@@ -1,66 +1,93 @@

-From 9ae5383c8a058587af04bae626082c1d41b0d87f Mon Sep 17 00:00:00 2001

-From: DheerajSShetty <dheerajs@vmware.com>

-Date: Mon, 26 Nov 2018 15:50:22 -0800

-Subject: [PATCH] VKE patch for k8s 1.10.11 (2bf7a01b)

+From 707e516775cae4844ec9671eb2b5e8c8a9f914f3 Mon Sep 17 00:00:00 2001

+From: Emil John <ejohn@vmware.com>

+Date: Fri, 11 Jan 2019 19:55:58 +0530

+Subject: [PATCH] VCP patch for K8s v1.10.12 (4b83a6d)

 ---

- api/swagger-spec/apps_v1alpha1.json                |  21 +

- api/swagger-spec/apps_v1beta1.json                 |  21 +

- api/swagger-spec/apps_v1beta2.json                 |  21 +

- api/swagger-spec/batch_v1.json                     |  21 +

- api/swagger-spec/batch_v1beta1.json                |  21 +

- api/swagger-spec/batch_v2alpha1.json               |  21 +

- api/swagger-spec/extensions_v1beta1.json           |  21 +

- api/swagger-spec/settings.k8s.io_v1alpha1.json     |  21 +

- api/swagger-spec/v1.json                           |  25 +

- cmd/kube-controller-manager/app/BUILD              |   1 +

- cmd/kube-controller-manager/app/plugins.go         |   4 +

- cmd/kubelet/app/BUILD                              |   1 +

- cmd/kubelet/app/plugins.go                         |   2 +

- pkg/apis/core/types.go                             |  14 +

- pkg/apis/core/validation/validation.go             |  25 +

- pkg/apis/extensions/types.go                       |   1 +

- pkg/cloudprovider/providers/BUILD                  |   2 +

- pkg/cloudprovider/providers/cascade/BUILD          |  56 ++

- pkg/cloudprovider/providers/cascade/OWNERS         |   3 +

- pkg/cloudprovider/providers/cascade/apitypes.go    | 230 +++++

- pkg/cloudprovider/providers/cascade/auth.go        | 145 ++++

- pkg/cloudprovider/providers/cascade/cascade.go     | 219 +++++

- .../providers/cascade/cascade_disks.go             | 253 ++++++

- .../providers/cascade/cascade_instances.go         | 125 +++

- .../providers/cascade/cascade_instances_test.go    |  44 +

- .../providers/cascade/cascade_loadbalancer.go      | 295 +++++++

- pkg/cloudprovider/providers/cascade/client.go      | 400 +++++++++

- pkg/cloudprovider/providers/cascade/oidcclient.go  | 297 +++++++

- pkg/cloudprovider/providers/cascade/restclient.go  | 262 ++++++

- pkg/cloudprovider/providers/cascade/tests_owed     |   5 +

- pkg/cloudprovider/providers/cascade/utils.go       |  29 +

- pkg/cloudprovider/providers/providers.go           |   1 +

- pkg/kubeapiserver/authorizer/config.go             |   7 +

- pkg/kubeapiserver/authorizer/modes/modes.go        |   3 +-

- pkg/kubeapiserver/options/plugins.go               |   3 +

- pkg/printers/internalversion/describe.go           |  11 +

- pkg/security/podsecuritypolicy/util/util.go        |   3 +

- pkg/volume/cascade_disk/BUILD                      |  43 +

- pkg/volume/cascade_disk/OWNERS                     |   2 +

- pkg/volume/cascade_disk/attacher.go                | 264 ++++++

- pkg/volume/cascade_disk/azure_disk_util.go         | 135 +++

- pkg/volume/cascade_disk/cascade_disk.go            | 399 +++++++++

- pkg/volume/cascade_disk/cascade_util.go            | 217 +++++

- .../admission/persistentvolume/label/admission.go  |  54 ++

- plugin/pkg/admission/vke/BUILD                     |  61 ++

- plugin/pkg/admission/vke/admission.go              | 628 ++++++++++++++

- plugin/pkg/admission/vke/admission_test.go         | 960 +++++++++++++++++++++

- plugin/pkg/auth/authorizer/vke/BUILD               |  40 +

- plugin/pkg/auth/authorizer/vke/OWNERS              |   2 +

- plugin/pkg/auth/authorizer/vke/vke_authorizer.go   | 123 +++

- .../pkg/auth/authorizer/vke/vke_authorizer_test.go | 230 +++++

- staging/src/k8s.io/api/core/v1/generated.pb.go     | 310 ++++++-

- staging/src/k8s.io/api/core/v1/types.go            |  24 +-

- 53 files changed, 6098 insertions(+), 28 deletions(-)

