From 87f1102ee92a0a37bc6ffaba0d2b68a6689f980d Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Mon, 1 Aug 2022 18:18:02 +0000 Subject: [PATCH 01/13] Copying over credentialprovider v1beta1 packages to v1 --- staging/src/k8s.io/kubelet/config/v1/doc.go | 21 + .../src/k8s.io/kubelet/config/v1/register.go | 45 + .../k8s.io/kubelet/config/v1/register_test.go | 36 + staging/src/k8s.io/kubelet/config/v1/types.go | 967 ++++++++++++++++++ .../config/v1/zz_generated.deepcopy.go | 605 +++++++++++ .../pkg/apis/credentialprovider/v1/doc.go | 22 + .../apis/credentialprovider/v1/register.go | 46 + .../pkg/apis/credentialprovider/v1/types.go | 117 +++ .../v1/zz_generated.conversion.go | 137 +++ .../v1/zz_generated.deepcopy.go | 105 ++ .../v1/zz_generated.defaults.go | 33 + 11 files changed, 2134 insertions(+) create mode 100644 staging/src/k8s.io/kubelet/config/v1/doc.go create mode 100644 staging/src/k8s.io/kubelet/config/v1/register.go create mode 100644 staging/src/k8s.io/kubelet/config/v1/register_test.go create mode 100644 staging/src/k8s.io/kubelet/config/v1/types.go create mode 100644 staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go create mode 100644 staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go create mode 100644 staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go create mode 100644 staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go create mode 100644 staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go create mode 100644 staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go create mode 100644 staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go diff --git a/staging/src/k8s.io/kubelet/config/v1/doc.go b/staging/src/k8s.io/kubelet/config/v1/doc.go new file mode 100644 index 00000000000..5644377d6c8 --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1/doc.go @@ -0,0 +1,21 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +k8s:deepcopy-gen=package +// +k8s:openapi-gen=true +// +groupName=kubelet.config.k8s.io + +package v1beta1 // import "k8s.io/kubelet/config/v1beta1" diff --git a/staging/src/k8s.io/kubelet/config/v1/register.go b/staging/src/k8s.io/kubelet/config/v1/register.go new file mode 100644 index 00000000000..22bdfbb4cba --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1/register.go @@ -0,0 +1,45 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName is the group name used in this package +const GroupName = "kubelet.config.k8s.io" + +// SchemeGroupVersion is group version used to register these objects +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"} + +var ( + // SchemeBuilder is the scheme builder with scheme init functions to run for this API package + SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + // AddToScheme is a global function that registers this API group & version to a scheme + AddToScheme = SchemeBuilder.AddToScheme +) + +// addKnownTypes registers known types to the given scheme +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &KubeletConfiguration{}, + &SerializedNodeConfigSource{}, + &CredentialProviderConfig{}, + ) + return nil +} diff --git a/staging/src/k8s.io/kubelet/config/v1/register_test.go b/staging/src/k8s.io/kubelet/config/v1/register_test.go new file mode 100644 index 00000000000..7e45b544602 --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1/register_test.go @@ -0,0 +1,36 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + "testing" + + componentconfigtesting "k8s.io/component-base/config/testing" +) + +func TestComponentConfigSetup(t *testing.T) { + pkginfo := &componentconfigtesting.ComponentConfigPackage{ + ComponentName: "kubelet", + GroupName: GroupName, + SchemeGroupVersion: SchemeGroupVersion, + AddToScheme: AddToScheme, + } + + if err := componentconfigtesting.VerifyExternalTypePackage(pkginfo); err != nil { + t.Fatal(err) + } +} diff --git a/staging/src/k8s.io/kubelet/config/v1/types.go b/staging/src/k8s.io/kubelet/config/v1/types.go new file mode 100644 index 00000000000..2504f2aa253 --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1/types.go @@ -0,0 +1,967 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + logsapi "k8s.io/component-base/logs/api/v1" +) + +// HairpinMode denotes how the kubelet should configure networking to handle +// hairpin packets. +type HairpinMode string + +// Enum settings for different ways to handle hairpin packets. +const ( + // Set the hairpin flag on the veth of containers in the respective + // container runtime. + HairpinVeth = "hairpin-veth" + // Make the container bridge promiscuous. This will force it to accept + // hairpin packets, even if the flag isn't set on ports of the bridge. + PromiscuousBridge = "promiscuous-bridge" + // Neither of the above. If the kubelet is started in this hairpin mode + // and kube-proxy is running in iptables mode, hairpin packets will be + // dropped by the container bridge. + HairpinNone = "none" +) + +// ResourceChangeDetectionStrategy denotes a mode in which internal +// managers (secret, configmap) are discovering object changes. +type ResourceChangeDetectionStrategy string + +// Enum settings for different strategies of kubelet managers. +const ( + // GetChangeDetectionStrategy is a mode in which kubelet fetches + // necessary objects directly from apiserver. + GetChangeDetectionStrategy ResourceChangeDetectionStrategy = "Get" + // TTLCacheChangeDetectionStrategy is a mode in which kubelet uses + // ttl cache for object directly fetched from apiserver. + TTLCacheChangeDetectionStrategy ResourceChangeDetectionStrategy = "Cache" + // WatchChangeDetectionStrategy is a mode in which kubelet uses + // watches to observe changes to objects that are in its interest. + WatchChangeDetectionStrategy ResourceChangeDetectionStrategy = "Watch" + // RestrictedTopologyManagerPolicy is a mode in which kubelet only allows + // pods with optimal NUMA node alignment for requested resources + RestrictedTopologyManagerPolicy = "restricted" + // BestEffortTopologyManagerPolicy is a mode in which kubelet will favour + // pods with NUMA alignment of CPU and device resources. + BestEffortTopologyManagerPolicy = "best-effort" + // NoneTopologyManagerPolicy is a mode in which kubelet has no knowledge + // of NUMA alignment of a pod's CPU and device resources. + NoneTopologyManagerPolicy = "none" + // SingleNumaNodeTopologyManagerPolicy is a mode in which kubelet only allows + // pods with a single NUMA alignment of CPU and device resources. + SingleNumaNodeTopologyManagerPolicy = "single-numa-node" + // ContainerTopologyManagerScope represents that + // topology policy is applied on a per-container basis. + ContainerTopologyManagerScope = "container" + // PodTopologyManagerScope represents that + // topology policy is applied on a per-pod basis. + PodTopologyManagerScope = "pod" + // NoneMemoryManagerPolicy is a memory manager none policy, under the none policy + // the memory manager will not pin containers memory of guaranteed pods + NoneMemoryManagerPolicy = "None" + // StaticMemoryManagerPolicy is a memory manager static policy, under the static policy + // the memory manager will try to pin containers memory of guaranteed pods to the smallest + // possible sub-set of NUMA nodes + StaticMemoryManagerPolicy = "Static" +) + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// KubeletConfiguration contains the configuration for the Kubelet +type KubeletConfiguration struct { + metav1.TypeMeta `json:",inline"` + + // enableServer enables Kubelet's secured server. + // Note: Kubelet's insecure port is controlled by the readOnlyPort option. + // Default: true + EnableServer *bool `json:"enableServer,omitempty"` + // staticPodPath is the path to the directory containing local (static) pods to + // run, or the path to a single static pod file. + // Default: "" + // +optional + StaticPodPath string `json:"staticPodPath,omitempty"` + // syncFrequency is the max period between synchronizing running + // containers and config. + // Default: "1m" + // +optional + SyncFrequency metav1.Duration `json:"syncFrequency,omitempty"` + // fileCheckFrequency is the duration between checking config files for + // new data. + // Default: "20s" + // +optional + FileCheckFrequency metav1.Duration `json:"fileCheckFrequency,omitempty"` + // httpCheckFrequency is the duration between checking http for new data. + // Default: "20s" + // +optional + HTTPCheckFrequency metav1.Duration `json:"httpCheckFrequency,omitempty"` + // staticPodURL is the URL for accessing static pods to run. + // Default: "" + // +optional + StaticPodURL string `json:"staticPodURL,omitempty"` + // staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL. + // Default: nil + // +optional + StaticPodURLHeader map[string][]string `json:"staticPodURLHeader,omitempty"` + // address is the IP address for the Kubelet to serve on (set to 0.0.0.0 + // for all interfaces). + // Default: "0.0.0.0" + // +optional + Address string `json:"address,omitempty"` + // port is the port for the Kubelet to serve on. + // The port number must be between 1 and 65535, inclusive. + // Default: 10250 + // +optional + Port int32 `json:"port,omitempty"` + // readOnlyPort is the read-only port for the Kubelet to serve on with + // no authentication/authorization. + // The port number must be between 1 and 65535, inclusive. + // Setting this field to 0 disables the read-only service. + // Default: 0 (disabled) + // +optional + ReadOnlyPort int32 `json:"readOnlyPort,omitempty"` + // tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert, + // if any, concatenated after server cert). If tlsCertFile and + // tlsPrivateKeyFile are not provided, a self-signed certificate + // and key are generated for the public address and saved to the directory + // passed to the Kubelet's --cert-dir flag. + // Default: "" + // +optional + TLSCertFile string `json:"tlsCertFile,omitempty"` + // tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile. + // Default: "" + // +optional + TLSPrivateKeyFile string `json:"tlsPrivateKeyFile,omitempty"` + // tlsCipherSuites is the list of allowed cipher suites for the server. + // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). + // Default: nil + // +optional + TLSCipherSuites []string `json:"tlsCipherSuites,omitempty"` + // tlsMinVersion is the minimum TLS version supported. + // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). + // Default: "" + // +optional + TLSMinVersion string `json:"tlsMinVersion,omitempty"` + // rotateCertificates enables client certificate rotation. The Kubelet will request a + // new certificate from the certificates.k8s.io API. This requires an approver to approve the + // certificate signing requests. + // Default: false + // +optional + RotateCertificates bool `json:"rotateCertificates,omitempty"` + // serverTLSBootstrap enables server certificate bootstrap. Instead of self + // signing a serving certificate, the Kubelet will request a certificate from + // the 'certificates.k8s.io' API. This requires an approver to approve the + // certificate signing requests (CSR). The RotateKubeletServerCertificate feature + // must be enabled when setting this field. + // Default: false + // +optional + ServerTLSBootstrap bool `json:"serverTLSBootstrap,omitempty"` + // authentication specifies how requests to the Kubelet's server are authenticated. + // Defaults: + // anonymous: + // enabled: false + // webhook: + // enabled: true + // cacheTTL: "2m" + // +optional + Authentication KubeletAuthentication `json:"authentication"` + // authorization specifies how requests to the Kubelet's server are authorized. + // Defaults: + // mode: Webhook + // webhook: + // cacheAuthorizedTTL: "5m" + // cacheUnauthorizedTTL: "30s" + // +optional + Authorization KubeletAuthorization `json:"authorization"` + // registryPullQPS is the limit of registry pulls per second. + // The value must not be a negative number. + // Setting it to 0 means no limit. + // Default: 5 + // +optional + RegistryPullQPS *int32 `json:"registryPullQPS,omitempty"` + // registryBurst is the maximum size of bursty pulls, temporarily allows + // pulls to burst to this number, while still not exceeding registryPullQPS. + // The value must not be a negative number. + // Only used if registryPullQPS is greater than 0. + // Default: 10 + // +optional + RegistryBurst int32 `json:"registryBurst,omitempty"` + // eventRecordQPS is the maximum event creations per second. If 0, there + // is no limit enforced. The value cannot be a negative number. + // Default: 5 + // +optional + EventRecordQPS *int32 `json:"eventRecordQPS,omitempty"` + // eventBurst is the maximum size of a burst of event creations, temporarily + // allows event creations to burst to this number, while still not exceeding + // eventRecordQPS. This field canot be a negative number and it is only used + // when eventRecordQPS > 0. + // Default: 10 + // +optional + EventBurst int32 `json:"eventBurst,omitempty"` + // enableDebuggingHandlers enables server endpoints for log access + // and local running of containers and commands, including the exec, + // attach, logs, and portforward features. + // Default: true + // +optional + EnableDebuggingHandlers *bool `json:"enableDebuggingHandlers,omitempty"` + // enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true. + // Default: false + // +optional + EnableContentionProfiling bool `json:"enableContentionProfiling,omitempty"` + // healthzPort is the port of the localhost healthz endpoint (set to 0 to disable). + // A valid number is between 1 and 65535. + // Default: 10248 + // +optional + HealthzPort *int32 `json:"healthzPort,omitempty"` + // healthzBindAddress is the IP address