This only changes tests to drop gopkg.in/check.v1, which helps our
dependency tree a little.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: edf0df348c217271f4ed7acee3b436c27e71df88
Updates k8s.io/kube-openapi across all staging modules and vendors the new
revision. Key changes upstream:
- builder/openapi.go, builder3/openapi.go: use common.EscapeJsonPointer()
when keying definition names into swagger.Definitions / spec.Components.Schemas,
fixing incorrect lookups for types whose names contain JSON-Pointer-reserved
characters (e.g. '/', '~').
- pkg/generators/apidefinitions/loader.go (new): LoadAPIVersion() reads an
apiversion.yaml from a source-tree directory and validates its TypeMeta,
providing a declarative way to describe API versions in-tree.
- pkg/generators/apidefinitions/types.go (new): APIVersion type that carries
the schemeGroupVersion / kindAPIVersion metadata consumed by the loader.
- pkg/generators/config.go, openapi.go, model_names.go: minor generator
improvements accompanying the apidefinitions loader addition.
- pkg/generators/rules/list_type_streaming_tags.go: streaming-tag rule fix.
- pkg/schemaconv/openapi.go, proto_models.go: schema conversion cleanups.
- pkg/validation/validate/result.go: validation result cleanup.
Previous version: v0.0.0-20260317180543-43fb72c5454a
New version: v0.0.0-20260502001324-b7f5293f4787
Kubernetes-commit: eaf347cecb168ee85fc77ffc9a5cda4eb99ce1ca
The v1.VolumeMount.MountPath doc claims the path must not contain
':', but the validator does not enforce this. The internal type in
pkg/apis/core/types.go carries no such constraint, and existing
TestValidateVolumeMounts success cases use mountPath values like "d:",
"F:", and "G:\mount".
This is a doc-only change. The validator is unchanged; the public doc
now matches what the validator actually accepts. Regenerated proto and
openapi snapshots to propagate the doc update.
Signed-off-by: Kimon N. <nkimon00@gmail.com>
Kubernetes-commit: 6691ecaf2f5ce3076f3c61eca5355cc99535d1bd
Bump go-openapi dependencies to latest versions:
- github.com/go-openapi/jsonpointer v0.21.0 → v0.22.4
- github.com/go-openapi/jsonreference v0.20.2 → v0.21.4
- github.com/go-openapi/swag v0.23.0 → v0.25.4
The new swag version has been restructured into a multi-module monorepo
with submodules (cmdutils, conv, fileutils, jsonname, jsonutils, loading,
mangling, netutils, stringutils, typeutils, yamlutils). As a result:
- mailru/easyjson and josharian/intern are no longer transitive deps
and have been removed from vendor
- go-openapi/jsonpointer and go-openapi/swag no longer reference
unwanted deps davecgh/go-spew, mailru/easyjson, or gopkg.in/yaml.v3
- Updated hack/unwanted-dependencies.json accordingly
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: 693dc57f5753ce69f7d3f49f26bfefc9554e47e6
Fixes CVE-2026-33814 (golang/go#78476): HTTP/2 Transport hangs
indefinitely when a peer sends a SETTINGS frame with MaxFrameSize=0.
This is reachable from kube-apiserver's OIDC, admission webhook,
and aggregated API client paths.
Kubernetes-commit: 12a2470693d86f63f4614048ffdd43dc393dd7e0
When CEL expressions access non-existent map keys, add a helpful hint
suggesting optional chaining (.? followed by orValue()) or has() macro.
Kubernetes-commit: 5e2d5b9a621109bd89f2dbc4092e0123ab500c85
Introduce the ResourcePoolStatusRequest resource type in the
resource.k8s.io/v1alpha3 API group, gated behind the
DRAResourcePoolStatus feature gate. This includes external and internal
type definitions, protobuf/OpenAPI generated code, client-go typed
clients, informers, listers, apply configurations, deepcopy, defaults,
conversion, fuzzer, declarative validation tags, and API discovery
metadata.
Kubernetes-commit: 29601b8628ac8ea512960bc373511ae46888e502
Bump k8s.io/kube-openapi to pick up kubernetes/kube-openapi#579 which
moved the last ginkgo/gomega tests to stdlib testing and ran go mod
tidy, removing ginkgo/gomega from kube-openapi's go.mod.
This drops ginkgo/gomega as indirect deps from apimachinery. It also
prunes Masterminds/semver, google/pprof, and golang.org/x/tools from
client-go and other staging modules where they were only needed
through kube-openapi's ginkgo/gomega chain.
Contributes to kubernetes/kubernetes#127888
Kubernetes-commit: 56cd74d879f1ba11aadcff95326f17a1cc2c82ef
KEP-5732: Add SchedulingConstraints to PodGroup API and use them in TopologyPlacement plugin
Kubernetes-commit: 299ab0d68a9d70b3c39d63210de47ac01d18e74b
The "Failed to update lease optimistically, falling back to slow path"
message was logged at Error level, but this is expected behavior during
normal leader election when the optimistic update encounters a conflict.
The system gracefully falls back to the slow path (Get + Update), so
this is not a real error. Downgrade to V(2) Info to reduce log noise.
Kubernetes-commit: 04977a0ea4592bfaa70d5095a4cfe99dd4b847e1
Add plugin to generate placements based on scheduling constraints
Co-authored-by: Antoni Zawodny <zawodny@google.com>
Kubernetes-commit: d9da8c7c4a25cee553720737fdec07006e063da1
cri streaming option a hardcut - add new staging repositories `streaming` and `cri-streaming`
Kubernetes-commit: 2bd6c7fe3cb8663804dc6e7672ff01aeebc97274
* Drop WorkloadRef field and introduce SchedulingGroup field in Pod API
* Introduce v1alpha2 Workload and PodGroup APIs, drop v1alpha1 Workload API
Co-authored-by: yongruilin <yongrlin@outlook.com>
* Run hack/update-codegen.sh
* Adjust kube-scheduler code and integration tests to v1alpha2 API
* Drop v1alpha1 scheduling API group and run make update
---------
Co-authored-by: yongruilin <yongrlin@outlook.com>
Kubernetes-commit: 3f094dc228318b89f1fef313543b960e35ca6e3e
klog hasn't been updated in Kubernetes for a few releases. Several
enhancements have accumulated that are worth having.
Kubernetes-commit: 56e0565c113107bdea398b075aba5bdef43489ed
Update google.golang.org/protobuf to v1.36.12-0.20260120151049-f2248ac996af to prevent file size explosion in go 1.26
Kubernetes-commit: 77c013637cb40e1b5d2b26664dc7b297f1ff2693
When watch.Broadcaster.Shutdown() is called it drains all queued events
then calls closeAll(), which closes every watcher's result channel.
eventBroadcasterImpl.Shutdown() calls Broadcaster.Shutdown() first,
then calls the cancellation context's cancel() function. Between those
two steps there is a window in which the result channel is closed while
the cancellation context is still live.
Without the two-value channel receive the goroutine in StartEventWatcher
would spin on the already-closed channel: each select iteration
immediately receives the zero-value watch.Event, the type assertion
fails (nil interface, ok == false), and the loop continues burning CPU
until the select scheduler eventually picks the cancelationCtx.Done()
case.
Guard against this by reading the ok boolean from the channel receive:
    case watchEvent, ok := <-watcher.ResultChan():
        if !ok {
            return
        }
This is the correct and idiomatic Go pattern for a channel that may be
closed by its producer. Note that when this return path is taken the
broadcaster has already delivered every queued event (Broadcaster.Shutdown
blocks until the distribute loop exits before closeAll runs), so no
events are silently dropped.
Add a regression test (TestStartEventWatcherExitsOnDirectShutdown) that
creates a broadcaster without an external context so Shutdown() is
fully synchronous, starts a watcher, and verifies the goroutine exits
cleanly via goleak.VerifyNone.
Signed-off-by: Rajneesh180 <rajneeshrehsaan48@gmail.com>
Kubernetes-commit: 95c15b54069922b0a66c198a064577ea0a160694
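The spin and the guard described in the commit message above, as an added Go example that is not part of the original commit or of client-go. The `event` type, `watchLoop` and `runScenario` are hypothetical stand-ins, and the events are constructed sample data.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// event is a stand-in for watch.Event (hypothetical, not the client-go type).
type event struct {
	Object any
}

// watchLoop has the shape of the goroutine described above: it selects on a
// result channel and on a cancellation context. With guard=false the ok flag
// is ignored, which is equivalent to the one-value receive; with guard=true
// the loop returns as soon as the producer has closed the channel.
func watchLoop(ctx context.Context, results <-chan event, guard bool) (handled, spins int, exitedOnClose bool) {
	for {
		select {
		case ev, ok := <-results:
			if guard && !ok {
				return handled, spins, true
			}
			if _, isString := ev.Object.(string); !isString {
				// Zero-value event from a closed channel: Object is a nil
				// interface, the assertion fails, and the loop goes round again.
				spins++
				continue
			}
			handled++
		case <-ctx.Done():
			return handled, spins, false
		}
	}
}

// runScenario queues two events, closes the channel the way a producer does on
// shutdown, and leaves the context live for `window` before it is cancelled.
func runScenario(guard bool, window time.Duration) (handled, spins int, exitedOnClose bool) {
	results := make(chan event, 2)
	results <- event{Object: "constructed event 1"}
	results <- event{Object: "constructed event 2"}
	close(results) // buffered events are still delivered before ok turns false

	ctx, cancel := context.WithTimeout(context.Background(), window)
	defer cancel()
	return watchLoop(ctx, results, guard)
}

func main() {
	h, s, c := runScenario(false, 30*time.Millisecond)
	fmt.Printf("unguarded: handled=%d spins=%d exitedOnClose=%v\n", h, s, c)
	h, s, c = runScenario(true, time.Second)
	fmt.Printf("guarded:   handled=%d spins=%d exitedOnClose=%v\n", h, s, c)
}
```

In both runs the two queued events are handled; only the unguarded loop keeps receiving zero values until the context is cancelled.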
[Declarative Validation] Bring `k8s:maxLength` tag in line with OpenAPI `maxLength` validation semantics
Kubernetes-commit: e08e598df07bc929679ef046418992a8205da18f
* Promote MutableCSINodeAllocatableCount to GA
Signed-off-by: Eddie Torres <torredil@amazon.com>
* Lock MutableCSINodeAllocatableCount feature gate to default
Signed-off-by: Eddie Torres <torredil@amazon.com>
---------
Signed-off-by: Eddie Torres <torredil@amazon.com>
Kubernetes-commit: 41bb4b6a8b4e0f15ab7ffcc6369c68bc599fb957
The change introduced in 59cd1d0b3bb378f40a639e21b615f4df1d4a5a14
causes PollUntilContextTimeout to call the condition function even when
the context is canceled already. This is unnecessary in our case and
only leads to one extra loop of processing and extra error messages.
This change makes the renew loop behave like it did before the change.
Kubernetes-commit: aa494f8174d745c3d9842f3d48272a3c2d6dcbcc
In practice, TimeAdded is managed by the API server. When admins used
DeviceTaintRule to simulate eviction, then changed the effect to really evict,
it is useful to calculate tolerations based on the time when that second
update happened. Therefore the TimeAdded field gets bumped automatically
when changing the effect.
Kubernetes-commit: f28dc4139208e64fe2882cd44d548c25020f2e3a
The error returned from Until() is solely from context cancellation
which is expected behavior when the reflector is stopped. Logging
this as an error (or even at V(4)) creates unnecessary noise.
Kubernetes-commit: cc483208aa306b8c4078d4118cf78a10e58481ec
It's GA now. To regenerate the files I did:
    make WHAT=cmd/kube-apiserver
    make update
While we are there, remove the reference that the field is alpha.
Signed-off-by: Rodrigo Campos <rodrigo@amutable.com>
Kubernetes-commit: 8db51091e82490bccc0018763ba7e05ffb8ab458
This is just a sed to remove the old data from the text fixtures too.
While two files are clearly test data given that they include testdata
in their name, these two are not so obvious but are also test data:
* openapi/swagger-with-shared-parameters.json: is referenced in "staging/src/k8s.io/cli-runtime/pkg/resource/query_param_verifier_test.go",
in particular in this part: `filepath.Join("..", "..", "artifacts", "openapi", "swagger-with-shared-parameters.json")`
* batch.k8s.io_v1.json: is in
`staging/src/k8s.io/kubectl/pkg/explain/v2/templates/plaintext_test.go`,
in a "//go:embed batch.k8s.io_v1.json".
Signed-off-by: Rodrigo Campos <rodrigo@amutable.com>
Kubernetes-commit: 8d0f80e4ed87658c0e05b9db0690927547be6ad5
Replace all imports of k8s.io/apimachinery/pkg/util/dump with
k8s.io/utils/dump across the repo. The apimachinery dump package
now contains deprecated wrapper functions that delegate to
k8s.io/utils/dump for backwards compatibility.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: 550cc8645bedcc8b187e0ebeb52ead29d5631a32
Move backoff documentation comments to var block for better discoverability.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Kubernetes-commit: 33ebd41b2c1abdc03beabd9ccff3428a8fd46473
Passing a context to StartWithContext enables context-aware reflector
logging. This is the main remaining source of log spam (output to stderr
instead of per-test logger) in controller unit tests.
WaitForCacheSynceWithContext takes advantage of the new cache.WaitFor +
NamedHasSynced functionality to finish "immediately" (= no virtual time
passed) in a synctest bubble. While at it, the return type gets improved so
that a failure is easier to handle.
Kubernetes-commit: 5ff323de791df88880f6e065f5de4b445e5c90ed
The main advantage is that waiting on channels creates a causal relationship
between goroutines which is visible to synctest. When a controller in a
synctest bubble does a WaitFor in a test's background goroutine for the
controller, the test can use synctest.Wait to wait for completion of cache
sync, without requiring any test specific "has controller synced" API. Without
this, the test had to poll or otherwise wait for the controller.
The polling in WaitForCacheSync moved the virtual clock forward by a random
amount, depending on how often it had to check in wait.Poll. Now tests can be
written such that all events during a test happen at a predictable time. This
will be demonstrated in a separate commit for the
pkg/controller/devicetainteviction unit test.
The benefit for normal production is immediate continuation when the last
informer is synced (not really a problem, but still...) and more important,
nicer logging thanks to the names associated with the thing that is being
waited for. The caller decides whether logging is enabled or disabled and
describes what is being waited for (typically informer caches, but maybe also
event handlers or even something else entirely as long as it implements the
DoneChecker interface).
Before:
Waiting for caches to sync
Caches are synced
After:
Waiting for="cache and event handler sync"
Done waiting for="cache and event handler sync" instance="SharedIndexInformer *v1.Pod"
Done waiting for="cache and event handler sync" instance="SharedIndexInformer *v1.ResourceClaim"
Done waiting for="cache and event handler sync" instance="SharedIndexInformer *v1.ResourceSlice"
Done waiting for="cache and event handler sync" instance="SharedIndexInformer *v1.DeviceClass"
Done waiting for="cache and event handler sync" instance="SharedIndexInformer *v1alpha3.DeviceTaintRule"
Done waiting for="cache and event handler sync" instance="SharedIndexInformer *v1.ResourceClaim + event handler k8s.io/kubernetes/pkg/controller/devicetainteviction.(*Controller).Run"
Done waiting for="cache and event handler sync" instance="SharedIndexInformer *v1.Pod + event handler k8s.io/kubernetes/pkg/controller/devicetainteviction.(*Controller).Run"
Done waiting for="cache and event handler sync" instance="SharedIndexInformer *v1alpha3.DeviceTaintRule + event handler k8s.io/kubernetes/pkg/controller/devicetainteviction.(*Controller).Run"
Done waiting for="cache and event handler sync" instance="SharedIndexInformer *v1.ResourceSlice + event handler k8s.io/kubernetes/pkg/controller/devicetainteviction.(*Controller).Run"
The "SharedIndexInformer *v1.Pod" is also how this appears in metrics.
Kubernetes-commit: fdcbb6cba9a04c028b158bf66d505df7431f63fe
This improves logging and enables more informative waiting for cache sync in a
following commit. It addresses one klog.TODO in the Reflector.
The RealFIFOOptions and InformerOptions structs get extended the same way as
DeltaFIFOOptions before: a logger may be set, but it's not required. This is
not an API break.
That the name has to be passed separately is a bit annoying at first glance
because it could also be set directly on the logger through WithName, but
keeping it separate is better:
- name can be set without providing a logger
- name can be defaulted
- less code in the caller when passing through a logger and adding
the name only in the field
- last but not least, extracting the name is not supported in a portable
manner by logr
All in-tree references in production code get updated.
While at it, logging in the fifos gets updated to follow best practices: if
some code encounters an abnormal situation and then continues, it should use
utilruntime.HandleErrorWithLogger instead of normal error logging.
Existing "logger" fields get moved to the top because that is a more common
place for such a read-only field.
Kubernetes-commit: 45251e5f654e6c052659d110cd721f9fbe185191
NewSimpleClientset was marked as deprecated when NewClientset was
introduced. This has caused some confusion:
- Not all packages have NewClientset (https://github.com/kubernetes/kubernetes/issues/135980).
- Tests that work with NewSimpleClientset fail when
switched to NewClientset (https://github.com/kubernetes/kubernetes/issues/136327)
because of missing CRD support (https://github.com/kubernetes/kubernetes/issues/126850).
It doesn't seem burdensome to keep NewSimpleClientset around forever. Some unit
tests may even prefer to use it when they don't need server-side apply (less
overhead). Therefore there is no need to deprecate it.
This avoids churn in the ecosystem because contributors no longer create PRs
"because the linter complains about the usage of a deprecated function".
Kubernetes-commit: e80da21868059f789c90105a00481fa8cef169e1
The google/btree package is deprecated, so switch to the maintained
fork in k8s.io/utils/third_party/forked/golang/btree.
API differences:
- NewG -> New
- BTreeG[T] -> BTree[T]
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: a328ca88ad662119bbf129cd1107fabd8dd9f539
While time.Sleep is what the test needs, maybe an arbitrary hook invocation is
more acceptable in the production code because it is more general.
Kubernetes-commit: 2ec0305d728bf5ce8f8df314a18e71aa120a00cf
In the unlikely situation that sharedProcessor.distribute was triggered by a
resync before sharedProcessor.run had a chance to start the listeners, the
sharedProcessor deadlocked: sharedProcessor.distribute held a read/write lock
on listenersLock while being blocked on the write to the listener's
channel. The listeners who would have read from those weren't getting started
because sharedProcessor.run was blocked trying to get a read lock for
listenersLock.
This gets fixed by releasing the read/write lock in sharedProcessor.distribute
while waiting for all listeners to be started. Because either all or no
listeners are started, the existing global listenersStarted boolean is
sufficient.
The TestListenerResyncPeriods test now runs twice, with and without the
artificial delay. It gets converted to a synctest, so it executes quickly
despite the time.Sleep calls and timing is deterministic. The enhanced log
output confirms that with the delay, the initial sync completes later:
=== RUN TestListenerResyncPeriods
shared_informer_test.go:236: 0s: listener3: handle: pod1
shared_informer_test.go:236: 0s: listener3: handle: pod2
shared_informer_test.go:236: 0s: listener1: handle: pod1
shared_informer_test.go:236: 0s: listener1: handle: pod2
shared_informer_test.go:236: 0s: listener2: handle: pod1
shared_informer_test.go:236: 0s: listener2: handle: pod2
shared_informer_test.go:236: 2s: listener2: handle: pod1
shared_informer_test.go:236: 2s: listener2: handle: pod2
shared_informer_test.go:236: 3s: listener3: handle: pod1
shared_informer_test.go:236: 3s: listener3: handle: pod2
--- PASS: TestListenerResyncPeriods (0.00s)
=== RUN TestListenerResyncPeriodsDelayed
shared_informer_test.go:236: 1s: listener1: handle: pod1
shared_informer_test.go:236: 1s: listener1: handle: pod2
shared_informer_test.go:236: 1s: listener2: handle: pod1
shared_informer_test.go:236: 1s: listener2: handle: pod2
shared_informer_test.go:236: 1s: listener3: handle: pod1
shared_informer_test.go:236: 1s: listener3: handle: pod2
shared_informer_test.go:236: 2s: listener2: handle: pod1
shared_informer_test.go:236: 2s: listener2: handle: pod2
shared_informer_test.go:236: 3s: listener3: handle: pod1
shared_informer_test.go:236: 3s: listener3: handle: pod2
--- PASS: TestListenerResyncPeriodsDelayed (0.00s)
Kubernetes-commit: e6ef79b2f6bb05205652e4fe48ffa523d9e3a1ec
The event handler must receive both objects (the initial one from List, the
newer one from Watch) and it must be considered synced.
Kubernetes-commit: 359aff0552ed3b60d544158e5edf33d28492f01a
56448506075c3db1d added support for List+Watch to a fake client-go instance.
However, that support was not quite working yet as seen when analyzing a test
flake:
- List returned early when there were no objects, without adding the
ResourceVersion. The ResourceVersion should have been "0" instead.
- When encountering "" as ResourceVersion, Watch didn't deliver
any objects. That was meant to preserve compatibility with clients
which don't expect objects from a Watch, but the right semantic of
"" is "Start at most recent", which includes delivering existing
objects.
Tests which meddle with the List implementation via a reactor (like
clustertrustbundlepublisher) have to be aware that Watch now may
return objects when given an empty ResourceVersion.
Kubernetes-commit: 6bfa727bee264f5d7e4471066c1b48a28d0c1929
Latest release of both. The CurrentTreeConstructionNodeReport fix
is needed before being able to use it in the E2E framework.
Kubernetes-commit: f8a0c80ed81711f6add7a765d22b56d2d41ac522
We need to lock on observedTime reads to avoid races; before, we were
only locking to read the observed record.
Use a RW lock since there are many more reads than writes.
Kubernetes-commit: d5ac0e408a0a1e50197e1b599b9b8b2e505bfe46
Quite a lot of unit tests set up informers with a fake client, do
informerFactory.WaitForCacheSync, then create or modify objects. Such tests
suffered from a race: because the fake client only delivered objects to the
watch after the watch has been created, creating an object too early caused
that object to not get delivered to the informer.
Usually the timing worked out okay because WaitForCacheSync typically slept a
bit while polling, giving the Watch call time to complete, but this race has
also gone wrong occasionally. Now with WaitForCacheSync returning more promptly
without polling (work in progress), the race goes wrong more often.
Instead of working around this in unit tests it's better to improve the fake
client such that List+Watch works reliably, regardless of the timing. The fake
client has traditionally not touched ResourceVersion in stored objects and
doing so now might break unit tests, so the added support for ResourceVersion
is intentionally limited to List+Watch.
The test simulates "real" usage of informers. It runs in a synctest bubble and
completes quickly:
go test -v .
=== RUN TestListAndWatch
listandwatch_test.go:67: I0101 01:00:00.000000] Listed configMaps="&ConfigMapList{ListMeta:{ 1 <nil>},Items:[]ConfigMap{ConfigMap{ObjectMeta:{cm1 default 0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] []},Data:map[string]string{},BinaryData:map[string][]byte{},Immutable:nil,},},}" err=null
listandwatch_test.go:79: I0101 01:00:00.000000] Delaying Watch...
listandwatch_test.go:90: I0101 01:00:00.100000] Caches synced
listandwatch_test.go:107: I0101 01:00:00.100000] Created second ConfigMap
listandwatch_test.go:81: I0101 01:00:00.100000] Continuing Watch...
--- PASS: TestListAndWatch (0.00s)
PASS
ok k8s.io/client-go/testing/internal 0.009s
Some users of the fake client need to be updated to avoid test failures:
- ListMeta comparisons have to be updated.
- Optional: pass ListOptions into tracker.Watch. It's optional because
the implementation behaves as before when options are missing,
but the List+Watch race fix only works when options are passed.
Kubernetes-commit: 56448506075c3db1d16b5bbf0c581b833a4646f1
This uses the new generic fixed ring implementation in k8s.io/utils.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 3653ae2b9a7768da89e47ef84d503ae9cf0b910b
This fixes some issues found in Kubernetes (data race in ginkgo CLI, gomega
formatting) and helps with diagnosing OOM killing in CI jobs (exit status of
processes).
The modified gomega formatting shows up in some of the output tests for the E2E
framework. They get updated accordingly.
Kubernetes-commit: db841afdbb193ea7d612472c7cc4c7b3f58eb676
Embed proper interface in TransformingStore to ensure DeltaFIFO and RealFIFO are implementing it
Kubernetes-commit: 04e8064bccebd04981ee0094457550c9de4f92e3
Update leaderelection package to use contextual logging variants:
- Replace wait.JitterUntil with wait.JitterUntilWithContext
- Replace wait.Until with wait.UntilWithContext
This enables proper contextual logging support as part of the
structured logging migration.
Ref #126379
Kubernetes-commit: c5b64ebf2ef8619fb96c35f3a613b1b945ebe0f2
Add support for 'profile=nopeer' in Accept headers to allow clients
to opt out of peer-aggregated discovery and request local-only results.
Updates discovery client to set appropriate Accept headers based on
whether peer-aggregated discovery is desired.
Part of KEP-4020: Unknown Version Interoperability Proxy
Kubernetes-commit: 6a07342d37a762230209e362d383e1fbfc325b51
Remove reference to internal types in kuberc types
* Remove unserialized types from public APIs
Also remove defaulting
* Don't do conversion gen for plugin policy types
Because the plugin policy types are explicitly allowed to be empty, they
should not affect conversion. The autogenerated conversion functions for
the `Preference` type will leave those fields empty.
* Remove defaulting tests
Comments and simplifications (h/t jordan liggitt)
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
Kubernetes-commit: fab280950dabfefabe6a8578b7a76372a9b21874
Signed-off-by: Min Jin <minkimzz@amazon.com>
Update staging/src/k8s.io/client-go/tools/cache/the_real_fifo.go
optimizing fifo loop
Co-authored-by: Marek Siarkowicz <marek.siarkowicz@protonmail.com>
Signed-off-by: Min Jin <minkimzz@amazon.com>
refactoring PopBatch to accept []Delta
Signed-off-by: Min Jin <minkimzz@amazon.com>
Kubernetes-commit: 611b4c1408f529de4d4e94e6dd33be2ed1df9276
so that their enablement can be consistent with emulated version.
Signed-off-by: Siyuan Zhang <sizhang@google.com>
Kubernetes-commit: d4c6e0bfd04a9efb1ddb33afdcaa49eb8695d8e5
Specifically the new AddTreeConstructionNodeArgsTransformer and SpecPriority in
Ginkgo will be useful.
Gomega gets updated to keep up-to-date.
Kubernetes-commit: 6034321603be95409028f0173e0c372515008dbb
client-go/tools/cache/test: wrap the LW with toListWatcherWithUnSupportedWatchListSemantics
Kubernetes-commit: ad13a96a1fa97c5516ab198df738e6ca13ee4290
client-go/tools/watch/test: wrap the LW with toListWatcherWithUnSupportedWatchListSemantics
Kubernetes-commit: f1989437f8b4c7725e8c603d6c29693b89298f37
This is a collection of updates to several unversioned modules. Those updates are
eventually going to reach Kubernetes; doing them together now makes PRs for
future major updates smaller.
Kubernetes-commit: 5993782d6537bab9edf95590c123f96ea39ca185
returns a ListerWatcher that knows whether the provided client explicitly
does NOT support the WatchList semantics. This allows Reflectors
to adapt their behavior based on client capabilities.
Kubernetes-commit: 3b93755c0c07ce898f1c2a3924adef6c3143f247
[126379] [client-go] chore: use WithContext functions inside old functions to remove code duplication
Kubernetes-commit: 81059575f6c97e5e73729c8df5a7172190a10950
- Deprecate IsDNS1123SubdomainCaseless to avoid caseless validation issues.
- Warn when ResourceSlice driver names contain uppercase characters.
- Clarify driver names must be DNS subdomains and use only lowercase letters.
- Update tests, staging code, and OpenAPI spec to reflect the changes.
Kubernetes-commit: b40b67b9cfff1fdd6a1177372bdb545c5d2b6bbb
This raises the number of allowed taints per device to 16 by lowering
the number of allowed devices to 64 per ResourceSlice if (and only if!)
taints are used.
"effect: None" and DeviceTaintRule status with conditions get added
to support giving feedback to admins.
Instead of merely adding the new effect value, this also changes validation of
the enum so that unknown values are valid if they were already stored. This
will simplify adding new effects in the future because validation won't fail
for them after a downgrade. Consumers must treat them like this new None
effect, i.e. ignore them.
Kubernetes-commit: fee14ffca2099b2d7a0bfc5761691b363eac4de1
updating to include initialization in func
Update store to use sets.Set
updating tests to use sets.New instead of sets.NewString
update store_test
update index_test
update controller_test file
update delta_fifo file
update expiration_cache_fakes file
update index_test file
update thread_safe_store file
update events_cache file
update thread_safe_store_test
update expiration_cache_test
small refactor of for loop
unexport the Index type -> index
Kubernetes-commit: c08b9ab3b5c78023e46ce03fde894b24533c68ef
mockery has introduced breaking changes and switched to a v3 branch,
this migrates to that, mostly using the built-in migration tool. Mocks
are now generated in single files per package, except in packages
containing mocks for multiple interface packages (in
pkg/kubelet/container/testing).
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 81cec6df1d0b6393ff25195aa3be65e79d341197
The call to `fmt.Sprintf` does virtually the same as concatenating the
strings, but incurs minor overhead from having to call a function,
and performs an additional allocation.
I've made a small benchmark for this and when run against current
`master` and this branch, the results are significant for this
function:
    goos: darwin
    goarch: arm64
    pkg: k8s.io/client-go/transport
    cpu: Apple M1 Pro
                              │ bart.base.log │          bart.concat.log           │
                              │    sec/op     │   sec/op     vs base               │
    BearerAuthRoundTripper-10    361.3n ± 31%   295.5n ± 11%  -18.21% (p=0.000 n=20)

                              │ bart.base.log │          bart.concat.log           │
                              │     B/op      │    B/op      vs base               │
    BearerAuthRoundTripper-10     768.0 ± 0%     752.0 ± 0%    -2.08% (p=0.000 n=20)

                              │ bart.base.log │          bart.concat.log           │
                              │   allocs/op   │ allocs/op    vs base               │
    BearerAuthRoundTripper-10     6.000 ± 0%     5.000 ± 0%   -16.67% (p=0.000 n=20)
Considering this method is likely used in many installations, the
gains, while small, add up to bigger savings.
Kubernetes-commit: 92a0e422df2d0d36c25f0b5c829c571b93250600
This brings a few fixes, drops github.com/pkg/errors (as a direct
dependency), and bumps many transitive dependencies. The
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp bump to
v0.61.0 breaks "k8s.io/kubernetes/test/integration/apiserver: tracing"
consistently, so it's held back for now.
github.com/containerd/containerd/api pulls in gopkg.in/yaml.v3 so that
needs to be added to the exceptions in unwanted-dependencies.json.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 684473af6232a5d68a5585837837d1a96f009414
fix: Update unit test to catch actual nil Labels case and fix functionality to handle nil Labels
Kubernetes-commit: 7c7fd78793c8974f22fcc6d7d58f263d987b238e
* cache: do not allocate chan for nothing
The explicit purpose of this channel is to never be closed and nothing
to be sent down on it. Hence, there's no need to allocate a channel - a
nil channel has exactly the desired behaviour.
Additionally, this is more relevant now that testing/synctest gets
unhappy when goroutines are blocked on reading on channels which are
created outside of the synctest bubble. Since this is a package var, that's
hard to avoid when using this package. Synctest is fine with nil
channels though.
Reported-by: Jussi Maki <jussi@isovalent.com>
Signed-off-by: David Bimmler <david.bimmler@isovalent.com>
* handlers: do not allocate chan for nothing
Nil chan has the desired semantics already, and this breaks
testing/synctest because the channel is allocated outside of the bubble.
Signed-off-by: David Bimmler <david.bimmler@isovalent.com>
---------
Signed-off-by: David Bimmler <david.bimmler@isovalent.com>
Kubernetes-commit: 52b7d035f9655d0c6ebeaaafd60add99700bb468
Fix kubectl writing current-context to the wrong kubeconfig file when using multiple kubeconfig files.
Kubernetes-commit: 1df4ac52719da02bbd625e77ac69b81663bbc4d8
This allows consumers of term to not pull in dependencies on
github.com/gorilla/websocket and github.com/moby/spdystream.
Kubernetes-commit: 640dabd58b04b72f646ed85947cb8b407b36dc08
* client-go: Replace deprecated ErrWaitTimeout with recommended method
* Fix UT and Integration tests
* IT test
Kubernetes-commit: ffe306d67958297202e9492ea644b42c0e7e694d
* Add FileKeyRef field and struct to the Pod API
* Add the implementation code in the kubelet.
* Add validation code
* Add basic functionality e2e tests
* Add code for dropping disabled pod fields
* update go.mod
Kubernetes-commit: 6f3b6b91f08585727784620285f990782901572f
This TestMain() is equivalent to not having any TestMain() at all.
This is the only such instance in the whole repo.
Kubernetes-commit: 7e5aafcb164db5135a4d18ee4661c8813f2cc908
Calling os.Exit() skipped the
`defer os.RemoveAll(tmp)`
above and thus dangling files & dirs would appear in their $TMPDIR.
Since go1.15 we can safely remove os.Exit() from TestMain() function.
This exact issue was common enough that go1.15 changed[1] the API of
TestMain to no longer require os.Exit to be called.
Reproducer:
    $ (cd staging/src/k8s.io/client-go; go test ./tools/clientcmd)
    $ ls -d /tmp/testkubeconfig*
    /tmp/testkubeconfig1015943687
[1]: https://go-review.googlesource.com/c/go/+/219639
Kubernetes-commit: 457df1cf9817e29381609fbf2d85854a6b6a52ac
Prevent the failure of releasing the lock by updating the resource version in case of the resource conflict
Kubernetes-commit: 793191529651ab5c9e49914f19e9bdf85d412218
[client-go #1415] Use transformer from provided store within internal stores in reflector to limit memory usage bursts
Kubernetes-commit: 3f0a1c6c7f02f33649e58996408b1501fce3c0ee
Prior to this patch, this fails because the skipnonappliedfieldmanager
uses the `objectcreater` (aka `*runtime.Scheme`) to create a new object
for which it never sets the GVK. In the case of
`*unstructured.Unstructured`, the GVK can not be derived from the object
itself so the operation would subsequently fail [here][0] with an
```
Object 'Kind' is missing in 'unstructured object has no kind'
```
error. Fix this by explicitly setting the GVK in case of unstructured.
[0]: 02eb7d424a/staging/src/k8s.io/apimachinery/pkg/util/managedfields/internal/structuredmerge.go (L98)
Kubernetes-commit: dbdd6a3b4358d91a064de9c0f01d3050e606d553
The v1alpha3 version is still needed for DeviceTaintRule, but the rest of the
types and most structs became obsolete in v1.32 when we introduced v1beta1 and
bumped the storage version to v1beta1.
Removing them now simplifies adding new features because new fields don't need
to be added to these obsolete types. This could have been done already in 1.33,
but wasn't to minimize disrupting on-going work.
Kubernetes-commit: 10de6780cf6b24d5115e508606334b81d6634ba6
This raises awareness so that developers hopefully get it right without having to
learn about it from compile errors. It also explains that creating a PR to
fix the naming is not desired.
Kubernetes-commit: f40892f4813f29fc305d59073d2464a1fd7d6fe5
This removes a dependency from generated applyconfigurations to a testing
package. To do this, the type converter in the testing package has been
moved out to the apimachinery package and the utilities the converter
depend on have been reorganized.
Kubernetes-commit: 4821604f83a6f4764497879b666087ba7cb05060
Normal execution always started to trigger this after adding more logging in
the E2E framework's exec_util.go:
I0506 21:23:56.781188 6341 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
That the "should fall back" implementation gets called when there is no error
and thus no reason to even consider falling back is odd. Now the execute
implementation checks for nil first.
This is the same approach taken also in the portforward code:
b35c5c0a30/staging/src/k8s.io/client-go/tools/portforward/fallback_dialer.go (L52)
Kubernetes-commit: 35870c480d64a8ae35c0e5839cc40b0115b7328a
Promoted feature-gate `VolumeAttributesClass` to GA (on by default)
Signed-off-by: carlory <baofa.fan@daocloud.io>
Kubernetes-commit: 94bf8fc8a9d1d6c989eddad07996be0ca4dd3448
This is what happens when writing back a OIDC refresh token:
- plugin/pkg/client/auth/oidc/oidc.go:282
Calls `Persist` to save the new refresh token.
- tools/clientcmd/config.go:372
Calls `ModifyConfig` to save the config.
- tools/clientcmd/config.go:167
Calls `configAccess.GetLoadingPrecedence()` to get the files
listed from the `KUBECONFIG` environment variable.
- tools/clientcmd/loader.go:334
If the `ConfigAccess` was a `ClientConfigLoadingRules`, it
directly returns the `Precedence` slice from its `rules`
field.
THE PROBLEM:
The slice can be modified by the caller, unintentionally
changing the value of the `ClientConfigLoadingRules`'
`Precedence` field.
- tools/clientcmd/config.go:170
Then proceeds to in-place sort the slice returned by the
`ConfigAccess`. This is the same slice (by identity)
as the `ClientConfigLoadingRules`' `Precedence` field,
destroying its intended order.
- tools/clientcmd/config.go:179
Calls `configAccess.GetStartingConfig` to read the original
config so it can be compared with the new config.
- tools/clientcmd/loader.go:339
Calls `NewNonInteractiveDeferredLoadingClientConfig` with
itself as a parameter.
CONSEQUENCE:
At this point, the `Precedence` has been
unintentionally sorted. When it loads the
config again, it gives precedence to whichever
file comes first in ascending alphabetical order.
- tools/clientcmd/config.go:192
If the file returned by `GetStartingConfig` has a
different `current-context` than the new config,
it calls `writeCurrentContext` to update the first
kubeconfig file in the `KUBECONFIG` environment
variable.
- tools/clientcmd/config.go:403
Calls `configAccess.GetDefaultFilename` to find the
destination kubeconfig file.
- tools/clientcmd/loader.go:358
Iterates through the kubeconfig files returned by
`GetLoadingPreferences` to find the first file
that exists.
CONSEQUENCE:
With the slice being sorted earlier, the files
returned by this call of `GetLoadingPreferences`
will be sorted alphabetically, rather than by
their intended order.
Kubernetes-commit: ffa084f81129ea685b176a282921c4d54906c539
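The aliasing problem traced in the commit message above, reduced to a minimal Go program. This is an added example, not client-go code: `loadingRules`, `precedenceShared`, `precedenceCopy`, `defaultFilename` and the file paths are hypothetical names constructed for illustration, and the "first file that exists" lookup is simplified to "first entry".

```go
package main

import (
	"fmt"
	"sort"
)

// loadingRules is a hypothetical stand-in for a type that holds an ordered
// list of kubeconfig paths. It is not the client-go type.
type loadingRules struct {
	precedence []string
}

// precedenceShared hands out the internal slice itself. Any caller that
// mutates the result also mutates the rules.
func (r *loadingRules) precedenceShared() []string {
	return r.precedence
}

// precedenceCopy hands out a defensive copy, so callers can sort or edit
// the result without touching the rules.
func (r *loadingRules) precedenceCopy() []string {
	return append([]string(nil), r.precedence...)
}

// defaultFilename picks the file that a write should go to. Simplification
// (assumption): the first entry wins; the existence check is left out.
func (r *loadingRules) defaultFilename() string {
	if len(r.precedence) == 0 {
		return ""
	}
	return r.precedence[0]
}

// writeTarget mimics a caller that sorts the list it was given in place and
// afterwards asks the rules which file to write to.
func writeTarget(r *loadingRules, get func() []string) string {
	files := get()
	sort.Strings(files) // in-place sort of whatever backing array we were given
	return r.defaultFilename()
}

// newRules builds constructed sample data: the user listed work.yaml first,
// so writes are intended to land there.
func newRules() *loadingRules {
	return &loadingRules{precedence: []string{
		"/home/u/.kube/work.yaml",
		"/home/u/.kube/admin.yaml",
	}}
}

// aliasedTarget shows the bug: the sort reorders the rules' own slice.
func aliasedTarget() string {
	r := newRules()
	return writeTarget(r, r.precedenceShared)
}

// copiedTarget shows the fix: the sort only touches the copy.
func copiedTarget() string {
	r := newRules()
	return writeTarget(r, r.precedenceCopy)
}

func main() {
	fmt.Println("shared slice, write goes to:", aliasedTarget())
	fmt.Println("copied slice, write goes to:", copiedTarget())
}
```

With the shared slice, the write target silently becomes the alphabetically first file rather than the one the user listed first, which is how a context or refreshed token can end up in a kubeconfig the user did not intend.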
- Add a new VeryShortWatchError struct for error matching, returned
by `handleAnyWatch`, up through `Reflector.ListAndWatch`.
- Update test expectations to match exact errors.
Kubernetes-commit: 6eff9db0f10db72f2c64390e106a80621d136439
Change:
- refactor Reflector.ListAndWatch and Reflector.watch to always call
watcher.Stop.
- refactor Reflector.handleAnyWatch to always call watcher.Stop,
EXCEPT when exitOnWatchListBookmarkReceived &&
watchListBookmarkReceived.
- Update unit tests with these new expectations.
Effect:
- ensures watcher.Stop is always called at least once
- avoids deadlocks in watcher implementations when watcher.Watch is
called, but watcher.Stop is never called.
Note: It's impossible to guarantee that Stop will only be called once.
So watch.Interface implementations must tolerate Stop being called
multiple times.
Kubernetes-commit: 3e609ecf6e945bf4562bddfc563fde9a4c3d0d90
API approvers review new fields and need permissions to approve the
files generated from those new fields
Kubernetes-commit: 691398c8563f12db07505df7c05211e93145689a
In controller-runtime it is generally not expected to do any sort of
scheme registration if unstructured.Unstructured is used. To make this
work in the fakeclient, the fakeclient will register unstructured to
scheme if the scheme doesn't recognize the GVK.
This currently doesn't work with the `ManagedFieldsObjectTracker` as it
never reloads the scheme. This change makes it reload the scheme in an
inefficient but simple manner, which should be good enough for unit
tests.
Kubernetes-commit: 1cd71cbb14ecfd0ec6c5e8a57db6be00ecb8a4d1
Update to latest cadvisor @ v0.52.1 and new opencontainer/cgroups and drops opencontainers/runc
Kubernetes-commit: 0eaee48ecb8669dc65bfdf9a3583326ab88fc39d
[FG:PodObservedGenerationTracking] Kubelet sets pod `status.observedGeneration` when updating the pod status
Kubernetes-commit: 2effa5e3cf92af7dbcff87822b3293354823f567
This fixes variable passed as error reason upon websocket message read failure.
Previously a wrong variable was passed resulting in returning failure with nil error reason.
Kubernetes-commit: e1d3aaf8612c490fae965272a304d74fccf7e294
The event Object is created from the referenced Object name, however,
there is no guarantee that the name from the referenced Object will be a
valid Event Name.
For those Objects with name not valid for an Event, generate a new valid
name using an UUID.
Kubernetes-commit: ee36b817df06f84ce1a48ef4d65ed559c3775404
Consumers of the kubernetes golang API and clients must use
k8s.io/api,apimachinery,client-go. This is also required to download all
the necessary dependencies.
The apimachinery code contains a testing util for proxies that is used
in client-go and in the kubectl e2e. Since the tests on e2e require
ginkgo and we want to ensure this testing library is not used in
production, we cast the interface to match one of those libraries, but
the problem is that this forces consumers of apimachinery to also
download the ginkgo library.
Since NewHTTPProxyHandler receives a testing.TB interface, there is no
need to cast the interface, if someone wants to use it by implementing a
testing interface it is already aware of the risks.
Kubernetes-commit: af3b9e613d3b76b826369153760a069aabb4cf7f
The ability to automatically stop on context cancellation was new functionality
that adds complexity and wasn't really used in Kubernetes. If someone wants
this, they can add it outside of the function.
A *WithLogger variant avoids the complexity and is consistent with
NewStreamWatcherWithLogger over in apimachinery.
Kubernetes-commit: 1a8d8c9b4a33daf9330434e1ad544ef3571722a3
cache.ErrRequeue advertised itself as a way to requeue failures on a
FIFO, but it suffers the same problems as AddIfNotPresent. If we do
requeue an item at the end, we'll move the informer back in time. If we
requeue at the beginning we'll simply wedge FIFO.
We didn't find examples in the wild, but by removing the error type
those impacted will get a compile error and get to decide what action is
most appropriate for their failure. Most of the time, proceeding to the
next item is best.
Kubernetes-commit: 238c32a1d9b2c72d648193fa8642a53a2884975f
Logically a cache.Queue.AddIfNotPresent means that the informer can move
back in time since an older item is placed after newer items. The
alternative of placing errors at the head of the queue leads to
indefinite memory growth and repeated failures on retry.
Luckily this behavior was behind RetryOnError, which was always set to
false and impossible for normal users to set to true. By removing the
function and setting, impacted users (none found in a github search)
will get a compile failure.
Kubernetes-commit: 8e77ac000131019d5aa49c19aa1f477f6dac4d59
The API for the package already had a context, so all that was missing was to
extract and use the logger from that.
Kubernetes-commit: 1620b2707623036f5133cf8045da89411d2c4345
NewTypedDelayingQueueWithConfig spawns a goroutine, but apparently shutdown is
already handled somehow. Therefore only the option to set a logger gets added
to the Config struct.
The problem then becomes that developers might forget to set that
logger. logcheck can't detect that. For now, all in-tree users get updated
immediately.
Kubernetes-commit: f20eb2e7c16a9b28e69fd0bba2000e7166d68f29
mark_new_version.sh (actually mark-new-version.sh) has been removed. And we are
not creating vX.Y tags. We are using ldflags -X now.
Kubernetes-commit: 0f0f9d01c0db8906989616ccc1ef04175035ddf9
For compatibility reasons, the old functions without the ctx parameter still
get generated, now with context.Background instead of context.TODO. In practice
that code won't be used by the client-go reflector code because it prefers
the *WithContext functions, but it cannot be ruled out that some other code
only supports the old fields.
Kubernetes-commit: 8cc74e8a266e1042be1c60adfa3091852036f48a
The Lister and Watcher interfaces only supported methods without context, but
were typically implemented with client-go API calls which need a context. New
interfaces get added using the same approach as in
https://github.com/kubernetes/kubernetes/pull/129109.
Kubernetes-commit: 6688adae142e37114d9dfa8d94cd1d8a91fbcc13
The client-go feature gates implementation logs information about feature
states at V(1). Changing that would imply changing the Enabled method, which is
very intrusive because there are many callers which are not expected to log and
thus don't have access to a contextual logger.
The code is not active in Kubernetes components, those use the clientAdapter to
make client-go use the normal feature gate implementation, which doesn't log
anything. Therefore the code doesn't get changed and only annotated so that
logcheck won't complain.
Kubernetes-commit: ee9d998d6e0c89bcf2b39fc011bfbc916060d451
The client-go feature gates implementation logs information about feature
states at V(1). Changing that would imply changing the Enabled method, which is
very intrusive because there are many callers which are not expected to log and
thus don't have access to a contextual logger.
The code is not active in Kubernetes components, those use the clientAdapter to
make client-go use the normal feature gate implementation, which doesn't log
anything. Therefore the code doesn't get changed and only annotated so that
logcheck won't complain.
Kubernetes-commit: e47b186e6ba3cbc9c732409ef9037e883ea80da1
No API changes are needed. In one case, a context is passed in via the
http.Request. In others there is simply no need to change the calls.
Kubernetes-commit: 4f241c04af7a86970aeab0a3e0198df807a04b86
The API for the package already had a context, so all that was missing was to
extract and use the logger from that.
Kubernetes-commit: 0690af4710a5b322163564d82b95b90417ae3644
For NewManager, the Config struct gets changed (not extended!) so that the
caller can provide a logger instead of just a logging function. Breaking the
API was chosen because it avoids having to maintain two different log calls in
various places (one for printf-style logging, one for structured logging).
RequestCertificateWithContext is an extension. It enables getting rid of
context.TODO calls.
NewFileStoreWithLogger also is an extension.
Kubernetes-commit: f9051901cee8d8ff4aed3db27ff495a706f1a487
The only log output is for error messages which should normally not occur. It's
also likely that users expect to see exactly those messages, so it's better to
not touch them.
Kubernetes-commit: 8701f481ff6e24257021f07afcec67df2aef27dc
The only log output is for error messages which should normally not occur. It's
also likely that users expect to see exactly those messages, so it's better to
not touch them.
Kubernetes-commit: 1ec1248a6555be7ca7a0827061cdd3ef162f6c45
When debugging, it helps to keep output from different connections
separate. This can be done with contextual logging and using different loggers
for each connection.
Cancellation is handled separately for requests. Therefore the new APIs only
add support for passing a logger instance.
Kubernetes-commit: dfdf07bb531aa8a397f3c74e5eec851130325971
The main purpose is to replace context.TODO with a context provided by the
caller. A secondary purpose is to enable contextual logging.
Modifying the existing interfaces and APIs would have a big impact on the
ecosystem. This is a no-go. Instead, the following approach was taken:
- All interfaces get duplicated in a *WithContext variant where the methods
also have a *WithContext suffix and the ctx parameter. All methods are
treated this way except for obvious local get methods (like RESTClient)
because it cannot be ruled out entirely that some implementation may
need a context.
- Implementations of these interfaces implement both method variants
which is possible because the method names are different.
The old methods are implemented as thin wrappers around the updated
code which is now the body of the new methods or shared helpers.
In some cases there is additional overhead (type checks, potentially
additional allocations) when using the old methods.
- To*WithContext helpers bridge from the old to the new interfaces. They
try a type cast first. Because the in-tree implementations implement
both, they can be used directly. For other implementations wrappers
are used.
- All old APIs and interfaces are marked as deprecated. There is no
intent to ever remove them, but consumers should be made aware
that there are now better alternatives. Implementations also
get marked this way even if nothing ever calls them directly
because it shows which code, at least theoretically, could get
removed.
- Existing unit tests do not get updated to the new APIs. This gives
us unit test coverage of the old and new API because the old
APIs call the new ones.
- In-tree consumers will be updated in follow-up PRs. This is likely
to be a longer process. Because of the deprecation comment,
`hack/golangci-lint.sh -n` can be used to find code which needs
to be updated.
Kubernetes-commit: 025b844bcabe0212c4dd56395ee18481602d7c65
I wasn't entirely sure whether this should return a value or a pointer to
satisfy the interface. Both work, so I benchmarked it elsewhere (REST
mapper). Mem allocs are the same (one alloc/call), but returning a value is 10%
slower when calling one method.
What I then benchmarked is whether pointer vs value receiver in the wrapper
makes a difference. Converting from value receiver (what I had before) to
pointer receiver reduced call overhead by 6%. That's because with a value
receiver, Go has to auto-generate a variant with pointer receiver and calls the
value receiver through that.
That can be seen in a debugger (call stack) and when setting breakpoints:
(dlv) b restMapperWrapper.KindForWithContext
Command failed: Location "restMapperWrapper.KindForWithContext" ambiguous: k8s.io/apimachinery/pkg/api/meta.restMapperWrapper.KindForWithContext, k8s.io/apimachinery/pkg/api/meta.(*restMapperWrapper).KindForWithContext…
Conventional wisdom is to define types with value receiver because those can be
called also on immutable instances, making them more flexible.
But for types which will only ever be used via a pointer, I think pointer
receiver is better for the reasons above (small performance difference, easier
to debug).
Kubernetes-commit: b21dcbcaa1ccf4995bf486afc37dc0321c5bdf0b
The revised logging emits one log entry at the start of
round-tripping ("Request") and another at the end ("Response"). This avoids the
risk that related output gets interleaved by other output.
No API changes are necessary. A contextual logger is picked up from the context
of the request that is being handled. The verbosity level of that logger is
checked to determine what is supposed to be logged. This enables reducing log
details on a by-request basis by storing a `logger.V(1)` in the context of the
request.
As before, logging only gets injected into request processing at -v6 or higher,
so normally there is no additional overhead.
Kubernetes-commit: a85f489b28d3b0ef82dffb267b6145c73c2d0e33
* `client-go`: transform `watchErrorStream` to wrap the underlying error
This PR transforms the `client-go`'s `watchErrorStream` to wrap the error instead of transforming it into a single string. This enables clients to use `errors.Is/As/Unwrap` with the errors that come out of `StreamWithContext`
Fixes https://github.com/kubernetes/kubernetes/issues/129763
* adjust unit tests
Kubernetes-commit: 067012f5844b7390e7279f575342ae0536f80520
Storing a context and making sure that it never gets canceled also has
overhead. We might as well just do the klog.FromContext when constructing
the Result and store the logger for later use.
Kubernetes-commit: b7386467c8df686e935c477eac26049a80de789b
The BackoffManager interface sleeps without considering the caller's context,
i.e. cancellation is not supported. This alone is reason enough to deprecate it
and to replace it with an interface that supports a context parameter.
The other reason is that contextual logging needs that parameter.
Kubernetes-commit: b15a1943d51adfb8c5e0185d58d25e038c3d6ade
The default handler now uses contextual logging. Instead of
warnings.go:106] warning 1
it now logs the caller of client-go and uses structured, contextual
logging
main.go:100] "Warning" message="warning 1"
Users of client-go have the choice whether the handler that they provide uses
the traditional API (no API break!) or contextual logging.
Kubernetes-commit: 48fb886325fce4b16e4067caadb7bcd3044d460f
The last dependency pulling in the tips of go-difflib and go-spew has
reverted to the last release of both projects, so k/k can revert to
the releases too. As can be seen from the contents of vendor, this
doesn't result in any actual change in the code.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 3986472b3c7202716f92e586ccfaa4b4fe573dc5
The test relied on a 100ms sleep to ensure that controller was done. If that
race was lost, one goroutine was intentionally prevented from completing by
locking a mutex permanently. A TODO was left about detecting that.
Adding goroutine leak checking in
https://github.com/kubernetes/kubernetes/pull/126387 revealed that this race
indeed sometimes is lost because the goroutine
leaked (https://github.com/kubernetes/kubernetes/issues/129400).
Waiting for controller shutdown instead of relying on timing should fix this.
Kubernetes-commit: 8e1403563a60f3b7a258e3bbb64b5c3a7f6548fb
The methods NewFakeClock were using a testing dependency as a parameter,
to avoid breaking compatibility and to remove this dependency, just use
the clock.Clock interface.
If we had to do it again, most probably we would have chosen another pattern and
for sure other names, but now it is too late.
Kubernetes-commit: 5c283cbb453acac9869b49020f6f999796360729
Only the v1 API should be in use. The v1beta1 API therefore doesn't get updated
and doesn't need the context.TODO anymore.
Kubernetes-commit: f1834f06f4f7de8c6a5a70138cf08f8ca804f5c2
The "// import <path>" comment has been superseded by Go modules.
We don't have to remove them, but doing so has some advantages:
- They are used inconsistently, which is confusing.
- We can then also remove the (currently broken) hack/update-vanity-imports.sh.
- Last but not least, it would be a first step towards avoiding the k8s.io domain.
This commit was generated with
sed -i -e 's;^package \(.*\) // import.*;package \1;' $(git grep -l '^package.*// import' | grep -v 'vendor/')
Everything was included, except for
package labels // import k8s.io/kubernetes/pkg/util/labels
because that package is marked as "read-only".
Kubernetes-commit: 8a908e0c0bd96a3455edf7e3b5f5af90564e65b0
Given the ongoing work on generifying client-go, it might make sense
for me to be a reviewer (at least to keep better track of changes
being made before they go in).
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 3d069b2a8a6a635434331f96b79e44bc7c98f29c
"Real" clients use objectWithMeta to enforce support for meta.Object;
strictly speaking, fakes don't need this, but it's best to align them
with the real clients to ensure that fakes don't end up allowing types
that can't be used with the real clients.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 736e5560ba6b21247c21f8ed12007e1d6d5fec1a
This adds a generic implementation of a fake clientset, and uses it to
replace the template code in generated fake clientsets for the default
methods. The templates are preserved as-is (or as close as they can
be) for use in extensions, whether for resources or subresources.
Fake clientsets with no extensions are reduced to their main getter,
their specific struct, and their constructor. All method
implementations are provided by the generic implementation. The
dedicated struct is preserved to allow extensions and expansions to be
defined where necessary.
Instead of handling the variants (with/without list, apply) with a
complex sequence of if statements, build up an index into an array
containing the various declarations.
Similarly, instead of calling different action constructors for
namespaced and non-namespaced clientsets, assume the current behaviour
of non-namespaced action creation (equivalent to creating a namespaced
action with an empty namespace) and document that assumption in the
action implementation.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: b0ce65df9b74d4dc72050840d5ad067596d7b822
KEP-4603: Maintain current 10 minute recovery threshold for container backoff regardless of changes to the maximum duration
Kubernetes-commit: ab30adcbae57fc498cb876979e232b422468af9a
With the ClientsAllowCBOR client-go feature gate enabled, a 415 response to a CBOR-encoded REST
causes all subsequent requests from the client to fall back to a JSON request encoding. This
mechanism had only worked as intended when CBOR was explicitly configured in the
ClientContentConfig. When both ClientsAllowCBOR and ClientsPreferCBOR are enabled, an
unconfigured (empty) content type defaults to CBOR instead of JSON. Both ways of configuring a
client to use the CBOR request encoding are now subject to the same fallback mechanism.
Kubernetes-commit: a77f4c7ba2e761461daaf115a38903fc91916dd6
Integration testing has to this point relied on patching serving codecs for built-in APIs. The
test-only patching is removed and replaced by feature gated checks at runtime.
Kubernetes-commit: 439d2f7b4028638b3d8d9261bb046c3ba8d9bfcb
The media type application/cbor describes exactly one encoded item. As a new (to Kubernetes) format
with no existing clients, streaming/watch responses will use the application/cbor-seq media
type. CBOR watch responses conform to the specification of CBOR Sequences and are encoded as the
concatenation of zero or more items with no additional framing.
Kubernetes-commit: 504f14998e920ca8837b3310094b3da11c62a070
This commit introduces:
1. Cleanups in port-forwarding error handling code, which ensures that
we only compare lowercased text always.
2. E2E verifying that when a pod is removed a port-forward is stopped.
Signed-off-by: Maciej Szulik <soltysh@gmail.com>
Kubernetes-commit: 0b1617ccefbc6ea61c0e7c2b0b4052703f11c51c
This enables a future extension where capacity of a single device gets consumed
by different claims. The semantic without any additional fields is the same as
before: a capacity cannot be split up and is only an attribute of a device.
Because it's semantically the same as before, two-way conversion to v1alpha3 is
possible.
Kubernetes-commit: 81fd64256c9cfca47385997e06a694bf98bfb799
For alpha, there is one apiserver feature gate and two client-go feature gates controlling
CBOR. They were initially wired to separate test-only feature gate instances in order to prevent
them from being configurable at runtime via command-line flags or environment variables (for
client-go feature gates outside of Kubernetes components). All of the integration tests required by
the KEP as alpha criteria have been implemented. This adds the feature gates to the usual feature
gate instances and removes the temporary code to support separate test-only feature gate instances.
Kubernetes-commit: 072dfcb416fd4e1ddab0a89ac4faf519e268bc96
chore(leader-election): modify leader-election comment to OnStoppedLeading callback is always called when the LeaderElector exits, even if it did not start leading.
Kubernetes-commit: 1a7326902fa07b85e07de458dd2d4d4d99057d87
Using the "normal" logic for a feature gated field simplifies the
implementation of the feature gate.
There is one (entirely theoretic!) problem with updating from 1.31: if a claim
was allocated in 1.31 with admin access, the status field was not set because
it didn't exist yet. If a driver now follows the current definition of "unset =
off", then it will not grant admin access even though it should. This is
theoretic because drivers are starting to support admin access with 1.32, so
there shouldn't be any claim where this problem could occur.
Kubernetes-commit: 4419568259590c35f1dab69aabec3d740944a51d
If a client is configured to encode request bodies to CBOR, but the server does not support CBOR,
the server will respond with HTTP 415 (Unsupported Media Type). By feeding this response back to the
RESTClient, subsequent requests can fall back to JSON, which is assumed to be acceptable.
Kubernetes-commit: 1745dfdd154b1a838765e70b81c861c644bfcffe
Drivers need to know that because admin access may also grant additional
permissions. The allocator needs to ignore such results when determining which
devices are considered as allocated.
In both cases it is conceptually cleaner to not rely on the content of the
ClaimSpec.
Kubernetes-commit: f3fef01e79a75ebc4c327afb7d05d6fd350e08fa
As with the apiserver feature gate for CBOR as a serving and storage encoding, the client feature
gates for CBOR are being initially added through a test-only feature gate instance that is not wired
to environment variables or to command-line flags and is intended only to be enabled
programmatically from integration tests. The test-only instance will be removed as part of alpha
graduation and replaced by conventional client feature gating.
Kubernetes-commit: ea13190d8bd3a4bb3e82055b529aa7599ae5c6e1
This removes the DRAControlPlaneController feature gate, the fields controlled
by it (claim.spec.controller, claim.status.deallocationRequested,
claim.status.allocation.controller, class.spec.suitableNodes), the
PodSchedulingContext type, and all code related to the feature.
The feature gets removed because there is no path towards beta and GA and DRA
with "structured parameters" should be able to replace it.
Kubernetes-commit: f84eb5ecf894fa0fc4e0d05da52ef51d4cd723d9
The context is used for cancellation and to support contextual logging.
In most cases, alternative *WithContext APIs get added, except for
NewIntegerResourceVersionMutationCache where code searches indicate that the
API is not used downstream.
An API break around SharedInformer couldn't be avoided because the
alternative (keeping the interface unchanged and adding a second one with
the new method) would have been worse. controller-runtime needs to be updated
because it implements that interface in a test package. Downstream consumers of
controller-runtime will work unless they use that test package.
Converting Kubernetes to use the other new alternatives will follow. In the
meantime, usage of the new alternatives cannot be enforced via logcheck
yet (see https://github.com/kubernetes/kubernetes/issues/126379 for the
process).
Passing context through and checking it for cancellation is tricky for event
handlers. A better approach is to map the context cancellation to the normal
removal of an event handler via a helper goroutine. Thanks to the new
HandleErrorWithLogr and HandleCrashWithLogr, remembering the logger is
sufficient for handling problems at runtime.
Kubernetes-commit: 4638ba971661497b147906b8977ae206c9dd6e44
Several tests leaked goroutines. All of those get fixed where possible
without API changes. Goleak is used to prevent regressions.
One new test specifically covers shutdown of an informer and its event
handlers.
Kubernetes-commit: 0ba43734b4c8998b4aaeb1fa2bec8dee609fa50a
With this change, we can typically avoid an extra heap allocation when
calling AddAfter with a positive duration (which causes the creation of
a waitFor object). This is because workqueues are typically used with
string keys, and casting a string (or more generally, non-pointer types)
to an `interface{}` will cause a heap escape / allocation.
After this change, there is no longer any usage of `type t interface{}`,
which was creating some confusion after the switch to generics in the
workqueue package.
Co-authored-by: Quan Tian <quan.tian@broadcom.com>
Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
Kubernetes-commit: 53ddffb55709857fec6bddbd5ca4ca1b03f7da97
I frequently find myself in the situation of not remembering which of
QPS/Burst I have to set. This change adds a small go doc to clarify
that.
Kubernetes-commit: cd1645ff2c195fbb353cfabcbc36e3c3b883c3c5
The workqueue implementation was recently updated to be strongly typed,
using Go generics. However the metrics implementation was not updated,
and continued using interface{}. This translated to unnecessary memory
allocations when invoking the queueMetrics interface methods to track
queue operation. We can avoid these extra heap allocations by using
generics for the metrics implementation as well.
Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
Kubernetes-commit: 1aec7568e111f5855121e3afacacf431e5f95948
The azure and gcp plugins no longer do anything other than point to
the corresponding external credential plugins. Client code should no
longer try to load them, so they should be removed from the examples.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 4531c6de760ec42941d9f509103f1b29c88bfae0
It was added for compatibility reasons but ended up getting a `config`
argument by accident, resulting in not actually being compatible, this
change fixes that.
Kubernetes-commit: 6933c1bc229c196e9c71061e19a0cdc76adb1dbc
The goal is to increase confidence that a change to the dynamic client does not unintentionally
introduce subtle changes to objects returned by dynamic clients in existing programs.
Kubernetes-commit: c8b1037a58ab6ddc3a8b237938eca2f6336abb73
Logging in rest.Request.Body cannot be made context-aware without an API
change. Such a change is complicated if done in a backwards-compatible
fashion (must change lots of callers in Kubernetes) and prohibitive if not (all
callers of Body would have to pass a context).
Instead, logging of the request body gets moved into the functions which send
the request. This is a change of behavior, but it is limited to log levels >= 8
and thus should have no impact in production.
A request which gets sent multiple times will also log the body multiple
times. This might even be a good thing because it serves as reminder what is
being sent when it is being sent.
While at it, stack backtracing gets enhanced so that the caller of the REST API
is logged and tests for the new behavior get added.
Kubernetes-commit: 57f9b7c7a2412865e7817dbf7638881b00ac9721
I am moving myself to emeritus as I am now firmly on the end-user side
of things.
Signed-off-by: Andy Goldstein <andy.goldstein@gmail.com>
Kubernetes-commit: 3ab816dcabf37acda33c665ab5aa85f1f6163bc1
These are long gone, removed in 2016:
* AuthPath removal: https://github.com/kubernetes/kubernetes/pull/29216
* Flag removal: https://github.com/kubernetes/kubernetes/pull/40048
This removes the remnants from clientcmd, mostly in the comments
describing how the configuration is loaded.
Since getServerIdentificationPartialConfig can no longer fail (it
copies fields from one struct to another), this drops the error
return, along with the error handling in the caller.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 8a8238ba7f850241de9c5cc4b22fa1a6b6a19480
This change renames NewTypedDelayingQueue to NewTypedDelayingQueue to
stay consistent with the naming scheme in the package. A
NewTypedDelayingQueue constructor is kept for backwards compatibility
but marked as deprecated.
Kubernetes-commit: 45da5dc30ecf0ba4c4b44befd96b8617278c496b
This commit refactors the `renew` function in the leader election package to replace
the deprecated `wait.PollImmediateUntil` with `wait.PollUntilContextTimeout`.
This change simplifies the context handling by removing the need for an additional
timeout context and its cancellation.
The previous implementation created a timeout context for each retry period,
which added unnecessary complexity. The new implementation directly passes the parent
context to the retry function, ensuring that the timeout is handled within `PollUntilContextTimeout`.
This change also ensures that the context passed to `tryAcquireOrRenew` and
`tryCoordinatedRenew` is consistent, improving the readability and maintainability of the code.
Kubernetes-commit: 3d2f498aa31cb2e90bcfc372b7930aed0604fbef
I was working on updating a dependency, and noticed that running
hack/update-vendor.sh resulted in a diff. Committing the result
as a PR.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Kubernetes-commit: aeb607443dd9b8ee378ee10209e9b446256f3ee2
The Error method of the error returned from Request.Watch was "unknown"
even when the server returned a clear message in the Status struct. It was
because Request.Watch used the Result's err member directly, which is an
unstructured error from the response which the Result object may use if
the caller did not return a structured error.
The patch fixes it by calling the Result's Error method instead, which
returns the structured error when it's present.
It also removes the wrong expectation about events.
Kubernetes-commit: 596c5696c64023808af164284263647d795b0ac2
This makes the Stop method idempotent so that if Stop is called multiple
times, it does not cause a panic due to closing a closed channel.
Signed-off-by: mprahl <mprahl@users.noreply.github.com>
Kubernetes-commit: a54ba917be42c941edf1a0359dced04e1a5e1d6f
When the client does not have permission to watch a resource, the
RetryWatcher continuously retried. In this case, it's better to send an
error and stop retrying to let the caller handle this case since this is
not a transient error that can be recovered without user intervention.
This is particularly helpful in applications that leverage a user
provided service account and the application needs to notify the user to
set the correct permissions for the service account.
This also accounts for invalid credentials from the watch client.
Signed-off-by: mprahl <mprahl@users.noreply.github.com>
Kubernetes-commit: db2218d16e3fb2a30b21ffa0f307beb515d8394b
This is a complete revamp of the original API. Some of the key
differences:
- refocused on structured parameters and allocating devices
- support for constraints across devices
- support for allocating "all" or a fixed amount
of similar devices in a single request
- no class for ResourceClaims, instead individual
device requests are associated with a mandatory
DeviceClass
For the sake of simplicity, optional basic types (ints, strings) where the null
value is the default are represented as values in the API types. This makes Go
code simpler because it doesn't have to check for nil (consumers) and values
can be set directly (producers). The effect is that in protobuf, these fields
always get encoded because `opt` only has an effect for pointers.
The roundtrip test data for v1.29.0 and v1.30.0 changes because of the new
"request" field. This is considered acceptable because the entire `claims`
field in the pod spec is still alpha.
The implementation is complete enough to bring up the apiserver.
Adapting other components follows.
Kubernetes-commit: 91d7882e867da25ae8014f679db32b20e35e89b4
Now all claims are shareable up to the limit imposed by the size of the
"reservedFor" array.
This is one of the agreed simplifications for 1.31.
Kubernetes-commit: 8a629b9f150c1042e2918043e6012a4f22742b19
As agreed in https://github.com/kubernetes/enhancements/pull/4709, immediate
allocation is one of those features which can be removed because it makes no
sense for structured parameters and the justification for classic DRA is weak.
Kubernetes-commit: de5742ae83c8d77268a7caf5f3b1f418c4a13a84
This is in preparation for revamping the resource.k8s.io completely. Because
there will be no support for transitioning from v1alpha2 to v1alpha3, the
roundtrip test data for that API in 1.29 and 1.30 gets removed.
Repeating the version in the import name of the API packages is not really
required. It was done for a while to support simpler grepping for usage of
alpha APIs, but there are better ways for that now. So during this transition,
"resourceapi" gets used instead of "resourcev1alpha3" and the version gets
dropped from informer and lister imports. The advantage is that the next bump
to v1beta1 will affect fewer source code lines.
Only source code where the version really matters (like API registration)
retains the versioned import.
Kubernetes-commit: b51d68bb87ba4fa47eb760f8a5e0baf9cf7f5b53
This allows different actors to force ownership of it without having to
explicitly unset the other field.
Kubernetes-commit: 7313990f61881c676c1f5d68365144a1d77cced3
Adding the required Kubernetes API so that the kubelet can start using
it. This patch also adds the corresponding alpha feature gate as
outlined in KEP 4639.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Kubernetes-commit: f7ca3131e0922563a561134b4ed9eed8d2bdd2c4
KEP-3619: don't capitalize comment in K8S API
KEP-3619: fix typos and grammatical ones in K8s API
KEP-3619: rephrase NodeFeatures, NodeHandlerFeatures in K8s API
Kubernetes-commit: 5d75660dc11ff443ebab2551aed8e56a54cc218d
This update dropped the otelgrpc → cloud.google.com/go/compute dependency,
among others. This dropped out because genproto cleaned up its dependencies
on google cloud libraries, and otel updated - details in #113366.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Co-Authored-By: David Ashpole <dashpole@google.com>
Kubernetes-commit: ff7942be83ed0c0aaa8c258e8e2b9965d383935c
This makes the API nicer:
    resourceClaims:
    - name: with-template
      resourceClaimTemplateName: test-inline-claim-template
    - name: with-claim
      resourceClaimName: test-shared-claim
Previously, this was:
    resourceClaims:
    - name: with-template
      source:
        resourceClaimTemplateName: test-inline-claim-template
    - name: with-claim
      source:
        resourceClaimName: test-shared-claim
A more long-term benefit is that other, future alternatives
might not make sense under the "source" umbrella.
This is a breaking change. It's justified because DRA is still
alpha and will have several other API breaks in 1.31.
Kubernetes-commit: bde9b64cdfbbbb185593c20fea84cdced631ffd6
This adds a generic implementation of a clientset, and uses it to
replace the template code in generated clientsets for the default
methods. The templates are preserved as-is (or as close as they can
be) for use in extensions, whether for resources or subresources.
Clientsets with no extensions are reduced to their main getter, their
interface, their specific struct, and their constructor. All method
implementations are provided by the generic implementation. The
dedicated interface is preserved so that each clientset can have its
own set of methods, and the dedicated struct is preserved to allow
extensions and expansions to be defined where necessary.
Instead of handling the variants (with/without namespace, list, apply)
with a complex sequence of if statements, build up an index into an
array containing the various declarations.
The namespaced/non-namespaced distinction matters in the code
templates, but not in the methods themselves, so drop all the
non-namespaced variants and pass in "" explicitly.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 3734f5bf9b6ce1e9cf2385f4e4453b32d8f35ab1
- Extract watchWithResync to simplify ListAndWatch
- Wrap watchHandler with two variants, one for WatchList and one for
just Watch.
- Replace a bool pointer arg with a bool arg and bool return, to
improve readability.
- Use errors.Is to satisfy the linter
- Use %w to wrap the store.Replace error, to allow unwrapping.
Kubernetes-commit: 65fc1bb463c85a4c85e619bf7acac9503e23a253
The watch.Interface design is hard to change, because it would break
most client-go users that perform watches. So instead of changing the
interface to be more user friendly, this change updates the method
comments to explain the different responsibilities of the consumer
(client user) and the producer (interface implementer).
Kubernetes-commit: 1f35231a1d4f7b8586a7ec589c799729eeb4f7c4
This library release makes a number of behaviors configurable in ways that are required for CBOR
support in Kubernetes.
Kubernetes-commit: c4279660cad039bc15495311cf7863640b6308f9
client-go/consistencydetector: refactor TestCheckListFromCacheDataConsistencyIfRequestedInternalHappyPath to work with unstructured data
Kubernetes-commit: 51f89c3b2d114fea99d3a0e8401c639f39e27877
client-go/consistencydetector: refactor TestDataConsistencyChecker to work with unstructured data
Kubernetes-commit: 96815d6dc8de717579484ffef88f74063dfd40ca
- Switch to using the ProxyWatcher to validate the dance between
closing the stop channel and closing the result channel.
- Use the new clientfeaturestesting.SetFeatureDuringTest to test with
the WatchListClient enabled and disabled. These should result in
almost the exact same output events from the informer
(list ordering not guaranteed), but with different input events
received from the apiserver.
Kubernetes-commit: 28e3a728e5e6fe651d7a17839d33ce42204c0b4e
- Add tests to confirm that Stop is always called.
- Add TODOs to show where Stop is not currently being called
(to fix in a future PR)
Kubernetes-commit: ab5aa4762fd5206d0dbd8412d7c6f3b76533a122
* Add `Linux{Sandbox,Container}SecurityContext.SupplementalGroupsPolicy` and `ContainerStatus.user` in cri-api
* Add `PodSecurityContext.SupplementalGroupsPolicy`, `ContainerStatus.User` and its featuregate
* Implement DropDisabledPodFields for PodSecurityContext.SupplementalGroupsPolicy and ContainerStatus.User fields
* Implement kubelet so to wire between SecurityContext.SupplementalGroupsPolicy/ContainerStatus.User and cri-api in kubelet
* Clarify `SupplementalGroupsPolicy` is an OS dependent field.
* Make `ContainerStatus.User` is initially attached user identity to the first process in the ContainerStatus
It is because, the process identity can be dynamic if the initially attached identity
has enough privilege calling setuid/setgid/setgroups syscalls in Linux.
* Rewording suggestion applied
* Add TODO comment for updating SupplementalGroupsPolicy default value in v1.34
* Added validations for SupplementalGroupsPolicy and ContainerUser
* No need featuregate check in validation when adding new field with no default value
* fix typo: identitiy -> identity
Kubernetes-commit: 552fd7e85084b4cbd3ae8e81ff13433e28dc8327
The previous attempt to fix this in
6aa779f4ed (diff-efa2cd1347df22ace5a516ea794152d00ef2a079db135c81787ed920ecb73658)
didn't address the root cause (or perhaps created it, not sure): the goroutine
must not be started if watch creation failed.
Instead, the error gets logged (as before) and an empty watch gets returned to
the caller (new). This is necessary because the function doesn't have an error
return value and changing that now would be disruptive. The empty watch is
valid and usable, so callers won't crash when they call Stop.
This showed up recently in failed unit tests, probably because test
cancellation makes this error more likely:
"Unable start event watcher (will not retry!)" err="broadcaster already
stopped" logger="TestGarbageCollectorConstruction leaked goroutine"
The logger value and a preceding warning show that this occurs after test
completion.
Kubernetes-commit: 080432c46a7a49c3abf86d7fc5f2a5d7abc92239
client-go/util/consistencydetector: improve validation of list parameters (RV, ListOptions)
Kubernetes-commit: bc8ec4f9aaaeee7de285c0207bd8eb793ecf3307
client-go/consistency-detector: change the signature of checkWatchListConsistencyIfRequested
Kubernetes-commit: f5d62f738a686ddc6221a85374113af80790129e
Ginkgo v2.18.0 allows tweaking the output so that
it's easier to follow while a job runs in
Prow (https://github.com/onsi/ginkgo/issues/1347). Using this in
hack/ginkgo-e2e.sh will follow in a separate commit.
Gomega gets bumped to the latest release to keep it up-to-date.
Ginkgo v1.19.0 adds support for --label-filter with labels that represent
sets (like our Feature:<Foo>).
Kubernetes-commit: 37e2dd6857084a172ef5210caee1fefa8dd8159a
Implementing custom marshaling on several API types for CBOR makes the upstream CBOR library an
indirect dependency of several staging modules.
Kubernetes-commit: d7cccf3e792ad08d9ab2e7aac394f8e6ddcf3466
Constructing a Broadcaster already starts a watch which runs in the
background. Shutdown must be called to avoid leaking the goroutine. Providing
a context was supposed to remove the need to call Shutdown, but that did not
actually work because the logic for "must check for cancellation" was
accidentally inverted.
While at it, structured log output also gets tested together with checking for
goroutine leaks.
Kubernetes-commit: ff779f1cb56cf896405e52f7923188b99b88bb00
the signature of the method was tightly connected to the reflector,
making it difficult to use for anything other than a reflector.
this simple refactor makes the method more generic.
Kubernetes-commit: 83c7542abc8c542c01ecb67376f134b2071c5304
This change makes us use the generic workqueue throughout the project in
order to improve type safety and readability of the code.
Kubernetes-commit: 6d0ac8c561a7ac66c21e4ee7bd1976c2ecedbf32
Hang when canceling leader election information.
Occasionally, two leaders may run simultaneously.
Kubernetes-commit: b6b46a0e00682517d2ca7b7e9c2706b8e407e52e
In particular, document that ListAllByNamespace delegates to ListAll
if no namespace is specified.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 54e899317ef46e3b70827cacee244717022db0ad
This change adds a generic version of the various workqueue types while
retaining compatibility for the existing exported symbols and constructors.
The generic variants are prefixed with `Typed` and the existing ones are
marked as deprecated to nudge people to transition without breaking
them.
Kubernetes-commit: 0c7370bb851c15825d30a516722139ccccca0cfc
When renaming NodeResourceSlice to ResourceSlice, the embedded
[Node]ResourceModel also should have been renamed.
Kubernetes-commit: a0add8d2c7578cd9f94fc302d6212f9f7d16175b
The runtime classes are apiserver's concept, while the handlers are kubelet's concept.
For NodeStatus, it makes more sense to return the latter ones here.
This commit modifies the following files:
- pkg/apis/core/types.go
- staging/src/k8s.io/api/core/v1/types.go
- pkg/kubelet/nodestatus/setters.go
- pkg/kubelet/kubelet_node_status.go
- pkg/registry/core/node/strategy.go
- test/e2e_node/mount_rro_linux_test.go
Other changes were auto-generated by running `make update`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Kubernetes-commit: 1dc05009fe7f4e1d139b0c8394683edb54f8d082
This commit modifies the following files:
- pkg/apis/core/types.go
- staging/src/k8s.io/api/core/v1/types.go
Other changes were auto-generated by running `make update`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Kubernetes-commit: d940886d0a4ee9aa8a7ca075fee175b002baf883
The default queue implementation is mostly FIFO and it is not
exchangeable unless we implement the whole `workqueue.Interface` which
is less desirable as we have to duplicate a lot of code. There was one
attempt done in [kubernetes/kubernetes#109349][1] which tried to
implement a priority queue. That is really useful and [knative/pkg][2]
implemented something called two-lane-queue. While two lane queue is
great, it isn't perfect since a full slow queue can still slow down
items in fast queue.
This change proposes a swappable queue implementation while not adding
extra maintenance effort in kubernetes community. We are happy to
maintain our own queue implementation (similar to two-lane-queue) in
downstream.
[1]: https://github.com/kubernetes/kubernetes/pull/109349
[2]: https://github.com/knative/pkg/blob/main/controller/two_lane_queue.go
Kubernetes-commit: 87b4279e07349b3c68f16f69a349a02bddd12f25
The canonical import for json-patch v4 is
gopkg.in/evanphx/json-patch.v4 (see
https://github.com/evanphx/json-patch/blob/master/README.md#get-it for
reference).
Using the v4-specific path should also reduce the risk of unwanted v5
upgrade attempts, because they won't be offered as automated upgrades
by dependency upgrade management tools, and they won't happen through
indirect dependencies (see
https://github.com/kubernetes/kubernetes/pull/120327 for context).
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 5300466a5c8988b479a151ceb77f49dd00065c83
This adds a generic implementation of a lister, and uses it to replace
the template code in generated listers. The corresponding templates
are no longer used and are removed.
Listers are reduced to their interfaces (non-namespaced and namespaced
if appropriate), their specific structs, and their constructors. All
method implementations are provided by the generic implementation. The
dedicated interface is preserved so that each lister can have its own
set of methods (e.g. the method returning the namespaced lister if
appropriate), and the dedicated struct is preserved to allow
expansions to be defined where necessary.
The external interface is unchanged and doesn't expose generics.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 2e9adcd14aae27394238291fa08fb603bf2f3e77
While currently those objects only get published by the kubelet for node-local
resources, this could change once we also support network-attached
resources. Dropping the "Node" prefix enables such a future extension.
The NodeName in ResourceSlice and StructuredResourceHandle then becomes
optional. The kubelet still needs to provide one and it must match its own node
name, otherwise it doesn't have permission to access ResourceSlice objects.
Kubernetes-commit: 0b6a0d686a060b5d5ff92cea931aacd4eba85adb
This adds support for semantic version comparison to the CEL support in the
"named resources" structured parameter model. For example, it can be used to
check that an instance supports a certain API level.
To minimize the risk, the new "semver" type is only defined in the CEL
environment for DRA expressions, not in the base library. See
https://github.com/kubernetes/kubernetes/pull/123664 for a PR which
adds it to the base library.
Validation of semver strings is done with the regular expression from
semver.org. The actual evaluation at runtime then uses semver/v4.
Kubernetes-commit: 42ee56f093133402ed860d4c5f54b049041386c9
Like the current device plugin interface, a DRA driver using this model
announces a list of resource instances. In contrast to device plugins, this
list is made available to the scheduler together with attributes that can be
used to select suitable instances when they are not all alike.
Because this is the first structured parameter model, some checks that
previously were not possible, in particular "is one structured parameter field
set", now get enabled. Adding another structured parameter model will be
similar.
The applyconfigs code generator assumes that all types in an API are defined in
a single package. If it wasn't for that, it would be possible to place the
"named resources" types in separate packages, which makes their names in the Go
code more natural and provides an indication of their stability level because
the package name could include a version.
Kubernetes-commit: d4d5ade7f5be047472f8d9572c7f01f142951a2d
* support for the managed-by label in Job
* Use managedBy field instead of managed-by label
* Additional review remarks
* Review remarks 2
* review remarks 3
* Skip cleanup of finalizers for job with custom managedBy
* Drop the performance optimization
* improve logs
Kubernetes-commit: e568a77a931a1cf4239a4a5fa43e2b05bad3abdf
NodeResourceSlice will be used by kubelet to publish resource information on
behalf of DRA drivers on the node. NodeName and DriverName in
NodeResourceSlice must be immutable. This simplifies tracking the different
objects because what they are for cannot change after creation.
The new field in ResourceClass tells scheduler and autoscaler that they are
expected to handle allocation.
ResourceClaimParameters and ResourceClassParameters are new types for telling
in-tree components how to handle claims.
Kubernetes-commit: 39bbcedbcae84bf716923b3f9464968ca70b42e7
Because of how the previous 100+ commits were done, some changes snuck
thru that properly belong in earlier commits but it's not really
possible to do that without a lot of effort.
We agreed it was OK to "spackle" these cracks with a final commit.
Kubernetes-commit: 21715e6bbd19c932576ff268843d8ead3edb05e4
If, for whatever reason, the context was context.Background(), the additional
goroutine was started and then got stuck forever because
context.Background().Done() is a nil channel. Found when indirectly
instantiating a broadcaster with such a context:
    found unexpected goroutines:
    [Goroutine 9106 in state chan receive (nil chan), with k8s.io/kubernetes/vendor/k8s.io/client-go/tools/record.NewBroadcaster.func1 on top of the stack:
    goroutine 9106 [chan receive (nil chan)]:
    k8s.io/kubernetes/vendor/k8s.io/client-go/tools/record.NewBroadcaster.func1()
        /home/prow/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/k8s.io/client-go/tools/record/event.go:206 +0x2c
    created by k8s.io/kubernetes/vendor/k8s.io/client-go/tools/record.NewBroadcaster in goroutine 8957
        /home/prow/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/k8s.io/client-go/tools/record/event.go:205 +0x1a5
This can be fixed by checking for a nil channel.
Another problem also gets addressed: if Shutdown was called without canceling
the context, the goroutine also didn't stop. Now it waits for the cancelation
context and thus terminates in both cases.
Kubernetes-commit: eed6e29a5b8cfaa20fbc426541d9c74105d430ee
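The two failure modes described in the commit message above, reduced to a standard-library sketch. This is an added example, not client-go's code; `watcher`, `startLeaky`, `startFixed` and the helper functions are hypothetical names.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// watcher is a hypothetical stand-in for a component that owns one
// background goroutine, the way an event broadcaster does.
type watcher struct {
	cancel  context.CancelFunc
	stopped chan struct{} // closed when the background goroutine exits
}

// Shutdown asks the background goroutine to exit. Calling it twice is safe.
func (w *watcher) Shutdown() { w.cancel() }

// startLeaky waits on the caller's context directly. For
// context.Background() the Done channel is nil, a receive on a nil channel
// never returns, and Shutdown has nothing it can signal.
func startLeaky(parent context.Context) *watcher {
	w := &watcher{cancel: func() {}, stopped: make(chan struct{})}
	go func() {
		defer close(w.stopped)
		<-parent.Done() // nil channel with context.Background(): blocks forever
	}()
	return w
}

// startFixed derives its own cancelable context from the parent. The derived
// Done channel is never nil, and it closes when either the parent is
// canceled or Shutdown calls cancel.
func startFixed(parent context.Context) *watcher {
	ctx, cancel := context.WithCancel(parent)
	w := &watcher{cancel: cancel, stopped: make(chan struct{})}
	go func() {
		defer close(w.stopped)
		<-ctx.Done()
	}()
	return w
}

// exitedWithin reports whether the watcher's goroutine terminated within d.
func exitedWithin(w *watcher, d time.Duration) bool {
	select {
	case <-w.stopped:
		return true
	case <-time.After(d):
		return false
	}
}

// backgroundDoneIsNil confirms the property the leak depends on.
func backgroundDoneIsNil() bool { return context.Background().Done() == nil }

// leakyStopsOnShutdown: the goroutine is still blocked after Shutdown.
func leakyStopsOnShutdown() bool {
	w := startLeaky(context.Background())
	w.Shutdown()
	return exitedWithin(w, 100*time.Millisecond)
}

// fixedStopsOnShutdown: Shutdown alone is enough, no parent cancellation.
func fixedStopsOnShutdown() bool {
	w := startFixed(context.Background())
	w.Shutdown()
	return exitedWithin(w, time.Second)
}

// fixedStopsOnParentCancel: canceling the parent is enough, no Shutdown call.
func fixedStopsOnParentCancel() bool {
	parent, cancel := context.WithCancel(context.Background())
	defer cancel()
	w := startFixed(parent)
	cancel()
	return exitedWithin(w, time.Second)
}

func main() {
	fmt.Println("Background().Done() is nil:", backgroundDoneIsNil())
	fmt.Println("leaky exits after Shutdown:", leakyStopsOnShutdown())
	fmt.Println("fixed exits after Shutdown:", fixedStopsOnShutdown())
	fmt.Println("fixed exits after parent cancel:", fixedStopsOnParentCancel())
}
```

A leak checker such as goleak reports the `startLeaky` goroutine in the `chan receive (nil chan)` state shown in the trace above.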
until #115478(use streaming against the etcd storage)
is resolved the cacher needs a way to disable the streaming.
Kubernetes-commit: 41e706600aea7468f486150d951d3b8948ce89d5
The main reason for updating is support for reporting the cause of context
cancellation: Ginkgo provides that information when canceling a context and
Gomega polling code includes that when generating a failure message.
Kubernetes-commit: 18f0af1f000f95749ca1ea075d62ca89e86bb7da
ReplaceFeatureGates logs a warning when the default env var
implementation has been already used.
Such a situation indicates a potential ordering issue and usually is unwanted.
Kubernetes-commit: 04bbd3481f70825eea54b4b154a04d2496dcf652
This PR adds a feature gates mechanism to client-go
as described in https://docs.google.com/document/d/1g9BGCRw-7ucUxO6OtCWbb3lfzUGA_uU9178wLdXAIfs
In particular:
- Adds a default feature gate implementation based on environment variables.
- Adds a set of methods for reading, overwriting the default implementation, and adding features to an external registry.
Co-authored-by: deads2k <deads@redhat.com>
Co-authored-by: Ben Luddy <bluddy@redhat.com>
Kubernetes-commit: d74c57d4f592d20a992afb54b1ee64f56215210e
Bumping tools to include the fix for a nil pointer
deref error in go/types. See golang/go#64812
for more details.
This fix is needed for when we bump to go1.22.
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
Kubernetes-commit: a8da4202c0ac785d57b545e6e310fd754888b50e
27a68aee3a4834 introduced context support. In order to use that
also with NewEventBroadcasterAdapter, a variant of the call is needed to allow
the caller to specify the context.
The `logcheck:context` comment ensures that code which is meant to be
contextual uses the new call.
Kubernetes-commit: f8e25eff926c640c86daa46222bfaf8d625e75d7
This commit defines the ClusterTrustBundlePEM projected volume types.
These types have been renamed from the KEP (PEMTrustAnchors) in order to
leave open the possibility of a similar projection drawing from a
yet-to-exist namespaced-scoped TrustBundle object, which came up during
KEP discussion.
* Add the projection field to internal and v1 APIs.
* Add validation to ensure that usages of the project must specify a
name and path.
* Add TODO covering admission control to forbid mirror pods from using
the projection.
Part of KEP-3257.
Kubernetes-commit: ecfdc8fda55923c18708488ec1561a4fcf9f3e33
Dropping a newline at the end of the message when using klog calls is an
intentional improvement (https://github.com/kubernetes/klog/pull/378)
Kubernetes-commit: 878d037d3ba8fc4f11bf45a6cf5a66301ba89d82
KEP-2593 proposed to expand the existing node-ipam controller
to be configurable via a ClusterCIDR objects, however, there
were reasonable doubts on the SIG about the feature and after
several months of discussions we decided to not move forward
with the KEP intree, hence, we are going to remove the existing
code, that is still in alpha.
https://groups.google.com/g/kubernetes-sig-network/c/nts1xEZ--gQ/m/2aTOUNFFAAAJ
Change-Id: Ieaf2007b0b23c296cde333247bfb672441fe6dfc
Kubernetes-commit: c2d473f0d438cedab2f1831d23457d24961e0f4e
* Add warning handler callback function in shortcut expander
Currently, errors in client-go are propagated back to the callers via
function returns. However, there is no elegant way for just warning users.
For example, when user wants to get a resource with its short name format
and if there are multiple resources belonging to this short name, we need to
warn user about this ambiguity which one is picked and which ones are discarded.
Not only to overcome this particular case mentioned above, but also propose a
way for the possible warnings in the future, this commit adds a warningHandler
callback function in shortcutExpander.
* Add warningPrinter functionality in ConfigFlags
ConfigFlags has neither warning user in a standardized
format functionality nor passing warning callback functions to other upper level
libraries such as client-go.
This commit adds an ability that user can set warningPrinters
according to their IOStreams and this warningPrinters will be used
to raise possible warnings happening not only in cli-runtime but
also in client-go.
* Pass warning callback function in ConfigFlags to shortcutExpander
This commit passes warning callback function to print possible
warnings happened in shortcut expander to warn user in a
standardized format.
* Add integration test for CRDs having ambiguous short names
This commit adds integration test to assure that warning message
related to this ambiguity is printed when resources are being retrieved via their short name
representations in cases where multiple resources have same
short names.
This integration test also ensures that the logic behind which resource
will be selected hasn't been changed which may cause discrepancies in
clusters.
* Remove defaultConfigFlag global variable
* Move default config flags initialization into function
* Skip warning for versions of same group/resource
* Run update-vendor
* Warn only once when there are multiple versions registered for ambiguous resource
* Apply gocritic review
* Add multi-resource multi-version ambiguity unit test
Kubernetes-commit: a504aed54d028dbc8ea2508142c94d309f5f1ec6
checkWatchListConsistencyIfRequested performs a data consistency check only when
the KUBE_WATCHLIST_INCONSISTENCY_DETECTOR environment variable was set during a binary startup.
The consistency check is meant to be enforced only in the CI, not in production.
The check ensures that data retrieved by the watch-list api call
is exactly the same as data received by the standard list api call.
Note that this function will panic when data inconsistency is detected.
This is intentional because we want to catch it in the CI.
Kubernetes-commit: b31e7793d0d873a71c90caf8455556aa905cf88d
Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
Kubernetes-commit: fc7c951d5a5b8b75dfa105e3bea7bbddaf4c792e
Besides simply staying up-to-date, ginkgo v2.13.0 adds a `PreviewSpecs` which
will be used for introspection of the E2E test suites.
Kubernetes-commit: 79355caa565cc34e8726c427562c9f109ebe0e34
originally we honored only apierrors.IsInvalid
but decided to fallback on every error
because it is better to make progress than deadlocking
Kubernetes-commit: 4b3915017950a114124a88c5d308bd8bfb9ec48e
Because the EventBroadcaster code now has a context, changing the EventSink
interface so that the methods accept a context instead of using context.TODO
becomes possible.
Kubernetes-commit: 5dc540ff57eed5d0e6bc8476f95fe03b7a983cf5
Using StartRecordingToSinkWithContext instead of StartRecordingToSink and
StartLogging instead of StartStructuredLogging has several advantages:
- Spawned goroutines no longer get stuck for extended periods of
time during shutdown when passing in a context that gets canceled.
- Log output can be directed towards a specific logger instead of the global
default, for example one which writes to a testing.T instance.
- The new methods return an error when something went wrong instead of
merely recording the error.
That last point is the reason for deprecating the old methods instead of merely
adding new alternatives.
Setting a context when constructing an EventBroadcaster makes calling Shutdown
optional. It can also be used to specify the logger.
Both EventRecorder interfaces in tools/events and tools/record now have a
WithLogger helper. Using that method is optional, but recommended to support
contextual logging properly. Without it, errors that occur while emitting an
event are not associated with the caller.
Kubernetes-commit: 27a68aee3a48340f7c14235f7fc24aa69aaeb8f6
After 12 months as reviewer, constantly reviewing and contributing
to client-go, I think it is fair to move to the next ladder.
Change-Id: I49e579dcefcd39c6f0b29400c90467df00719cca
Kubernetes-commit: cc77b97c5e9cc9f778016b9d260c66bf7b277448
This uses the generic ptr.To in k8s.io/utils to replace functions and
code constructs which only serve to return pointers to intstr
values. Other uses of the deprecated pointer package are updated in
modified files.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: aa89e6dc978bf88653d893284248039b776aed54
The "set" list type was chosen because it seemed appropriate (no duplicates!)
but that made tracking of managed fields more expensive (each entry in the list
is tracked, not the entire field) and for no good reason (one client is
responsible for the entire list).
Therefore the type gets changed to "atomic". Server-side-apply has not been
used in the past and PodSchedulingContext objects are short-lived and still in
alpha, so any potential compatibility issues should be minor.
The scheduling throughput in scheduler_perf increases:
```
name                                                                       old SchedulingThroughput/Average  new SchedulingThroughput/Average
PerfScheduling/SchedulingWithResourceClaimTemplate/2000pods_100nodes-36    18.8 ± 8%                         24.0 ±37%
PerfScheduling/SchedulingWithMultipleResourceClaims/2000pods_100nodes-36   13.7 ±81%                         18.5 ±40%
```
Kubernetes-commit: 5567f288e745db05d88fc60e15915f8b0d1f6c4b
The Service Account Token link in the readme is broken and refers to a page that no longer exists.
In this PR I updated the correct link in the readme.
Kubernetes-commit: 279a663f948337da156f544b74e41928ad66f9ef
This reverts commit 890a6c8f70d2e0f45b3692d34a6df1ecb6d8335b, reversing
changes made to 4f60a8d493ab9571eb328b9d98da477a50bc7446.
Kubernetes-commit: 0d90d1ffa5e87dfc4d3098da7f281351c7ff1972
Client-side extract calls depend on `managedFields`, which might not be
available. Therefore they should not be used in production code.
They are okay in test files (because the API has to be tested), in the
generated code (because the various type specific APIs still need to be
provided) and in unstructured.go (same reason).
Kubernetes-commit: 4bc9434f99d9a87dd5b63e738b6b1b16693f10e4
It turned out that there were lots of unnecessary accessor functions being called locking and unlocking the cond which are not needed because Wait() automatically unlocks and locks the cond for us and best practice says we should run it in a for checking for the condition (so this is what I have done).
Kubernetes-commit: 2b12df56b0be93bc2cac7c5a66342c0ffaa72311
Proactively bump to v0.12.0 to avoid v0.10.0 and v0.11.0, which contain
a regression added by commit
82780d606d.
This commit was later reverted in v0.12.0.
Generated with:
hack/pin-dependency.sh golang.org/x/net v0.12.0 && hack/update-vendor.sh
Kubernetes-commit: d9bd413f991958492602c4bf51c43d6edca0e5cd
Also add support for metadata informer factory to use SharedInformerOption
Signed-off-by: Eric Lin <exlin@google.com>
Kubernetes-commit: 9c4651bd0479b84f5e5913649207476717f3f13e
* client-go: add DNS resolver latency metrics
* client-go: add locking to DNS latency metrics
* client-go: add locking for whole DNSStart and DNSDone
Signed-off-by: Vu Dinh <vudinh@outlook.com>
* Fix a mismatched ctx on the request
Signed-off-by: Vu Dinh <vudinh@outlook.com>
* Clean up request code and fix comments
Signed-off-by: Vu Dinh <vudinh@outlook.com>
---------
Signed-off-by: Vu Dinh <vudinh@outlook.com>
Co-authored-by: Vu Dinh <vudinh@outlook.com>
Kubernetes-commit: 1c7e87cff27aa009488a9d55342220e223d5c146
When running kubeadm / installing k8s early during boot,
the CA certificate can be generated before time is synchronised
and time is jumped backward.
Make notBefore 1 hour in the past to accept small clock jump.
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
Kubernetes-commit: e1735b9863777ff11ac35434e047c38dcce4b4f3
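The effect of backdating notBefore, as an added example that is not code from client-go or from this commit: it issues a self-signed CA and verifies it with the verifier's clock stepped back. The function names, the subject name and the ten-year lifetime are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCA (hypothetical helper) issues a self-signed CA whose
// validity window starts at issuedAt minus backdate.
func newSelfSignedCA(issuedAt time.Time, backdate time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random positive serial number: draw from [0, 2^127) and add one.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	serial.Add(serial, big.NewInt(1))

	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "example-ca"}, // constructed name
		NotBefore:             issuedAt.Add(-backdate),
		NotAfter:              issuedAt.Add(10 * 365 * 24 * time.Hour), // assumed lifetime
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validAt verifies ca against itself as the only trusted root, with the
// verifier's clock reading now.
func validAt(ca *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := ca.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}

// clockJumpOutcome issues a CA "now" with the given backdate, then verifies
// it as if time synchronisation had moved the clock back by jump.
func clockJumpOutcome(backdate, jump time.Duration) error {
	issuedAt := time.Now()
	ca, err := newSelfSignedCA(issuedAt, backdate)
	if err != nil {
		return err
	}
	return validAt(ca, issuedAt.Add(-jump))
}

// isNotYetValid reports whether err is the validity-window failure that
// crypto/x509 returns for a certificate used outside NotBefore..NotAfter.
func isNotYetValid(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	jump := 30 * time.Minute
	fmt.Println("no backdate, clock -30m:", clockJumpOutcome(0, jump))
	fmt.Println("1h backdate, clock -30m:", clockJumpOutcome(time.Hour, jump))
	fmt.Println("1h backdate, clock -2h: ", clockJumpOutcome(time.Hour, 2*time.Hour))
}
```

A backward step larger than the backdate still leaves the certificate outside its validity window, which is why the commit describes the change as tolerating small clock jumps.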
T.Setenv ensures that the environment is returned to its prior state
when the test ends. It also panics when called from a parallel test to
prevent racy test interdependencies.
Kubernetes-commit: ac5ce5cbce7ddb6ffeff755d1cf670afadb8e1fb
* Add warning log callback in client-go loading rules
This provides a way for consumers to use their own custom warning
mechanisms instead of the default klog warning.
* Use typed error instead of plain string
* Fix interface change in unit test
Kubernetes-commit: 2ea6896f90c8b757d8a247d393b9a13fff2dab58
Before, we've used two separate backoff managers for List and Watch
calls, now they share single backoff manager.
Kubernetes-commit: 337728b02559dec8a613fdef174f732da9cae310
Ensure that the lock identity is not empty. This can cause unexpected issues during leader election.
Kubernetes-commit: 5519b89a28eeea5a5b134092242aff770fcc07eb
`SetWatchErrorHandler` claims it will fail if Run() has already started.
But if they are called concurrently, it will actually trigger a data
race.
With this PR:
```
62702 runs so far, 0 failures (100.00% pass rate). 59.152682ms avg, 189.068387ms max, 26.623785ms min
```
Without this PR:
```
5012 runs so far, 38 failures (99.25% pass rate). 58.675502ms avg, 186.018084ms max, 29.468104ms min
```
Kubernetes-commit: 35d2431b3a89c5bd693846952e9d27ce4e3a0754
Allows creating a typeconverter from a client (i.e. by taking the data
of the client and formatting it so that one can create a type
converter).
Kubernetes-commit: 45853e20ae5c33d144939495650bb5cc49e1134c
Add two new metrics to monitor the client-go logic that
generates http.Transports for the clients.
- rest_client_transport_cache_entries is a gauge metric
with the number of existing entries in the internal cache
- rest_client_transport_create_calls_total is a counter
that increments each time a new transport is created, storing
the result of the operation needed to generate it: hit, miss
or uncacheable
Change-Id: I2d8bde25281153d8f8e8faa249385edde3c1cb39
Kubernetes-commit: 3f3e1d507d081528ce8081f0daf4446d8a3b9bc0
* update serial number to a valid non-zero number in ca certificate
* fix the existing problem (0 SerialNumber in all certificate) as part of this PR in a separate commit
Kubernetes-commit: e865b30abd0a862697ff1d2526ea8897ee98a523
This was making my eyes bleed as I read over code.
I used the following in vim. I made them up on the fly, but they seemed
to pass manual inspection.
```
:g/},\n\s*{$/s//}, {/
:w
:g/{$\n\s*{$/s//{{/
:w
:g/^\(\s*\)},\n\1},$/s//}},/
:w
:g/^\(\s*\)},$\n\1}$/s//}}/
:w
```
Kubernetes-commit: d55b67b349021b6c46fc6ce78f2a36bd4217145f
T.Setenv ensures that the environment is returned to its prior state
when the test ends. It also panics when called from a parallel test to
prevent racy test interdependencies.
Kubernetes-commit: 89467ad3e9b051515fa9632a7373d6ef01723256
Steps:
1) Manually update go.mod with new version string
2) ./hack/update-vendor.sh
3) Fixup go.sum with new package hash
4) ./hack/update-vendor.sh
Kubernetes-commit: 9f46cbc6fa475c420af3ccd654d4e59606375836
Currently, openapiv3 discovery uses requestURI to discover resources.
However, that does not work when the rest endpoint contains prefixes
(e.g. `http://localhost/test-endpoint/`).
Because requestURI overwrites prefixes also in rest endpoint
(e.g. `http://localhost/openapiv3/apis/apps/v1`).
Since `absPath` keeps the prefixes in the rest endpoint,
this PR changes to absPath instead of requestURI.
Kubernetes-commit: d94c733ee2bfaedd9a1c45d58fbd56c99403c94d
A few notes about the change:
1. I need to initialize the fileclient once, in an init function, so I
don't have access to `testing.T` yet.
2. I want to be able to configure the openapi files that I use
3. We already have a "cache" client that wraps another client, we don't
need to re-implement caching here, one can just do:
`cache.NewClient(openapitest.NewFileClient("some/path"))` to do a cached
client. Or initialize it in an init/global var.
Since there is still some value to use the embedded file, make an
alternative constructor while using fs.FS interface to be able to
manipulate both virtual and disk-based filesystems.
Kubernetes-commit: 29503fd8d45bc2c9438e92936bf4111162529b40
This touches cases where FromInt() is used on numeric constants, or
values which are already int32s, or int variables which are defined
close by and can be changed to int32s with little impact.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 94410ee8078971b8894e5c400ce3fc79f02bc510
Create events are forbidden in terminating namespaces, use info
instead of error to log the failed event.
Signed-off-by: Sunil Shivanand <sunil.shivanand@statnett.no>
Kubernetes-commit: 7a6d58001b7d824f92601fd246b3aad9fbb9c583
* Add custom match conditions for CEL admission
This PR is based off of, and dependent on the following PR:
https://github.com/kubernetes/kubernetes/pull/116261
Signed-off-by: Max Smythe <smythe@google.com>
* run `make update`
Signed-off-by: Max Smythe <smythe@google.com>
* Fix unit tests
Signed-off-by: Max Smythe <smythe@google.com>
* Fix unit tests
Signed-off-by: Max Smythe <smythe@google.com>
* Update compatibility test data
Signed-off-by: Max Smythe <smythe@google.com>
* Revert "Update compatibility test data"
This reverts commit 312ba7f9e74e0ec4a7ac1f07bf575479c608af28.
* Allow params during validation; make match conditions optional
Signed-off-by: Max Smythe <smythe@google.com>
* Add conditional ignoring of matcher CEL expression validation on update
Signed-off-by: Max Smythe <smythe@google.com>
* Run codegen
Signed-off-by: Max Smythe <smythe@google.com>
* Add more validation tests
Signed-off-by: Max Smythe <smythe@google.com>
* Short-circuit CEL matcher when no matchers specified
Signed-off-by: Max Smythe <smythe@google.com>
* Run codegen
Signed-off-by: Max Smythe <smythe@google.com>
* Address review comments
Signed-off-by: Max Smythe <smythe@google.com>
---------
Signed-off-by: Max Smythe <smythe@google.com>
Kubernetes-commit: e5fd204c33e90a7e8f5a0ee70242f1296a5ec7af
* api changes adding match conditions
* feature gate and registry strategy to drop fields
* matchConditions logic for admission webhooks
* feedback
* update test
* import order
* bears.com
* update fail policy ignore behavior
* update docs and matcher to hold fail policy as non-pointer
* update matcher error aggregation, fix early fail failpolicy ignore, update docs
* final cleanup
* openapi gen
Kubernetes-commit: 5e5b3029f3bbfc93c3569f07ad300a5c6057fc58
They contain some nice-to-have improvements (for example, better printing of
errors with gomega/format.Object) but nothing that is critical right now.
"go mod tidy" was run manually in
staging/src/k8s.io/kms/internal/plugins/mock (https://github.com/kubernetes/kubernetes/pull/116613
not merged yet).
Kubernetes-commit: fe59e091eb3331db54cff2351f16eabfe0cb681d
The structure of the error is changing, and we don't guarantee
reflect.DeepEqual(...) will remain true for ErrWaitTimeout currently.
Kubernetes-commit: 8d4004bbc77d012642db97e09238f4f65a926bca
Without this change, sometimes leaked goroutines were reported for
test/integration/scheduler_perf. The one that caused the cleanup to get delayed
was this one:
```
goleak.go:50: found unexpected goroutines:
[Goroutine 2704 in state chan receive, 2 minutes, with k8s.io/client-go/tools/cache.(*Reflector).watch on top of the stack:
goroutine 2704 [chan receive, 2 minutes]:
k8s.io/client-go/tools/cache.(*Reflector).watch(0xc00453f590, {0x0, 0x0}, 0x1f?, 0xc00a128080?)
/nvme/gopath/src/k8s.io/kubernetes/vendor/k8s.io/client-go/tools/cache/reflector.go:388 +0x5b3
k8s.io/client-go/tools/cache.(*Reflector).ListAndWatch(0xc00453f590, 0xc006e94900)
/nvme/gopath/src/k8s.io/kubernetes/vendor/k8s.io/client-go/tools/cache/reflector.go:324 +0x3bd
k8s.io/client-go/tools/cache.(*Reflector).Run.func1()
/nvme/gopath/src/k8s.io/kubernetes/vendor/k8s.io/client-go/tools/cache/reflector.go:279 +0x45
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0xc007aafee0)
/nvme/gopath/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:157 +0x49
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc003e18150?, {0x75e37c0, 0xc00389c280}, 0x1, 0xc006e94900)
/nvme/gopath/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:158 +0xcf
k8s.io/client-go/tools/cache.(*Reflector).Run(0xc00453f590, 0xc006e94900)
/nvme/gopath/src/k8s.io/kubernetes/vendor/k8s.io/client-go/tools/cache/reflector.go:278 +0x257
k8s.io/apimachinery/pkg/util/wait.(*Group).StartWithChannel.func1()
/nvme/gopath/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:58 +0x3f
k8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1()
/nvme/gopath/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:73 +0x74
created by k8s.io/apimachinery/pkg/util/wait.(*Group).Start
/nvme/gopath/src/k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:73 +0xe5
```
watch() was stuck in an exponential backoff timeout. Logging confirmed that:
I0309 21:14:21.756149 1572727 reflector.go:387] k8s.io/client-go/informers/factory.go:150: watch of *v1.PersistentVolumeClaim returned Get "https://127.0.0.1:38269/api/v1/persistentvolumeclaims?allowWatchBookmarks=true&resourceVersion=1&timeout=7m47s&timeoutSeconds=467&watch=true": dial tcp 127.0.0.1:38269: connect: connection refused - backing off
Kubernetes-commit: b4751a52d53d4acc6a5ce3e796938c9a12f81fcb
The comment on ConfigMapsLeasesResourceLock begins with the wrong name: EndpointsLeasesResourceLock.
Kubernetes-commit: a50c9db09ba4d22328088887d2fd00b61b36e6c4
Since the behavior is now changed, and the old behavior leaked objects,
this adds a new comment about how Replace works.
Signed-off-by: Odin Ugedal <ougedal@palantir.com>
Signed-off-by: Odin Ugedal <odin@uged.al>
Kubernetes-commit: 27f4bcae5c52a3bb88141f940ec23d907a15cde5
This is useful to both reduce the code complexity, and to ensure clients
get the "newest" version of an object known when it's deleted. This is
all best-effort, but for clients it makes more sense giving them the
newest object they observed rather than an old one.
This is especially useful when an object is recreated. eg.
Object A with key K is in the KnownObjects store;
- DELETE delta for A is queued with key K
- CREATE delta for B is queued with key K
- Replace without any object with key K in it.
In this situation it's better to create a DELETE delta with
DeletedFinalStateUnknown with B (with this patch), than it is to give
the client a DeletedFinalStateUnknown with A (without this patch).
Signed-off-by: Odin Ugedal <ougedal@palantir.com>
Signed-off-by: Odin Ugedal <odin@uged.al>
Kubernetes-commit: 7bcc3e00fc28b2548886d04639a2e352ab37fb55
This fixes an issue where a relist could result in a DELETED delta
with an object wrapped in a DeletedFinalStateUnknown object; and then on
the next relist, it would wrap that object inside another
DeletedFinalStateUnknown, leaving the user with a "double" layer
of DeletedFinalStateUnknown's.
Signed-off-by: Odin Ugedal <ougedal@palantir.com>
Signed-off-by: Odin Ugedal <odin@uged.al>
Kubernetes-commit: 0bf0546d9f75d92c801e81c9f7adf040bba64102
Requests can accumulate errors with no obvious indication, e.g. if
their primary purpose is to construct a URL: URL() itself doesn't
return an error if r.err is non-nil.
Instead of changing URL() to return an error, which has quite a large
impact, add an Error() function and indicate on URL() that it should
be checked.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: f69c1c47463ff70ad61adf6f38c4d5b7373e9d0a
This fixes a race condition when a "short lived" object
is created and the create event is still present on the queue
when a relist replaces the state. Previously that would lead to the
object being leaked.
The way this could happen is roughly;
1. new Object is added O, agent gets CREATED event for it
2. watch is terminated, and the agent runs a new list, L
3. CREATE event for O is still on the queue to be processed.
4. informer replaces the old data in store with L, and O is not in L
- Since O is not in the store, and not in the list L, no DELETED event
is queued
5. CREATE event for O is still on the queue to be processed.
6. CREATE event for O is processed
7. O is <leaked>; it's present in the cache but not in k8s.
With this patch, on step 4. above it would create a DELETED event
ensuring that the object will be removed.
Signed-off-by: Odin Ugedal <ougedal@palantir.com>
Signed-off-by: Odin Ugedal <odin@uged.al>
Kubernetes-commit: 25d77218acdac2f793071add9ea878b08c7d328b
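The seven steps above, replayed against a deliberately small model of a delta queue feeding a store (an added example, not client-go's DeltaFIFO code). All type and function names are hypothetical, and the `checkQueued` switch stands in for the behaviour the patch describes.

```go
package main

import (
	"fmt"
	"sort"
)

type deltaType string

const (
	added    deltaType = "Added"
	replaced deltaType = "Replaced"
	deleted  deltaType = "Deleted"
)

type delta struct {
	typ deltaType
	key string
}

// toyFIFO models only what the race needs: a queue of pending deltas and
// the store that is updated when those deltas are processed.
type toyFIFO struct {
	queue       []delta
	store       map[string]bool
	checkQueued bool // true: relist also considers keys that exist only in the queue
}

func (f *toyFIFO) add(key string) { f.queue = append(f.queue, delta{added, key}) }

// replace models a relist: every listed key gets a Replaced delta, and keys
// that are known locally but absent from the list get a Deleted delta.
func (f *toyFIFO) replace(list []string) {
	inList := map[string]bool{}
	for _, k := range list {
		inList[k] = true
		f.queue = append(f.queue, delta{replaced, k})
	}
	// Keys known locally: always the store, optionally the pending queue.
	known := map[string]bool{}
	for k := range f.store {
		known[k] = true
	}
	if f.checkQueued {
		last := map[string]deltaType{}
		for _, d := range f.queue {
			last[d.key] = d.typ
		}
		for k, t := range last {
			if t != deleted {
				known[k] = true
			}
		}
	}
	var gone []string
	for k := range known {
		if !inList[k] {
			gone = append(gone, k)
		}
	}
	sort.Strings(gone)
	for _, k := range gone {
		f.queue = append(f.queue, delta{deleted, k})
	}
}

// drain processes every pending delta in order, as the informer would.
func (f *toyFIFO) drain() {
	for _, d := range f.queue {
		if d.typ == deleted {
			delete(f.store, d.key)
		} else {
			f.store[d.key] = true
		}
	}
	f.queue = nil
}

// leakedAfterRelist replays the scenario and returns the keys that end up
// in the store although the server's list does not contain them.
func leakedAfterRelist(checkQueued bool) []string {
	f := &toyFIFO{store: map[string]bool{"A": true}, checkQueued: checkQueued}
	f.add("O")                  // step 1: CREATED event for O is queued
	serverList := []string{"A"} // step 2: relist L no longer contains O
	f.replace(serverList)       // steps 3-4: relist while O's delta is still queued
	f.drain()                   // steps 5-6: queued deltas are processed
	onServer := map[string]bool{}
	for _, k := range serverList {
		onServer[k] = true
	}
	leaked := []string{}
	for k := range f.store { // step 7: cached but not on the server
		if !onServer[k] {
			leaked = append(leaked, k)
		}
	}
	sort.Strings(leaked)
	return leaked
}

func main() {
	fmt.Println("store-only check leaks:", leakedAfterRelist(false))
	fmt.Println("queue-aware check leaks:", leakedAfterRelist(true))
}
```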
When Shutdown was called, delivery of each pending event would still be retried
12 times with a delay of ~10s between each retry. In apiserver integration
tests that caused the goroutine to linger long after the corresponding
apiserver of the test was shut down.
Kubernetes-commit: 15b01af9c18a0840d71e2bb7dff4d8c29b158aad
This improves performance of the text formatting and ktesting.
Because ktesting no longer buffers messages by default, one unit
test needs to ask for that explicitly.
Kubernetes-commit: 961819a4d09488e20931103e0c36d2bed588fdcb
The kube-apiserver validation expects the Count of an EventSeries to be
at least 2, otherwise it rejects the Event. There was a discrepancy
between the client and the server since the client was initializing an
EventSeries to a count of 1.
According to the original KEP, the first event emitted should have an
EventSeries set to nil and the second isomorphic event should have an
EventSeries with a count of 2. Thus, we should match the behavior
defined by the KEP and update the client.
Also, as an effort to make the old clients compatible with the servers,
we should allow Events with an EventSeries count of 1 to prevent any
unexpected rejections.
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
Kubernetes-commit: d00364902bda05eed4f7f02051ab81f7be55f8a9
The path module has a few different functions:
Clean, Split, Join, Ext, Dir, Base, IsAbs. These functions do not
take into account the OS-specific path separator, meaning that they
won't behave as intended on Windows.
For example, Dir is supposed to return all but the last element of the
path. For the path "C:\some\dir\somewhere", it is supposed to return
"C:\some\dir\", however, it returns ".".
Instead of these functions, the ones in filepath should be used instead.
Kubernetes-commit: 856bb5c8f266f5276f1a576f47be622d7cb384e7
This creates go.work and enables Go Workspaces. This is a file that
includes info on k/k and all the staging modules.
This depends on go 1.22 and setting FORCE_HOST_GO=true (for kube
scripts, which try to be hermetic).
Make this part of the normal update/verify sequence.
The top-level go.work file contains no replace statements. Instead, the
replace statements in the individual go.mod files are used. For this to
work, replace statements in the individual go.mod files have to be
consistent.
hack/tools has different dependencies and can't be in the main
workspace, so this adds a go.work just for that. Without this, go tries
to consider all deps in all modules and pick one that works for all.
This is problematic because there are so many of them that it is
difficult to manage.
Likewise for k8s.io/code-generator/examples and
k8s.io/kms/internal/plugins/_mock - add trivial go.work files.
For example k/k depends on an older version of a lib that golangci-lint
needs (transitively) and it breaks.
This also updates vendor (needed to make go happy), and removes
vendor'ed symlinks. This breaks a LOT of our build tools, which will be
fixed subsequently.
Result: `go` commands work across modules:
Before:
```
$ go list ./pkg/proxy/iptables/ ./staging/src/k8s.io/api/core/v1/
main module (k8s.io/kubernetes) does not contain package k8s.io/kubernetes/staging/src/k8s.io/api/core/v1
$ go build ./pkg/proxy/iptables/ ./staging/src/k8s.io/api
main module (k8s.io/kubernetes) does not contain package k8s.io/kubernetes/staging/src/k8s.io/api
$ go test ./pkg/proxy/iptables/ ./staging/src/k8s.io/api
main module (k8s.io/kubernetes) does not contain package k8s.io/kubernetes/staging/src/k8s.io/api
```
After:
```
$ go list ./pkg/proxy/iptables/ ./staging/src/k8s.io/api/core/v1/
k8s.io/kubernetes/pkg/proxy/iptables
k8s.io/api/core/v1
$ go build ./pkg/proxy/iptables/ ./staging/src/k8s.io/api
$ go test ./pkg/proxy/iptables/ ./staging/src/k8s.io/api
ok k8s.io/kubernetes/pkg/proxy/iptables 0.360s
ok k8s.io/api 2.302s
```
Result: `make` fails:
```
$ make
go version go1.22rc1 linux/amd64
+++ [0106 12:11:03] Building go targets for linux/amd64
k8s.io/kubernetes/cmd/kube-proxy (static)
k8s.io/kubernetes/cmd/kube-apiserver (static)
k8s.io/kubernetes/cmd/kube-controller-manager (static)
k8s.io/kubernetes/cmd/kubelet (non-static)
k8s.io/kubernetes/cmd/kubeadm (static)
k8s.io/kubernetes/cmd/kube-scheduler (static)
k8s.io/component-base/logs/kube-log-runner (static)
k8s.io/kube-aggregator (static)
k8s.io/apiextensions-apiserver (static)
k8s.io/kubernetes/cluster/gce/gci/mounter (static)
k8s.io/kubernetes/cmd/kubectl (static)
k8s.io/kubernetes/cmd/kubectl-convert (static)
github.com/onsi/ginkgo/v2/ginkgo (non-static)
k8s.io/kubernetes/test/e2e/e2e.test (test)
k8s.io/kubernetes/test/conformance/image/go-runner (non-static)
k8s.io/kubernetes/cmd/kubemark (static)
github.com/onsi/ginkgo/v2/ginkgo (non-static)
k8s.io/kubernetes/test/e2e_node/e2e_node.test (test)
test/e2e/e2e.go:35:2: cannot find package "k8s.io/api/apps/v1" in any of:
/home/thockin/src/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/k8s.io/api/apps/v1 (vendor tree)
/home/thockin/src/kubernetes/_output/local/.gimme/versions/go1.22rc1.linux.amd64/src/k8s.io/api/apps/v1 (from $GOROOT)
/home/thockin/src/kubernetes/_output/local/go/src/k8s.io/api/apps/v1 (from $GOPATH)
... more ...
... more ...
... more ...
!!! [0106 12:13:41] Call tree:
!!! [0106 12:13:41] 1: /home/thockin/src/kubernetes/hack/lib/golang.sh:948 kube::golang::build_binaries_for_platform(...)
!!! [0106 12:13:41] 2: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
!!! [0106 12:13:41] Call tree:
!!! [0106 12:13:41] 1: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
!!! [0106 12:13:41] Call tree:
!!! [0106 12:13:41] 1: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
make: *** [Makefile:96: all] Error 1
```
Again, this requires go 1.22 (e.g. gotip), as go 1.21.x does not have
`go work vendor` support.
TO REPEAT:
( \
./hack/update-go-workspace.sh; \
./hack/update-vendor.sh; \
./hack/update-go-workspace.sh; \
)
Kubernetes-commit: 65b841c077e0d3282d28b9199aec72d23d045104
This fixes the following warning (error?) in the apiserver:
E0126 18:10:38.665239 16370 fieldmanager.go:210] "[SHOULD NOT HAPPEN] failed to update managedFields" err="failed to convert new object (test/claim-84; resource.k8s.io/v1alpha1, Kind=ResourceClaim) to smd typed: .status.reservedFor: element 0: associative list without keys has an element that's a map type" VersionKind="/, Kind=" namespace="test" name="claim-84"
The root cause is the same as in e50e8a0c919c0e02dc9a0ffaebb685d5348027b4:
nothing in Kubernetes outright complains about a list of items where the item
type is comparable in Go, but not a simple type. This nonetheless isn't
supposed to be done in the API and can cause problems elsewhere.
For the ReservedFor field, everything seems to work okay except for the
warning. However, it's better to follow conventions and use a map. This is
possible in this case because UID is guaranteed to be a unique key.
Validation is now stricter than before, which is a good thing: previously,
two entries with the same UID were allowed as long as some other field was
different, which wasn't a situation that should have been allowed.
Kubernetes-commit: 508cd60760567b3832da748140e3cf782c1b8695
If gomega.Eventually/Consistently run into a situation where it observes some
state of e.g. a pod which does not satisfy the condition and then further
polling fails with API server errors, gomega will report both the most recent
pod state and API error instead of just the API error.
Kubernetes-commit: aa1279b5eb79177f5351368d8d9159982b1bfb5e
These are not regenerated by any input. The OWNERS files were the last
things left for these 2 directories
Kubernetes-commit: dc88f34ce30eb98285f7f30e391b135e842cdbc2
It seems valuable to be able to provide hand-written docs for these
first-level directories, and if we don't want them, the generated doc.go
files are not actually very helpful.
This commit also adds new doc.go files for client-go listers/ and
informers/.
Kubernetes-commit: 95bf7b0afe9dd6a0f00125b1d290514a23e778e2
While refactoring the backoff manager to simplify and unify the code
in wait a race condition was encountered in
TestSharedInformerWatchDisruption. The new implementation failed
because the fake clock was not propagated to the backoff managers
when the reflector was used in a controller. After ensuring the
managers, reflector, controller, and informer shared the same
clock the test was updated to avoid the race condition by
advancing the fake clock and adding real sleeps to wait for
asynchronous propagation of the various goroutines in the controller.
Due to the deep structure of informers it is difficult to inject
hooks to avoid having to perform sleeps. At a minimum the FakeClock
interface should allow a caller to determine the number of waiting
timers (to avoid the first sleep).
Kubernetes-commit: 91b3a81fbd916713afe215f7d701950e13a02869
Add a "lazy" type to track when an update is needed. It uses a nested
locking technique to avoid extra evaluation calls.
Kubernetes-commit: 5a1091d88d95bd1dd5c27f2c72cee4ecb4219dda
Bumping version to include changes that
better handle TLS errors. Bump necessary
to prepare for when the version of Go is
bumped to 1.20
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
Kubernetes-commit: 8b064fa4be71b5f1b498fabb5caade3c57f5d434
Update isomorphic event definition in the events/v1 client to match aggregation logic from core/v1
Kubernetes-commit: f56c79398e3c58b4f5a9c7e6a1f4d64248ef1b83
The new ginkgo release adds sorting of specs. This was triggered by
the observation that parallel test execution of Kubernetes E2E tests
sometimes ran the same spec twice and (presumably) other specs not at all
because spec order was random due to iteration over a map.
Sorting should avoid that problem.
Kubernetes-commit: baf832d80d798d53ceb7d4de3a39330c6eda5c6a
Currently, watch package embeds context deadlineexceeded error
in its own error using `%v`, as can be seen in here;
`fmt.Errorf("UntilWithSync: unable to sync caches: %v", ctx.Err())`
However, consumers of this function can not use
`errors.Is(err, context.DeadlineExceeded)` due to this `%v`.
To let consumers distinguish context deadlineexceeded errors,
this PR changes error embedding format to `%w`.
Kubernetes-commit: 6b7c365f8f6d50280c2dab171efdd4b93d964f32
Fake discovery should return an error if an error-returning reactor was prepended.
This is relevant e.g. for unit tests which test a function which relies
on discovery to check if an API Server is available.
Matches existing behavior of other fake types, for example fake_namespace.
Adds unit test coverage as well.
Kubernetes-commit: b47748103a53c0fe5ba1ddc950662ffc9bd9ed0f
Currently, when the remote connection is unexpectedly closed, forward() prints an error message saying "lost connection to pod" via runtime.HandleError, but then it returns nil for the error.
This prevents the caller from being able to handle this error differently.
This commit changes forward() to return the "lost connection to pod" error so that it can be handled by the caller.
Making this change enables kubectl port-forward to exit with code 1, instead of 0, which is the expected behavior for a command that has failed.
Kubernetes-commit: a9f04103854893056237a09250ad3335867b0391
When attempting to record a new Event and a new Serie on the apiserver
at the same time, the patch of the Serie might happen before the Event
is actually created. In that case, we handle the error and try to create
the Event. But the Event might be created during that period of time and
it is treated as an error today. So in order to handle that scenario, we
need to retry when a Create call for a Serie results in an AlreadyExist
error.
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
Kubernetes-commit: 2f83117bcfe30ad3ada7f1ca66f4b885a1d5df25
There was a data race in the recordToSink function that caused changes
to the events cache to be overridden if events were emitted
simultaneously via Eventf calls.
The race lies in the fact that when recording an Event, there might be
multiple calls updating the cache simultaneously. The lock period is
optimized so that after updating the cache with the new Event, the lock
is unlocked until the Event is recorded on the apiserver side and then
the cache is locked again to be updated with the new value returned by
the apiserver.
There are a few problems with the approach:
1. If two identical Events are emitted successively the changes of the
second Event will override the first one. In code the following
happens:
1. Eventf(ev1)
2. Eventf(ev2)
3. Lock cache
4. Set cache[getKey(ev1)] = &ev1
5. Unlock cache
6. Lock cache
7. Update cache[getKey(ev2)] = &ev1 + Series{Count: 1}
8. Unlock cache
9. Start attempting to record the first event &ev1 on the apiserver side.
This can be mitigated by recording a copy of the Event stored in
cache instead of reusing the pointer from the cache.
2. When the Event has been recorded on the apiserver the cache is
updated again with the value of the Event returned by the server.
This update will override any changes made to the cache entry when
attempting to record the new Event since the cache was unlocked at
that time. This might lead to some inconsistencies when dealing with
EventSeries since the count may be overridden or the client might even
try to record the first isomorphic Event multiple times.
This could be mitigated with a lock that has a larger scope, but we
shouldn't want to reflect Event returned by the apiserver in the
cache in the first place since mutation could mess with the
aggregation by either allowing users to manipulate values to update
a different cache entry or even having two cache entries for the same
Events.
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
Kubernetes-commit: 55ec09d377274b4a6107fe0b7a061ad408fe05a7
* Add tracker types and tests
* Modify ResourceEventHandler interface's OnAdd member
* Add additional ResourceEventHandlerDetailedFuncs struct
* Fix SharedInformer to let users track HasSynced for their handlers
* Fix in-tree controllers which weren't computing HasSynced correctly
* Deprecate the cache.Pop function
Kubernetes-commit: 8100efc7b3122ad119ee8fa4bbbedef3b90f2e0d
There should only be one source of truth for the API group's name and
version.
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Kubernetes-commit: e13198ec6f52c4a6405388e90053954dc7656a31
Ginkgo v2.5.0 adds support for a "timeline": a full description of what happened
while a specific test ran, including failures, timeouts, and log output.
Ginkgo v2.6.0 adds ReportBeforeSuite which we need for
https://github.com/kubernetes/kubernetes/issues/114313.
Kubernetes-commit: f3ef4004317c1a12d84021be29dd5f92badc8eff
Update the definition of an isomorphic event in the events/v1 client to
match the aggregation logic that was already present in the core/v1
implementation.
The note field was omitted even though the message was used in the core
API aggregation because we didn't reach consensus.
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
Kubernetes-commit: 21f2f746abc1a5a1b3193274401f5728e19cc26f
remove allowOmittingUsageKeyEncipherment as it is always true
Signed-off-by: Paco Xu <paco.xu@daocloud.io>
Kubernetes-commit: 160f015ef4affe903f98e74cf42b40fceef15cb9
The error result of `d.downloadAPIs()` is set in `aerr`,
not `err`.
This prevents a nil-ptr dereference of apiGroups in the next step.
Signed-off-by: Abhijit Hoskeri <abhijithoskeri@gmail.com>
Kubernetes-commit: 450ba4f50638ad9ee4d287a762a8530c64e89ebd
* Add RedactSecrets function
* Move RedactSecrets method to existing RawBytesData case
* Update TestRedactSecrets to use new pattern of os.CreateTemp()
Kubernetes-commit: e721272d10dd6c4d85ff613182ba0eaddcec9272
rather than modify the object directly, this function provides a JSONPATCH that should be sent to the server to upgrade its managed fields.
Kubernetes-commit: 4e4d748c06e2c2dfec7608f96237c4b0a42540c9
adds unnecessary complexity. also discussed in SIG CLI meeting to keep annotation around for a while longer
Kubernetes-commit: 0c055eae3c9eaea26574743f0623d6b0e9e3d6b4
Gomega adds support for formatting extensions and StopTrying in matchers.
Ginkgo enhances DeferCleanup.
This also triggered an update of other dependencies.
Kubernetes-commit: e6ad2f2f23449c9d24606b864c4737dc66a7427e
No particular benefit and no relevant changes, it's just to stay up-to-date and
to avoid having to pull that in when merging
https://github.com/kubernetes/kubernetes/pull/111023 which indirectly depends
on the newer release.
Kubernetes-commit: 9b93cc663a102b6e36f07eecc7b6e32225f39295
All other clients:
- expose a New() method that takes a rest.Interface
- expose their RESTClient()
- return pointers to the type, not instances of an interface that the
type implements
For code that is generic over all Kubernetes clients, and for general
developer experience, it's best to make sure that this client adheres to
these common practices.
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Kubernetes-commit: 74af6f1e7d9057bfcb64f4d875063c14041937e5
It's clear that client-sets contain many versions of one group, so this
comment just seems to be out-dated.
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Kubernetes-commit: 588f016c3bc04ea2da85d7077643677028a8cb1b
5 years after third party resources were removed, we're probably just confusing readers with this reference.
Kubernetes-commit: d21fc6e762276747e3306cfaf27b0ce1201071c2
Mark remotecommand.Executor as deprecated and related modifications.
Handle crash when streamer.stream panics
Add a test to verify if stream is closed after connection being closed
Remove blank line and update waiting time to 1s to avoid test flakes in CI.
Refine the tests of StreamExecutor according to comments.
Remove the comment of context controlling the negotiation progress and misc.
Signed-off-by: arkbriar <arkbriar@gmail.com>
Kubernetes-commit: 42808c8343671e6783ba4c901dcd619bed648c3d
Add an annotation that can be added to the exampleType passed to
NewReflector to indicate the expected type for the Reflector. This is
useful for types such as unstructured.Unstructured, which, when used with
a dynamic informer, do not have their TypeMeta filled in.
Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
Kubernetes-commit: 474fc8c5234000bce666a6b02f7ffbb295ef135f
SharedInformerFactory starts goroutines in Start and those can be stopped by
closing the stop channel. However, there was no API that waits for the
goroutines.
This is a problem for unit testing. A test has to return while the informers
are still running, which may get flagged by tools like
https://github.com/uber-go/goleak or by klog/ktesting when those informers
lead to log output.
While at it, more documentation gets added to address
https://github.com/kubernetes/kubernetes/issues/65036.
Kubernetes-commit: e89d1d47e8365cad31600b17dab662d3c8a359dd
Ginkgo v2.1.6 adds ginkgo.SuppressProgressReporting which is needed
to suppress too verbose output each time the ReportAfterEach of the custom
progress reporter is invoked.
Kubernetes-commit: 311144fb3e61dabdbcd48d164dc80716b5ba5a73
The lock acquired by tryAcquireOrRenew is released when the leader ends
leadership. However, due to the cancellation of the context, the lock may
be set as an empty lock, so the Update cannot be run normally, resulting
in a failure to release the lock.
Signed-off-by: jackzhang <x_jackzhang@qq.com>
Kubernetes-commit: 8690ff6264cceb38bd81dec99bb8affcc40286a9
This change updates the transport.Config .Dial and .TLS.GetCert fields
to use a struct wrapper. This indirection via a pointer allows the
functions to be compared and thus makes them valid to use as map keys.
This change is then leveraged by the existing global exec auth and TLS
config caches to return the same authenticator and TLS config even when
distinct but identical rest configs were used to create distinct
clientsets.
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 831d95b6a021c2767effe85e461309cb6a0fdcec
for correctness. technically shouldn't be an issue since restarting a stopped processor is not supported
Kubernetes-commit: 3a81341cfa6f7e2ca1b9bfc195c567dcdfaa4dea
The functionality provided by the finalURLTemplate is still used by
certain external projects to track the request latency for requests
performed to kube-apiserver.
Using a template of the URL, instead of the URL itself, prevents the
explosion of label cardinality in exposed metrics since it aggregates
the URLs in a way that common URLs requests are reported as being the
same.
This reverts commit bebf5a608f68523fc430a44f6db26b16022dc862.
Signed-off-by: André Martins <aanm90@gmail.com>
Kubernetes-commit: f8f190cdd2fa76296f8b1b019ac77128b5d40b79
To be able to write more precise unit tests in the future
Change-Id: I8f45947dfacca501acd856849bd978fad0f735cd
Kubernetes-commit: dad8454ebb87ba7af897537db6d34033127bbfef
This is a little more computationally expensive but reduces the
likelihood of a potentially malicious cache collision.
Signed-off-by: Nic Cope <nicc@rk0n.org>
Kubernetes-commit: c5957c284e1d23bdadc98fbbe2bb481fc1f345d4
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: a9593d634c6a053848413e600dadbf974627515f
This helps avoid (potentially malicious) collisions when reading and
writing cache data.
Signed-off-by: Nic Cope <nicc@rk0n.org>
Kubernetes-commit: 288a17fd337c65cb5aea44e44ecb74e9cb8088f5
It is used to request that a pod runs in a unique user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com>
Kubernetes-commit: 9e9b23fd3ca6c0c58ee401b18a65422c0564bec0
Part of the API discovery cache uses an HTTP RoundTripper that
transparently caches responses to disk. The upstream implementation of
the disk cache is hard coded to call Sync() on every file it writes.
This has noticeably poor performance on modern Macs, which ask their disk
controllers to flush all the way to persistent storage because Go uses
the `F_FULLFSYNC` fcntl. Apple recommends minimizing this behaviour in
order to avoid degrading performance and increasing disk wear.
The content of the discovery cache is not critical; it is indeed just a
cache and can be recreated by hitting the API servers' discovery
endpoints. This commit replaces upstream httpcache's diskcache
implementation with a similar implementation that can use CRC-32
checksums to detect corrupted cache entries at read-time. When such an
entry is detected (e.g. because it was only partially flushed to
permanent storage before the host lost power) the cache will report a
miss. This causes httpcache to fall back to its underlying HTTP
transport (i.e. the real API server) and re-cache the resulting value.
Apart from adding CRC-32 checksums and avoiding calling fsync this
implementation differs from upstream httpcache's diskcache package in
that it uses FNV-32a hashes rather than MD5 hashes of cache keys in
order to generate filenames.
Signed-off-by: Nic Cope <nicc@rk0n.org>
Kubernetes-commit: 7a2c6a432f9e8db8b84abe5607843429f8bff417
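An added example, not code from client-go or from the commits listed here: a disk cache that behaves the way the commit message above describes, writing without fsync and reporting a miss when the stored CRC-32 does not match. The type and function names, the on-disk layout (4-byte checksum, then value) and the use of SHA-256 for file names are assumptions of this example; the two earlier entries by the same author say only that a costlier hash was chosen to avoid collisions.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash/crc32"
	"os"
	"path/filepath"
)

// checksumCache is a hypothetical type for this example, not client-go's own.
type checksumCache struct{ dir string }

// fileName derives a fixed-length, path-safe name from the cache key.
// SHA-256 is this example's assumption for a collision-resistant hash.
func (c checksumCache) fileName(key string) string {
	sum := sha256.Sum256([]byte(key))
	return filepath.Join(c.dir, hex.EncodeToString(sum[:]))
}

// Set stores a 4-byte big-endian CRC-32 (IEEE) followed by the value.
// It deliberately does not fsync; a torn write is caught on read instead.
func (c checksumCache) Set(key string, value []byte) error {
	buf := make([]byte, 4, 4+len(value))
	binary.BigEndian.PutUint32(buf, crc32.ChecksumIEEE(value))
	return os.WriteFile(c.fileName(key), append(buf, value...), 0o600)
}

// Get reports a miss for absent, short, or checksum-mismatched entries, so the
// caller falls back to the real server. CRC-32 catches accidental corruption
// only; it is not a MAC and does not stop someone who can write to c.dir.
func (c checksumCache) Get(key string) ([]byte, bool) {
	raw, err := os.ReadFile(c.fileName(key))
	if err != nil || len(raw) < 4 {
		return nil, false
	}
	value := raw[4:]
	if crc32.ChecksumIEEE(value) != binary.BigEndian.Uint32(raw[:4]) {
		return nil, false
	}
	return value, true
}

// demo exercises a clean read, a truncated entry and a single flipped bit.
func demo(dir string) (hit, truncatedMiss, flippedMiss bool, err error) {
	c := checksumCache{dir: dir}
	key := "https://apiserver.example.invalid:6443/apis" // constructed key
	body := []byte(`{"kind":"APIGroupList"}`)            // constructed response

	if err = c.Set(key, body); err != nil {
		return
	}
	got, ok := c.Get(key)
	hit = ok && string(got) == string(body)

	// Simulate power loss after a partial flush: only 10 bytes reached disk.
	if err = os.Truncate(c.fileName(key), 10); err != nil {
		return
	}
	_, ok = c.Get(key)
	truncatedMiss = !ok

	// Rewrite the entry, then flip one bit of the stored value.
	if err = c.Set(key, body); err != nil {
		return
	}
	var raw []byte
	if raw, err = os.ReadFile(c.fileName(key)); err != nil {
		return
	}
	raw[len(raw)-1] ^= 0x01
	if err = os.WriteFile(c.fileName(key), raw, 0o600); err != nil {
		return
	}
	_, ok = c.Get(key)
	flippedMiss = !ok
	return
}

func main() {
	dir, err := os.MkdirTemp("", "cache-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println(demo(dir))
}
```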
This benchmark is intended to demonstrate a performance improvement
gained by removing fsyncs. Refer to the below issue for more detail.
https://github.com/kubernetes/kubernetes/issues/110753
Signed-off-by: Nic Cope <nicc@rk0n.org>
Kubernetes-commit: eace46906512b99c23ad9635edc2ea055363a602
This makes ktesting more resilient against logging from leaked goroutines,
which is a problem that came up in kubelet node shutdown
tests (https://github.com/kubernetes/kubernetes/issues/110854).
Kubernetes-commit: 3581e308835c69b11b2c9437db44073129e0e2bf
This will help us to get rid of `Ginkgo` v1 dep.
Signed-off-by: Dave Chen <dave.chen@arm.com>
Kubernetes-commit: 597071af17377f5ab4de03804b0d8b41f73fe7ce
The main practical advantage is that klog.Fatal no longer dumps the backtrace
of all goroutines.
Kubernetes-commit: f05e327ca611c23469ef41310d1d59b384cedc27
This type should never have been shared between Service and Ingress.
The `ports` field is unfortunate, but it is needed to stay compatible.
Kubernetes-commit: 0153bfad16102e42d0b0dbb56742d0a6626e4180
To be able to implement controllers that are dynamically deciding
on which resources to watch, it is required to get rid of
dedicated watches and event handlers again. This requires the
possibility to remove event handlers from SharedIndexInformers again.
Stopping an informer is not sufficient, because there might
be multiple controllers in a controller manager that independently
decide which resources to watch.
Unfortunately the ResourceEventHandler interface encourages to use
value objects for handlers (like the ResourceEventHandlerFuncs
struct, that uses value receivers to implement the interface).
Go does not support comparison of function pointers and therefore
the comparison of such structs is not possible, also. To be able
to remove all kinds of handlers and to solve the problem of
multi-registrations of handlers a registration handle is introduced.
It is returned when adding a handler and can later be used to remove
the registration again. This handle directly stores the created
listener to simplify the deletion.
Kubernetes-commit: 7436af3302088c979b431856c432b95dd230f847
This fix allows Reflector/Informer callers to detect API errors using the standard Go errors.As unwrapping methods used by the apimachinery helper methods. Combined with a custom WatchErrorHandler, this can be used to stop an informer that encounters specific errors, like resource not found or forbidden.
Kubernetes-commit: 9ace604b63045ebbb066cab5e8508b51d0900a05
The updated zapr is more resilient against MarshalLog crashing. Not a known
problem in Kubernetes, though.
Kubernetes-commit: 3e6974e0ba67a8f598e7bc4ccedfdab928935551
Currently an event recorder can send an event to a
broadcaster that is already stopped, resulting
in a panic. This ensures the broadcaster holds
a lock while it is shutting down and then forces
any senders to drop queued events following
broadcaster shutdown.
It also updates the Action, ActionOrDrop, Watch,
and WatchWithPrefix functions to return an error
in the case where data is sent on the closed broadcaster
channel rather than panicking.
Lastly it updates unit tests to ensure the fix works correctly
fixes: https://github.com/kubernetes/kubernetes/issues/108518
Signed-off-by: Andrew Stoycos <astoycos@redhat.com>
Kubernetes-commit: 6aa779f4ed3d3acdad2f2bf17fb27e11e23aabe4
> ⚠️ **This is an automatically published [staged repository](https://git.k8s.io/kubernetes/staging#external-repository-staging-area) for Kubernetes**.
> Contributions, including issues and pull requests, should be made to the main Kubernetes repository: [https://github.com/kubernetes/kubernetes](https://github.com/kubernetes/kubernetes).
> This repository is read-only for importing, and not used for direct contributions.
> See [CONTRIBUTING.md](./CONTRIBUTING.md) for more details.
# client-go
Go clients for talking to a [kubernetes](http://kubernetes.io/) cluster.
@@ -75,14 +80,14 @@ We will backport bugfixes--but not new features--into older versions of
// CEL expressions have access to the types needed to create JSON patches and objects:
//
// - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.
// See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,
// integer, array, map or object. If set, the 'path' and 'from' fields must be set to a
// [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL
// function may be used to escape path keys containing '/' and '~'.
// - 'Object' - CEL type of the resource object.
// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
//
// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
//
// - 'object' - The object from the incoming request. The value is null for DELETE requests.
// - 'oldObject' - The existing object. The value is null for CREATE requests.
// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
// For example, a variable named 'foo' can be accessed as 'variables.foo'.
// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
// request resource.
//
// CEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)
// as well as:
//
// - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).
//
// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
// Required.
Expression*string`json:"expression,omitempty"`
}
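Review bot: The quoting in the Expression doc comment is inconsistent and the property-name pattern is ambiguous. The 'jsonpatch.escapeKey' bullet ends with `~1' respectively). which opens with a backtick, closes with an apostrophe and carries a closing parenthesis that has no opener; the nested-field bullet 'Object.<fieldName1>...<fieldNameN>` has the same mismatch in the other direction. In the pattern `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` the sequence `.-/` inside a character class reads as a range from '.' to '/', so a literal '-' is not matched; if hyphen is meant to be allowed, move it to the end of the class or escape it. If this comment is copied from the API type's documentation, the fix belongs there so that every copy picks it up.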
// JSONPatchApplyConfiguration constructs a declarative configuration of the JSONPatch type for use with
// apply.
funcJSONPatch()*JSONPatchApplyConfiguration{
return&JSONPatchApplyConfiguration{}
}
// WithExpression sets the Expression field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Expression field is set to the value of the last call.
// policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to.
// If the referenced resource does not exist, this binding is considered invalid and will be ignored
// Required.
PolicyName*string`json:"policyName,omitempty"`
// paramRef specifies the parameter resource used to configure the admission control policy.
// It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy.
// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied.
// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
// MutatingAdmissionPolicyBindingSpecApplyConfiguration constructs a declarative configuration of the MutatingAdmissionPolicyBindingSpec type for use with
// ValidatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use
// with apply.
//
// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
// policyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
// If the referenced resource does not exist, this binding is considered invalid and will be ignored
// Required.
PolicyName*string`json:"policyName,omitempty"`
// paramRef specifies the parameter resource used to configure the admission control policy.
// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
// matchResources declares what resources match this binding and will be validated by it.
// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
// If this is unset, all resources matched by the policy are validated by this binding
// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
// Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
// ValidatingAdmissionPolicyBindingSpecApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use with
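Review bot: The binding-spec field docs have grammar slips that will show up in generated API reference output. "Note that this is differs from ValidatingAdmissionPolicy matchConstraints" should read "this differs from", and in both paramRef comments "this binding is considered mis-configured and the FailurePolicy of the ... applied" is missing "is" before "applied". The sentences ending "will be ignored" and "are validated by this binding" also lack a final period, which makes them run into the following "Required." line when rendered. Suggest correcting the wording in the source type comments rather than in these copies.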
Some files were not shown because too many files have changed in this diff