+ api/swagger-spec/apps_v1alpha1.json           |  21 +

+ api/swagger-spec/apps_v1beta1.json            |  21 +

+ api/swagger-spec/apps_v1beta2.json            |  21 +

+ api/swagger-spec/batch_v1.json                |  21 +

+ api/swagger-spec/batch_v1beta1.json           |  21 +

+ api/swagger-spec/batch_v2alpha1.json          |  21 +

+ api/swagger-spec/extensions_v1beta1.json      |  21 +

+ .../settings.k8s.io_v1alpha1.json             |  21 +

+ api/swagger-spec/v1.json                      |  25 +

+ cmd/kube-controller-manager/app/BUILD         |   1 +

+ cmd/kube-controller-manager/app/plugins.go    |   4 +

+ cmd/kubelet/app/BUILD                         |   1 +

+ cmd/kubelet/app/plugins.go                    |   2 +

+ pkg/apis/core/types.go                        |  14 +

+ pkg/apis/core/validation/validation.go        |  77 +-

+ pkg/apis/extensions/types.go                  |   1 +

+ pkg/cloudprovider/providers/BUILD             |   2 +

+ pkg/cloudprovider/providers/cascade/BUILD     |  56 +

+ pkg/cloudprovider/providers/cascade/OWNERS    |   3 +

+ .../providers/cascade/apitypes.go             | 230 ++++

+ pkg/cloudprovider/providers/cascade/auth.go   | 145 +++

+ .../providers/cascade/cascade.go              | 219 ++++

+ .../providers/cascade/cascade_disks.go        | 253 +++++

+ .../providers/cascade/cascade_instances.go    | 125 +++

+ .../cascade/cascade_instances_test.go         |  44 +

+ .../providers/cascade/cascade_loadbalancer.go | 295 ++++++

+ pkg/cloudprovider/providers/cascade/client.go | 400 +++++++

+ .../providers/cascade/oidcclient.go           | 297 ++++++

+ .../providers/cascade/restclient.go           | 262 +++++

+ .../providers/cascade/tests_owed              |   5 +

+ pkg/cloudprovider/providers/cascade/utils.go  |  29 +

+ pkg/cloudprovider/providers/providers.go      |   1 +

+ pkg/kubeapiserver/authorizer/config.go        |   7 +

+ pkg/kubeapiserver/authorizer/modes/modes.go   |   3 +-

+ pkg/kubeapiserver/options/plugins.go          |   3 +

+ pkg/printers/internalversion/describe.go      |  11 +

+ pkg/security/podsecuritypolicy/util/util.go   |   3 +

+ pkg/volume/cascade_disk/BUILD                 |  43 +

+ pkg/volume/cascade_disk/OWNERS                |   2 +

+ pkg/volume/cascade_disk/attacher.go           | 264 +++++

+ pkg/volume/cascade_disk/azure_disk_util.go    | 135 +++

+ pkg/volume/cascade_disk/cascade_disk.go       | 399 +++++++

+ pkg/volume/cascade_disk/cascade_util.go       | 217 ++++

+ .../persistentvolume/label/admission.go       |  54 +

+ plugin/pkg/admission/vke/BUILD                |  61 ++

+ plugin/pkg/admission/vke/admission.go         | 661 ++++++++++++

+ plugin/pkg/admission/vke/admission_test.go    | 995 ++++++++++++++++++

+ plugin/pkg/auth/authorizer/vke/BUILD          |  40 +

+ plugin/pkg/auth/authorizer/vke/OWNERS         |   2 +

+ .../pkg/auth/authorizer/vke/vke_authorizer.go | 123 +++

+ .../authorizer/vke/vke_authorizer_test.go     | 230 ++++

+ .../src/k8s.io/api/core/v1/generated.pb.go    | 310 +++++-

+ staging/src/k8s.io/api/core/v1/types.go       |  24 +-

+ 53 files changed, 6210 insertions(+), 36 deletions(-)

+ create mode 100644 pkg/cloudprovider/providers/cascade/BUILD

+ create mode 100644 pkg/cloudprovider/providers/cascade/OWNERS

+ create mode 100644 pkg/cloudprovider/providers/cascade/apitypes.go

+ create mode 100644 pkg/cloudprovider/providers/cascade/auth.go

+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade.go

+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_disks.go

+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_instances.go

+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_instances_test.go

+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go

+ create mode 100644 pkg/cloudprovider/providers/cascade/client.go

+ create mode 100644 pkg/cloudprovider/providers/cascade/oidcclient.go

+ create mode 100644 pkg/cloudprovider/providers/cascade/restclient.go

+ create mode 100644 pkg/cloudprovider/providers/cascade/tests_owed

+ create mode 100644 pkg/cloudprovider/providers/cascade/utils.go

+ create mode 100644 pkg/volume/cascade_disk/BUILD

+ create mode 100644 pkg/volume/cascade_disk/OWNERS

+ create mode 100644 pkg/volume/cascade_disk/attacher.go

+ create mode 100644 pkg/volume/cascade_disk/azure_disk_util.go

+ create mode 100644 pkg/volume/cascade_disk/cascade_disk.go

+ create mode 100644 pkg/volume/cascade_disk/cascade_util.go

+ create mode 100644 plugin/pkg/admission/vke/BUILD

+ create mode 100644 plugin/pkg/admission/vke/admission.go

+ create mode 100644 plugin/pkg/admission/vke/admission_test.go

+ create mode 100644 plugin/pkg/auth/authorizer/vke/BUILD

+ create mode 100644 plugin/pkg/auth/authorizer/vke/OWNERS

+ create mode 100644 plugin/pkg/auth/authorizer/vke/vke_authorizer.go

+ create mode 100644 plugin/pkg/auth/authorizer/vke/vke_authorizer_test.go

 diff --git a/api/swagger-spec/apps_v1alpha1.json b/api/swagger-spec/apps_v1alpha1.json

-index 6f54662..0ce6f3f 100644

+index 6f546623de..0ce6f3f2fc 100644

 --- a/api/swagger-spec/apps_v1alpha1.json

 +++ b/api/swagger-spec/apps_v1alpha1.json

 @@ -1459,6 +1459,10 @@

@@ -99,7 +126,7 @@ index 6f54662..0ce6f3f 100644

      "id": "v1.Container",

      "description": "A single application container that you want to run within a pod.",

 diff --git a/api/swagger-spec/apps_v1beta1.json b/api/swagger-spec/apps_v1beta1.json

-index f2aa27c..0780075 100644

+index f2aa27c64d..0780075c2a 100644

 --- a/api/swagger-spec/apps_v1beta1.json

 +++ b/api/swagger-spec/apps_v1beta1.json

 @@ -4483,6 +4483,10 @@

@@ -138,7 +165,7 @@ index f2aa27c..0780075 100644

      "id": "v1.ProjectedVolumeSource",

      "description": "Represents a projected volume source",

 diff --git a/api/swagger-spec/apps_v1beta2.json b/api/swagger-spec/apps_v1beta2.json

