rebase: update kubernetes to v1.25.0

update kubernetes to latest v1.25.0 release. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-13 10:33:35 +00:00 · 2022-08-24 07:54:25 +05:30
parent f47839d73d
commit e3bf375035
645 changed files with 42507 additions and 9219 deletions
--- a/vendor/k8s.io/apiserver/pkg/admission/initializer/initializer.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/initializer/initializer.go
@ -29,6 +29,7 @@ type pluginInitializer struct {
 	externalInformers informers.SharedInformerFactory
 	authorizer        authorizer.Authorizer
 	featureGates      featuregate.FeatureGate
+	stopCh            <-chan struct{}
 }

 // New creates an instance of admission plugins initializer.
@ -39,19 +40,26 @@ func New(
 	extInformers informers.SharedInformerFactory,
 	authz authorizer.Authorizer,
 	featureGates featuregate.FeatureGate,
+	stopCh <-chan struct{},
 ) pluginInitializer {
 	return pluginInitializer{
 		externalClient:    extClientset,
 		externalInformers: extInformers,
 		authorizer:        authz,
 		featureGates:      featureGates,
+		stopCh:            stopCh,
 	}
 }

 // Initialize checks the initialization interfaces implemented by a plugin
 // and provide the appropriate initialization data
 func (i pluginInitializer) Initialize(plugin admission.Interface) {
-	// First tell the plugin about enabled features, so it can decide whether to start informers or not
+	// First tell the plugin about drained notification, so it can pass it to further initializations.
+	if wants, ok := plugin.(WantsDrainedNotification); ok {
+		wants.SetDrainedNotification(i.stopCh)
+	}
+
+	// Second tell the plugin about enabled features, so it can decide whether to start informers or not
 	if wants, ok := plugin.(WantsFeatures); ok {
 		wants.InspectFeatureGates(i.featureGates)
 	}
--- a/vendor/k8s.io/apiserver/pkg/admission/initializer/interfaces.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/initializer/interfaces.go
@ -49,12 +49,21 @@ type WantsQuotaConfiguration interface {
 	admission.InitializationValidator
 }

+// WantsDrainedNotification defines a function which sets the notification of where the apiserver
+// has already been drained for admission plugins that need it.
+// After receiving that notification, Admit/Validate calls won't be called anymore.
+type WantsDrainedNotification interface {
+	SetDrainedNotification(<-chan struct{})
+	admission.InitializationValidator
+}
+
 // WantsFeatureGate defines a function which passes the featureGates for inspection by an admission plugin.
 // Admission plugins should not hold a reference to the featureGates.  Instead, they should query a particular one
 // and assign it to a simple bool in the admission plugin struct.
-// func (a *admissionPlugin) InspectFeatureGates(features featuregate.FeatureGate){
-//     a.myFeatureIsOn = features.Enabled("my-feature")
-// }
+//
+//	func (a *admissionPlugin) InspectFeatureGates(features featuregate.FeatureGate){
+//	    a.myFeatureIsOn = features.Enabled("my-feature")
+//	}
 type WantsFeatures interface {
 	InspectFeatureGates(featuregate.FeatureGate)
 	admission.InitializationValidator
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/namespace/matcher.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/namespace/matcher.go
@ -45,7 +45,7 @@ func (m *Matcher) Validate() error {
 		errs = append(errs, fmt.Errorf("the namespace matcher requires a namespaceLister"))
 	}
 	if m.Client == nil {
-		errs = append(errs, fmt.Errorf("the namespace matcher requires a namespaceLister"))
+		errs = append(errs, fmt.Errorf("the namespace matcher requires a client"))
 	}
 	return utilerrors.NewAggregate(errs)
 }
--- a/vendor/k8s.io/apiserver/pkg/audit/request.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/request.go
@ -239,7 +239,7 @@ func encodeObject(obj runtime.Object, gv schema.GroupVersion, serializer runtime

 	return &runtime.Unknown{
 		Raw:         buf.Bytes(),
-		ContentType: runtime.ContentTypeJSON,
+		ContentType: mediaType,
 	}, nil
 }

