kubectl get all
NAME READY STATUS RESTARTS AGE
po/database-1-u9m9l 1/1 Running 3 5d
po/idling-echo-1-9fmz6 2/2 Running 8 5d
po/idling-echo-1-gzb0v 2/2 Running 4 5d
NAME DESIRED CURRENT READY AGE
rc/database-1 1 1 1 6d
rc/idling-echo-1 2 2 2 6d
NAME CLUSTER-IP EXTERNAL-IP PORT(S)
AGE
svc/database 172.30.11.104 <none> 5434/TCP
6d
svc/frontend 172.30.196.217 <none> 5432/TCP
6d
svc/idling-echo 172.30.115.67 <none> 8675/TCP,3090/UDP
6d
svc/kubernetes 172.30.0.1 <none> 443/TCP,53/UDP,53/TCP
6d
svc/mynodeport 172.30.81.254 <nodes> 8080/TCP
5d
svc/mynodeport1 172.30.198.193 <nodes> 8080/TCP
5d
svc/mynodeport2 172.30.149.48 <nodes> 8080/TCP
5d
svc/mynodeport3 172.30.195.235 <nodes> 8080/TCP
5d
```
**After**
```
$ kubectl get all
NAME READY STATUS RESTARTS AGE
po/database-1-u9m9l 1/1 Running 3 5d
po/idling-echo-1-9fmz6 2/2 Running 8 5d
po/idling-echo-1-gzb0v 2/2 Running 4 5d
NAME DESIRED CURRENT READY AGE
rc/database-1 1 1 1 6d
rc/idling-echo-1 2 2 2 6d
NAME CLUSTER-IP EXTERNAL-IP PORT(S)
AGE
svc/database 172.30.11.104 <none> 5434/TCP
6d
svc/frontend 172.30.196.217 <none> 5432/TCP
6d
svc/idling-echo 172.30.115.67 <none> 8675/TCP,3090/UDP
6d
svc/kubernetes 172.30.0.1 <none> 443/TCP,53/UDP,53/TCP
6d
svc/mynodeport 172.30.81.254 <nodes> 8080/TCP
5d
svc/mynodeport1 172.30.198.193 <nodes> 8080/TCP
5d
svc/mynodeport2 172.30.149.48 <nodes> 8080/TCP
5d
svc/mynodeport3 172.30.195.235 <nodes> 8080/TCP
5d
```
cc @fabianofranz @liggitt
Automatic merge from submit-queue
suggest use of `kube explain <resource>` in kube get output
**Release note**:
```release-note
release-note-none
```
This patch improves usability flow, making it easier for a user to
discover the command `kube explain <resource>` through `kube get` output.
##### After
```
$ kube get
You must specify the type of resource to get. Valid resource types include:
* componentstatuses (aka 'cs')
* configmaps (aka 'cm')
* daemonsets (aka 'ds')
* deployments (aka 'deploy')
* events (aka 'ev')
* endpoints (aka 'ep')
* horizontalpodautoscalers (aka 'hpa')
* ingress (aka 'ing')
* jobs
* limitranges (aka 'limits')
* nodes (aka 'no')
* namespaces (aka 'ns')
* petsets (alpha feature, may be unstable)
* pods (aka 'po')
* persistentvolumes (aka 'pv')
* persistentvolumeclaims (aka 'pvc')
* quota
* resourcequotas (aka 'quota')
* replicasets (aka 'rs')
* replicationcontrollers (aka 'rc')
* secrets
* serviceaccounts (aka 'sa')
* services (aka 'svc')
error: Required resource not specified.
Use "kubectl explain <resource>" for a detailed description of that resource (e.g. kubectl explain pods).
See 'kubectl get -h' for help and examples.
```
Automatic merge from submit-queue
Change minion to node
Continuation of #1111
I tried to keep this PR down to just a simple search-n-replace to keep
things simple. I may have gone too far in some spots but its easy to
roll those back if needed - just let me know.
I avoided renaming `contrib/mesos/pkg/minion` because there's already
a `contrib/mesos/pkg/node` dir and fixing that will require a bit of work
due to a circular import chain that pops up. So I'm saving that for a
follow-on PR.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Automatic merge from submit-queue
Rewrite summary e2e test to check metric sanity
Take two, forked from https://github.com/kubernetes/kubernetes/pull/28195
Adds a test library that extends the ginkgo matchers to check nested data structures. Then uses the new matcher library to thoroughly check the validity of every field in the summary metrics API. This approach is more flexible than the previous approach since it allows for different tests per-field, and is easier to add case-by-case exceptions. It also places the lower & upper bounds side-by-side, making the test much easier to read & reason about.
Most fields are expected to be within some bounds. This is not intended to be a performance test, so metric bounds are very loose. Rather, I'm looking to check that the values are sane to catch bugs like #27194Fixes#23411, https://github.com/kubernetes/kubernetes/issues/31989
/cc @kubernetes/sig-node
Automatic merge from submit-queue
kubeadm: default to using a private range for service subnet
We are currently using a subnet that is reserved for ISPs. Private network administrators don't control this space. Default to a subnet that private network administrators do control.
@errordeveloper @kubernetes/sig-cluster-lifecycle
Automatic merge from submit-queue
Pod creation moved outside of docker manager tests
**What this PR does / why we need it**:
It cleans up docker manager tests a little.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: related to #31550
**Special notes for your reviewer**:
I don't claim that working on this issue is finished, I cleaned up the tests just a bit
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix package name bug
Fix https://github.com/kubernetes/client-go/issues/4#issuecomment-250061886
The copy.sh used to accidentally rewrite package name. This PR fixes that. It also picked up other changes in the code base to the staging area.
@mqliang
Automatic merge from submit-queue
docs/networking: update IPv6 support section
Update the state of IPv6 support. Docker now supports IPv6, but network plugins and internal data structures are the main pain points now.
Automatic merge from submit-queue
CRI: Add more docs abount pod sandbox config in CreateContainerRequest.
Makes it clear that the config will not change during the pod lifecycle.
The field is only for convenience.
Automatic merge from submit-queue
Make the restart test restart the nodes without a mig rolling update.
This is one approach to fix#33113. I switched from using a mig rolling-update to just pushing the reset button on the nodes and then waiting for their boot IDs to change.
Our typical HTTP Response has a "Date" Header, if we don't add an
additional http header "Access-Control-Expose-Headers: Date" then
the browser based clients cannot use the Date HTTP Header.
Fixes#33231
Automatic merge from submit-queue
Store RequestInfo in Context instead of RequestInfoResolver dependency injection
**Depends on https://github.com/kubernetes/kubernetes/pull/33478**
The `RequestInfoResolver` is used in the proxy handler and in the authorization code. It is passed through half of the apiserver code base to be available at those locations. This PR uses the context instead, which is our natural dependency injection mechanism in the handlers.
`RequestInfo` and all tooling around is moved to `pkg/apiserver/request` temporarily to avoid dependency cycles. This is necessary as long as `pkg/apiserver` implements the proxy and other handlers. Those might move to `pkg/apiserver/handlers` probably later.
Automatic merge from submit-queue
kubeadm: add OWNERS file
I'm picking @luxas @errordeveloper and me as the initial code reviewers. Happy to add others