-index 7d92e2b..c050ee8 100644

+index 7d92e2bf52..c050ee8473 100644

 --- a/api/swagger-spec/apps_v1beta2.json

 +++ b/api/swagger-spec/apps_v1beta2.json

 @@ -6849,6 +6849,10 @@

@@ -177,7 +204,7 @@ index 7d92e2b..c050ee8 100644

      "id": "v1.ProjectedVolumeSource",

      "description": "Represents a projected volume source",

 diff --git a/api/swagger-spec/batch_v1.json b/api/swagger-spec/batch_v1.json

-index e57104a..c3aa722 100644

+index e57104a996..c3aa722033 100644

 --- a/api/swagger-spec/batch_v1.json

 +++ b/api/swagger-spec/batch_v1.json

 @@ -1823,6 +1823,10 @@

@@ -216,7 +243,7 @@ index e57104a..c3aa722 100644

      "id": "v1.ProjectedVolumeSource",

      "description": "Represents a projected volume source",

 diff --git a/api/swagger-spec/batch_v1beta1.json b/api/swagger-spec/batch_v1beta1.json

-index 67b49f7..11f30a5 100644

+index 67b49f7b46..11f30a5aa4 100644

 --- a/api/swagger-spec/batch_v1beta1.json

 +++ b/api/swagger-spec/batch_v1beta1.json

 @@ -1878,6 +1878,10 @@

@@ -255,7 +282,7 @@ index 67b49f7..11f30a5 100644

      "id": "v1.ProjectedVolumeSource",

      "description": "Represents a projected volume source",

 diff --git a/api/swagger-spec/batch_v2alpha1.json b/api/swagger-spec/batch_v2alpha1.json

-index 8616a87..2e1a8f7 100644

+index 8616a875c1..2e1a8f7782 100644

 --- a/api/swagger-spec/batch_v2alpha1.json

 +++ b/api/swagger-spec/batch_v2alpha1.json

 @@ -1893,6 +1893,10 @@

@@ -294,7 +321,7 @@ index 8616a87..2e1a8f7 100644

      "id": "v1.Container",

      "description": "A single application container that you want to run within a pod.",

 diff --git a/api/swagger-spec/extensions_v1beta1.json b/api/swagger-spec/extensions_v1beta1.json

-index 76e3253..b79ca7a 100644

+index 76e32530dc..b79ca7acb4 100644

 --- a/api/swagger-spec/extensions_v1beta1.json

 +++ b/api/swagger-spec/extensions_v1beta1.json

 @@ -7506,6 +7506,10 @@

@@ -333,7 +360,7 @@ index 76e3253..b79ca7a 100644

      "id": "v1.ProjectedVolumeSource",

      "description": "Represents a projected volume source",

 diff --git a/api/swagger-spec/settings.k8s.io_v1alpha1.json b/api/swagger-spec/settings.k8s.io_v1alpha1.json

-index fa66976..5108c61 100644

+index fa66976a67..5108c61ab4 100644

 --- a/api/swagger-spec/settings.k8s.io_v1alpha1.json

 +++ b/api/swagger-spec/settings.k8s.io_v1alpha1.json

 @@ -1676,6 +1676,10 @@

@@ -372,7 +399,7 @@ index fa66976..5108c61 100644

      "id": "v1.ProjectedVolumeSource",

      "description": "Represents a projected volume source",

 diff --git a/api/swagger-spec/v1.json b/api/swagger-spec/v1.json

-index d3b6ea7..662614f 100644

+index d3b6ea7daf..662614f97c 100644

 --- a/api/swagger-spec/v1.json

 +++ b/api/swagger-spec/v1.json

 @@ -19310,6 +19310,10 @@

@@ -422,7 +449,7 @@ index d3b6ea7..662614f 100644

      }

     },

 diff --git a/cmd/kube-controller-manager/app/BUILD b/cmd/kube-controller-manager/app/BUILD

-index a3f98b1..3410214 100644

+index b5af7c5626..08c34f6138 100644

 --- a/cmd/kube-controller-manager/app/BUILD

 +++ b/cmd/kube-controller-manager/app/BUILD

 @@ -88,6 +88,7 @@ go_library(

@@ -434,7 +461,7 @@ index a3f98b1..3410214 100644

          "//pkg/volume/csi:go_default_library",

          "//pkg/volume/fc:go_default_library",

 diff --git a/cmd/kube-controller-manager/app/plugins.go b/cmd/kube-controller-manager/app/plugins.go

-index 42034d5..e729785 100644

+index 42034d5c6d..e729785006 100644

 --- a/cmd/kube-controller-manager/app/plugins.go

 +++ b/cmd/kube-controller-manager/app/plugins.go

 @@ -34,6 +34,7 @@ import (

@@ -470,7 +497,7 @@ index 42034d5..e729785 100644

  	return allPlugins

  }

 diff --git a/cmd/kubelet/app/BUILD b/cmd/kubelet/app/BUILD

-index cbfb90f..6264d0c 100644

+index cbfb90ff13..6264d0ce53 100644

 --- a/cmd/kubelet/app/BUILD

 +++ b/cmd/kubelet/app/BUILD

 @@ -117,6 +117,7 @@ go_library(

@@ -482,7 +509,7 @@ index cbfb90f..6264d0c 100644

          "//pkg/volume/cinder:go_default_library",

          "//pkg/volume/configmap:go_default_library",

 diff --git a/cmd/kubelet/app/plugins.go b/cmd/kubelet/app/plugins.go

-index ef41bb8..c9806f7 100644

+index ef41bb8e90..c9806f7f75 100644

 --- a/cmd/kubelet/app/plugins.go

 +++ b/cmd/kubelet/app/plugins.go

 @@ -32,6 +32,7 @@ import (

@@ -502,7 +529,7 @@ index ef41bb8..c9806f7 100644

  		allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)

  	}

 diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go

-index 7f37e3d..fc792ee 100644

+index 7f37e3d989..fc792ee119 100644

 --- a/pkg/apis/core/types.go

 +++ b/pkg/apis/core/types.go

 @@ -316,6 +316,8 @@ type VolumeSource struct {

@@ -541,7 +568,7 @@ index 7f37e3d..fc792ee 100644

  //

  // The contents of the target ConfigMap's Data field will be presented in a

 diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go

-index 8d12dad..8bd89c6 100644

+index f7bc992d0d..8bd89c67e0 100644

 --- a/pkg/apis/core/validation/validation.go

 +++ b/pkg/apis/core/validation/validation.go

 @@ -664,6 +664,14 @@ func validateVolumeSource(source *core.VolumeSource, fldPath *field.Path, volNam

@@ -590,8 +617,107 @@ index 8d12dad..8bd89c6 100644

  	if numVolumes == 0 {

  		allErrs = append(allErrs, field.Required(specPath, "must specify a volume type"))

  	}

+@@ -4764,16 +4789,50 @@ func ValidateNamespaceFinalizeUpdate(newNamespace, oldNamespace *core.Namespace)

+ 	return allErrs

+ }

+ 

++// Construct lookup map of old subset IPs to NodeNames.