for the healthz server to serve on. + // Default: "127.0.0.1" + // +optional + HealthzBindAddress string `json:"healthzBindAddress,omitempty"` + // oomScoreAdj is The oom-score-adj value for kubelet process. Values + // must be within the range [-1000, 1000]. + // Default: -999 + // +optional + OOMScoreAdj *int32 `json:"oomScoreAdj,omitempty"` + // clusterDomain is the DNS domain for this cluster. If set, kubelet will + // configure all containers to search this domain in addition to the + // host's search domains. + // Default: "" + // +optional + ClusterDomain string `json:"clusterDomain,omitempty"` + // clusterDNS is a list of IP addresses for the cluster DNS server. If set, + // kubelet will configure all containers to use this for DNS resolution + // instead of the host's DNS servers. + // Default: nil + // +optional + ClusterDNS []string `json:"clusterDNS,omitempty"` + // streamingConnectionIdleTimeout is the maximum time a streaming connection + // can be idle before the connection is automatically closed. + // Default: "4h" + // +optional + StreamingConnectionIdleTimeout metav1.Duration `json:"streamingConnectionIdleTimeout,omitempty"` + // nodeStatusUpdateFrequency is the frequency that kubelet computes node + // status. If node lease feature is not enabled, it is also the frequency that + // kubelet posts node status to master. + // Note: When node lease feature is not enabled, be cautious when changing the + // constant, it must work with nodeMonitorGracePeriod in nodecontroller. + // Default: "10s" + // +optional + NodeStatusUpdateFrequency metav1.Duration `json:"nodeStatusUpdateFrequency,omitempty"` + // nodeStatusReportFrequency is the frequency that kubelet posts node + // status to master if node status does not change. Kubelet will ignore this + // frequency and post node status immediately if any change is detected. It is + // only used when node lease feature is enabled. nodeStatusReportFrequency's + // default value is 5m. But if nodeStatusUpdateFrequency is set explicitly, + // nodeStatusReportFrequency's default value will be set to + // nodeStatusUpdateFrequency for backward compatibility. + // Default: "5m" + // +optional + NodeStatusReportFrequency metav1.Duration `json:"nodeStatusReportFrequency,omitempty"` + // nodeLeaseDurationSeconds is the duration the Kubelet will set on its corresponding Lease. + // NodeLease provides an indicator of node health by having the Kubelet create and + // periodically renew a lease, named after the node, in the kube-node-lease namespace. + // If the lease expires, the node can be considered unhealthy. + // The lease is currently renewed every 10s, per KEP-0009. In the future, the lease renewal + // interval may be set based on the lease duration. + // The field value must be greater than 0. + // Default: 40 + // +optional + NodeLeaseDurationSeconds int32 `json:"nodeLeaseDurationSeconds,omitempty"` + // imageMinimumGCAge is the minimum age for an unused image before it is + // garbage collected. + // Default: "2m" + // +optional + ImageMinimumGCAge metav1.Duration `json:"imageMinimumGCAge,omitempty"` + // imageGCHighThresholdPercent is the percent of disk usage after which + // image garbage collection is always run. The percent is calculated by + // dividing this field value by 100, so this field must be between 0 and + // 100, inclusive. When specified, the value must be greater than + // imageGCLowThresholdPercent. + // Default: 85 + // +optional + ImageGCHighThresholdPercent *int32 `json:"imageGCHighThresholdPercent,omitempty"` + // imageGCLowThresholdPercent is the percent of disk usage before which + // image garbage collection is never run. Lowest disk usage to garbage + // collect to. The percent is calculated by dividing this field value by 100, + // so the field value must be between 0 and 100, inclusive. When specified, the + // value must be less than imageGCHighThresholdPercent. + // Default: 80 + // +optional + ImageGCLowThresholdPercent *int32 `json:"imageGCLowThresholdPercent,omitempty"` + // volumeStatsAggPeriod is the frequency for calculating and caching volume + // disk usage for all pods. + // Default: "1m" + // +optional + VolumeStatsAggPeriod metav1.Duration `json:"volumeStatsAggPeriod,omitempty"` + // kubeletCgroups is the absolute name of cgroups to isolate the kubelet in + // Default: "" + // +optional + KubeletCgroups string `json:"kubeletCgroups,omitempty"` + // systemCgroups is absolute name of cgroups in which to place + // all non-kernel processes that are not already in a container. Empty + // for no container. Rolling back the flag requires a reboot. + // The cgroupRoot must be specified if this field is not empty. + // Default: "" + // +optional + SystemCgroups string `json:"systemCgroups,omitempty"` + // cgroupRoot is the root cgroup to use for pods. This is handled by the + // container runtime on a best effort basis. + // +optional + CgroupRoot string `json:"cgroupRoot,omitempty"` + // cgroupsPerQOS enable QoS based CGroup hierarchy: top level CGroups for QoS classes + // and all Burstable and BestEffort Pods are brought up under their specific top level + // QoS CGroup. + // Default: true + // +optional + CgroupsPerQOS *bool `json:"cgroupsPerQOS,omitempty"` + // cgroupDriver is the driver kubelet uses to manipulate CGroups on the host (cgroupfs + // or systemd). + // Default: "cgroupfs" + // +optional + CgroupDriver string `json:"cgroupDriver,omitempty"` + // cpuManagerPolicy is the name of the policy to use. + // Requires the CPUManager feature gate to be enabled. + // Default: "None" + // +optional + CPUManagerPolicy string `json:"cpuManagerPolicy,omitempty"` + // cpuManagerPolicyOptions is a set of key=value which allows to set extra options + // to fine tune the behaviour of the cpu manager policies. + // Requires both the "CPUManager" and "CPUManagerPolicyOptions" feature gates to be enabled. + // Default: nil + // +optional + CPUManagerPolicyOptions map[string]string `json:"cpuManagerPolicyOptions,omitempty"` + // cpuManagerReconcilePeriod is the reconciliation period for the CPU Manager. + // Requires the CPUManager feature gate to be enabled. + // Default: "10s" + // +optional + CPUManagerReconcilePeriod metav1.Duration `json:"cpuManagerReconcilePeriod,omitempty"` + // memoryManagerPolicy is the name of the policy to use by memory manager. + // Requires the MemoryManager feature gate to be enabled. + // Default: "none" + // +optional + MemoryManagerPolicy string `json:"memoryManagerPolicy,omitempty"` + // topologyManagerPolicy is the name of the topology manager policy to use. + // Valid values include: + // + // - `restricted`: kubelet only allows pods with optimal NUMA node alignment for + // requested resources; + // - `best-effort`: kubelet will favor pods with NUMA alignment of CPU and device + // resources; + // - `none`: kubelet has no knowledge of NUMA alignment of a pod's CPU and device resources. + // - `single-numa-node`: kubelet only allows pods with a single NUMA alignment + // of CPU and device resources. + // + // Policies other than "none" require the TopologyManager feature gate to be enabled. + // Default: "none" + // +optional + TopologyManagerPolicy string `json:"topologyManagerPolicy,omitempty"` + // topologyManagerScope represents the scope of topology hint generation + // that topology manager requests and hint providers generate. Valid values include: + // + // - `container`: topology policy is applied on a per-container basis. + // - `pod`: topology policy is applied on a per-pod basis. + // + // "pod" scope requires the TopologyManager feature gate to be enabled. + // Default: "container" + // +optional + TopologyManagerScope string `json:"topologyManagerScope,omitempty"` + // qosReserved is a set of resource name to percentage pairs that specify + // the minimum percentage of a resource reserved for exclusive use by the + // guaranteed QoS tier. + // Currently supported resources: "memory" + // Requires the QOSReserved feature gate to be enabled. + // Default: nil + // +optional + QOSReserved map[string]string `json:"qosReserved,omitempty"` + // runtimeRequestTimeout is the timeout for all runtime requests except long running + // requests - pull, logs, exec and attach. + // Default: "2m" + // +optional + RuntimeRequestTimeout metav1.Duration `json:"runtimeRequestTimeout,omitempty"` + // hairpinMode specifies how the Kubelet should configure the container + // bridge for hairpin packets. + // Setting this flag allows endpoints in a Service to loadbalance back to + // themselves if they should try to access their own Service. Values: + // + // - "promiscuous-bridge": make the container bridge promiscuous. + // - "hairpin-veth": set the hairpin flag on container veth interfaces. + // - "none": do nothing. + // + // Generally, one must set `--hairpin-mode=hairpin-veth to` achieve hairpin NAT, + // because promiscuous-bridge assumes the existence of a container bridge named cbr0. + // Default: "promiscuous-bridge" + // +optional + HairpinMode string `json:"hairpinMode,omitempty"` + // maxPods is the maximum number of Pods that can run on this Kubelet. + // The value must be a non-negative integer. + // Default: 110 + // +optional + MaxPods int32 `json:"maxPods,omitempty"` + // podCIDR is the CIDR to use for pod IP addresses, only used in standalone mode. + // In cluster mode, this is obtained from the control plane. + // Default: "" + // +optional + PodCIDR string `json:"podCIDR,omitempty"` + // podPidsLimit is the maximum number of PIDs in any pod. + // Default: -1 + // +optional + PodPidsLimit *int64 `json:"podPidsLimit,omitempty"` + // resolvConf is the resolver configuration file used as the basis + // for the container DNS resolution configuration. + // If set to the empty string, will override the default and effectively disable DNS lookups. + // Default: "/etc/resolv.conf" + // +optional + ResolverConfig *string `json:"resolvConf,omitempty"` + // runOnce causes the Kubelet to check the API server once for pods, + // run those in addition to the pods specified by static pod files, and exit. + // Default: false + // +optional + RunOnce bool `json:"runOnce,omitempty"` + // cpuCFSQuota enables CPU CFS quota enforcement for containers that + // specify CPU limits. + // Default: true + // +optional + CPUCFSQuota *bool `json:"cpuCFSQuota,omitempty"` + // cpuCFSQuotaPeriod is the CPU CFS quota period value, `cpu.cfs_period_us`. + // The value must be between 1 us and 1 second, inclusive. + // Requires the CustomCPUCFSQuotaPeriod feature gate to be enabled. + // Default: "100ms" + // +optional + CPUCFSQuotaPeriod *metav1.Duration `json:"cpuCFSQuotaPeriod,omitempty"` + // nodeStatusMaxImages caps the number of images reported in Node.status.images. + // The value must be greater than -2. + // Note: If -1 is specified, no cap will be applied. If 0 is specified, no image is returned. + // Default: 50 + // +optional + NodeStatusMaxImages *int32 `json:"nodeStatusMaxImages,omitempty"` + // maxOpenFiles is Number of files that can be opened by Kubelet process. + // The value must be a non-negative number. + // Default: 1000000 + // +optional + MaxOpenFiles int64 `json:"maxOpenFiles,omitempty"` + // contentType is contentType of requests sent to apiserver. + // Default: "application/vnd.kubernetes.protobuf" + // +optional + ContentType string `json:"contentType,omitempty"` + // kubeAPIQPS is the QPS to use while talking with kubernetes apiserver. + // Default: 5 + // +optional + KubeAPIQPS *int32 `json:"kubeAPIQPS,omitempty"` + // kubeAPIBurst is the burst to allow while talking with kubernetes API server. + // This field cannot be a negative number. + // Default: 10 + // +optional + KubeAPIBurst int32 `json:"kubeAPIBurst,omitempty"` + // serializeImagePulls when enabled, tells the Kubelet to pull images one + // at a time. We recommend *not* changing the default value on nodes that + // run docker daemon with version < 1.9 or an Aufs storage backend. + // Issue #10959 has more details. + // Default: true + // +optional + SerializeImagePulls *bool `json:"serializeImagePulls,omitempty"` + // evictionHard is a map of signal names to quantities that defines hard eviction + // thresholds. For example: `{"memory.available": "300Mi"}`. + // To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. + // Default: + // memory.available: "100Mi" + // nodefs.available: "10%" + // nodefs.inodesFree: "5%" + // imagefs.available: "15%" + // +optional + EvictionHard map[string]string `json:"evictionHard,omitempty"` + // evictionSoft is a map of signal names to quantities that defines soft eviction thresholds. + // For example: `{"memory.available": "300Mi"}`. + // Default: nil + // +optional + EvictionSoft map[string]string `json:"evictionSoft,omitempty"` + // evictionSoftGracePeriod is a map of signal names to quantities that defines grace + // periods for each soft eviction signal. For example: `{"memory.available": "30s"}`. + // Default: nil + // +optional + EvictionSoftGracePeriod map[string]string `json:"evictionSoftGracePeriod,omitempty"` + // evictionPressureTransitionPeriod is the duration for which the kubelet has to wait + // before transitioning out of an eviction pressure condition. + // Default: "5m" + // +optional + EvictionPressureTransitionPeriod metav1.Duration `json:"evictionPressureTransitionPeriod,omitempty"` + // evictionMaxPodGracePeriod is the maximum allowed grace period (in seconds) to use + // when terminating pods in response to a soft eviction threshold being met. This value + // effectively caps the Pod's terminationGracePeriodSeconds value during soft evictions. + // Note: Due to issue #64530, the behavior has a bug where this value currently just + // overrides the grace period during soft eviction, which can increase the grace + // period from what is set on the Pod. This bug will be fixed in a future release. + // Default: 0 + // +optional + EvictionMaxPodGracePeriod int32 `json:"evictionMaxPodGracePeriod,omitempty"` + // evictionMinimumReclaim is a map of signal names to quantities that defines minimum reclaims, + // which describe the minimum amount of a given resource the kubelet will reclaim when + // performing a pod eviction while that resource is under pressure. + // For example: `{"imagefs.available": "2Gi"}`. + // Default: nil + // +optional + EvictionMinimumReclaim map[string]string `json:"evictionMinimumReclaim,omitempty"` + // podsPerCore is the maximum number of pods per core. Cannot exceed maxPods. + // The value must be a non-negative integer. + // If 0, there is no limit on the number of Pods. + // Default: 0 + // +optional + PodsPerCore int32 `json:"podsPerCore,omitempty"` + // enableControllerAttachDetach enables the Attach/Detach controller to + // manage attachment/detachment of volumes scheduled to this node, and + // disables kubelet from executing any attach/detach operations. + // Note: attaching/detaching CSI volumes is not supported by the kubelet, + // so this option needs to be true for that use case. + // Default: true + // +optional + EnableControllerAttachDetach *bool `json:"enableControllerAttachDetach,omitempty"` + // protectKernelDefaults, if true, causes the Kubelet to error if kernel + // flags are not as it expects. Otherwise the Kubelet will attempt to modify + // kernel flags to match its expectation. + // Default: false + // +optional + ProtectKernelDefaults bool `json:"protectKernelDefaults,omitempty"` + // makeIPTablesUtilChains, if true, causes the Kubelet ensures a set of iptables rules + // are present on host. + // These rules will serve as utility rules for various components, e.g. kube-proxy. + // The rules will be created based on iptablesMasqueradeBit and iptablesDropBit. + // Default: true + // +optional + MakeIPTablesUtilChains *bool `json:"makeIPTablesUtilChains,omitempty"` + // iptablesMasqueradeBit is the bit of the iptables fwmark space to mark for SNAT. + // Values must be within the range [0, 31]. Must be different from other mark bits. + // Warning: Please match the value of the corresponding parameter in kube-proxy. + // TODO: clean up IPTablesMasqueradeBit in kube-proxy. + // Default: 14 + // +optional + IPTablesMasqueradeBit *int32 `json:"iptablesMasqueradeBit,omitempty"` + // iptablesDropBit is the bit of the iptables fwmark space to mark for dropping packets. + // Values must be within the range [0, 31]. Must be different from other mark bits. + // Default: 15 + // +optional + IPTablesDropBit *int32 `json:"iptablesDropBit,omitempty"` + // featureGates is a map of feature names to bools that enable or disable experimental + // features. This field modifies piecemeal the built-in default values from + // "k8s.io/kubernetes/pkg/features/kube_features.go". + // Default: nil + // +optional + FeatureGates map[string]bool `json:"featureGates,omitempty"` + // failSwapOn tells the Kubelet to fail to start if swap is enabled on the node. + // Default: true + // +optional + FailSwapOn *bool `json:"failSwapOn,omitempty"` + // memorySwap configures swap memory available to container workloads. + // +featureGate=NodeSwap + // +optional + MemorySwap MemorySwapConfiguration `json:"memorySwap,omitempty"` + // containerLogMaxSize is a quantity defining the maximum size of the container log + // file before it is rotated. For example: "5Mi" or "256Ki". + // Default: "10Mi" + // +optional + ContainerLogMaxSize string `json:"containerLogMaxSize,omitempty"` + // containerLogMaxFiles specifies the maximum number of container log files that can + // be present for a container. + // Default: 5 + // +optional + ContainerLogMaxFiles *int32 `json:"containerLogMaxFiles,omitempty"` + // configMapAndSecretChangeDetectionStrategy is a mode in which ConfigMap and Secret + // managers are running. Valid values include: + // + // - `Get`: kubelet fetches necessary objects directly from the API server; + // - `Cache`: kubelet uses TTL cache for object fetched from the API server; + // - `Watch`: kubelet uses watches to observe changes to objects that are in its interest. + // + // Default: "Watch" + // +optional + ConfigMapAndSecretChangeDetectionStrategy ResourceChangeDetectionStrategy `json:"configMapAndSecretChangeDetectionStrategy,omitempty"` + + /* the following fields are meant for Node Allocatable */ + + // systemReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) + // pairs that describe resources reserved for non-kubernetes components. + // Currently only cpu and memory are supported. + // See http://kubernetes.io/docs/user-guide/compute-resources for more detail. + // Default: nil + // +optional + SystemReserved map[string]string `json:"systemReserved,omitempty"` + // kubeReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs + // that describe resources reserved for kubernetes system components. + // Currently cpu, memory and local storage for root file system are supported. + // See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // for more details. + // Default: nil + // +optional + KubeReserved map[string]string `json:"kubeReserved,omitempty"` + // The reservedSystemCPUs option specifies the CPU list reserved for the host + // level system threads and kubernetes related threads. This provide a "static" + // CPU list rather than the "dynamic" list by systemReserved and kubeReserved. + // This option does not support systemReservedCgroup or kubeReservedCgroup. + ReservedSystemCPUs string `json:"reservedSystemCPUs,omitempty"` + // showHiddenMetricsForVersion is the previous version for which you want to show + // hidden metrics. + // Only the previous minor version is meaningful, other values will not be allowed. + // The format is `.`, e.g.: `1.16`. + // The purpose of this format is make sure you have the opportunity to notice + // if the next release hides additional metrics, rather than being surprised + // when they are permanently removed in the release after that. + // Default: "" + // +optional + ShowHiddenMetricsForVersion string `json:"showHiddenMetricsForVersion,omitempty"` + // systemReservedCgroup helps the kubelet identify absolute name of top level CGroup used + // to enforce `systemReserved` compute resource reservation for OS system daemons. + // Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) + // doc for more information. + // Default: "" + // +optional + SystemReservedCgroup string `json:"systemReservedCgroup,omitempty"` + // kubeReservedCgroup helps the kubelet identify absolute name of top level CGroup used + // to enforce `KubeReserved` compute resource reservation for Kubernetes node system daemons. + // Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) + // doc for more information. + // Default: "" + // +optional + KubeReservedCgroup string `json:"kubeReservedCgroup,omitempty"` + // This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform. + // This flag accepts a list of options. Acceptable options are `none`, `pods`, + // `system-reserved` and `kube-reserved`. + // If `none` is specified, no other options may be specified. + // When `system-reserved` is in the list, systemReservedCgroup must be specified. + // When `kube-reserved` is in the list, kubeReservedCgroup must be specified. + // This field is supported only when `cgroupsPerQOS` is set to true. + // Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) + // for more information. + // Default: ["pods"] + // +optional + EnforceNodeAllocatable []string `json:"enforceNodeAllocatable,omitempty"` + // A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in `*`). + // Unsafe sysctl groups are `kernel.shm*`, `kernel.msg*`, `kernel.sem`, `fs.mqueue.*`, + // and `net.*`. For example: "`kernel.msg*,net.ipv4.route.min_pmtu`" + // Default: [] + // +optional + AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty"` + // volumePluginDir is the full path of the directory in which to search + // for additional third party volume plugins. + // Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/" + // +optional + VolumePluginDir string `json:"volumePluginDir,omitempty"` + // providerID, if set, sets the unique ID of the instance that an external + // provider (i.e. cloudprovider) can use to identify a specific node. + // Default: "" + // +optional + ProviderID string `json:"providerID,omitempty"` + // kernelMemcgNotification, if set, instructs the kubelet to integrate with the + // kernel memcg notification for determining if memory eviction thresholds are + // exceeded rather than polling. + // Default: false + // +optional + KernelMemcgNotification bool `json:"kernelMemcgNotification,omitempty"` + // logging specifies the options of logging. + // Refer to [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) + // for more information. + // Default: + // Format: text + // + optional + Logging logsapi.LoggingConfiguration `json:"logging,omitempty"` + // enableSystemLogHandler enables system logs via web interface host:port/logs/ + // Default: true + // +optional + EnableSystemLogHandler *bool `json:"enableSystemLogHandler,omitempty"` + // shutdownGracePeriod specifies the total duration that the node should delay the + // shutdown and total grace period for pod termination during a node shutdown. + // Default: "0s" + // +featureGate=GracefulNodeShutdown + // +optional + ShutdownGracePeriod metav1.Duration `json:"shutdownGracePeriod,omitempty"` + // shutdownGracePeriodCriticalPods specifies the duration used to terminate critical + // pods during a node shutdown. This should be less than shutdownGracePeriod. + // For example, if shutdownGracePeriod=30s, and shutdownGracePeriodCriticalPods=10s, + // during a node shutdown the first 20 seconds would be reserved for gracefully + // terminating normal pods, and the last 10 seconds would be reserved for terminating + // critical pods. + // Default: "0s" + // +featureGate=GracefulNodeShutdown + // +optional + ShutdownGracePeriodCriticalPods metav1.Duration `json:"shutdownGracePeriodCriticalPods,omitempty"` + // shutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based + // on their associated priority class value. + // When a shutdown request is received, the Kubelet will initiate shutdown on all pods + // running on the node with a grace period that depends on the priority of the pod, + // and then wait for all pods to exit. + // Each entry in the array represents the graceful shutdown time a pod with a priority + // class value that lies in the range of that value and the next higher entry in the + // list when the node is shutting down. + // For example, to allow critical pods 10s to shutdown, priority>=10000 pods 20s to + // shutdown, and all remaining pods 30s to shutdown. + // + // shutdownGracePeriodByPodPriority: + // - priority: 2000000000 + // shutdownGracePeriodSeconds: 10 + // - priority: 10000 + // shutdownGracePeriodSeconds: 20 + // - priority: 0 + // shutdownGracePeriodSeconds: 30 + // + // The time the Kubelet will wait before exiting will at most be the maximum of all + // shutdownGracePeriodSeconds for each priority class range represented on the node. + // When all pods have exited or reached their grace periods, the Kubelet will release + // the shutdown inhibit lock. + // Requires the GracefulNodeShutdown feature gate to be enabled. + // This configuration must be empty if either ShutdownGracePeriod or ShutdownGracePeriodCriticalPods is set. + // Default: nil + // +featureGate=GracefulNodeShutdownBasedOnPodPriority + // +optional + ShutdownGracePeriodByPodPriority []ShutdownGracePeriodByPodPriority `json:"shutdownGracePeriodByPodPriority,omitempty"` + // reservedMemory specifies a comma-separated list of memory reservations for NUMA nodes. + // The parameter makes sense only in the context of the memory manager feature. + // The memory manager will not allocate reserved memory for container workloads. + // For example, if you have a NUMA0 with 10Gi of memory and the reservedMemory was + // specified to reserve 1Gi of memory at NUMA0, the memory manager will assume that + // only 9Gi is available for allocation. + // You can specify a different amount of NUMA node and memory types. + // You can omit this parameter at all, but you should be aware that the amount of + // reserved memory from all NUMA nodes should be equal to the amount of memory specified + // by the [node allocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable). + // If at least one node allocatable parameter has a non-zero value, you will need + // to specify at least one NUMA node. + // Also, avoid specifying: + // + // 1. Duplicates, the same NUMA node, and memory type, but with a different value. + // 2. zero limits for any memory type. + // 3. NUMAs nodes IDs that do not exist under the machine. + // 4. memory types except for memory and hugepages- + // + // Default: nil + // +optional + ReservedMemory []MemoryReservation `json:"reservedMemory,omitempty"` + // enableProfilingHandler enables profiling via web interface host:port/debug/pprof/ + // Default: true + // +optional + EnableProfilingHandler *bool `json:"enableProfilingHandler,omitempty"` + // enableDebugFlagsHandler enables flags endpoint via web interface host:port/debug/flags/v + // Default: true + // +optional + EnableDebugFlagsHandler *bool `json:"enableDebugFlagsHandler,omitempty"` + // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. + // This