Fresh dep ensure

vendor/k8s.io/kubernetes/cluster/gce/addons/loadbalancing/cloud-provider-binding.yaml

@@ -3,12 +3,12 @@ kind: RoleBinding
 metadata:
   labels:
     addonmanager.kubernetes.io/mode: Reconcile
-  name: cloud-provider
+  name: gce:cloud-provider
   namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: cloud-provider
+  name: gce:cloud-provider
 subjects:
 - kind: ServiceAccount
   name: cloud-provider
@@ -19,11 +19,11 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     addonmanager.kubernetes.io/mode: Reconcile
-  name: cloud-provider
+  name: gce:cloud-provider
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cloud-provider
+  name: gce:cloud-provider
 subjects:
 - kind: ServiceAccount
   name: cloud-provider

vendor/k8s.io/kubernetes/cluster/gce/addons/loadbalancing/cloud-provider-role.yaml

@@ -3,7 +3,7 @@ kind: Role
 metadata:
   labels:
     addonmanager.kubernetes.io/mode: Reconcile
-  name: cloud-provider
+  name: gce:cloud-provider
   namespace: kube-system
 rules:
 - apiGroups:
@@ -23,7 +23,51 @@ kind: ClusterRole
 metadata:
   labels:
     addonmanager.kubernetes.io/mode: Reconcile
-  name: cloud-provider
+  name: gce:cloud-provider
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+  name: cloud-provider
+  namespace: kube-system
+  annotations:
+    kubernetes.io/deprecation: 'cloud-provider role is DEPRECATED in the
+      concern of potential collisions and will be removed in 1.16. Do not use
+      this role.'
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+  name: cloud-provider
+  annotations:
+    kubernetes.io/deprecation: 'cloud-provider clusterrole is DEPRECATED in the
+      concern of potential collisions and will be removed in 1.16. Do not use
+      this role.'
 rules:
 - apiGroups:
   - ""

vendor/k8s.io/kubernetes/cluster/gce/addons/node-termination-handler/README

@@ -0,0 +1,4 @@
+# GCE Node Termination Handler
+
+This addon deploys [GCE Node Termination Handler](https://github.com/GoogleCloudPlatform/k8s-node-termination-handler) on to kubernetes clusters on GCP.
+It is meant to help translate GCE VM termination notifications into kubernetes graceful terminations.

vendor/k8s.io/kubernetes/cluster/gce/addons/node-termination-handler/daemonset.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: node-termination-handler
+  namespace: kube-system
+  name: node-termination-handler
+spec:
+  selector:
+    matchLabels:
+      k8s-app: node-termination-handler
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: node-termination-handler
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      priorityClassName: system-node-critical
+      # Necessary to reboot node
+      hostPID: true
+      affinity:
+        nodeAffinity:
+          # Restrict to GPU nodes or preemptible nodes
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: cloud.google.com/gke-accelerator
+                    operator: Exists
+              - matchExpressions:
+                  - key: cloud.google.com/gke-preemptible
+                    operator: Exists
+      volumes:
+        - name: klet-service-account
+          hostPath:
+            path: /var/lib/kubelet
+        - name: klet-ca-crt
+          hostPath:
+            path: /etc/srv/kubernetes
+      tolerations:
+        # Run regardless of any existing taints.
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      containers:
+        - image: k8s.gcr.io/gke-node-termination-handler@sha256:e08ca863a547754fa7b75064bdad04f04cbef86c7b0a181ecc7304e747623181
+          name: node-termination-handler
+          command: ["./node-termination-handler"]
+          args: ["--logtostderr", "--exclude-pods=$(POD_NAME):$(POD_NAMESPACE)", "-v=10", "--kubeconfig=/var/lib/kubelet/kubeconfig", "--annotation=cloud.google.com/impending-node-termination"]
+          securityContext:
+            capabilities:
+              # Necessary to reboot node
+              add: ["SYS_BOOT"]
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          resources:
+            limits:
+              cpu: 50m
+              memory: 30Mi
+          volumeMounts:
+            - name: klet-service-account
+              mountPath: /var/lib/kubelet
+            - name: klet-ca-crt
+              mountPath: /etc/srv/kubernetes

vendor/k8s.io/kubernetes/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml

@@ -15,6 +15,7 @@ spec:
   volumes:
   - 'nfs'
   - 'secret'   # Required for service account credentials.
+  - 'projected'
   hostNetwork: false
   hostIPC: false
   hostPID: false

vendor/k8s.io/kubernetes/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml

@@ -19,10 +19,27 @@ metadata:
 spec:
   privileged: false
   allowPrivilegeEscalation: false
+  # The docker default set of capabilities
+  allowedCapabilities:
+  - SETPCAP
+  - MKNOD
+  - AUDIT_WRITE
+  - CHOWN
+  - NET_RAW
+  - DAC_OVERRIDE
+  - FOWNER
+  - FSETID
+  - KILL
+  - SETGID
+  - SETUID
+  - NET_BIND_SERVICE
+  - SYS_CHROOT
+  - SETFCAP
   volumes:
   - 'emptyDir'
   - 'configMap'
   - 'secret'
+  - 'projected'
   hostNetwork: false
   hostIPC: false
   hostPID: false