++func updateEpAddrToNodeNameMap(ipToNodeName map[string]string, addresses []core.EndpointAddress) {

++	for n := range addresses {

++		if addresses[n].NodeName == nil {

++			continue

++		}

++		ipToNodeName[addresses[n].IP] = *addresses[n].NodeName

++	}

++}

++

++// Build a map across all subsets of IP -> NodeName

++func buildEndpointAddressNodeNameMap(subsets []core.EndpointSubset) map[string]string {

++	ipToNodeName := make(map[string]string)

++	for i := range subsets {

++		updateEpAddrToNodeNameMap(ipToNodeName, subsets[i].Addresses)

++		updateEpAddrToNodeNameMap(ipToNodeName, subsets[i].NotReadyAddresses)

++	}

++	return ipToNodeName

++}

++

++func validateEpAddrNodeNameTransition(addr *core.EndpointAddress, ipToNodeName map[string]string, fldPath *field.Path) field.ErrorList {

++	errList := field.ErrorList{}

++	existingNodeName, found := ipToNodeName[addr.IP]

++	if !found {

++		return errList

++	}

++	if addr.NodeName == nil || *addr.NodeName == existingNodeName {

++		return errList

++	}

++	// NodeName entry found for this endpoint IP, but user is attempting to change NodeName

++	return append(errList, field.Forbidden(fldPath, fmt.Sprintf("Cannot change NodeName for %s to %s", addr.IP, *addr.NodeName)))

++}

++

+ // ValidateEndpoints tests if required fields are set.

+ func ValidateEndpoints(endpoints *core.Endpoints) field.ErrorList {

+ 	allErrs := ValidateObjectMeta(&endpoints.ObjectMeta, true, ValidateEndpointsName, field.NewPath("metadata"))

+ 	allErrs = append(allErrs, ValidateEndpointsSpecificAnnotations(endpoints.Annotations, field.NewPath("annotations"))...)

+-	allErrs = append(allErrs, validateEndpointSubsets(endpoints.Subsets, field.NewPath("subsets"))...)

++	allErrs = append(allErrs, validateEndpointSubsets(endpoints.Subsets, []core.EndpointSubset{}, field.NewPath("subsets"))...)

+ 	return allErrs

+ }

+ 

+-func validateEndpointSubsets(subsets []core.EndpointSubset, fldPath *field.Path) field.ErrorList {

++func validateEndpointSubsets(subsets []core.EndpointSubset, oldSubsets []core.EndpointSubset, fldPath *field.Path) field.ErrorList {

+ 	allErrs := field.ErrorList{}

++	ipToNodeName := buildEndpointAddressNodeNameMap(oldSubsets)

+ 	for i := range subsets {

+ 		ss := &subsets[i]

+ 		idxPath := fldPath.Index(i)

+@@ -4784,10 +4843,10 @@ func validateEndpointSubsets(subsets []core.EndpointSubset, fldPath *field.Path)

+ 			allErrs = append(allErrs, field.Required(idxPath, "must specify `addresses` or `notReadyAddresses`"))

+ 		}

+ 		for addr := range ss.Addresses {

+-			allErrs = append(allErrs, validateEndpointAddress(&ss.Addresses[addr], idxPath.Child("addresses").Index(addr))...)

++			allErrs = append(allErrs, validateEndpointAddress(&ss.Addresses[addr], idxPath.Child("addresses").Index(addr), ipToNodeName)...)

+ 		}

+ 		for addr := range ss.NotReadyAddresses {

+-			allErrs = append(allErrs, validateEndpointAddress(&ss.NotReadyAddresses[addr], idxPath.Child("notReadyAddresses").Index(addr))...)

++			allErrs = append(allErrs, validateEndpointAddress(&ss.NotReadyAddresses[addr], idxPath.Child("notReadyAddresses").Index(addr), ipToNodeName)...)

+ 		}

+ 		for port := range ss.Ports {

+ 			allErrs = append(allErrs, validateEndpointPort(&ss.Ports[port], len(ss.Ports) > 1, idxPath.Child("ports").Index(port))...)

+@@ -4797,7 +4856,7 @@ func validateEndpointSubsets(subsets []core.EndpointSubset, fldPath *field.Path)

+ 	return allErrs

+ }

+ 

+-func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path) field.ErrorList {

++func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path, ipToNodeName map[string]string) field.ErrorList {

+ 	allErrs := field.ErrorList{}

+ 	for _, msg := range validation.IsValidIP(address.IP) {

+ 		allErrs = append(allErrs, field.Invalid(fldPath.Child("ip"), address.IP, msg))

+@@ -4811,6 +4870,10 @@ func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path)

+ 			allErrs = append(allErrs, field.Invalid(fldPath.Child("nodeName"), *address.NodeName, msg))

+ 		}

+ 	}

++	allErrs = append(allErrs, validateEpAddrNodeNameTransition(address, ipToNodeName, fldPath.Child("nodeName"))...)

++	if len(allErrs) > 0 {

++		return allErrs

++	}

+ 	allErrs = append(allErrs, validateNonSpecialIP(address.IP, fldPath.Child("ip"))...)

+ 	return allErrs

+ }

+@@ -4860,11 +4923,9 @@ func validateEndpointPort(port *core.EndpointPort, requireName bool, fldPath *fi

+ }

+ 

+ // ValidateEndpointsUpdate tests to make sure an endpoints update can be applied.

+-// NodeName changes are allowed during update to accommodate the case where nodeIP or PodCIDR is reused.