requires the corresponding SeccompDefault feature gate to be enabled as well. + // Default: false + // +optional + SeccompDefault *bool `json:"seccompDefault,omitempty"` + // MemoryThrottlingFactor specifies the factor multiplied by the memory limit or node allocatable memory + // when setting the cgroupv2 memory.high value to enforce MemoryQoS. + // Decreasing this factor will set lower high limit for container cgroups and put heavier reclaim pressure + // while increasing will put less reclaim pressure. + // See http://kep.k8s.io/2570 for more details. + // Default: 0.8 + // +featureGate=MemoryQoS + // +optional + MemoryThrottlingFactor *float64 `json:"memoryThrottlingFactor,omitempty"` + // registerWithTaints are an array of taints to add to a node object when + // the kubelet registers itself. This only takes effect when registerNode + // is true and upon the initial registration of the node. + // Default: nil + // +optional + RegisterWithTaints []v1.Taint `json:"registerWithTaints,omitempty"` + // registerNode enables automatic registration with the apiserver. + // Default: true + // +optional + RegisterNode *bool `json:"registerNode,omitempty"` +} + +type KubeletAuthorizationMode string + +const ( + // KubeletAuthorizationModeAlwaysAllow authorizes all authenticated requests + KubeletAuthorizationModeAlwaysAllow KubeletAuthorizationMode = "AlwaysAllow" + // KubeletAuthorizationModeWebhook uses the SubjectAccessReview API to determine authorization + KubeletAuthorizationModeWebhook KubeletAuthorizationMode = "Webhook" +) + +type KubeletAuthorization struct { + // mode is the authorization mode to apply to requests to the kubelet server. + // Valid values are `AlwaysAllow` and `Webhook`. + // Webhook mode uses the SubjectAccessReview API to determine authorization. + // +optional + Mode KubeletAuthorizationMode `json:"mode,omitempty"` + + // webhook contains settings related to Webhook authorization. + // +optional + Webhook KubeletWebhookAuthorization `json:"webhook"` +} + +type KubeletWebhookAuthorization struct { + // cacheAuthorizedTTL is the duration to cache 'authorized' responses from the + // webhook authorizer. + // +optional + CacheAuthorizedTTL metav1.Duration `json:"cacheAuthorizedTTL,omitempty"` + // cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from + // the webhook authorizer. + // +optional + CacheUnauthorizedTTL metav1.Duration `json:"cacheUnauthorizedTTL,omitempty"` +} + +type KubeletAuthentication struct { + // x509 contains settings related to x509 client certificate authentication. + // +optional + X509 KubeletX509Authentication `json:"x509"` + // webhook contains settings related to webhook bearer token authentication. + // +optional + Webhook KubeletWebhookAuthentication `json:"webhook"` + // anonymous contains settings related to anonymous authentication. + // +optional + Anonymous KubeletAnonymousAuthentication `json:"anonymous"` +} + +type KubeletX509Authentication struct { + // clientCAFile is the path to a PEM-encoded certificate bundle. If set, any request + // presenting a client certificate signed by one of the authorities in the bundle + // is authenticated with a username corresponding to the CommonName, + // and groups corresponding to the Organization in the client certificate. + // +optional + ClientCAFile string `json:"clientCAFile,omitempty"` +} + +type KubeletWebhookAuthentication struct { + // enabled allows bearer token authentication backed by the + // tokenreviews.authentication.k8s.io API. + // +optional + Enabled *bool `json:"enabled,omitempty"` + // cacheTTL enables caching of authentication results + // +optional + CacheTTL metav1.Duration `json:"cacheTTL,omitempty"` +} + +type KubeletAnonymousAuthentication struct { + // enabled allows anonymous requests to the kubelet server. + // Requests that are not rejected by another authentication method are treated as + // anonymous requests. + // Anonymous requests have a username of `system:anonymous`, and a group name of + // `system:unauthenticated`. + // +optional + Enabled *bool `json:"enabled,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// SerializedNodeConfigSource allows us to serialize v1.NodeConfigSource. +// This type is used internally by the Kubelet for tracking checkpointed dynamic configs. +// It exists in the kubeletconfig API group because it is classified as a versioned input to the Kubelet. +type SerializedNodeConfigSource struct { + metav1.TypeMeta `json:",inline"` + // source is the source that we are serializing. + // +optional + Source v1.NodeConfigSource `json:"source,omitempty" protobuf:"bytes,1,opt,name=source"` +} + +// MemoryReservation specifies the memory reservation of different types for each NUMA node +type MemoryReservation struct { + NumaNode int32 `json:"numaNode"` + Limits v1.ResourceList `json:"limits"` +} + +// ShutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based on their associated priority class value +type ShutdownGracePeriodByPodPriority struct { + // priority is the priority value associated with the shutdown grace period + Priority int32 `json:"priority"` + // shutdownGracePeriodSeconds is the shutdown grace period in seconds + ShutdownGracePeriodSeconds int64 `json:"shutdownGracePeriodSeconds"` +} + +type MemorySwapConfiguration struct { + // swapBehavior configures swap memory available to container workloads. May be one of + // "", "LimitedSwap": workload combined memory and swap usage cannot exceed pod memory limit + // "UnlimitedSwap": workloads can use unlimited swap, up to the allocatable limit. + // +featureGate=NodeSwap + // +optional + SwapBehavior string `json:"swapBehavior,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// CredentialProviderConfig is the configuration containing information about +// each exec credential provider. Kubelet reads this configuration from disk and enables +// each provider as specified by the CredentialProvider type. +type CredentialProviderConfig struct { + metav1.TypeMeta `json:",inline"` + + // providers is a list of credential provider plugins that will be enabled by the kubelet. + // Multiple providers may match against a single image, in which case credentials + // from all providers will be returned to the kubelet. If multiple providers are called + // for a single image, the results are combined. If providers return overlapping + // auth keys, the value from the provider earlier in this list is used. + Providers []CredentialProvider `json:"providers"` +} + +// CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only +// invoked when an image being pulled matches the images handled by the plugin (see matchImages). +type CredentialProvider struct { + // name is the required name of the credential provider. It must match the name of the + // provider executable as seen by the kubelet. The executable must be in the kubelet's + // bin directory (set by the --image-credential-provider-bin-dir flag). + Name string `json:"name"` + + // matchImages is a required list of strings used to match against images in order to + // determine if this provider should be invoked. If one of the strings matches the + // requested image from the kubelet, the plugin will be invoked and given a chance + // to provide credentials. Images are expected to contain the registry domain + // and URL path. + // + // Each entry in matchImages is a pattern which can optionally contain a port and a path. + // Globs can be used in the domain, but not in the port or the path. Globs are supported + // as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. + // Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match + // a single subdomain segment, so *.io does not match *.k8s.io. + // + // A match exists between an image and a matchImage when all of the below are true: + // - Both contain the same number of domain parts and each part matches. + // - The URL path of an imageMatch must be a prefix of the target image URL path. + // - If the imageMatch contains a port, then the port must match in the image as well. + // + // Example values of matchImages: + // - 123456789.dkr.ecr.us-east-1.amazonaws.com + // - *.azurecr.io + // - gcr.io + // - *.*.registry.io + // - registry.io:8080/path + MatchImages []string `json:"matchImages"` + + // defaultCacheDuration is the default duration the plugin will cache credentials in-memory + // if a cache duration is not provided in the plugin response. This field is required. + DefaultCacheDuration *metav1.Duration `json:"defaultCacheDuration"` + + // Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse + // MUST use the same encoding version as the input. Current supported values are: + // - credentialprovider.kubelet.k8s.io/v1beta1 + APIVersion string `json:"apiVersion"` + + // Arguments to pass to the command when executing it. + // +optional + Args []string `json:"args,omitempty"` + + // Env defines additional environment variables to expose to the process. These + // are unioned with the host's environment, as well as variables client-go uses + // to pass argument to the plugin. + // +optional + Env []ExecEnvVar `json:"env,omitempty"` +} + +// ExecEnvVar is used for setting environment variables when executing an exec-based +// credential plugin. +type ExecEnvVar struct { + Name string `json:"name"` + Value string `json:"value"` +} diff --git a/staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go new file mode 100644 index 00000000000..ccb8fbbafbd --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go @@ -0,0 +1,605 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1beta1 + +import ( + corev1 "k8s.io/api/core/v1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProvider) DeepCopyInto(out *CredentialProvider) { + *out = *in + if in.MatchImages != nil { + in, out := &in.MatchImages, &out.MatchImages + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DefaultCacheDuration != nil { + in, out := &in.DefaultCacheDuration, &out.DefaultCacheDuration + *out = new(v1.Duration) + **out = **in + } + if in.Args != nil { + in, out := &in.Args, &out.Args + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Env != nil { + in, out := &in.Env, &out.Env + *out = make([]ExecEnvVar, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProvider. +func (in *CredentialProvider) DeepCopy() *CredentialProvider { + if in == nil { + return nil + } + out := new(CredentialProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProviderConfig) DeepCopyInto(out *CredentialProviderConfig) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.Providers != nil { + in, out := &in.Providers, &out.Providers + *out = make([]CredentialProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderConfig. +func (in *CredentialProviderConfig) DeepCopy() *CredentialProviderConfig { + if in == nil { + return nil + } + out := new(CredentialProviderConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CredentialProviderConfig) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExecEnvVar) DeepCopyInto(out *ExecEnvVar) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecEnvVar. +func (in *ExecEnvVar) DeepCopy() *ExecEnvVar { + if in == nil { + return nil + } + out := new(ExecEnvVar) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletAnonymousAuthentication) DeepCopyInto(out *KubeletAnonymousAuthentication) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletAnonymousAuthentication. +func (in *KubeletAnonymousAuthentication) DeepCopy() *KubeletAnonymousAuthentication { + if in == nil { + return nil + } + out := new(KubeletAnonymousAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletAuthentication) DeepCopyInto(out *KubeletAuthentication) { + *out = *in + out.X509 = in.X509 + in.Webhook.DeepCopyInto(&out.Webhook) + in.Anonymous.DeepCopyInto(&out.Anonymous) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletAuthentication. +func (in *KubeletAuthentication) DeepCopy() *KubeletAuthentication { + if in == nil { + return nil + } + out := new(KubeletAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletAuthorization) DeepCopyInto(out *KubeletAuthorization) { + *out = *in + out.Webhook = in.Webhook + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletAuthorization. +func (in *KubeletAuthorization) DeepCopy() *KubeletAuthorization { + if in == nil { + return nil + } + out := new(KubeletAuthorization) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.EnableServer != nil { + in, out := &in.EnableServer, &out.EnableServer + *out = new(bool) + **out = **in + } + out.SyncFrequency = in.SyncFrequency + out.FileCheckFrequency = in.FileCheckFrequency + out.HTTPCheckFrequency = in.HTTPCheckFrequency + if in.StaticPodURLHeader != nil { + in, out := &in.StaticPodURLHeader, &out.StaticPodURLHeader + *out = make(map[string][]string, len(*in)) + for key, val := range *in { + var outVal []string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = make([]string, len(*in)) + copy(*out, *in) + } + (*out)[key] = outVal + } + } + if in.TLSCipherSuites != nil { + in, out := &in.TLSCipherSuites, &out.TLSCipherSuites + *out = make([]string, len(*in)) + copy(*out, *in) + } + in.Authentication.DeepCopyInto(&out.Authentication) + out.Authorization = in.Authorization + if in.RegistryPullQPS != nil { + in, out := &in.RegistryPullQPS, &out.RegistryPullQPS + *out = new(int32) + **out = **in + } + if in.EventRecordQPS != nil { + in, out := &in.EventRecordQPS, &out.EventRecordQPS + *out = new(int32) + **out = **in + } + if in.EnableDebuggingHandlers != nil { + in, out := &in.EnableDebuggingHandlers, &out.EnableDebuggingHandlers + *out = new(bool) + **out = **in + } + if in.HealthzPort != nil { + in, out := &in.HealthzPort, &out.HealthzPort + *out = new(int32) + **out = **in + } + if in.OOMScoreAdj != nil { + in, out := &in.OOMScoreAdj, &out.OOMScoreAdj + *out = new(int32) + **out = **in + } + if in.ClusterDNS != nil { + in, out := &in.ClusterDNS, &out.ClusterDNS + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.StreamingConnectionIdleTimeout = in.StreamingConnectionIdleTimeout + out.NodeStatusUpdateFrequency = in.NodeStatusUpdateFrequency + out.NodeStatusReportFrequency = in.NodeStatusReportFrequency + out.ImageMinimumGCAge = in.ImageMinimumGCAge + if in.ImageGCHighThresholdPercent != nil { + in, out := &in.ImageGCHighThresholdPercent, &out.ImageGCHighThresholdPercent + *out = new(int32) + **out = **in + } + if in.ImageGCLowThresholdPercent != nil { + in, out := &in.ImageGCLowThresholdPercent, &out.ImageGCLowThresholdPercent + *out = new(int32) + **out = **in + } + out.VolumeStatsAggPeriod = in.VolumeStatsAggPeriod + if in.CgroupsPerQOS != nil { + in, out := &in.CgroupsPerQOS, &out.CgroupsPerQOS + *out = new(bool) + **out = **in + } + if in.CPUManagerPolicyOptions != nil { + in, out := &in.CPUManagerPolicyOptions, &out.CPUManagerPolicyOptions + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + out.CPUManagerReconcilePeriod = in.CPUManagerReconcilePeriod + if in.QOSReserved != nil { + in, out := &in.QOSReserved, &out.QOSReserved + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + out.RuntimeRequestTimeout = in.RuntimeRequestTimeout + if in.PodPidsLimit != nil { + in, out := &in.PodPidsLimit, &out.PodPidsLimit + *out = new(int64) + **out = **in + } + if in.ResolverConfig != nil { + in, out := &in.ResolverConfig, &out.ResolverConfig + *out = new(string) + **out = **in + } + if in.CPUCFSQuota != nil { + in, out := &in.CPUCFSQuota, &out.CPUCFSQuota + *out = new(bool) + **out = **in + } + if in.CPUCFSQuotaPeriod != nil { + in, out := &in.CPUCFSQuotaPeriod, &out.CPUCFSQuotaPeriod + *out = new(v1.Duration) + **out = **in + } + if in.NodeStatusMaxImages != nil { + in, out := &in.NodeStatusMaxImages, &out.NodeStatusMaxImages + *out = new(int32) + **out = **in + } + if in.KubeAPIQPS != nil { + in, out := &in.KubeAPIQPS, &out.KubeAPIQPS + *out = new(int32) + **out = **in + } + if in.SerializeImagePulls != nil { + in, out := &in.SerializeImagePulls, &out.SerializeImagePulls + *out = new(bool) + **out = **in + } + if in.EvictionHard != nil { + in, out := &in.EvictionHard, &out.EvictionHard + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.EvictionSoft != nil { + in, out := &in.EvictionSoft, &out.EvictionSoft + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.EvictionSoftGracePeriod != nil { + in, out := &in.EvictionSoftGracePeriod, &out.EvictionSoftGracePeriod + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + out.EvictionPressureTransitionPeriod = in.EvictionPressureTransitionPeriod + if in.EvictionMinimumReclaim != nil { + in, out := &in.EvictionMinimumReclaim, &out.EvictionMinimumReclaim + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.EnableControllerAttachDetach != nil { + in, out := &in.EnableControllerAttachDetach, &out.EnableControllerAttachDetach + *out = new(bool) + **out = **in + } + if in.MakeIPTablesUtilChains != nil { + in, out := &in.MakeIPTablesUtilChains, &out.MakeIPTablesUtilChains + *out = new(bool) + **out = **in + } + if in.IPTablesMasqueradeBit != nil { + in, out := &in.IPTablesMasqueradeBit, &out.IPTablesMasqueradeBit + *out = new(int32) + **out = **in + } + if in.IPTablesDropBit != nil { + in, out := &in.IPTablesDropBit, &out.IPTablesDropBit + *out = new(int32) + **out = **in + } + if in.FeatureGates != nil { + in, out := &in.FeatureGates, &out.FeatureGates + *out = make(map[string]bool, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.FailSwapOn != nil { + in, out := &in.FailSwapOn, &out.FailSwapOn + *out = new(bool) + **out = **in + } + out.MemorySwap = in.MemorySwap + if in.ContainerLogMaxFiles != nil { + in, out := &in.ContainerLogMaxFiles, &out.ContainerLogMaxFiles + *out = new(int32) + **out = **in + } + if in.SystemReserved != nil { + in, out := &in.SystemReserved, &out.SystemReserved + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.KubeReserved != nil { + in, out := &in.KubeReserved, &out.KubeReserved + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.EnforceNodeAllocatable != nil { + in, out := &in.EnforceNodeAllocatable, &out.EnforceNodeAllocatable + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedUnsafeSysctls != nil { + in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls + *out = make([]string, len(*in)) + copy(*out, *in) + } + in.Logging.DeepCopyInto(&out.Logging) + if in.EnableSystemLogHandler != nil { + in, out := &in.EnableSystemLogHandler, &out.EnableSystemLogHandler + *out = new(bool) + **out = **in + } + out.ShutdownGracePeriod = in.ShutdownGracePeriod + out.ShutdownGracePeriodCriticalPods = in.ShutdownGracePeriodCriticalPods + if in.ShutdownGracePeriodByPodPriority != nil { + in, out := &in.ShutdownGracePeriodByPodPriority, &out.ShutdownGracePeriodByPodPriority + *out = make([]ShutdownGracePeriodByPodPriority, len(*in)) + copy(*out, *in) + } + if in.ReservedMemory != nil { + in, out := &in.ReservedMemory, &out.ReservedMemory + *out = make([]MemoryReservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.EnableProfilingHandler != nil { + in, out := &in.EnableProfilingHandler, &out.EnableProfilingHandler + *out = new(bool) + **out = **in + } + if in.EnableDebugFlagsHandler != nil { + in, out := &in.EnableDebugFlagsHandler, &out.EnableDebugFlagsHandler + *out = new(bool) + **out = **in + } + if in.SeccompDefault != nil { + in, out := &in.SeccompDefault, &out.SeccompDefault + *out = new(bool) + **out = **in + } + if in.MemoryThrottlingFactor != nil { + in, out := &in.MemoryThrottlingFactor, &out.MemoryThrottlingFactor + *out = new(float64) + **out = **in + } + if in.RegisterWithTaints != nil { + in, out := &in.RegisterWithTaints, &out.RegisterWithTaints + *out = make([]corev1.Taint, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.RegisterNode != nil { + in, out := &in.RegisterNode, &out.RegisterNode + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletConfiguration. +func (in *KubeletConfiguration) DeepCopy() *KubeletConfiguration { + if in == nil { + return nil + } + out := new(KubeletConfiguration) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *KubeletConfiguration) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletWebhookAuthentication) DeepCopyInto(out *KubeletWebhookAuthentication) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + out.CacheTTL = in.CacheTTL + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletWebhookAuthentication. +func (in *KubeletWebhookAuthentication) DeepCopy() *KubeletWebhookAuthentication { + if in == nil { + return nil + } + out := new(KubeletWebhookAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletWebhookAuthorization) DeepCopyInto(out *KubeletWebhookAuthorization) { + *out = *in + out.CacheAuthorizedTTL = in.CacheAuthorizedTTL + out.CacheUnauthorizedTTL = in.CacheUnauthorizedTTL + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletWebhookAuthorization. +func (in *KubeletWebhookAuthorization) DeepCopy() *KubeletWebhookAuthorization { + if in == nil { + return nil + } + out := new(KubeletWebhookAuthorization) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletX509Authentication) DeepCopyInto(out *KubeletX509Authentication) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletX509Authentication. +func (in *KubeletX509Authentication) DeepCopy() *KubeletX509Authentication { + if in == nil { + return nil + } + out := new(KubeletX509Authentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MemoryReservation) DeepCopyInto(out *MemoryReservation) { + *out = *in + if in.Limits != nil { + in, out := &in.Limits, &out.Limits + *out = make(corev1.ResourceList, len(*in)) + for key, val := range *in { + (*out)[key] = val.DeepCopy() + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemoryReservation. +func (in *MemoryReservation) DeepCopy() *MemoryReservation { + if in == nil { + return nil + } + out := new(MemoryReservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MemorySwapConfiguration) DeepCopyInto(out *MemorySwapConfiguration) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemorySwapConfiguration. +func (in *MemorySwapConfiguration) DeepCopy() *MemorySwapConfiguration { + if in == nil { + return nil + } + out := new(MemorySwapConfiguration) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SerializedNodeConfigSource) DeepCopyInto(out *SerializedNodeConfigSource) { + *out = *in + out.TypeMeta = in.TypeMeta + in.Source.DeepCopyInto(&out.Source) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SerializedNodeConfigSource. +func (in *SerializedNodeConfigSource) DeepCopy() *SerializedNodeConfigSource { + if in == nil { + return nil + } + out := new(SerializedNodeConfigSource) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SerializedNodeConfigSource) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ShutdownGracePeriodByPodPriority) DeepCopyInto(out *ShutdownGracePeriodByPodPriority) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ShutdownGracePeriodByPodPriority. +func (in *ShutdownGracePeriodByPodPriority) DeepCopy() *ShutdownGracePeriodByPodPriority { + if in == nil { + return nil + } + out := new(ShutdownGracePeriodByPodPriority) + in.DeepCopyInto(out) + return out +} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go new file mode 100644 index 00000000000..df4f4bf150d --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go @@ -0,0 +1,22 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=k8s.io/kubelet/pkg/apis/credentialprovider +// +k8s:defaulter-gen=TypeMeta +// +groupName=credentialprovider.kubelet.k8s.io + +package v1beta1 // import "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1" diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go new file mode 100644 index 00000000000..75ec067cb03 --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go @@ -0,0 +1,46 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName is the group name use in this package +const GroupName = "credentialprovider.kubelet.k8s.io" + +// SchemeGroupVersion is group version used to register these objects +var ( + SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"} + localSchemeBuilder = &SchemeBuilder +) + +var ( + SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + AddToScheme = SchemeBuilder.AddToScheme +) + +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &CredentialProviderRequest{}, + &CredentialProviderResponse{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go new file mode 100644 index 00000000000..2bc37ce9294 --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go @@ -0,0 +1,117 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// CredentialProviderRequest includes the image that the kubelet requires authentication for. +// Kubelet will pass this request object to the plugin via stdin. In general, plugins should +// prefer responding with the same apiVersion they were sent. +type CredentialProviderRequest struct { + metav1.TypeMeta `json:",inline"` + + // image is the container image that is being pulled as part of the + // credential provider plugin request. Plugins may optionally parse the image + // to extract any information required to fetch credentials. + Image string `json:"image"` +} + +type PluginCacheKeyType string + +const ( + // ImagePluginCacheKeyType means the kubelet will cache credentials on a per-image basis, + // using the image passed from the kubelet directly as the cache key. This includes + // the registry domain, port (if specified), and path but does not include tags or SHAs. + ImagePluginCacheKeyType PluginCacheKeyType = "Image" + // RegistryPluginCacheKeyType means the kubelet will cache credentials on a per-registry basis. + // The cache key will be based on the registry domain and port (if present) parsed from the requested image. + RegistryPluginCacheKeyType PluginCacheKeyType = "Registry" + // GlobalPluginCacheKeyType means the kubelet will cache credentials for all images that + // match for a given plugin. This cache key should only be returned by plugins that do not use + // the image input at all. + GlobalPluginCacheKeyType PluginCacheKeyType = "Global" +) + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// CredentialProviderResponse holds credentials that the kubelet should use for the specified +// image provided in the original request. Kubelet will read the response from the plugin via stdout. +// This response should be set to the same apiVersion as CredentialProviderRequest. +type CredentialProviderResponse struct { + metav1.TypeMeta `json:",inline"` + + // cacheKeyType indiciates the type of caching key to use based on the image provided + // in the request. There are three valid values for the cache key type: Image, Registry, and + // Global. If an invalid value is specified, the response will NOT be used by the kubelet. + CacheKeyType PluginCacheKeyType `json:"cacheKeyType"` + + // cacheDuration indicates the duration the provided credentials should be cached for. + // The kubelet will use this field to set the in-memory cache duration for credentials + // in the AuthConfig. If null, the kubelet will use defaultCacheDuration provided in + // CredentialProviderConfig. If set to 0, the kubelet will not cache the provided AuthConfig. + // +optional + CacheDuration *metav1.Duration `json:"cacheDuration,omitempty"` + + // auth is a map containing authentication information passed into the kubelet. + // Each key is a match image string (more on this below). The corresponding authConfig value + // should be valid for all images that match against this key. A plugin should set + // this field to null if no valid credentials can be returned for the requested image. + // + // Each key in the map is a pattern which can optionally contain a port and a path. + // Globs can be used in the domain, but not in the port or the path. Globs are supported + // as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. + // Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match + // a single subdomain segment, so *.io does not match *.k8s.io. + // + // The kubelet will match images against the key when all of the below are true: + // - Both contain the same number of domain parts and each part matches. + // - The URL path of an imageMatch must be a prefix of the target image URL path. + // - If the imageMatch contains a port, then the port must match in the image as well. + // + // When multiple keys are returned, the kubelet will traverse all keys in reverse order so that: + // - longer keys come before shorter keys with the same prefix + // - non-wildcard keys come before wildcard keys with the same prefix. + // + // For any given match, the kubelet will attempt an image pull with the provided credentials, + // stopping after the first successfully authenticated pull. + // + // Example keys: + // - 123456789.dkr.ecr.us-east-1.amazonaws.com + // - *.azurecr.io + // - gcr.io + // - *.