--- a/vendor/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go
@ -1,183 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package serviceaccount
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	v1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apiserver/pkg/authentication/user"
-	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
-
-	"k8s.io/klog/v2"
-)
-
-const (
-	ServiceAccountUsernamePrefix    = "system:serviceaccount:"
-	ServiceAccountUsernameSeparator = ":"
-	ServiceAccountGroupPrefix       = "system:serviceaccounts:"
-	AllServiceAccountsGroup         = "system:serviceaccounts"
-	// PodNameKey is the key used in a user's "extra" to specify the pod name of
-	// the authenticating request.
-	PodNameKey = "authentication.kubernetes.io/pod-name"
-	// PodUIDKey is the key used in a user's "extra" to specify the pod UID of
-	// the authenticating request.
-	PodUIDKey = "authentication.kubernetes.io/pod-uid"
-)
-
-// MakeUsername generates a username from the given namespace and ServiceAccount name.
-// The resulting username can be passed to SplitUsername to extract the original namespace and ServiceAccount name.
-func MakeUsername(namespace, name string) string {
-	return ServiceAccountUsernamePrefix + namespace + ServiceAccountUsernameSeparator + name
-}
-
-// MatchesUsername checks whether the provided username matches the namespace and name without
-// allocating. Use this when checking a service account namespace and name against a known string.
-func MatchesUsername(namespace, name string, username string) bool {
-	if !strings.HasPrefix(username, ServiceAccountUsernamePrefix) {
-		return false
-	}
-	username = username[len(ServiceAccountUsernamePrefix):]
-
-	if !strings.HasPrefix(username, namespace) {
-		return false
-	}
-	username = username[len(namespace):]
-
-	if !strings.HasPrefix(username, ServiceAccountUsernameSeparator) {
-		return false
-	}
-	username = username[len(ServiceAccountUsernameSeparator):]
-
-	return username == name
-}
-
-var invalidUsernameErr = fmt.Errorf("Username must be in the form %s", MakeUsername("namespace", "name"))
-
-// SplitUsername returns the namespace and ServiceAccount name embedded in the given username,
-// or an error if the username is not a valid name produced by MakeUsername
-func SplitUsername(username string) (string, string, error) {
-	if !strings.HasPrefix(username, ServiceAccountUsernamePrefix) {
-		return "", "", invalidUsernameErr
-	}
-	trimmed := strings.TrimPrefix(username, ServiceAccountUsernamePrefix)
-	parts := strings.Split(trimmed, ServiceAccountUsernameSeparator)
-	if len(parts) != 2 {
-		return "", "", invalidUsernameErr
-	}
-	namespace, name := parts[0], parts[1]
-	if len(apimachineryvalidation.ValidateNamespaceName(namespace, false)) != 0 {
-		return "", "", invalidUsernameErr
-	}
-	if len(apimachineryvalidation.ValidateServiceAccountName(name, false)) != 0 {
-		return "", "", invalidUsernameErr
-	}
-	return namespace, name, nil
-}
-
-// MakeGroupNames generates service account group names for the given namespace
-func MakeGroupNames(namespace string) []string {
-	return []string{
-		AllServiceAccountsGroup,
-		MakeNamespaceGroupName(namespace),
-	}
-}
-
-// MakeNamespaceGroupName returns the name of the group all service accounts in the namespace are included in
-func MakeNamespaceGroupName(namespace string) string {
-	return ServiceAccountGroupPrefix + namespace
-}
-
-// UserInfo returns a user.Info interface for the given namespace, service account name and UID
-func UserInfo(namespace, name, uid string) user.Info {
-	return (&ServiceAccountInfo{
-		Name:      name,
-		Namespace: namespace,
-		UID:       uid,
-	}).UserInfo()
-}
-
-type ServiceAccountInfo struct {
-	Name, Namespace, UID string
-	PodName, PodUID      string
-}
-
-func (sa *ServiceAccountInfo) UserInfo() user.Info {
-	info := &user.DefaultInfo{
-		Name:   MakeUsername(sa.Namespace, sa.Name),
-		UID:    sa.UID,
-		Groups: MakeGroupNames(sa.Namespace),
-	}
-	if sa.PodName != "" && sa.PodUID != "" {
-		info.Extra = map[string][]string{
-			PodNameKey: {sa.PodName},
-			PodUIDKey:  {sa.PodUID},
-		}
-	}
-	return info
-}
-
-// IsServiceAccountToken returns true if the secret is a valid api token for the service account
-func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool {
-	if secret.Type != v1.SecretTypeServiceAccountToken {
-		return false
-	}
-
-	name := secret.Annotations[v1.ServiceAccountNameKey]
-	uid := secret.Annotations[v1.ServiceAccountUIDKey]
-	if name != sa.Name {
-		// Name must match
-		return false
-	}
-	if len(uid) > 0 && uid != string(sa.UID) {
-		// If UID is specified, it must match
-		return false
-	}
-
-	return true
-}
-
-func GetOrCreateServiceAccount(coreClient v1core.CoreV1Interface, namespace, name string) (*v1.ServiceAccount, error) {
-	sa, err := coreClient.ServiceAccounts(namespace).Get(context.TODO(), name, metav1.GetOptions{})
-	if err == nil {
-		return sa, nil
-	}
-	if !apierrors.IsNotFound(err) {
-		return nil, err
-	}
-
-	// Create the namespace if we can't verify it exists.
-	// Tolerate errors, since we don't know whether this component has namespace creation permissions.
-	if _, err := coreClient.Namespaces().Get(context.TODO(), namespace, metav1.GetOptions{}); apierrors.IsNotFound(err) {
-		if _, err = coreClient.Namespaces().Create(context.TODO(), &v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace}}, metav1.CreateOptions{}); err != nil && !apierrors.IsAlreadyExists(err) {
-			klog.Warningf("create non-exist namespace %s failed:%v", namespace, err)
-		}
-	}
-
-	// Create the service account
-	sa, err = coreClient.ServiceAccounts(namespace).Create(context.TODO(), &v1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Namespace: namespace, Name: name}}, metav1.CreateOptions{})
-	if apierrors.IsAlreadyExists(err) {
-		// If we're racing to init and someone else already created it, re-fetch
-		return coreClient.ServiceAccounts(namespace).Get(context.TODO(), name, metav1.GetOptions{})
-	}
-	return sa, err
-}
--- a/vendor/k8s.io/apiserver/pkg/endpoints/request/auditid.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/request/auditid.go
@ -18,7 +18,6 @@ package request