+-// An existing endpoint ip will have a different nodeName if this happens.

+ func ValidateEndpointsUpdate(newEndpoints, oldEndpoints *core.Endpoints) field.ErrorList {

+ 	allErrs := ValidateObjectMetaUpdate(&newEndpoints.ObjectMeta, &oldEndpoints.ObjectMeta, field.NewPath("metadata"))

+-	allErrs = append(allErrs, validateEndpointSubsets(newEndpoints.Subsets, field.NewPath("subsets"))...)

++	allErrs = append(allErrs, validateEndpointSubsets(newEndpoints.Subsets, oldEndpoints.Subsets, field.NewPath("subsets"))...)

+ 	allErrs = append(allErrs, ValidateEndpointsSpecificAnnotations(newEndpoints.Annotations, field.NewPath("annotations"))...)

+ 	return allErrs

+ }

 diff --git a/pkg/apis/extensions/types.go b/pkg/apis/extensions/types.go

-index e369728..a5406ab 100644

+index e36972846b..a5406ab60a 100644

 --- a/pkg/apis/extensions/types.go

 +++ b/pkg/apis/extensions/types.go

 @@ -925,6 +925,7 @@ var (

@@ -603,7 +729,7 @@ index e369728..a5406ab 100644

  )

 diff --git a/pkg/cloudprovider/providers/BUILD b/pkg/cloudprovider/providers/BUILD

-index aeccfa1..4313576 100644

+index aeccfa1e5b..4313576203 100644

 --- a/pkg/cloudprovider/providers/BUILD

 +++ b/pkg/cloudprovider/providers/BUILD

 @@ -12,6 +12,7 @@ go_library(

@@ -624,7 +750,7 @@ index aeccfa1..4313576 100644

          "//pkg/cloudprovider/providers/gce:all-srcs",

 diff --git a/pkg/cloudprovider/providers/cascade/BUILD b/pkg/cloudprovider/providers/cascade/BUILD

 new file mode 100644

-index 0000000..4089166

+index 0000000000..4089166732

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/BUILD

 @@ -0,0 +1,56 @@

@@ -686,7 +812,7 @@ index 0000000..4089166

 +)

 diff --git a/pkg/cloudprovider/providers/cascade/OWNERS b/pkg/cloudprovider/providers/cascade/OWNERS

 new file mode 100644

-index 0000000..70efc9d

+index 0000000000..70efc9dc1c

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/OWNERS

 @@ -0,0 +1,3 @@

@@ -695,7 +821,7 @@ index 0000000..70efc9d

 +- ysheng

 diff --git a/pkg/cloudprovider/providers/cascade/apitypes.go b/pkg/cloudprovider/providers/cascade/apitypes.go

 new file mode 100644

-index 0000000..d437394

+index 0000000000..d437394462

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/apitypes.go

 @@ -0,0 +1,230 @@

@@ -931,7 +1057,7 @@ index 0000000..d437394

 +}

 diff --git a/pkg/cloudprovider/providers/cascade/auth.go b/pkg/cloudprovider/providers/cascade/auth.go

 new file mode 100644

-index 0000000..fc92377

+index 0000000000..fc9237767f

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/auth.go

 @@ -0,0 +1,145 @@

@@ -1083,7 +1209,7 @@ index 0000000..fc92377

 \ No newline at end of file

 diff --git a/pkg/cloudprovider/providers/cascade/cascade.go b/pkg/cloudprovider/providers/cascade/cascade.go

 new file mode 100644

-index 0000000..b9fafb9

+index 0000000000..b9fafb92e1

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/cascade.go

 @@ -0,0 +1,219 @@

@@ -1308,7 +1434,7 @@ index 0000000..b9fafb9

 +}

 diff --git a/pkg/cloudprovider/providers/cascade/cascade_disks.go b/pkg/cloudprovider/providers/cascade/cascade_disks.go

 new file mode 100644

-index 0000000..e889a28

+index 0000000000..e889a28951

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/cascade_disks.go

 @@ -0,0 +1,253 @@

@@ -1567,7 +1693,7 @@ index 0000000..e889a28

 +}

 diff --git a/pkg/cloudprovider/providers/cascade/cascade_instances.go b/pkg/cloudprovider/providers/cascade/cascade_instances.go

 new file mode 100644

-index 0000000..957378b

+index 0000000000..957378bf0a

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/cascade_instances.go

 @@ -0,0 +1,125 @@

@@ -1698,7 +1824,7 @@ index 0000000..957378b

 +}

 diff --git a/pkg/cloudprovider/providers/cascade/cascade_instances_test.go b/pkg/cloudprovider/providers/cascade/cascade_instances_test.go

 new file mode 100644

-index 0000000..8fb314d

+index 0000000000..8fb314def1

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/cascade_instances_test.go

 @@ -0,0 +1,44 @@

@@ -1748,7 +1874,7 @@ index 0000000..8fb314d

 +}

 diff --git a/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go b/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go

 new file mode 100644

-index 0000000..c2a62c2

+index 0000000000..c2a62c2ff7

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go

 @@ -0,0 +1,295 @@

@@ -2049,7 +2175,7 @@ index 0000000..c2a62c2

 +}

 diff --git a/pkg/cloudprovider/providers/cascade/client.go b/pkg/cloudprovider/providers/cascade/client.go

 new file mode 100644

-index 0000000..400e377

+index 0000000000..400e3777d0

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/client.go

 @@ -0,0 +1,400 @@

@@ -2455,7 +2581,7 @@ index 0000000..400e377

 +}

 diff --git a/pkg/cloudprovider/providers/cascade/oidcclient.go b/pkg/cloudprovider/providers/cascade/oidcclient.go

 new file mode 100644

-index 0000000..6a71cc1

+index 0000000000..6a71cc184f

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/oidcclient.go

 @@ -0,0 +1,297 @@

@@ -2758,7 +2884,7 @@ index 0000000..6a71cc1

 +}

 diff --git a/pkg/cloudprovider/providers/cascade/restclient.go b/pkg/cloudprovider/providers/cascade/restclient.go