*.registry.io + // - registry.io:8080/path + // +optional + Auth map[string]AuthConfig `json:"auth,omitempty"` +} + +// AuthConfig contains authentication information for a container registry. +// Only username/password based authentication is supported today, but more authentication +// mechanisms may be added in the future. +type AuthConfig struct { + // username is the username used for authenticating to the container registry + // An empty username is valid. + Username string `json:"username"` + + // password is the password used for authenticating to the container registry + // An empty password is valid. + Password string `json:"password"` +} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go new file mode 100644 index 00000000000..1991aab6dde --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go @@ -0,0 +1,137 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1beta1 + +import ( + unsafe "unsafe" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" + credentialprovider "k8s.io/kubelet/pkg/apis/credentialprovider" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*AuthConfig)(nil), (*credentialprovider.AuthConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(a.(*AuthConfig), b.(*credentialprovider.AuthConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*credentialprovider.AuthConfig)(nil), (*AuthConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(a.(*credentialprovider.AuthConfig), b.(*AuthConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*CredentialProviderRequest)(nil), (*credentialprovider.CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(a.(*CredentialProviderRequest), b.(*credentialprovider.CredentialProviderRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderResponse)(nil), (*CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(a.(*credentialprovider.CredentialProviderResponse), b.(*CredentialProviderResponse), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(in *AuthConfig, out *credentialprovider.AuthConfig, s conversion.Scope) error { + out.Username = in.Username + out.Password = in.Password + return nil +} + +// Convert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig is an autogenerated conversion function. +func Convert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(in *AuthConfig, out *credentialprovider.AuthConfig, s conversion.Scope) error { + return autoConvert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(in, out, s) +} + +func autoConvert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(in *credentialprovider.AuthConfig, out *AuthConfig, s conversion.Scope) error { + out.Username = in.Username + out.Password = in.Password + return nil +} + +// Convert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig is an autogenerated conversion function. +func Convert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(in *credentialprovider.AuthConfig, out *AuthConfig, s conversion.Scope) error { + return autoConvert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(in, out, s) +} + +func autoConvert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error { + out.Image = in.Image + return nil +} + +// Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest is an autogenerated conversion function. +func Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error { + return autoConvert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in, out, s) +} + +func autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error { + out.Image = in.Image + return nil +} + +// Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest is an autogenerated conversion function. +func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error { + return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s) +} + +func autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error { + out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType) + out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration)) + out.Auth = *(*map[string]credentialprovider.AuthConfig)(unsafe.Pointer(&in.Auth)) + return nil +} + +// Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse is an autogenerated conversion function. +func Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error { + return autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in, out, s) +} + +func autoConvert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(in *credentialprovider.CredentialProviderResponse, out *CredentialProviderResponse, s conversion.Scope) error { + out.CacheKeyType = PluginCacheKeyType(in.CacheKeyType) + out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration)) + out.Auth = *(*map[string]AuthConfig)(unsafe.Pointer(&in.Auth)) + return nil +} + +// Convert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse is an autogenerated conversion function. +func Convert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(in *credentialprovider.CredentialProviderResponse, out *CredentialProviderResponse, s conversion.Scope) error { + return autoConvert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(in, out, s) +} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go new file mode 100644 index 00000000000..ca2143c77fc --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go @@ -0,0 +1,105 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1beta1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthConfig) DeepCopyInto(out *AuthConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthConfig. +func (in *AuthConfig) DeepCopy() *AuthConfig { + if in == nil { + return nil + } + out := new(AuthConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderRequest. +func (in *CredentialProviderRequest) DeepCopy() *CredentialProviderRequest { + if in == nil { + return nil + } + out := new(CredentialProviderRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CredentialProviderRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProviderResponse) DeepCopyInto(out *CredentialProviderResponse) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.CacheDuration != nil { + in, out := &in.CacheDuration, &out.CacheDuration + *out = new(v1.Duration) + **out = **in + } + if in.Auth != nil { + in, out := &in.Auth, &out.Auth + *out = make(map[string]AuthConfig, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderResponse. +func (in *CredentialProviderResponse) DeepCopy() *CredentialProviderResponse { + if in == nil { + return nil + } + out := new(CredentialProviderResponse) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CredentialProviderResponse) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go new file mode 100644 index 00000000000..198b5be4af5 --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go @@ -0,0 +1,33 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1beta1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} From 977a8ebb3a4be17d14c11476c27bd77a80e8ef32 Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Mon, 1 Aug 2022 19:21:30 +0000 Subject: [PATCH 02/13] Renaming usage of v1beta1 to v1, and adding API violation exceptions and vendor module for v1 --- api/api-rules/violation_exceptions.list | 4 + hack/.import-aliases | 1 + pkg/credentialprovider/plugin/config_test.go | 46 + pkg/credentialprovider/plugin/plugin.go | 4 + pkg/credentialprovider/plugin/plugin_test.go | 28 + pkg/features/kube_features.go | 3 +- pkg/kubelet/apis/config/scheme/scheme.go | 4 + pkg/kubelet/apis/config/types.go | 1 + pkg/kubelet/apis/config/v1/doc.go | 21 + pkg/kubelet/apis/config/v1/register.go | 33 + .../apis/config/v1/zz_generated.conversion.go | 144 +++ .../apis/config/v1/zz_generated.deepcopy.go | 22 + .../apis/config/v1/zz_generated.defaults.go | 33 + staging/src/k8s.io/kubelet/config/v1/doc.go | 2 +- .../src/k8s.io/kubelet/config/v1/register.go | 6 +- .../k8s.io/kubelet/config/v1/register_test.go | 2 +- staging/src/k8s.io/kubelet/config/v1/types.go | 876 +----------------- .../credentialprovider/install/install.go | 3 + .../pkg/apis/credentialprovider/v1/doc.go | 2 +- .../apis/credentialprovider/v1/register.go | 4 +- .../pkg/apis/credentialprovider/v1/types.go | 2 +- vendor/modules.txt | 2 + 22 files changed, 359 insertions(+), 884 deletions(-) create mode 100644 pkg/kubelet/apis/config/v1/doc.go create mode 100644 pkg/kubelet/apis/config/v1/register.go create mode 100644 pkg/kubelet/apis/config/v1/zz_generated.conversion.go create mode 100644 pkg/kubelet/apis/config/v1/zz_generated.deepcopy.go create mode 100644 pkg/kubelet/apis/config/v1/zz_generated.defaults.go diff --git a/api/api-rules/violation_exceptions.list b/api/api-rules/violation_exceptions.list index 278b6f8a8c4..d65befb0fd9 100644 --- a/api/api-rules/violation_exceptions.list +++ b/api/api-rules/violation_exceptions.list @@ -349,6 +349,10 @@ API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1beta2,Exten API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1beta3,ExtenderTLSConfig,CAData API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1beta3,ExtenderTLSConfig,CertData API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1beta3,ExtenderTLSConfig,KeyData +API rule violation: list_type_missing,k8s.io/kubelet/config/v1,CredentialProvider,Args +API rule violation: list_type_missing,k8s.io/kubelet/config/v1,CredentialProvider,Env +API rule violation: list_type_missing,k8s.io/kubelet/config/v1,CredentialProvider,MatchImages +API rule violation: list_type_missing,k8s.io/kubelet/config/v1,CredentialProviderConfig,Providers API rule violation: list_type_missing,k8s.io/kubelet/config/v1alpha1,CredentialProvider,Args API rule violation: list_type_missing,k8s.io/kubelet/config/v1alpha1,CredentialProvider,Env API rule violation: list_type_missing,k8s.io/kubelet/config/v1alpha1,CredentialProvider,MatchImages diff --git a/hack/.import-aliases b/hack/.import-aliases index ea5bbde09b0..49843e89333 100644 --- a/hack/.import-aliases +++ b/hack/.import-aliases @@ -45,6 +45,7 @@ "k8s.io/kubelet/apis/stats/v1alpha1": "kubeletstatsv1alpha1", "k8s.io/kubernetes/pkg/controller/apis/config/v1alpha1": "controllerconfigv1alpha1", "k8s.io/kubernetes/pkg/kubelet/apis/config/v1beta1": "kubeletconfigv1beta1", + "k8s.io/kubernetes/pkg/kubelet/apis/config/v1": "kubeletconfigv1", "k8s.io/kubelet/pkg/apis/deviceplugin/v1alpha": "kubeletdevicepluginv1alpha", "k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1": "kubeletdevicepluginv1beta1", "k8s.io/kubelet/pkg/apis/pluginregistration/v1": "kubeletpluginregistrationv1", diff --git a/pkg/credentialprovider/plugin/config_test.go b/pkg/credentialprovider/plugin/config_test.go index 6e6ef0f57d4..940109cc44d 100644 --- a/pkg/credentialprovider/plugin/config_test.go +++ b/pkg/credentialprovider/plugin/config_test.go @@ -229,6 +229,52 @@ providers: }, }, }, + { + name: "v1 config with multiple providers", + configData: `--- +kind: CredentialProviderConfig +apiVersion: kubelet.config.k8s.io/v1 +providers: + - name: test1 + matchImages: + - "registry.io/one" + defaultCacheDuration: 10m + apiVersion: credentialprovider.kubelet.k8s.io/v1 + - name: test2 + matchImages: + - "registry.io/two" + defaultCacheDuration: 10m + apiVersion: credentialprovider.kubelet.k8s.io/v1 + args: + - --v=5 + env: + - name: FOO + value: BAR`, + + config: &kubeletconfig.CredentialProviderConfig{ + Providers: []kubeletconfig.CredentialProvider{ + { + Name: "test1", + MatchImages: []string{"registry.io/one"}, + DefaultCacheDuration: &metav1.Duration{Duration: 10 * time.Minute}, + APIVersion: "credentialprovider.kubelet.k8s.io/v1", + }, + { + Name: "test2", + MatchImages: []string{"registry.io/two"}, + DefaultCacheDuration: &metav1.Duration{Duration: 10 * time.Minute}, + APIVersion: "credentialprovider.kubelet.k8s.io/v1", + Args: []string{"--v=5"}, + Env: []kubeletconfig.ExecEnvVar{ + { + Name: "FOO", + Value: "BAR", + }, + }, + }, + }, + }, + }, { name: "config with wrong Kind", configData: `--- diff --git a/pkg/credentialprovider/plugin/plugin.go b/pkg/credentialprovider/plugin/plugin.go index 5e6db98b465..dc458634eeb 100644 --- a/pkg/credentialprovider/plugin/plugin.go +++ b/pkg/credentialprovider/plugin/plugin.go @@ -38,10 +38,12 @@ import ( "k8s.io/klog/v2" credentialproviderapi "k8s.io/kubelet/pkg/apis/credentialprovider" "k8s.io/kubelet/pkg/apis/credentialprovider/install" + credentialproviderv1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1" credentialproviderv1alpha1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1" credentialproviderv1beta1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1" "k8s.io/kubernetes/pkg/credentialprovider" kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config" + kubeletconfigv1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1" kubeletconfigv1alpha1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1alpha1" kubeletconfigv1beta1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1beta1" "k8s.io/utils/clock" @@ -59,6 +61,7 @@ var ( apiVersions = map[string]schema.GroupVersion{ credentialproviderv1alpha1.SchemeGroupVersion.String(): credentialproviderv1alpha1.SchemeGroupVersion, credentialproviderv1beta1.SchemeGroupVersion.String(): credentialproviderv1beta1.SchemeGroupVersion, + credentialproviderv1.SchemeGroupVersion.String(): credentialproviderv1.SchemeGroupVersion, } ) @@ -67,6 +70,7 @@ func init() { kubeletconfig.AddToScheme(scheme) kubeletconfigv1alpha1.AddToScheme(scheme) kubeletconfigv1beta1.AddToScheme(scheme) + kubeletconfigv1.AddToScheme(scheme) } // RegisterCredentialProviderPlugins is called from kubelet to register external credential provider diff --git a/pkg/credentialprovider/plugin/plugin_test.go b/pkg/credentialprovider/plugin/plugin_test.go index 68d0bee804c..1f02992b11d 100644 --- a/pkg/credentialprovider/plugin/plugin_test.go +++ b/pkg/credentialprovider/plugin/plugin_test.go @@ -30,6 +30,7 @@ import ( "k8s.io/apimachinery/pkg/util/rand" "k8s.io/client-go/tools/cache" credentialproviderapi "k8s.io/kubelet/pkg/apis/credentialprovider" + credentialproviderv1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1" credentialproviderv1alpha1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1" credentialproviderv1beta1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1" "k8s.io/kubernetes/pkg/credentialprovider" @@ -432,6 +433,16 @@ func Test_encodeRequest(t *testing.T) { Image: "test.registry.io/foobar", }, expectedData: []byte(`{"kind":"CredentialProviderRequest","apiVersion":"credentialprovider.kubelet.k8s.io/v1beta1","image":"test.registry.io/foobar"} +`), + expectedErr: false, + }, + { + name: "successful with v1", + apiVersion: credentialproviderv1.SchemeGroupVersion, + request: &credentialproviderapi.CredentialProviderRequest{ + Image: "test.registry.io/foobar", + }, + expectedData: []byte(`{"kind":"CredentialProviderRequest","apiVersion":"credentialprovider.kubelet.k8s.io/v1","image":"test.registry.io/foobar"} `), expectedErr: false, }, @@ -474,6 +485,23 @@ func Test_decodeResponse(t *testing.T) { expectedResponse *credentialproviderapi.CredentialProviderResponse expectedErr bool }{ + { + name: "success with v1", + data: []byte(`{"kind":"CredentialProviderResponse","apiVersion":"credentialprovider.kubelet.k8s.io/v1","cacheKeyType":"Registry","cacheDuration":"1m","auth":{"*.registry.io":{"username":"user","password":"password"}}}`), + expectedResponse: &credentialproviderapi.CredentialProviderResponse{ + CacheKeyType: credentialproviderapi.RegistryPluginCacheKeyType, + CacheDuration: &metav1.Duration{ + Duration: time.Minute, + }, + Auth: map[string]credentialproviderapi.AuthConfig{ + "*.registry.io": { + Username: "user", + Password: "password", + }, + }, + }, + expectedErr: false, + }, { name: "success with v1beta1", data: []byte(`{"kind":"CredentialProviderResponse","apiVersion":"credentialprovider.kubelet.k8s.io/v1beta1","cacheKeyType":"Registry","cacheDuration":"1m","auth":{"*.registry.io":{"username":"user","password":"password"}}}`), diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index 5a0dbd7e81a..e375e9c820b 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -485,6 +485,7 @@ const ( // owner: @andrewsykim @adisky // alpha: v1.20 // beta: v1.24 + // ga: v1.25 // // Enable kubelet exec plugins for image pull credentials. KubeletCredentialProviders featuregate.Feature = "KubeletCredentialProviders" @@ -1019,7 +1020,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS JobTrackingWithFinalizers: {Default: true, PreRelease: featuregate.Beta}, - KubeletCredentialProviders: {Default: true, PreRelease: featuregate.Beta}, + KubeletCredentialProviders: {Default: true, PreRelease: featuregate.GA}, KubeletInUserNamespace: {Default: false, PreRelease: featuregate.Alpha}, diff --git a/pkg/kubelet/apis/config/scheme/scheme.go b/pkg/kubelet/apis/config/scheme/scheme.go index 0a5ae0b5eea..a8120b5436c 100644 --- a/pkg/kubelet/apis/config/scheme/scheme.go +++ b/pkg/kubelet/apis/config/scheme/scheme.go @@ -20,6 +20,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/serializer" kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config" + kubeletconfigv1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1" kubeletconfigv1beta1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1beta1" ) @@ -36,6 +37,9 @@ func NewSchemeAndCodecs(mutators ...serializer.CodecFactoryOptionsMutator) (*run if err := kubeletconfigv1beta1.AddToScheme(scheme); err != nil { return nil, nil, err } + if err := kubeletconfigv1.AddToScheme(scheme); err != nil { + return nil, nil, err + } codecs := serializer.NewCodecFactory(scheme, mutators...) return scheme, &codecs, nil } diff --git a/pkg/kubelet/apis/config/types.go b/pkg/kubelet/apis/config/types.go index 0ec23416fab..dbe52a1bd70 100644 --- a/pkg/kubelet/apis/config/types.go +++ b/pkg/kubelet/apis/config/types.go @@ -595,6 +595,7 @@ type CredentialProvider struct { // MUST use the same encoding version as the input. Current supported values are: // - credentialprovider.kubelet.k8s.io/v1alpha1 // - credentialprovider.kubelet.k8s.io/v1beta1 + // - credentialprovider.kubelet.k8s.io/v1 APIVersion string // Arguments to pass to the command when executing it. diff --git a/pkg/kubelet/apis/config/v1/doc.go b/pkg/kubelet/apis/config/v1/doc.go new file mode 100644 index 00000000000..f4a6f4a6d4f --- /dev/null +++ b/pkg/kubelet/apis/config/v1/doc.go @@ -0,0 +1,21 @@ +/* +Copyright 2022 The Kubernetes Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=k8s.io/kubernetes/pkg/kubelet/apis/config +// +k8s:conversion-gen-external-types=k8s.io/kubelet/config/v1 +// +k8s:defaulter-gen=TypeMeta +// +k8s:defaulter-gen-input=k8s.io/kubelet/config/v1 +// +groupName=kubelet.config.k8s.io + +package v1 // import "k8s.io/kubernetes/pkg/kubelet/apis/config/v1" diff --git a/pkg/kubelet/apis/config/v1/register.go b/pkg/kubelet/apis/config/v1/register.go new file mode 100644 index 00000000000..ec933333914 --- /dev/null +++ b/pkg/kubelet/apis/config/v1/register.go @@ -0,0 +1,33 @@ +/* +Copyright 2022 The Kubernetes Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1 + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + kubeletconfigv1 "k8s.io/kubelet/config/v1" +) + +// GroupName is the group name used in this package +const GroupName = "kubelet.config.k8s.io" + +// SchemeGroupVersion is group version used to register these objects +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"} + +var ( + // localSchemeBuilder extends the SchemeBuilder instance with the external types. In this package, + // defaulting and conversion init funcs are registered as well. + localSchemeBuilder = &kubeletconfigv1.SchemeBuilder + // AddToScheme is a global function that registers this API group & version to a scheme + AddToScheme = localSchemeBuilder.AddToScheme +) diff --git a/pkg/kubelet/apis/config/v1/zz_generated.conversion.go b/pkg/kubelet/apis/config/v1/zz_generated.conversion.go new file mode 100644 index 00000000000..8c6ac6e0468 --- /dev/null +++ b/pkg/kubelet/apis/config/v1/zz_generated.conversion.go @@ -0,0 +1,144 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1 + +import ( + unsafe "unsafe" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" + v1 "k8s.io/kubelet/config/v1" + config "k8s.io/kubernetes/pkg/kubelet/apis/config" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*v1.CredentialProvider)(nil), (*config.CredentialProvider)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_CredentialProvider_To_config_CredentialProvider(a.(*v1.CredentialProvider), b.(*config.CredentialProvider), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.CredentialProvider)(nil), (*v1.CredentialProvider)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_CredentialProvider_To_v1_CredentialProvider(a.(*config.CredentialProvider), b.(*v1.CredentialProvider), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*v1.CredentialProviderConfig)(nil), (*config.CredentialProviderConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_CredentialProviderConfig_To_config_CredentialProviderConfig(a.(*v1.CredentialProviderConfig), b.(*config.CredentialProviderConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.CredentialProviderConfig)(nil), (*v1.CredentialProviderConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_CredentialProviderConfig_To_v1_CredentialProviderConfig(a.(*config.CredentialProviderConfig), b.(*v1.CredentialProviderConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*v1.ExecEnvVar)(nil), (*config.ExecEnvVar)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_ExecEnvVar_To_config_ExecEnvVar(a.(*v1.ExecEnvVar), b.(*config.ExecEnvVar), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.ExecEnvVar)(nil), (*v1.ExecEnvVar)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_ExecEnvVar_To_v1_ExecEnvVar(a.(*config.ExecEnvVar), b.(*v1.ExecEnvVar), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1_CredentialProvider_To_config_CredentialProvider(in *v1.CredentialProvider, out *config.CredentialProvider, s conversion.Scope) error { + out.Name = in.Name + out.MatchImages = *(*[]string)(unsafe.Pointer(&in.MatchImages)) + out.DefaultCacheDuration = (*metav1.Duration)(unsafe.Pointer(in.DefaultCacheDuration)) + out.APIVersion = in.APIVersion + out.Args = *(*[]string)(unsafe.Pointer(&in.Args)) + out.Env = *(*[]config.ExecEnvVar)(unsafe.Pointer(&in.Env)) + return nil +} + +// Convert_v1_CredentialProvider_To_config_CredentialProvider is an autogenerated conversion function. +func Convert_v1_CredentialProvider_To_config_CredentialProvider(in *v1.CredentialProvider, out *config.CredentialProvider, s conversion.Scope) error { + return autoConvert_v1_CredentialProvider_To_config_CredentialProvider(in, out, s) +} + +func autoConvert_config_CredentialProvider_To_v1_CredentialProvider(in *config.CredentialProvider, out *v1.CredentialProvider, s conversion.Scope) error { + out.Name = in.Name + out.MatchImages = *(*[]string)(unsafe.Pointer(&in.MatchImages)) + out.DefaultCacheDuration = (*metav1.Duration)(unsafe.Pointer(in.DefaultCacheDuration)) + out.APIVersion = in.APIVersion + out.Args = *(*[]string)(unsafe.Pointer(&in.Args)) + out.Env = *(*[]v1.ExecEnvVar)(unsafe.Pointer(&in.Env)) + return nil +} + +// Convert_config_CredentialProvider_To_v1_CredentialProvider is an autogenerated conversion function. +func Convert_config_CredentialProvider_To_v1_CredentialProvider(in *config.CredentialProvider, out *v1.CredentialProvider, s conversion.Scope) error { + return autoConvert_config_CredentialProvider_To_v1_CredentialProvider(in, out, s) +} + +func autoConvert_v1_CredentialProviderConfig_To_config_CredentialProviderConfig(in *v1.CredentialProviderConfig, out *config.CredentialProviderConfig, s conversion.Scope) error { + out.Providers = *(*[]config.CredentialProvider)(unsafe.Pointer(&in.Providers)) + return nil +} + +// Convert_v1_CredentialProviderConfig_To_config_CredentialProviderConfig is an autogenerated conversion function. +func Convert_v1_CredentialProviderConfig_To_config_CredentialProviderConfig(in *v1.CredentialProviderConfig, out *config.CredentialProviderConfig, s conversion.Scope) error { + return autoConvert_v1_CredentialProviderConfig_To_config_CredentialProviderConfig(in, out, s) +} + +func autoConvert_config_CredentialProviderConfig_To_v1_CredentialProviderConfig(in *config.CredentialProviderConfig, out *v1.CredentialProviderConfig, s conversion.Scope) error { + out.Providers = *(*[]v1.CredentialProvider)(unsafe.Pointer(&in.Providers)) + return nil +} + +// Convert_config_CredentialProviderConfig_To_v1_CredentialProviderConfig is an autogenerated conversion function. +func Convert_config_CredentialProviderConfig_To_v1_CredentialProviderConfig(in *config.CredentialProviderConfig, out *v1.CredentialProviderConfig, s conversion.Scope) error { + return autoConvert_config_CredentialProviderConfig_To_v1_CredentialProviderConfig(in, out, s) +} + +func autoConvert_v1_ExecEnvVar_To_config_ExecEnvVar(in *v1.ExecEnvVar, out *config.ExecEnvVar, s conversion.Scope) error { + out.Name = in.Name + out.Value = in.Value + return nil +} + +// Convert_v1_ExecEnvVar_To_config_ExecEnvVar is an autogenerated conversion function. +func Convert_v1_ExecEnvVar_To_config_ExecEnvVar(in *v1.ExecEnvVar, out *config.ExecEnvVar, s conversion.Scope) error { + return autoConvert_v1_ExecEnvVar_To_config_ExecEnvVar(in, out, s) +} + +func autoConvert_config_ExecEnvVar_To_v1_ExecEnvVar(in *config.ExecEnvVar, out *v1.ExecEnvVar, s conversion.Scope) error { + out.Name = in.Name + out.Value = in.Value + return nil +} + +// Convert_config_ExecEnvVar_To_v1_ExecEnvVar is an autogenerated conversion function. +func Convert_config_ExecEnvVar_To_v1_ExecEnvVar(in *config.ExecEnvVar, out *v1.ExecEnvVar, s conversion.Scope) error { + return autoConvert_config_ExecEnvVar_To_v1_ExecEnvVar(in, out, s) +} diff --git a/pkg/kubelet/apis/config/v1/zz_generated.deepcopy.go b/pkg/kubelet/apis/config/v1/zz_generated.deepcopy.go new file mode 100644 index 00000000000..87181b43048 --- /dev/null +++ b/pkg/kubelet/apis/config/v1/zz_generated.deepcopy.go @@ -0,0 +1,22 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1 diff --git a/pkg/kubelet/apis/config/v1/zz_generated.defaults.go b/pkg/kubelet/apis/config/v1/zz_generated.defaults.go new file mode 100644 index 00000000000..dac177e93bd --- /dev/null +++ b/pkg/kubelet/apis/config/v1/zz_generated.defaults.go @@ -0,0 +1,33 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/staging/src/k8s.io/kubelet/config/v1/doc.go b/staging/src/k8s.io/kubelet/config/v1/doc.go index 5644377d6c8..27df1a2441a 100644 --- a/staging/src/k8s.io/kubelet/config/v1/doc.go +++ b/staging/src/k8s.io/kubelet/config/v1/doc.go @@ -18,4 +18,4 @@ limitations under the License. // +k8s:openapi-gen=true // +groupName=kubelet.config.k8s.io -package v1beta1 // import "k8s.io/kubelet/config/v1beta1" +package v1 // import "k8s.io/kubelet/config/v1" diff --git a/staging/src/k8s.io/kubelet/config/v1/register.go b/staging/src/k8s.io/kubelet/config/v1/register.go index 22bdfbb4cba..5d7a8e8a21f 100644 --- a/staging/src/k8s.io/kubelet/config/v1/register.go +++ b/staging/src/k8s.io/kubelet/config/v1/register.