 import (
 	"context"
-	"net/http"

 	"k8s.io/apimachinery/pkg/types"
 )
@ -45,12 +44,12 @@ func AuditIDFrom(ctx context.Context) (types.UID, bool) {
 	return auditID, ok
 }

-// GetAuditIDTruncated returns the audit ID (truncated) associated with a request.
+// GetAuditIDTruncated returns the audit ID (truncated) from the request context.
 // If the length of the Audit-ID value exceeds the limit, we truncate it to keep
 // the first N (maxAuditIDLength) characters.
 // This is intended to be used in logging only.
-func GetAuditIDTruncated(req *http.Request) string {
-	auditID, ok := AuditIDFrom(req.Context())
+func GetAuditIDTruncated(ctx context.Context) string {
+	auditID, ok := AuditIDFrom(ctx)
 	if !ok {
 		return ""
 	}
--- a/vendor/k8s.io/apiserver/pkg/features/kube_features.go
+++ b/vendor/k8s.io/apiserver/pkg/features/kube_features.go
@ -28,24 +28,12 @@ const (
 	//
 	// // owner: @username
 	// // alpha: v1.4
-	// MyFeature() bool
-
-	// owner: @tallclair
-	// alpha: v1.7
-	// beta: v1.8
-	// GA: v1.12
+	// MyFeature featuregate.Feature = "MyFeature"
 	//
-	// AdvancedAuditing enables a much more general API auditing pipeline, which includes support for
-	// pluggable output backends and an audit policy specifying how different requests should be
-	// audited.
-	AdvancedAuditing featuregate.Feature = "AdvancedAuditing"
-
-	// owner: @ilackams
-	// alpha: v1.7
-	// beta: v1.16
-	//
-	// Enables compression of REST responses (GET and LIST only)
-	APIResponseCompression featuregate.Feature = "APIResponseCompression"
+	// Feature gates should be listed in alphabetical, case-sensitive
+	// (upper before any lower case character) order. This reduces the risk
+	// of code conflicts because changes are more likely to be scattered
+	// across the file.