 new file mode 100644

-index 0000000..71d8d1c

+index 0000000000..71d8d1c164

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/restclient.go

 @@ -0,0 +1,262 @@

@@ -3026,7 +3152,7 @@ index 0000000..71d8d1c

 +}

 diff --git a/pkg/cloudprovider/providers/cascade/tests_owed b/pkg/cloudprovider/providers/cascade/tests_owed

 new file mode 100644

-index 0000000..dff5ab1

+index 0000000000..dff5ab1dcd

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/tests_owed

 @@ -0,0 +1,5 @@

@@ -3037,7 +3163,7 @@ index 0000000..dff5ab1

 +

 diff --git a/pkg/cloudprovider/providers/cascade/utils.go b/pkg/cloudprovider/providers/cascade/utils.go

 new file mode 100644

-index 0000000..8ecde98

+index 0000000000..8ecde989c5

 --- /dev/null

 +++ b/pkg/cloudprovider/providers/cascade/utils.go

 @@ -0,0 +1,29 @@

@@ -3072,7 +3198,7 @@ index 0000000..8ecde98

 +}

 \ No newline at end of file

 diff --git a/pkg/cloudprovider/providers/providers.go b/pkg/cloudprovider/providers/providers.go

-index 7de9ca9..6d8a1d2 100644

+index 7de9ca9a41..6d8a1d2226 100644

 --- a/pkg/cloudprovider/providers/providers.go

 +++ b/pkg/cloudprovider/providers/providers.go

 @@ -20,6 +20,7 @@ import (

@@ -3084,7 +3210,7 @@ index 7de9ca9..6d8a1d2 100644

  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/gce"

  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/openstack"

 diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go

-index 30661bc..4743432 100644

+index 30661bc14f..4743432d4f 100644

 --- a/pkg/kubeapiserver/authorizer/config.go

 +++ b/pkg/kubeapiserver/authorizer/config.go

 @@ -33,6 +33,7 @@ import (

@@ -3109,7 +3235,7 @@ index 30661bc..4743432 100644

  			alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer()

  			authorizers = append(authorizers, alwaysAllowAuthorizer)

 diff --git a/pkg/kubeapiserver/authorizer/modes/modes.go b/pkg/kubeapiserver/authorizer/modes/modes.go

-index 54d0a62..73a763f 100644

+index 54d0a62770..73a763ff14 100644

 --- a/pkg/kubeapiserver/authorizer/modes/modes.go

 +++ b/pkg/kubeapiserver/authorizer/modes/modes.go

 @@ -25,9 +25,10 @@ const (

@@ -3125,7 +3251,7 @@ index 54d0a62..73a763f 100644

  // IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver

  func IsValidAuthorizationMode(authzMode string) bool {

 diff --git a/pkg/kubeapiserver/options/plugins.go b/pkg/kubeapiserver/options/plugins.go

-index 75095b2..0914847 100644

+index 75095b20d1..0914847d7a 100644

 --- a/pkg/kubeapiserver/options/plugins.go

 +++ b/pkg/kubeapiserver/options/plugins.go

 @@ -58,6 +58,7 @@ import (

@@ -3153,7 +3279,7 @@ index 75095b2..0914847 100644

  // DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.

 diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go

-index 318148d..bd26dc6 100644

+index 318148dfa1..bd26dc6179 100644

 --- a/pkg/printers/internalversion/describe.go

 +++ b/pkg/printers/internalversion/describe.go

 @@ -754,6 +754,8 @@ func describeVolumes(volumes []api.Volume, w PrefixWriter, space string) {

@@ -3189,7 +3315,7 @@ index 318148d..bd26dc6 100644

  			w.Write(LEVEL_1, "<unknown>\n")

  		}

 diff --git a/pkg/security/podsecuritypolicy/util/util.go b/pkg/security/podsecuritypolicy/util/util.go

-index d581f50..bfd21b1 100644

+index d581f5012a..bfd21b19a2 100644

 --- a/pkg/security/podsecuritypolicy/util/util.go

 +++ b/pkg/security/podsecuritypolicy/util/util.go

 @@ -68,6 +68,7 @@ func GetAllFSTypesAsSet() sets.String {

@@ -3211,7 +3337,7 @@ index d581f50..bfd21b1 100644

  	return "", fmt.Errorf("unknown volume type for volume: %#v", v)

 diff --git a/pkg/volume/cascade_disk/BUILD b/pkg/volume/cascade_disk/BUILD

 new file mode 100644

-index 0000000..3386612

+index 0000000000..3386612450

 --- /dev/null

 +++ b/pkg/volume/cascade_disk/BUILD

 @@ -0,0 +1,43 @@

@@ -3260,7 +3386,7 @@ index 0000000..3386612

 +)

 diff --git a/pkg/volume/cascade_disk/OWNERS b/pkg/volume/cascade_disk/OWNERS

 new file mode 100644

-index 0000000..c3a4ed7

+index 0000000000..c3a4ed77dc

 --- /dev/null

 +++ b/pkg/volume/cascade_disk/OWNERS

 @@ -0,0 +1,2 @@

@@ -3268,7 +3394,7 @@ index 0000000..c3a4ed7

 +- ashokc

 diff --git a/pkg/volume/cascade_disk/attacher.go b/pkg/volume/cascade_disk/attacher.go

 new file mode 100644

-index 0000000..c19c37c

+index 0000000000..c19c37c965

 --- /dev/null

 +++ b/pkg/volume/cascade_disk/attacher.go

 @@ -0,0 +1,264 @@

@@ -3538,7 +3664,7 @@ index 0000000..c19c37c

 +}

 diff --git a/pkg/volume/cascade_disk/azure_disk_util.go b/pkg/volume/cascade_disk/azure_disk_util.go

 new file mode 100644

-index 0000000..7f9812f

+index 0000000000..7f9812f767

 --- /dev/null

 +++ b/pkg/volume/cascade_disk/azure_disk_util.go

 @@ -0,0 +1,135 @@

@@ -3679,7 +3805,7 @@ index 0000000..7f9812f

 +}

 diff --git a/pkg/volume/cascade_disk/cascade_disk.go b/pkg/volume/cascade_disk/cascade_disk.go

