Bumping k8s dependencies to 1.13

2018-11-16 14:08:25 -08:00
parent 305407125c
commit b4c0b68ec7
8002 changed files with 884099 additions and 276228 deletions
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/BUILD
@@ -21,12 +21,11 @@ go_library(
    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/options",
    deps = [
        "//pkg/api/legacyscheme:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
        "//pkg/cloudprovider/providers:go_default_library",
+        "//pkg/features:go_default_library",
        "//pkg/kubeapiserver/authenticator:go_default_library",
        "//pkg/kubeapiserver/authorizer:go_default_library",
        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
-        "//pkg/kubeapiserver/server:go_default_library",
        "//plugin/pkg/admission/admit:go_default_library",
        "//plugin/pkg/admission/alwayspullimages:go_default_library",
        "//plugin/pkg/admission/antiaffinity:go_default_library",
@@ -53,23 +52,23 @@ go_library(
        "//plugin/pkg/admission/storage/persistentvolume/resize:go_default_library",
        "//plugin/pkg/admission/storage/storageclass/setdefault:go_default_library",
        "//plugin/pkg/admission/storage/storageobjectinuseprotection:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/initialization:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/util/flag:go_default_library",
+        "//staging/src/k8s.io/client-go/informers:go_default_library",
+        "//staging/src/k8s.io/client-go/rest:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
-        "//vendor/github.com/pborman/uuid:go_default_library",
        "//vendor/github.com/spf13/pflag:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/util/net:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/initialization:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/server:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/server/options:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/util/flag:go_default_library",
-        "//vendor/k8s.io/client-go/informers:go_default_library",
-        "//vendor/k8s.io/client-go/rest:go_default_library",
    ],
 )

@@ -90,12 +89,17 @@ go_test(
    name = "go_default_test",
    srcs = [
        "admission_test.go",
+        "authentication_test.go",
        "authorization_test.go",
        "storage_versions_test.go",
    ],
    embed = [":go_default_library"],
    deps = [
+        "//pkg/kubeapiserver/authenticator:go_default_library",
        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
    ],
 )
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go
@@ -73,10 +73,11 @@ type PasswordFileAuthenticationOptions struct {
 }

 type ServiceAccountAuthenticationOptions struct {
-	KeyFiles     []string
-	Lookup       bool
-	Issuer       string
-	APIAudiences []string
+	KeyFiles      []string
+	Lookup        bool
+	Issuer        string
+	APIAudiences  []string
+	MaxExpiration time.Duration
 }

 type TokenFileAuthenticationOptions struct {
@@ -260,6 +261,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 		fs.StringSliceVar(&s.ServiceAccounts.APIAudiences, "service-account-api-audiences", s.ServiceAccounts.APIAudiences, ""+
 			"Identifiers of the API. The service account token authenticator will validate that "+
 			"tokens used against the API are bound to at least one of these audiences.")
+
+		fs.DurationVar(&s.ServiceAccounts.MaxExpiration, "service-account-max-token-expiration", s.ServiceAccounts.MaxExpiration, ""+
+			"The maximum validity duration of a token created by the service account token issuer. If an otherwise valid "+
+			"TokenRequest with a validity duration larger than this value is requested, a token will be issued with a validity duration of this value.")
 	}