 	// owner: @smarterclayton
 	// alpha: v1.8
@ -55,54 +43,6 @@ const (
 	// all at once.
 	APIListChunking featuregate.Feature = "APIListChunking"

-	// owner: @apelisse
-	// alpha: v1.12
-	// beta: v1.13
-	// stable: v1.18
-	//
-	// Allow requests to be processed but not stored, so that
-	// validation, merging, mutation can be tested without
-	// committing.
-	DryRun featuregate.Feature = "DryRun"
-
-	// owner: @caesarxuchao
-	// alpha: v1.15
-	// beta: v1.16
-	//
-	// Allow apiservers to show a count of remaining items in the response
-	// to a chunking list request.
-	RemainingItemCount featuregate.Feature = "RemainingItemCount"
-
-	// owner: @apelisse, @lavalamp
-	// alpha: v1.14
-	// beta: v1.16
-	// stable: v1.22
-	//
-	// Server-side apply. Merging happens on the server.
-	ServerSideApply featuregate.Feature = "ServerSideApply"
-
-	// owner: @caesarxuchao
-	// alpha: v1.14
-	// beta: v1.15
-	//
-	// Allow apiservers to expose the storage version hash in the discovery
-	// document.
-	StorageVersionHash featuregate.Feature = "StorageVersionHash"
-
-	// owner: @caesarxuchao @roycaihw
-	// alpha: v1.20
-	//
-	// Enable the storage version API.
-	StorageVersionAPI featuregate.Feature = "StorageVersionAPI"
-
-	// owner: @wojtek-t
-	// alpha: v1.15
-	// beta: v1.16
-	// GA: v1.17
-	//
-	// Enables support for watch bookmark events.
-	WatchBookmark featuregate.Feature = "WatchBookmark"
-
 	// owner: @MikeSpreitzer @yue9944882
 	// alpha: v1.18
 	// beta: v1.20
@ -112,29 +52,12 @@ const (
 	// was not really implemented before 1.18.
 	APIPriorityAndFairness featuregate.Feature = "APIPriorityAndFairness"

-	// owner: @wojtek-t
-	// alpha: v1.16
-	// beta: v1.20
-	// GA: v1.24
+	// owner: @ilackams
+	// alpha: v1.7
+	// beta: v1.16
 	//
-	// Deprecates and removes SelfLink from ObjectMeta and ListMeta.
-	RemoveSelfLink featuregate.Feature = "RemoveSelfLink"
-
-	// owner: @shaloulcy, @wojtek-t
-	// alpha: v1.18
-	// beta: v1.19
-	// GA: v1.20
-	//
-	// Allows label and field based indexes in apiserver watch cache to accelerate list operations.
-	SelectorIndex featuregate.Feature = "SelectorIndex"
-
-	// owner: @wojtek-t
-	// alpha: v1.20
-	// beta: v1.21
-	// GA: v1.24
-	//
-	// Allows for updating watchcache resource version with progress notify events.
-	EfficientWatchResumption featuregate.Feature = "EfficientWatchResumption"
+	// Enables compression of REST responses (GET and LIST only)
+	APIResponseCompression featuregate.Feature = "APIResponseCompression"

 	// owner: @roycaihw
 	// alpha: v1.20
@ -148,6 +71,49 @@ const (
 	// Add support for distributed tracing in the API Server
 	APIServerTracing featuregate.Feature = "APIServerTracing"