 new file mode 100644

-index 0000000..d07e83b

+index 0000000000..d07e83b3d3

 --- /dev/null

 +++ b/pkg/volume/cascade_disk/cascade_disk.go

 @@ -0,0 +1,399 @@

@@ -4084,7 +4210,7 @@ index 0000000..d07e83b

 +}

 diff --git a/pkg/volume/cascade_disk/cascade_util.go b/pkg/volume/cascade_disk/cascade_util.go

 new file mode 100644

-index 0000000..5ad0bc9

+index 0000000000..5ad0bc9316

 --- /dev/null

 +++ b/pkg/volume/cascade_disk/cascade_util.go

 @@ -0,0 +1,217 @@

@@ -4306,7 +4432,7 @@ index 0000000..5ad0bc9

 +	return "", err

 +}

 diff --git a/plugin/pkg/admission/persistentvolume/label/admission.go b/plugin/pkg/admission/persistentvolume/label/admission.go

-index 819adae..3d55589 100644

+index 819adae192..3d55589c89 100644

 --- a/plugin/pkg/admission/persistentvolume/label/admission.go

 +++ b/plugin/pkg/admission/persistentvolume/label/admission.go

 @@ -27,6 +27,7 @@ import (

@@ -4390,7 +4516,7 @@ index 819adae..3d55589 100644

 +}

 diff --git a/plugin/pkg/admission/vke/BUILD b/plugin/pkg/admission/vke/BUILD

 new file mode 100644

-index 0000000..97c0856

+index 0000000000..97c0856d39

 --- /dev/null

 +++ b/plugin/pkg/admission/vke/BUILD

 @@ -0,0 +1,61 @@

@@ -4458,10 +4584,10 @@ index 0000000..97c0856

 \ No newline at end of file

 diff --git a/plugin/pkg/admission/vke/admission.go b/plugin/pkg/admission/vke/admission.go

 new file mode 100644

-index 0000000..5434f7d

+index 0000000000..a3ac097295

 --- /dev/null

 +++ b/plugin/pkg/admission/vke/admission.go

-@@ -0,0 +1,628 @@

+@@ -0,0 +1,661 @@

 +package vke

 +

 +import (

@@ -4515,6 +4641,7 @@ index 0000000..5434f7d

 +	strategyFactory podsecuritypolicy.StrategyFactory

 +	privilegedGroup string

 +	clusterID       string

++	privilegedMode  bool

 +}

 +

 +// vmwareAdmissionControllerConfig holds config data for VMwareAdmissionController.

@@ -4579,6 +4706,8 @@ index 0000000..5434f7d

 +		err = validateClusterRoles(a)

 +	case rbac.Resource("clusterrolebindings"):

 +		err = validateClusterRoleBindings(a)

++	case api.Resource("persistentvolumes"):

++		err = validatePersistentVolumes(vac, a)

 +	}

 +

 +	return err

@@ -4606,9 +4735,11 @@ index 0000000..5434f7d

 +	}

 +

 +	// Load PSP from file. If it fails, use default.

++	privilegedMode := true

 +	psp := getPSPFromFile(config.VMwareAdmissionController.PodSecurityPolicyFile)

 +	if psp == nil {

 +		psp = getDefaultPSP()

++		privilegedMode = false

 +	}

 +

 +	return &vmwareAdmissionController{

@@ -4616,6 +4747,7 @@ index 0000000..5434f7d

 +		strategyFactory: podsecuritypolicy.NewSimpleStrategyFactory(),

 +		privilegedGroup: config.VMwareAdmissionController.PrivilegedGroup,

 +		clusterID:       config.VMwareAdmissionController.ClusterID,

++		privilegedMode:  privilegedMode,

 +	}, nil

 +}

 +

@@ -4923,6 +5055,33 @@ index 0000000..5434f7d

 +	return checkReservedPrefix(clusterRoleBinding.Name, a)

 +}

 +

++func validatePersistentVolumes(vac *vmwareAdmissionController, a admission.Attributes) error {

++	// If the operation is not a Create operation, we allow. This is because Create is the only operation which can be

++	// used to create a new PV of type hostPath to get access to the host file system. All the other operations

++	// including Update cannot be used to gain access to host file system.

++	if a.GetOperation() != admission.Create {

++		return nil

++	}

++

++	pv, ok := a.GetObject().(*api.PersistentVolume)

++	// If we cannot get the PV object, fail.

++	if !ok {

++		return admission.NewForbidden(a,

++			fmt.Errorf("%s validation failed: unexpected type %T", PluginName, a.GetObject()))

++	}

++

++	// If we are running in non-privileged mode, then fail if the PV is of type hostPath. We want to do this to prevent

++	// access to host file system on a non-privileged cluster.

++	if !vac.privilegedMode {

++		if pv.Spec.HostPath != nil {

++			return admission.NewForbidden(a,

++				fmt.Errorf("%s validation failed: cannot create a PersistentVolume of type hostPath", PluginName))

++		}

++	}

++

++	return nil

++}

++

 +func validatePods(vac *vmwareAdmissionController, a admission.Attributes) error {

 +	// If the request is acting on a sub resource of a pod then allow it. This request is not directly coming to a pod,

 +	// but to a sub-resource like pods/foo/status. So, this does not have to be blocked.

