Explicitly disable dry run for connect

[jennybuckley]

What this PR does / why we need it:
It isn't clear whether or not dry run would work on connect. I think we should explicitly disable it so no one can try to dry run a connect request and accidentally open a connection.

Release note:

kube-apiserver: setting a `dryRun` query parameter on a CONNECT request will now cause the request to be rejected, consistent with behavior of other mutating API requests. Examples of CONNECT APIs are the `nodes/proxy`, `services/proxy`, `pods/proxy`, `pods/exec`, and `pods/attach` subresources. Note that this prevents sending a `dryRun` parameter to backends via `{nodes,services,pods}/proxy` subresources.

[neolit123]

@kubernetes/sig-api-machinery-pr-reviews

[yue9944882]

Hi @jennybuckley , if we were to forbid dryRun requests for all verbs, why not do this via an HTTP handler filter. 😃

[jennybuckley]

Thanks for reviewing this! The reason is that we plan on enabling it for some verbs in the future, depending on whether or not the dry run feature is enabled. Also, some verbs, like GET, don't make any change in the cluster, so dry running a get is equivalent to just running the get normally, so we don't need to fail if the client sends the dry run flag.

[liggitt]

cc @kubernetes/api-reviewers
for implications of ?dryRun handling on proxy subresources

[liggitt]

I'm definitely in favor of this for pods/exec, pods/attach, pods/portforward, etc.

Query parameters on proxy subresources were previously opaque to the apiserver. Which seems more appropriate for the proxy subresources:

• make the apiserver responsible for dryRun semantics (which means it has to reject for now until there's a way to know if backend can honor it)
• continue treating the query parameters as opaque and pass everything through?

[lavalamp]

I think I'd like to err on the side of rejecting all dryRun requests to these escape hatches. It is just code, we can relax the rules if someone comes up with a compelling use case. Right now dry run requests don't succeed for anything, so I think it's fine if they continue to not succeed here.

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jennybuckley, lavalamp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/apiserver/OWNERS [lavalamp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all

Tests are more than 96 hours old. Re-running tests.

[jennybuckley]

/retest

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 66512, 66946, 66083). If you want to cherry-pick this change to another branch, please follow the instructions here.

[niklun]

@lavalamp I hope I've made the use case clear for passing query parameters through in a service/proxy call in issue #82402? Why would you want to prevent sending a dryRun parameter to a service? I honestly don't understand why kubernetes should care about anything after /proxy/ in the request. 😃