+	// owner: @tallclair
+	// alpha: v1.7
+	// beta: v1.8
+	// GA: v1.12
+	//
+	// AdvancedAuditing enables a much more general API auditing pipeline, which includes support for
+	// pluggable output backends and an audit policy specifying how different requests should be
+	// audited.
+	AdvancedAuditing featuregate.Feature = "AdvancedAuditing"
+
+	// owner: @cici37
+	// kep: http://kep.k8s.io/2876
+	// alpha: v1.23
+	// beta: v1.25
+	//
+	// Enables expression validation for Custom Resource
+	CustomResourceValidationExpressions featuregate.Feature = "CustomResourceValidationExpressions"
+
+	// owner: @apelisse
+	// alpha: v1.12
+	// beta: v1.13
+	// stable: v1.18
+	//
+	// Allow requests to be processed but not stored, so that
+	// validation, merging, mutation can be tested without
+	// committing.
+	DryRun featuregate.Feature = "DryRun"
+
+	// owner: @wojtek-t
+	// alpha: v1.20
+	// beta: v1.21
+	// GA: v1.24
+	//
+	// Allows for updating watchcache resource version with progress notify events.
+	EfficientWatchResumption featuregate.Feature = "EfficientWatchResumption"
+
+	// owner: @aramase
+	// kep: http://kep.k8s.io/3299
+	// alpha: v1.25
+	//
+	// Enables KMS v2 API for encryption at rest.
+	KMSv2 featuregate.Feature = "KMSv2"
+
 	// owner: @jiahuif
 	// kep: http://kep.k8s.io/2887
 	// alpha: v1.23
@ -157,13 +123,6 @@ const (
 	// in the spec returned from kube-apiserver.
 	OpenAPIEnums featuregate.Feature = "OpenAPIEnums"

-	// owner: @cici37
-	// kep: http://kep.k8s.io/2876
-	// alpha: v1.23
-	//
-	// Enables expression validation for Custom Resource
-	CustomResourceValidationExpressions featuregate.Feature = "CustomResourceValidationExpressions"
-
 	// owner: @jefftree
 	// kep: http://kep.k8s.io/2896
 	// alpha: v1.23
@ -172,12 +131,59 @@ const (
 	// Enables kubernetes to publish OpenAPI v3
 	OpenAPIV3 featuregate.Feature = "OpenAPIV3"

+	// owner: @caesarxuchao
+	// alpha: v1.15
+	// beta: v1.16
+	//
+	// Allow apiservers to show a count of remaining items in the response
+	// to a chunking list request.
+	RemainingItemCount featuregate.Feature = "RemainingItemCount"
+
+	// owner: @wojtek-t
+	// alpha: v1.16
+	// beta: v1.20
+	// GA: v1.24
+	//
+	// Deprecates and removes SelfLink from ObjectMeta and ListMeta.
+	RemoveSelfLink featuregate.Feature = "RemoveSelfLink"
+
+	// owner: @apelisse, @lavalamp
+	// alpha: v1.14
+	// beta: v1.16
+	// stable: v1.22
+	//
+	// Server-side apply. Merging happens on the server.
+	ServerSideApply featuregate.Feature = "ServerSideApply"
+
 	// owner: @kevindelgado
 	// kep: http://kep.k8s.io/2885
 	// alpha: v1.23
+	// beta: v1.24
 	//
 	// Enables server-side field validation.
 	ServerSideFieldValidation featuregate.Feature = "ServerSideFieldValidation"
+
+	// owner: @caesarxuchao @roycaihw
+	// alpha: v1.20
+	//
+	// Enable the storage version API.
+	StorageVersionAPI featuregate.Feature = "StorageVersionAPI"
+
+	// owner: @caesarxuchao
+	// alpha: v1.14
+	// beta: v1.15
+	//
+	// Allow apiservers to expose the storage version hash in the discovery
+	// document.
+	StorageVersionHash featuregate.Feature = "StorageVersionHash"
+
+	// owner: @wojtek-t
+	// alpha: v1.15
+	// beta: v1.16
+	// GA: v1.17
+	//
+	// Enables support for watch bookmark events.
+	WatchBookmark featuregate.Feature = "WatchBookmark"
 )

