Automatic merge from submit-queue (batch tested with PRs 55938, 56055, 53385, 55796, 55922). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
apiextensions: fix object keys in fuzzer to exclude escape characters
Jsoniter in ConfigFastest mode does not support escape characters in object keys. Hence, we have to fix this after the fuzzer chose invalid keys.
This might be only an intermediate fix if we decide to accept arbitrary object keys again. But for now, with the choice of `ConfigFastest` (f1258b01aa/feature_config.go (L66)) this change is necessary.
Automatic merge from submit-queue (batch tested with PRs 55938, 56055, 53385, 55796, 55922). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
admission: make admission metrics compositional
Metrics emission of admission plugins and the admission chain can be implemented compositionally, i.e. completely independently from the chain logic. This PR does that, moves the whole metrics code into a sub-package to contain complexity. The plumbing logic for the emitted metrics finally is cleanly done in the apiserver bootstrapping code, instead of being totally interleaved with the core admission logic.
Ratio:
- considerably less complexity
- admission plugins are compositional, including the chain. We cannot assume that there is only one chain at the outside of the admission plugin structure. Downstream projects might have more complex admission chains, i.e. multiple chain object nested.
- addition of metrics is plumbing and should be in the apiserver plumbing code. This makes it much easier to reason about the security critical admission chain.
Follow-up of #55183 and based on #55919.
Automatic merge from submit-queue (batch tested with PRs 54811, 54292, 56103). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update the validating webhook plugin to implement the ValidatingInterface
ref: kubernetes/features#492
This makes sure the validating admission webhook runs in the validation phase.
Automatic merge from submit-queue (batch tested with PRs 54811, 54292, 56103). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
ResourceQuota support for Hugepages
**What this PR does / why we need it**:
Hugepage resourceQuota support
**Which issue this PR fixes**
fixes#53672 ResourceQuota part
**Special notes for your reviewer**:
What I'm concerned most is the change in quota evaluator:
Rather than add check especially for resource hugage, I would prefer add a check list, that could be easily extended by adding corresponding prefix into the list (As far as I know, pluginResources will also support ResourceQuota in later versions)
@derekwaynecarr What's your opinion?
/cc @derekwaynecarr
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 54824, 55911, 55730, 55979, 55961). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add detail to flag help
**What this PR does / why we need it**:
The admission control flag is impossible to understand.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Ref #https://github.com/kubernetes/features/issues/492
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Stop using VersionedObject in resource.Builder, use unstructured
Remove the need for kubectl callers to distinguish between unstructured and versioned / type aware builders. The factory should create a single builder than can be set to return unstructured objects. Callers can then use one of the new helpers on `resource.Info` to convert the objects into the desired form - `Internal()` for printers, `Typed()` for external versions, and `Unstructured()` to ensure the object is in the right state. Leverages the new scheme support for unstructured conversion so that higher level callers can perform best effort conversion (get typed versions if you have them, otherwise use default behavior).
`get.go` demonstrates this by removing the previous logic that depended on the underlying scheme. Other commands are updated to be consistent.
Includes #55650 and #55647.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix potential unexpected object mutation that can lead to data races
**What this PR does / why we need it**:
In #51526 I introduced an optimization - do a deep copy instead of to and from JSON roundtrip to convert anything that implements `runtime.Unstructured`. I just discovered that the method that is used there `UnstructuredContent()` in both `Unstructured` and `UnstructuredList` may mutate the original object.
2008750398/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructured.go (L87-L92)7c10cbc642/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructured_list.go (L58-L75)
This is problematic because previously (before #51526) there was no mutation and because this is unexpected and may lead to data races - it is bad behaviour to mutate original object when you just want a copy of it.
This PR fixes the issue.
Without the fix the tests I've added are failing because when comparison is done original object is not the same:
```
converter_test.go:154: Object changed, diff:
object.Object[items]:
a: []interface {}{}
b: <nil>
converter_test.go:154: Object changed, diff:
object.Object[items]:
a: []interface {}{map[string]interface {}{"kind":"Pod"}}
b: <nil>
```
However the underlying issue is not fixed here - `UnstructuredContent()` is brittle and dangerous. Method name does not imply that it mutates data when you call it. And godoc does not mention that either:
509df603b1/staging/src/k8s.io/apimachinery/pkg/runtime/interfaces.go (L233-L249)
Something needs to be done about it IMO.
Also `UnstructuredContent()` implementation in `UnstructuredList` does not implement the behaviour required by godoc in `runtime.Unstructured`.
**Release note**:
```release-note
NONE
```
/kind bug
/sig api-machinery
/assign @sttts
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Allow constructing spdy executor from existing transports
If you already have an existing transport, it is not always possible to reconstruct a client config from it.
