Automatic merge from submit-queue (batch tested with PRs 49115, 47480)
Adds IPv6 test cases for kubeadm certs.
**What this PR does / why we need it**:
Adds IPv6 test cases in support of kubeadm certificate and validation functionality. It's needed to ensure test cases cover IPv6 related networking scenarios.
**Which issue this PR fixes**
This PR is in support of Issue #1443
**Special notes for your reviewer**:
Additional PR's will follow to ensure kubeadm supports IPv6.
**Release note**:
```NONE
```
Automatic merge from submit-queue
Adds IPv6 test case to kubeadm bootstrap
**What this PR does / why we need it**:
Adds IPv6 test cases in support of kubeadm bootstrap functionality. It's needed to ensure test cases cover IPv6 related networking scenarios.
**Which issue this PR fixes**
This PR is in support of Issue #1443 and Issue #47666
**Special notes for your reviewer**:
Additional PR's will follow to ensure kubeadm fully supports IPv6.
**Release note**:
```NONE
```
/area ipv6
Automatic merge from submit-queue (batch tested with PRs 50198, 49051, 48432)
move KubeletConfiguration out of componentconfig API group
I'm splitting #44252 into more manageable steps. This step moves the types and updates references.
To reviewers: the most important changes are the removals from pkg/apis/componentconfig and additions to pkg/kubelet/apis/kubeletconfig. Almost everything else is an import or name update.
I have one unanswered question: Should I create a whole new api scheme for Kubelet APIs rather than register e.g. a kubeletconfig group with the default runtime.Scheme instance? This feels like the right thing, as the Kubelet should be exposing its own API, but there's a big fat warning not to do this in `pkg/api/register.go`. Can anyone answer this?
Automatic merge from submit-queue (batch tested with PRs 50626, 50683, 50679, 50684, 50460)
kubeadm: Centralize client create-or-update logic in one package
**What this PR does / why we need it**:
Moves all Create-or-Update logic into one package instead of duplicating that logic all around in the codebase.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
This PR depends on https://github.com/kubernetes/kubernetes/pull/50214.
Note that commit 2 is the only one that needs reviewing.
This PR is required for https://github.com/kubernetes/kubernetes/pull/48899 (kubeadm upgrade)
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @mattmoyer @fabriziopandini
Automatic merge from submit-queue
Add Priority admission controller
**What this PR does / why we need it**: Add Priority admission controller. This admission controller checks creation and update of PriorityClasses. It also resolves a PriorityClass name of a pod to its integer value.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Add Priority admission controller for monitoring and resolving PriorityClasses.
```
ref/ #47604
ref/ #48646
Automatic merge from submit-queue
kubeadm: Implementing the controlplane phase
**What this PR does / why we need it:**
This contains implementation of controlplane phases in kubeadm, which is part of the wider effort of implementing phases in kubeadm, previously in alpha stage.
The original proposal for this activity can be found [here](https://github.com/kubernetes/kubeadm/pull/156/files) and related comments.
Kubeadm phase implementation checklist is defined [here](https://github.com/kubernetes/kubeadm/issues/267)
Common implementation guidelines and principles for all phases are defined [here](https://docs.google.com/document/d/1VQMyFIVMfRGQPP3oCUpfjiWtOr3pLxp4g7cP-hXQFXc/edit?usp=sharing)
This PR implements:
- [x] kubeadm phase controlplane: wip by @fabriziopandini
- [x] kubeadm phase controlplane all
- [x] kubeadm phase controlplane etcd
- [x] kubeadm phase controlplane apiserver
- [x] kubeadm phase controlplane scheduler
- [x] kubeadm phase controlplane controller-manager
**Which issue this PR fixes:**
https://github.com/kubernetes/kubeadm/issues/349
**Special notes for your reviewer:**
This PR implements the same approach of #49419, thus minimising rework/impacts on existing codebase.
Automatic merge from submit-queue (batch tested with PRs 49129, 50436, 50417, 50553, 47587)
Revert "Remove old node role label that is not used by kubeadm"
Revert the commit that removed printing of node roles from kubectl.
It sounds like we also need to update the labels we inspect, as these were previously removed. But starting with a clean revert.
Issue #49124
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49904, 50484, 50214)
Refactor addons into multiple packages
**What this PR does / why we need it**:
https://github.com/kubernetes/kubeadm/issues/348
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
https://github.com/kubernetes/kubeadm/issues/348
This change allows kubectl to be built on MacOS machines using
`bazel build //cmd/kubectl`.