 func init() {
@ -188,23 +194,41 @@ func init() {
 // To add a new feature, define a key for it above and add it here. The features will be
 // available throughout Kubernetes binaries.
 var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
-	AdvancedAuditing:                    {Default: true, PreRelease: featuregate.GA},
-	APIResponseCompression:              {Default: true, PreRelease: featuregate.Beta},
-	APIListChunking:                     {Default: true, PreRelease: featuregate.Beta},
-	DryRun:                              {Default: true, PreRelease: featuregate.GA},
-	RemainingItemCount:                  {Default: true, PreRelease: featuregate.Beta},
-	ServerSideApply:                     {Default: true, PreRelease: featuregate.GA},
-	StorageVersionHash:                  {Default: true, PreRelease: featuregate.Beta},
-	StorageVersionAPI:                   {Default: false, PreRelease: featuregate.Alpha},
-	WatchBookmark:                       {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	APIPriorityAndFairness:              {Default: true, PreRelease: featuregate.Beta},
-	RemoveSelfLink:                      {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	SelectorIndex:                       {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	EfficientWatchResumption:            {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	APIServerIdentity:                   {Default: false, PreRelease: featuregate.Alpha},
-	APIServerTracing:                    {Default: false, PreRelease: featuregate.Alpha},
-	OpenAPIEnums:                        {Default: true, PreRelease: featuregate.Beta},
-	CustomResourceValidationExpressions: {Default: false, PreRelease: featuregate.Alpha},
-	OpenAPIV3:                           {Default: true, PreRelease: featuregate.Beta},
-	ServerSideFieldValidation:           {Default: false, PreRelease: featuregate.Alpha},
+	APIListChunking: {Default: true, PreRelease: featuregate.Beta},
+
+	APIPriorityAndFairness: {Default: true, PreRelease: featuregate.Beta},
+
+	APIResponseCompression: {Default: true, PreRelease: featuregate.Beta},
+
+	APIServerIdentity: {Default: false, PreRelease: featuregate.Alpha},
+
+	APIServerTracing: {Default: false, PreRelease: featuregate.Alpha},
+
+	AdvancedAuditing: {Default: true, PreRelease: featuregate.GA},
+
+	CustomResourceValidationExpressions: {Default: true, PreRelease: featuregate.Beta},
+
+	DryRun: {Default: true, PreRelease: featuregate.GA},
+
+	EfficientWatchResumption: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
+
+	KMSv2: {Default: false, PreRelease: featuregate.Alpha},
+
+	OpenAPIEnums: {Default: true, PreRelease: featuregate.Beta},
+
+	OpenAPIV3: {Default: true, PreRelease: featuregate.Beta},
+
+	RemainingItemCount: {Default: true, PreRelease: featuregate.Beta},
+
+	RemoveSelfLink: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
+
+	ServerSideApply: {Default: true, PreRelease: featuregate.GA},
+
+	ServerSideFieldValidation: {Default: true, PreRelease: featuregate.Beta},
+
+	StorageVersionAPI: {Default: false, PreRelease: featuregate.Alpha},
+
+	StorageVersionHash: {Default: true, PreRelease: featuregate.Beta},
+
+	WatchBookmark: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 }
--- a/vendor/k8s.io/apiserver/pkg/server/egressselector/egress_selector.go
+++ b/vendor/k8s.io/apiserver/pkg/server/egressselector/egress_selector.go
@ -30,6 +30,7 @@ import (
 	"time"

 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"

 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apiserver/pkg/apis/apiserver"
@ -157,7 +158,11 @@ func (g *grpcProxier) proxy(ctx context.Context, addr string) (net.Conn, error)
 type proxyServerConnector interface {
 	// connect establishes connection to the proxy server, and returns a
 	// proxier based on the connection.
-	connect() (proxier, error)
+	//
+	// The provided Context must be non-nil. The context is used for connecting to the proxy only.
+	// If the context expires before the connection is complete, an error is returned.
+	// Once successfully connected to the proxy, any expiration of the context will not affect the connection.
+	connect(context.Context) (proxier, error)
 }

 type tcpHTTPConnectConnector struct {
@ -165,8 +170,11 @@ type tcpHTTPConnectConnector struct {
 	tlsConfig    *tls.Config
 }