 	if s.TokenFile != nil {
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication_test.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication_test.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+	"time"
+
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
+	"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
+)
+
+func TestAuthenticationValidate(t *testing.T) {
+	testCases := []struct {
+		name      string
+		testOIDC  *OIDCAuthenticationOptions
+		testSA    *ServiceAccountAuthenticationOptions
+		expectErr string
+	}{
+		{
+			name: "test when OIDC and ServiceAccounts are nil",
+		},
+		{
+			name: "test when OIDC and ServiceAccounts are valid",
+			testOIDC: &OIDCAuthenticationOptions{
+				UsernameClaim: "sub",
+				SigningAlgs:   []string{"RS256"},
+				IssuerURL:     "testIssuerURL",
+			},
+			testSA: &ServiceAccountAuthenticationOptions{
+				Issuer: "http://foo.bar.com",
+			},
+		},
+		{
+			name: "test when OIDC is invalid",
+			testOIDC: &OIDCAuthenticationOptions{
+				UsernameClaim: "sub",
+				SigningAlgs:   []string{"RS256"},
+				IssuerURL:     "testIssuerURL",
+			},
+			testSA: &ServiceAccountAuthenticationOptions{
+				Issuer: "http://foo.bar.com",
+			},
+			expectErr: "oidc-issuer-url and oidc-client-id should be specified together",
+		},
+		{
+			name: "test when ServiceAccount is invalid",
+			testOIDC: &OIDCAuthenticationOptions{
+				UsernameClaim: "sub",
+				SigningAlgs:   []string{"RS256"},
+				IssuerURL:     "testIssuerURL",
+				ClientID:      "testClientID",
+			},
+			testSA: &ServiceAccountAuthenticationOptions{
+				Issuer: "http://[::1]:namedport",
+			},
+			expectErr: "service-account-issuer contained a ':' but was not a valid URL",
+		},
+	}
+
+	for _, testcase := range testCases {
+		t.Run(testcase.name, func(t *testing.T) {
+			options := NewBuiltInAuthenticationOptions()
+			options.OIDC = testcase.testOIDC
+			options.ServiceAccounts = testcase.testSA
+
+			errs := options.Validate()
+			if len(errs) > 0 && !strings.Contains(utilerrors.NewAggregate(errs).Error(), testcase.expectErr) {
+				t.Errorf("Got err: %v, Expected err: %s", errs, testcase.expectErr)
+			}
+
+			if len(errs) == 0 && len(testcase.expectErr) != 0 {
+				t.Errorf("Got err nil, Expected err: %s", testcase.expectErr)
+			}
+		})
+	}
+}
+
+func TestToAuthenticationConfig(t *testing.T) {
+	testOptions := &BuiltInAuthenticationOptions{
+		Anonymous: &AnonymousAuthenticationOptions{
+			Allow: false,
+		},
+		ClientCert: &apiserveroptions.ClientCertAuthenticationOptions{
+			ClientCA: "/client-ca",
+		},
+		WebHook: &WebHookAuthenticationOptions{
+			CacheTTL:   180000000000,
+			ConfigFile: "/token-webhook-config",
+		},
+		BootstrapToken: &BootstrapTokenAuthenticationOptions{
+			Enable: false,
+		},
+		OIDC: &OIDCAuthenticationOptions{
+			CAFile:        "/testCAFile",
+			UsernameClaim: "sub",
+			SigningAlgs:   []string{"RS256"},
+			IssuerURL:     "testIssuerURL",
+			ClientID:      "testClientID",
+		},
+		PasswordFile: &PasswordFileAuthenticationOptions{
+			BasicAuthFile: "/testBasicAuthFile",
+		},
+		RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{
+			UsernameHeaders:     []string{"x-remote-user"},
+			GroupHeaders:        []string{"x-remote-group"},
+			ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+			ClientCAFile:        "/testClientCAFile",
+			AllowedNames:        []string{"kube-aggregator"},
+		},
+		ServiceAccounts: &ServiceAccountAuthenticationOptions{
+			Lookup: true,
+			Issuer: "http://foo.bar.com",
+		},
+		TokenFile: &TokenFileAuthenticationOptions{
+			TokenFile: "/testTokenFile",
+		},
+		TokenSuccessCacheTTL: 10 * time.Second,
+		TokenFailureCacheTTL: 0,
+	}
+
+	expectConfig := authenticator.AuthenticatorConfig{
+		Anonymous:                   false,
+		BasicAuthFile:               "/testBasicAuthFile",
+		BootstrapToken:              false,
+		ClientCAFile:                "/client-ca",
+		TokenAuthFile:               "/testTokenFile",
+		OIDCIssuerURL:               "testIssuerURL",
+		OIDCClientID:                "testClientID",
+		OIDCCAFile:                  "/testCAFile",
+		OIDCUsernameClaim:           "sub",
+		OIDCSigningAlgs:             []string{"RS256"},
+		ServiceAccountLookup:        true,
+		ServiceAccountIssuer:        "http://foo.bar.com",
+		WebhookTokenAuthnConfigFile: "/token-webhook-config",
+		WebhookTokenAuthnCacheTTL:   180000000000,
+
+		TokenSuccessCacheTTL: 10 * time.Second,
+		TokenFailureCacheTTL: 0,
+
+		RequestHeaderConfig: &authenticatorfactory.RequestHeaderConfig{
+			UsernameHeaders:     []string{"x-remote-user"},
+			GroupHeaders:        []string{"x-remote-group"},
+			ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+			ClientCA:            "/testClientCAFile",
+			AllowedClientNames:  []string{"kube-aggregator"},
+		},
+	}
+
+	resultConfig := testOptions.ToAuthenticationConfig()
+	if !reflect.DeepEqual(resultConfig, expectConfig) {
+		t.Errorf("Got AuthenticationConfig: %v, Expected AuthenticationConfig: %v", resultConfig, expectConfig)
+	}
+}
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authorization.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authorization.go
@@ -25,7 +25,6 @@ import (

 	"k8s.io/apimachinery/pkg/util/sets"
 	versionedinformers "k8s.io/client-go/informers"
-	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
@@ -110,14 +109,13 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 		"The duration to cache 'unauthorized' responses from the webhook authorizer.")
 }

-func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory, versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
+func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
 	return authorizer.AuthorizationConfig{
 		AuthorizationModes:          s.Modes,
 		PolicyFile:                  s.PolicyFile,
 		WebhookConfigFile:           s.WebhookConfigFile,
 		WebhookCacheAuthorizedTTL:   s.WebhookCacheAuthorizedTTL,
 		WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL,
-		InformerFactory:             informerFactory,
 		VersionedInformerFactory:    versionedInformerFactory,
 	}
 }
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/plugins.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/plugins.go
@@ -57,6 +57,8 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
 	mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
 	validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/kubernetes/pkg/features"
 )