Mac OS X doesn't support static binaries because it does not have a
stable syscall API. Userspace binaries are expected to dynamically
link against libcrt instead.
https://developer.apple.com/library/content/qa/qa1118/_index.html
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Enable caching successful token authentication
Resolves#50472
To support revocation of service account tokens, an etcd lookup of the token and service account is done by the token authenticator. Controllers that make dozens or hundreds of API calls per second (like the endpoints controller) cause this lookup to be done very frequently on the same objects.
This PR:
* Implements a cached token authenticator that conforms to the authenticator.Token interface
* Implements a union token authenticator (same approach as the union request authenticator, conforming to the authenticator.Token interface)
* Cleans up the auth chain construction to group all token authenticators (means we only do bearer and websocket header parsing once)
* Adds a 10-second TTL cache to successful token authentication
```release-note
API server authentication now caches successful bearer token authentication results for a few seconds.
```
Automatic merge from submit-queue
Simplify a command for unmounting mounted directories
**What this PR does / why we need it**:
This PR simplifies a command for unmounting mounted directories. It replaces `cat | awk | grep` by a single `awk` expression.
**Special notes for your reviewer**:
Link about useless cat/grep usage: http://porkmail.org/era/unix/award.html#grep
**Credit**:
I saw this code fragment in the Julia Evans (@jvns) [write up](https://jvns.ca/blog/2017/07/30/a-couple-useful-ideas-from-google/).
**Release note**:
```release-note
NONE
```
CC @simo5
Automatic merge from submit-queue
Rewrite staging import verifier in Go
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
**What this PR does / why we need it**:
Maintaining Bash is nobody's idea of fun. The declarative config is infinitely easier to read, as well.
**Special notes for your reviewer**:
@sttts still trying to figure out the rules you have encoded in the shell script... very confusing. Please review the `kube-gen` specifically.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
move logs to kubectl/util
Move `pkg/util/logs` to `pkg/kubectl/util/logs` per https://github.com/kubernetes/kubernetes/issues/48209#issuecomment-311730681
This will make kubeadm, kubefed, gke-certificates-controller and e2e have dependency on kubectl, which should be fine.
partially addresses: kubernetes/community#598
```release-note
NONE
```
/assign @apelisse @monopole
This change adds the `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join` and corresponding fields on the kubeadm NodeConfiguration struct. These flags configure enhanced TLS validation for token-based discovery.
The enhanced TLS validation works by pinning the public key hashes of the cluster CA. This is done by connecting to the `cluster-info` endpoint initially using an unvalidated/unsafe TLS connection. After the cluster info has been loaded, parsed, and validated with the existing symmetric signature/MAC scheme, the root CA is validated against the pinned public key set. A second request is made using validated/safe TLS using the newly-known CA and the result is validated to make sure the same `cluster-info` was returned from both requests.
This validation prevents a class of attacks where a leaked bootstrap token (such as from a compromised worker node) allows an attacker to impersonate the API server.
This change also update `kubeadm init` to print the correct `--discovery-token-ca-cert-hash` flag in the example `kubeadm join` command it prints at the end of initialization.
This change adds a `k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin` package which implements x509 public key pinning in the style of RFC7469. This is the public key hash format used by the new `kubeadm join --discovery-token-ca-cert-hash` flag.
Hashes are namespaced with a short type, with "sha256" being the only currently-supported format. Type "sha256" is a hex-encoded SHA-256 hash over the Subject Public Key Info (SPKI) object in DER-encoded ASN.1.
Automatic merge from submit-queue (batch tested with PRs 49642, 50335, 50390, 49283, 46582)
Improve GC discovery sync performance
Improve GC discovery sync performance by only syncing when discovered
resource diffs are detected. Before, the GC worker pool was shut down
and monitors resynced unconditionally every sync period, leading to
significant processing delays causing test flakes where otherwise
reasonable GC timeouts were being exceeded.
Related to https://github.com/kubernetes/kubernetes/issues/49966.
/cc @kubernetes/sig-api-machinery-bugs
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49642, 50335, 50390, 49283, 46582)
Add rbac.authorization.k8s.io/v1
xref https://github.com/kubernetes/features/issues/2
Promotes the rbac.authorization.k8s.io/v1beta1 API to v1 with no changes
```release-note
The `rbac.authorization.k8s.io/v1beta1` API has been promoted to `rbac.authorization.k8s.io/v1` with no changes.
The `rbac.authorization.k8s.io/v1alpha1` version is deprecated and will be removed in a future release.
```