@@ -5092,10 +5251,10 @@ index 0000000..5434f7d

 +}

 diff --git a/plugin/pkg/admission/vke/admission_test.go b/plugin/pkg/admission/vke/admission_test.go

 new file mode 100644

-index 0000000..689a22d

+index 0000000000..1842253290

 --- /dev/null

 +++ b/plugin/pkg/admission/vke/admission_test.go

-@@ -0,0 +1,960 @@

+@@ -0,0 +1,995 @@

 +package vke

 +

 +import (

@@ -5788,6 +5947,23 @@ index 0000000..689a22d

 +			userInfo:           newTestUserBuilder().withGroup(systemWorkerGroup).build(),

 +			shouldPassValidate: false,

 +		},

++		"denied: regular lightwave user creates a PV of type hostPath": {

++			operation:          kadmission.Create,

++			resource:           "persistentvolumes",

++			namespace:          "",

++			name:               "test-pv",

++			object:             getHostPathPV(),

++			userInfo:           newTestUserBuilder().build(),

++			shouldPassValidate: false,

++		},

++		"allowed: regular lightwave user deletes a PV": {

++			operation:          kadmission.Delete,

++			resource:           "persistentvolumes",

++			namespace:          "",

++			name:               "test-pv",

++			userInfo:           newTestUserBuilder().build(),

++			shouldPassValidate: true,

++		},

 +	}

 +	for k, v := range tests {

 +		testResourceValidation(k, v.operation, v.resource, v.subresource, v.name, v.namespace, v.userInfo, v.object,

@@ -6056,9 +6232,27 @@ index 0000000..689a22d

 +	n.node.Spec.Taints = taints

 +	return n

 +}

++

++func getHostPathPV() *kapi.PersistentVolume {

++	return &kapi.PersistentVolume{

++		ObjectMeta: metav1.ObjectMeta{

++			Name:        "test-pv",

++			Namespace:   "",

++			Annotations: nil,

++		},

++		Spec: kapi.PersistentVolumeSpec{

++			StorageClassName: "manual",

++			PersistentVolumeSource: kapi.PersistentVolumeSource{

++				HostPath: &kapi.HostPathVolumeSource{

++					Path: "/",

++				},

++			},

++		},

++	}

++}

 diff --git a/plugin/pkg/auth/authorizer/vke/BUILD b/plugin/pkg/auth/authorizer/vke/BUILD

 new file mode 100644

-index 0000000..4b984f1

+index 0000000000..4b984f14ec

 --- /dev/null

 +++ b/plugin/pkg/auth/authorizer/vke/BUILD

 @@ -0,0 +1,40 @@

@@ -6104,7 +6298,7 @@ index 0000000..4b984f1

 +)

 diff --git a/plugin/pkg/auth/authorizer/vke/OWNERS b/plugin/pkg/auth/authorizer/vke/OWNERS

 new file mode 100644

-index 0000000..c3a4ed7

+index 0000000000..c3a4ed77dc

 --- /dev/null

 +++ b/plugin/pkg/auth/authorizer/vke/OWNERS

 @@ -0,0 +1,2 @@

@@ -6112,7 +6306,7 @@ index 0000000..c3a4ed7

 +- ashokc

 diff --git a/plugin/pkg/auth/authorizer/vke/vke_authorizer.go b/plugin/pkg/auth/authorizer/vke/vke_authorizer.go

 new file mode 100644

-index 0000000..5f3103b

+index 0000000000..5f3103b0af

 --- /dev/null

 +++ b/plugin/pkg/auth/authorizer/vke/vke_authorizer.go

 @@ -0,0 +1,123 @@

@@ -6241,7 +6435,7 @@ index 0000000..5f3103b

 +}

 diff --git a/plugin/pkg/auth/authorizer/vke/vke_authorizer_test.go b/plugin/pkg/auth/authorizer/vke/vke_authorizer_test.go

 new file mode 100644

-index 0000000..6aba9ec

+index 0000000000..6aba9ecec9

 --- /dev/null

 +++ b/plugin/pkg/auth/authorizer/vke/vke_authorizer_test.go

 @@ -0,0 +1,230 @@

@@ -6476,7 +6670,7 @@ index 0000000..6aba9ec

 +	}

 +}

 diff --git a/staging/src/k8s.io/api/core/v1/generated.pb.go b/staging/src/k8s.io/api/core/v1/generated.pb.go

-index 85c7b63..b97b2f1 100644

+index 85c7b634b3..b97b2f1b5e 100644

 --- a/staging/src/k8s.io/api/core/v1/generated.pb.go

 +++ b/staging/src/k8s.io/api/core/v1/generated.pb.go

 @@ -35,6 +35,7 @@ limitations under the License.

@@ -6979,7 +7173,7 @@ index 85c7b63..b97b2f1 100644

  			iNdEx = preIndex

  			skippy, err := skipGenerated(dAtA[iNdEx:])

 diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go

-index 36f4567..7b280cd 100644

+index 36f456702e..7b280cd460 100644

 --- a/staging/src/k8s.io/api/core/v1/types.go

 +++ b/staging/src/k8s.io/api/core/v1/types.go

 @@ -333,9 +333,9 @@ type VolumeSource struct {

@@ -7044,5 +7238,5 @@ index 36f4567..7b280cd 100644

  //

  // The contents of the target ConfigMap's Data field will be presented in a

 -- 

-2.7.4

+2.19.1

@@ -1,11 +1,11 @@

 Summary:        Kubernetes cluster management

 Name:           kubernetes

-Version:        1.10.11

+Version:        1.10.12

 Release:        1%{?dist}

 License:        ASL 2.0

 URL:            https://github.com/kubernetes/kubernetes/archive/v%{version}.tar.gz

 Source0:        kubernetes-%{version}.tar.gz

-%define sha1    kubernetes-%{version}.tar.gz=84b2678a1c06ad6095a078d5d5fed9f5a4e7328a

+%define sha1    kubernetes-%{version}.tar.gz=5e80f668554193e2593734dfd3bc1a7e843a5718

 Source1:        https://github.com/kubernetes/contrib/archive/contrib-0.7.0.tar.gz

 %define sha1    contrib-0.7.0=47a744da3b396f07114e518226b6313ef4b2203c

 Patch0:         k8s-1.10-vke.patch

@@ -207,6 +207,8 @@ fi

 /opt/vmware/kubernetes/windows/amd64/kubectl.exe

 %changelog

+*   Wed Jan 01 2019 Emil John <ejohn@vmware.com> 1.10.12-1

+-   Update to k8s version 1.10.12 with PKS-Cloud patch (4b83a6d)

 *   Mon Nov 26 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.10.11-1

 -   Update to k8s version 1.10.11 with PKS-Cloud patch 2bf7a01b

 *   Thu Oct 04 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.10.8-1