 // AllOrderedPlugins is the list of all the plugins in order.
@@ -139,5 +141,9 @@ func DefaultOffAdmissionPlugins() sets.String {
 		resourcequota.PluginName,            //ResourceQuota
 	)

+	if utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) {
+		defaultOnPlugins.Insert(podpriority.PluginName) //PodPriority
+	}
+
 	return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins)
 }
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/serving.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/serving.go
@@ -20,41 +20,47 @@ package options
 import (
 	"fmt"
 	"net"
-	"strconv"
-
-	"github.com/pborman/uuid"
-	"github.com/spf13/pflag"

 	utilnet "k8s.io/apimachinery/pkg/util/net"
-	"k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
-	kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
 )

 // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
 // "normal" API servers running on the platform
 func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback {
-	return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{
+	o := genericoptions.SecureServingOptions{
 		BindAddress: net.ParseIP("0.0.0.0"),
 		BindPort:    6443,
+		Required:    true,
 		ServerCert: genericoptions.GeneratableKeyCert{
 			PairName:      "apiserver",
 			CertDirectory: "/var/run/kubernetes",
 		},
-	})
+	}
+	return o.WithLoopback()
+}
+
+// NewInsecureServingOptions gives default values for the kube-apiserver.
+// TODO: switch insecure serving off by default
+func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback {
+	o := genericoptions.DeprecatedInsecureServingOptions{
+		BindAddress: net.ParseIP("127.0.0.1"),
+		BindPort:    8080,
+	}
+	return o.WithLoopback()
 }

 // DefaultAdvertiseAddress sets the field AdvertiseAddress if
 // unset. The field will be set based on the SecureServingOptions. If
 // the SecureServingOptions is not present, DefaultExternalAddress
 // will fall back to the insecure ServingOptions.
-func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
+func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *genericoptions.DeprecatedInsecureServingOptions) error {
 	if insecure == nil {
 		return nil
 	}

 	if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
-		hostIP, err := insecure.DefaultExternalAddress()
+		hostIP, err := utilnet.ChooseBindAddress(insecure.BindAddress)
 		if err != nil {
 			return fmt.Errorf("unable to find suitable network address.error='%v'. "+
 				"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this", err)
@@ -64,76 +70,3 @@ func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *Insec

 	return nil
 }
-
-// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-type InsecureServingOptions struct {
-	BindAddress net.IP
-	BindPort    int
-}
-
-// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-func NewInsecureServingOptions() *InsecureServingOptions {
-	return &InsecureServingOptions{
-		BindAddress: net.ParseIP("127.0.0.1"),
-		BindPort:    8080,
-	}
-}
-
-func (s InsecureServingOptions) Validate() []error {
-	errors := []error{}
-
-	if s.BindPort < 0 || s.BindPort > 65535 {
-		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
-	}
-
-	return errors
-}
-
-func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
-	return utilnet.ChooseBindAddress(s.BindAddress)
-}
-
-func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
-	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
-		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
-	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
-	fs.Lookup("insecure-bind-address").Hidden = false
-
-	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
-		"The port on which to serve unsecured, unauthenticated access. It is assumed "+
-		"that firewall rules are set up such that this port is not reachable from outside of "+
-		"the cluster and that port 443 on the cluster's public address is proxied to this "+
-		"port. This is performed by nginx in the default setup. Set to zero to disable.")
-	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
-	fs.Lookup("insecure-port").Hidden = false
-}
-
-// TODO: remove it until kops stop using `--address`
-func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
-	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
-		"DEPRECATED: see --insecure-bind-address instead.")
-	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
-
-	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
-	fs.MarkDeprecated("port", "see --insecure-port instead.")
-}
-
-func (s *InsecureServingOptions) ApplyTo(c *server.Config) (*kubeserver.InsecureServingInfo, error) {
-	if s.BindPort <= 0 {
-		return nil, nil
-	}
-
-	ret := &kubeserver.InsecureServingInfo{
-		BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
-	}
-
-	var err error
-	privilegedLoopbackToken := uuid.NewRandom().String()
-	if c.LoopbackClientConfig, err = ret.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil {
-		return nil, err
-	}
-
-	return ret, nil
-}
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/storage_versions.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/storage_versions.go
@@ -17,14 +17,12 @@ limitations under the License.
 package options

 import (
+	"sort"
 	"strings"

+	"github.com/spf13/pflag"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
-
-	"sort"
-
-	"github.com/spf13/pflag"
 )

 const (
@@ -105,6 +103,11 @@ func (s *StorageSerializationOptions) AddFlags(fs *pflag.FlagSet) {
 		"You only need to pass the groups you wish to change from the defaults. "+
 		"It defaults to a list of preferred versions of all known groups.")

+	fs.MarkDeprecated("storage-versions", ""+
+		"Please omit this flag to ensure the default storage versions are used ."+
+		"Otherwise the cluster is not safe to upgrade to a version newer than 1.12. "+
+		"This flag will be removed in 1.13.")
+
 }

 // ToPreferredVersionString returns the preferred versions of all registered