-func (t *tcpHTTPConnectConnector) connect() (proxier, error) {
-	conn, err := tls.Dial("tcp", t.proxyAddress, t.tlsConfig)
+func (t *tcpHTTPConnectConnector) connect(ctx context.Context) (proxier, error) {
+	d := tls.Dialer{
+		Config: t.tlsConfig,
+	}
+	conn, err := d.DialContext(ctx, "tcp", t.proxyAddress)
 	if err != nil {
 		return nil, err
 	}
@ -177,8 +185,9 @@ type udsHTTPConnectConnector struct {
 	udsName string
 }

-func (u *udsHTTPConnectConnector) connect() (proxier, error) {
-	conn, err := net.Dial("unix", u.udsName)
+func (u *udsHTTPConnectConnector) connect(ctx context.Context) (proxier, error) {
+	var d net.Dialer
+	conn, err := d.DialContext(ctx, "unix", u.udsName)
 	if err != nil {
 		return nil, err
 	}
@ -189,18 +198,25 @@ type udsGRPCConnector struct {
 	udsName string
 }

-func (u *udsGRPCConnector) connect() (proxier, error) {
+// connect establishes a connection to a proxy over gRPC.
+// TODO At the moment, it does not use the provided context.
+func (u *udsGRPCConnector) connect(_ context.Context) (proxier, error) {
 	udsName := u.udsName
-	dialOption := grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) {
-		c, err := net.Dial("unix", udsName)
+	dialOption := grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
+		var d net.Dialer
+		c, err := d.DialContext(ctx, "unix", udsName)
 		if err != nil {
 			klog.Errorf("failed to create connection to uds name %s, error: %v", udsName, err)
 		}
 		return c, err
 	})

-	ctx := context.TODO()
-	tunnel, err := client.CreateSingleUseGrpcTunnel(ctx, udsName, dialOption, grpc.WithInsecure())
+	// CreateSingleUseGrpcTunnel() unfortunately couples dial and connection contexts. Because of that,
+	// we cannot use ctx just for dialing and control the connection lifetime separately.
+	// See https://github.com/kubernetes-sigs/apiserver-network-proxy/issues/357.
+	tunnelCtx := context.TODO()
+	tunnel, err := client.CreateSingleUseGrpcTunnel(tunnelCtx, udsName, dialOption,
+		grpc.WithTransportCredentials(insecure.NewCredentials()))
 	if err != nil {
 		return nil, err
 	}
@ -226,7 +242,7 @@ func (d *dialerCreator) createDialer() utilnet.DialFunc {
 		trace := utiltrace.New(fmt.Sprintf("Proxy via %s protocol over %s", d.options.protocol, d.options.transport), utiltrace.Field{Key: "address", Value: addr})
 		defer trace.LogIfLong(500 * time.Millisecond)
 		start := egressmetrics.Metrics.Clock().Now()
-		proxier, err := d.connector.connect()
+		proxier, err := d.connector.connect(ctx)
 		if err != nil {
 			egressmetrics.Metrics.ObserveDialFailure(d.options.protocol, d.options.transport, egressmetrics.StageConnect)
 			return nil, err
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/authentication.go
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/authentication.go
@ -35,7 +35,7 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
-	"k8s.io/component-base/traces"
+	tracing "k8s.io/component-base/tracing"
 )