Allow constructing a spdy executor, given a connection/upgrade transport
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55963, 55790, 55670, 55931). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
admission/webhook: move webhook initializer into plugin
Follow-up of https://github.com/kubernetes/kubernetes/pull/55132.
Non-generic plugin intitializers should go into the admission plugin itself. No need leak that into the generic apiserver. Keeping them contained in the webhook package makes it easier (it was already possible) for extension apiservers to provide one, but we don't need to leak it into the generic plugin initializer.
Delays the error until the first call and then preserves it for others.
More closely matches the intent of the Object() calls. Loaders are now
lazy and don't need to return errors directly.
Sets the stage for collapsing unstructured and structured builders
together.
Automatic merge from submit-queue (batch tested with PRs 55757, 55741, 55817, 55834, 51530). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Refactor iSCSI PV spec to use SecretReference
**What this PR does / why we need it**:
Use SecretReference in iSCSI PV spec
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes https://github.com/kubernetes-incubator/external-storage/issues/321
**Special notes for your reviewer**:
@liggitt
**Release note**:
```release-note
iSCSI Persistent Volume Sources can now reference CHAP Secrets in namespaces other than the namespace of the bound Persistent Volume Claim
```
Automatic merge from submit-queue (batch tested with PRs 55757, 55741, 55817, 55834, 51530). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Clarify ExternalNames are hostnames
Updates the documentation for ExternalName to clarify
that they adhere RFC-1123 hostname and are not DNS names.
Fixes#52266
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 55841, 55948, 55945). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
conversion-gen: check for nil pkg in getManualConversionFunctions
**What this PR does / why we need it**:
Following https://github.com/kubernetes/kubernetes/pull/54394, this PR performs a check in getManualConversionFunctions for packages that are not found and prints a warning instead of panicking.
This should improve the UX of conversion-gen, and is also a narrower change than that proposed in #54394, so hopefully can be cherry picked into the release-1.8 etc. branches.
This would allow users to use conversion-gen via the generate-internal-groups.sh script without having to make a second call that 'blanks out' `--extra-peer-dirs`.
/cc @sttts
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 54837, 55970, 55912, 55898, 52977). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix protobuf generation for empty struct
Currently, we are not able to generate protobuf for empty structs. This PR fixes proto generation for empty structs. (Example: `type Foo struct{}`)
Needed for https://github.com/kubernetes/kubernetes/pull/55168.
**Release note**:
```release-note
NONE
```
/assign @sttts
Automatic merge from submit-queue (batch tested with PRs 50457, 55558, 53483, 55731, 52842). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
VolumeMode and VolumeDevice api
**What this PR does / why we need it:**
Adds volumeType api to PV and PVC for local block support based on this proposal (https://github.com/kubernetes/community/pull/805) and this feature issue: https://github.com/kubernetes/features/issues/351
**Special notes for your reviewer:**
There are other PR changes coming, this just simply creates the api fields
#53385 - binding logic changes dependent on this change
**Release note:**
NONE
Notes will be added in subsequents PR with the volume plugin changes, CRI, etc...
cc @msau42 @liggitt @jsafrane @mtanino @saad-ali @erinboyd
Automatic merge from submit-queue (batch tested with PRs 55642, 55897, 55835, 55496, 55313). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Table printers and server generation should always copy ListMeta
Tables should be a mapping from lists, so if the incoming object has these add them to the table. Paging over server side tables was broken without this. Add tests on the generic creater and on the resttest compatibility.
@deads2k
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Move unstructured conversion into pkg/runtime
Scheme conversion should support unstructured conversion natively to
allow going from unstructured to typed and back. It is not a higher
level responsibility to do that conversion because the scheme is the
only one who knows what types it supports.
@liggitt @kubernetes/sig-cli-api-reviews I am going to make Scheme support unstructured in ConvertToVersion and Convert, which means resource.Builder and the CLI can get simpler for all existing use cases where versioned and unstructured need to coexist.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adding mutating webhook admission plugin
Ref #https://github.com/kubernetes/features/issues/492
I made a change to the API to plumb the `Patch` into the response. I'll rebase onto the actual API once https://github.com/kubernetes/kubernetes/pull/55829 is merged.
We should update the release notes to point to the user docs when we have any.
```release-note
Added mutation supports to admission webhooks.
```
TODO:
- [ ] update test image to v6 after #55829 is merged
- [ ] rename the GenericAdmissionWebhook to ValidatingAdmissionWebhook
- [ ] reduce json marshal/unmarshal roundtrip: https://github.com/kubernetes/kubernetes/pull/54892#discussion_r151336838
- [ ] move the matching function to a common package that validating and mutating webhooks can both import.
- [ ] handle namespace GET failure gracefully for fail open webhook?