 // AuthenticationInfoResolverWrapper can be used to inject Dial function to the
@ -47,7 +47,7 @@ func NewDefaultAuthenticationInfoResolverWrapper(
 	proxyTransport *http.Transport,
 	egressSelector *egressselector.EgressSelector,
 	kubeapiserverClientConfig *rest.Config,
-	tp *trace.TracerProvider) AuthenticationInfoResolverWrapper {
+	tp trace.TracerProvider) AuthenticationInfoResolverWrapper {

 	webhookAuthResolverWrapper := func(delegate AuthenticationInfoResolver) AuthenticationInfoResolver {
 		return &AuthenticationInfoResolverDelegator{
@ -60,7 +60,7 @@ func NewDefaultAuthenticationInfoResolverWrapper(
 					return nil, err
 				}
 				if feature.DefaultFeatureGate.Enabled(features.APIServerTracing) {
-					ret.Wrap(traces.WrapperFor(tp))
+					ret.Wrap(tracing.WrapperFor(tp))
 				}

 				if egressSelector != nil {
@ -85,7 +85,7 @@ func NewDefaultAuthenticationInfoResolverWrapper(
 					return nil, err
 				}
 				if feature.DefaultFeatureGate.Enabled(features.APIServerTracing) {
-					ret.Wrap(traces.WrapperFor(tp))
+					ret.Wrap(tracing.WrapperFor(tp))
 				}

 				if egressSelector != nil {
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/serviceresolver.go
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/serviceresolver.go
@ -38,7 +38,8 @@ func NewDefaultServiceResolver() ServiceResolver {
 // note that the name, namespace, and port are required and by default all
 // created addresses use HTTPS scheme.
 // for example:
-//  name=ross namespace=andromeda resolves to https://ross.andromeda.svc:443
+//
+//	name=ross namespace=andromeda resolves to https://ross.andromeda.svc:443
 func (sr defaultServiceResolver) ResolveEndpoint(namespace, name string, port int32) (*url.URL, error) {
 	if len(name) == 0 || len(namespace) == 0 || port == 0 {
 		return nil, errors.New("cannot resolve an empty service name or namespace or port")
--- a/vendor/k8s.io/apiserver/pkg/util/x509metrics/server_cert_deprecations.go
+++ b/vendor/k8s.io/apiserver/pkg/util/x509metrics/server_cert_deprecations.go
@ -75,17 +75,17 @@ func (c *counterRaiser) IncreaseMetricsCounter(req *http.Request) {
 // NewDeprecatedCertificateRoundTripperWrapperConstructor returns a RoundTripper wrapper that's usable within ClientConfig.Wrap.
 //
 // It increases the `missingSAN` counter whenever:
-// 1. we get a x509.HostnameError with string `x509: certificate relies on legacy Common Name field`
-//    which indicates an error caused by the deprecation of Common Name field when veryfing remote
-//    hostname
-// 2. the server certificate in response contains no SAN. This indicates that this binary run
-//    with the GODEBUG=x509ignoreCN=0 in env
+//  1. we get a x509.HostnameError with string `x509: certificate relies on legacy Common Name field`
+//     which indicates an error caused by the deprecation of Common Name field when veryfing remote
+//     hostname
+//  2. the server certificate in response contains no SAN. This indicates that this binary run
+//     with the GODEBUG=x509ignoreCN=0 in env
 //
 // It increases the `sha1` counter whenever:
-// 1. we get a x509.InsecureAlgorithmError with string `SHA1`
-//    which indicates an error caused by an insecure SHA1 signature
-// 2. the server certificate in response contains a SHA1WithRSA or ECDSAWithSHA1 signature.
-//    This indicates that this binary run with the GODEBUG=x509sha1=1 in env
+//  1. we get a x509.InsecureAlgorithmError with string `SHA1`
+//     which indicates an error caused by an insecure SHA1 signature
+//  2. the server certificate in response contains a SHA1WithRSA or ECDSAWithSHA1 signature.
+//     This indicates that this binary run with the GODEBUG=x509sha1=1 in env
 func NewDeprecatedCertificateRoundTripperWrapperConstructor(missingSAN, sha1 *metrics.Counter) func(rt http.RoundTripper) http.RoundTripper {
 	return func(rt http.RoundTripper) http.RoundTripper {
 		return &x509DeprecatedCertificateMetricsRTWrapper{