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package v1beta1 +package v1 import ( "k8s.io/apimachinery/pkg/runtime" @@ -25,7 +25,7 @@ import ( const GroupName = "kubelet.config.k8s.io" // SchemeGroupVersion is group version used to register these objects -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"} +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"} var ( // SchemeBuilder is the scheme builder with scheme init functions to run for this API package @@ -37,8 +37,6 @@ var ( // addKnownTypes registers known types to the given scheme func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, - &KubeletConfiguration{}, - &SerializedNodeConfigSource{}, &CredentialProviderConfig{}, ) return nil diff --git a/staging/src/k8s.io/kubelet/config/v1/register_test.go b/staging/src/k8s.io/kubelet/config/v1/register_test.go index 7e45b544602..188b62a259d 100644 --- a/staging/src/k8s.io/kubelet/config/v1/register_test.go +++ b/staging/src/k8s.io/kubelet/config/v1/register_test.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package v1beta1 +package v1 import ( "testing" diff --git a/staging/src/k8s.io/kubelet/config/v1/types.go b/staging/src/k8s.io/kubelet/config/v1/types.go index 2504f2aa253..1b59a7d8dc6 100644 --- a/staging/src/k8s.io/kubelet/config/v1/types.go +++ b/staging/src/k8s.io/kubelet/config/v1/types.go @@ -1,5 +1,5 @@ /* -Copyright 2017 The Kubernetes Authors. +Copyright 2022 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -14,882 +14,12 @@ See the License for the specific language governing permissions and limitations under the License. */ -package v1beta1 +package v1 import ( - v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - logsapi "k8s.io/component-base/logs/api/v1" ) -// HairpinMode denotes how the kubelet should configure networking to handle -// hairpin packets. -type HairpinMode string - -// Enum settings for different ways to handle hairpin packets. -const ( - // Set the hairpin flag on the veth of containers in the respective - // container runtime. - HairpinVeth = "hairpin-veth" - // Make the container bridge promiscuous. This will force it to accept - // hairpin packets, even if the flag isn't set on ports of the bridge. - PromiscuousBridge = "promiscuous-bridge" - // Neither of the above. If the kubelet is started in this hairpin mode - // and kube-proxy is running in iptables mode, hairpin packets will be - // dropped by the container bridge. - HairpinNone = "none" -) - -// ResourceChangeDetectionStrategy denotes a mode in which internal -// managers (secret, configmap) are discovering object changes. -type ResourceChangeDetectionStrategy string - -// Enum settings for different strategies of kubelet managers. -const ( - // GetChangeDetectionStrategy is a mode in which kubelet fetches - // necessary objects directly from apiserver. - GetChangeDetectionStrategy ResourceChangeDetectionStrategy = "Get" - // TTLCacheChangeDetectionStrategy is a mode in which kubelet uses - // ttl cache for object directly fetched from apiserver. - TTLCacheChangeDetectionStrategy ResourceChangeDetectionStrategy = "Cache" - // WatchChangeDetectionStrategy is a mode in which kubelet uses - // watches to observe changes to objects that are in its interest. - WatchChangeDetectionStrategy ResourceChangeDetectionStrategy = "Watch" - // RestrictedTopologyManagerPolicy is a mode in which kubelet only allows - // pods with optimal NUMA node alignment for requested resources - RestrictedTopologyManagerPolicy = "restricted" - // BestEffortTopologyManagerPolicy is a mode in which kubelet will favour - // pods with NUMA alignment of CPU and device resources. - BestEffortTopologyManagerPolicy = "best-effort" - // NoneTopologyManagerPolicy is a mode in which kubelet has no knowledge - // of NUMA alignment of a pod's CPU and device resources. - NoneTopologyManagerPolicy = "none" - // SingleNumaNodeTopologyManagerPolicy is a mode in which kubelet only allows - // pods with a single NUMA alignment of CPU and device resources. - SingleNumaNodeTopologyManagerPolicy = "single-numa-node" - // ContainerTopologyManagerScope represents that - // topology policy is applied on a per-container basis. - ContainerTopologyManagerScope = "container" - // PodTopologyManagerScope represents that - // topology policy is applied on a per-pod basis. - PodTopologyManagerScope = "pod" - // NoneMemoryManagerPolicy is a memory manager none policy, under the none policy - // the memory manager will not pin containers memory of guaranteed pods - NoneMemoryManagerPolicy = "None" - // StaticMemoryManagerPolicy is a memory manager static policy, under the static policy - // the memory manager will try to pin containers memory of guaranteed pods to the smallest - // possible sub-set of NUMA nodes - StaticMemoryManagerPolicy = "Static" -) - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// KubeletConfiguration contains the configuration for the Kubelet -type KubeletConfiguration struct { - metav1.TypeMeta `json:",inline"` - - // enableServer enables Kubelet's secured server. - // Note: Kubelet's insecure port is controlled by the readOnlyPort option. - // Default: true - EnableServer *bool `json:"enableServer,omitempty"` - // staticPodPath is the path to the directory containing local (static) pods to - // run, or the path to a single static pod file. - // Default: "" - // +optional - StaticPodPath string `json:"staticPodPath,omitempty"` - // syncFrequency is the max period between synchronizing running - // containers and config. - // Default: "1m" - // +optional - SyncFrequency metav1.Duration `json:"syncFrequency,omitempty"` - // fileCheckFrequency is the duration between checking config files for - // new data. - // Default: "20s" - // +optional - FileCheckFrequency metav1.Duration `json:"fileCheckFrequency,omitempty"` - // httpCheckFrequency is the duration between checking http for new data. - // Default: "20s" - // +optional - HTTPCheckFrequency metav1.Duration `json:"httpCheckFrequency,omitempty"` - // staticPodURL is the URL for accessing static pods to run. - // Default: "" - // +optional - StaticPodURL string `json:"staticPodURL,omitempty"` - // staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL. - // Default: nil - // +optional - StaticPodURLHeader map[string][]string `json:"staticPodURLHeader,omitempty"` - // address is the IP address for the Kubelet to serve on (set to 0.0.0.0 - // for all interfaces). - // Default: "0.0.0.0" - // +optional - Address string `json:"address,omitempty"` - // port is the port for the Kubelet to serve on. - // The port number must be between 1 and 65535, inclusive. - // Default: 10250 - // +optional - Port int32 `json:"port,omitempty"` - // readOnlyPort is the read-only port for the Kubelet to serve on with - // no authentication/authorization. - // The port number must be between 1 and 65535, inclusive. - // Setting this field to 0 disables the read-only service. - // Default: 0 (disabled) - // +optional - ReadOnlyPort int32 `json:"readOnlyPort,omitempty"` - // tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert, - // if any, concatenated after server cert). If tlsCertFile and - // tlsPrivateKeyFile are not provided, a self-signed certificate - // and key are generated for the public address and saved to the directory - // passed to the Kubelet's --cert-dir flag. - // Default: "" - // +optional - TLSCertFile string `json:"tlsCertFile,omitempty"` - // tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile. - // Default: "" - // +optional - TLSPrivateKeyFile string `json:"tlsPrivateKeyFile,omitempty"` - // tlsCipherSuites is the list of allowed cipher suites for the server. - // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). - // Default: nil - // +optional - TLSCipherSuites []string `json:"tlsCipherSuites,omitempty"` - // tlsMinVersion is the minimum TLS version supported. - // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). - // Default: "" - // +optional - TLSMinVersion string `json:"tlsMinVersion,omitempty"` - // rotateCertificates enables client certificate rotation. The Kubelet will request a - // new certificate from the certificates.k8s.io API. This requires an approver to approve the - // certificate signing requests. - // Default: false - // +optional - RotateCertificates bool `json:"rotateCertificates,omitempty"` - // serverTLSBootstrap enables server certificate bootstrap. Instead of self - // signing a serving certificate, the Kubelet will request a certificate from - // the 'certificates.k8s.io' API. This requires an approver to approve the - // certificate signing requests (CSR). The RotateKubeletServerCertificate feature - // must be enabled when setting this field. - // Default: false - // +optional - ServerTLSBootstrap bool `json:"serverTLSBootstrap,omitempty"` - // authentication specifies how requests to the Kubelet's server are authenticated. - // Defaults: - // anonymous: - // enabled: false - // webhook: - // enabled: true - // cacheTTL: "2m" - // +optional - Authentication KubeletAuthentication `json:"authentication"` - // authorization specifies how requests to the Kubelet's server are authorized. - // Defaults: - // mode: Webhook - // webhook: - // cacheAuthorizedTTL: "5m" - // cacheUnauthorizedTTL: "30s" - // +optional - Authorization KubeletAuthorization `json:"authorization"` - // registryPullQPS is the limit of registry pulls per second. - // The value must not be a negative number. - // Setting it to 0 means no limit. - // Default: 5 - // +optional - RegistryPullQPS *int32 `json:"registryPullQPS,omitempty"` - // registryBurst is the maximum size of bursty pulls, temporarily allows - // pulls to burst to this number, while still not exceeding registryPullQPS. - // The value must not be a negative number. - // Only used if registryPullQPS is greater than 0. - // Default: 10 - // +optional - RegistryBurst int32 `json:"registryBurst,omitempty"` - // eventRecordQPS is the maximum event creations per second. If 0, there - // is no limit enforced. The value cannot be a negative number. - // Default: 5 - // +optional - EventRecordQPS *int32 `json:"eventRecordQPS,omitempty"` - // eventBurst is the maximum size of a burst of event creations, temporarily - // allows event creations to burst to this number, while still not exceeding - // eventRecordQPS. This field canot be a negative number and it is only used - // when eventRecordQPS > 0. - // Default: 10 - // +optional - EventBurst int32 `json:"eventBurst,omitempty"` - // enableDebuggingHandlers enables server endpoints for log access - // and local running of containers and commands, including the exec, - // attach, logs, and portforward features. - // Default: true - // +optional - EnableDebuggingHandlers *bool `json:"enableDebuggingHandlers,omitempty"` - // enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true. - // Default: false - // +optional - EnableContentionProfiling bool `json:"enableContentionProfiling,omitempty"` - // healthzPort is the port of the localhost healthz endpoint (set to 0 to disable). - // A valid number is between 1 and 65535. - // Default: 10248 - // +optional - HealthzPort *int32 `json:"healthzPort,omitempty"` - // healthzBindAddress is the IP address for the healthz server to serve on. - // Default: "127.0.0.1" - // +optional - HealthzBindAddress string `json:"healthzBindAddress,omitempty"` - // oomScoreAdj is The oom-score-adj value for kubelet process. Values - // must be within the range [-1000, 1000]. - // Default: -999 - // +optional - OOMScoreAdj *int32 `json:"oomScoreAdj,omitempty"` - // clusterDomain is the DNS domain for this cluster. If set, kubelet will - // configure all containers to search this domain in addition to the - // host's search domains. - // Default: "" - // +optional - ClusterDomain string `json:"clusterDomain,omitempty"` - // clusterDNS is a list of IP addresses for the cluster DNS server. If set, - // kubelet will configure all containers to use this for DNS resolution - // instead of the host's DNS servers. - // Default: nil - // +optional - ClusterDNS []string `json:"clusterDNS,omitempty"` - // streamingConnectionIdleTimeout is the maximum time a streaming connection - // can be idle before the connection is automatically closed. - // Default: "4h" - // +optional - StreamingConnectionIdleTimeout metav1.Duration `json:"streamingConnectionIdleTimeout,omitempty"` - // nodeStatusUpdateFrequency is the frequency that kubelet computes node - // status. If node lease feature is not enabled, it is also the frequency that - // kubelet posts node status to master. - // Note: When node lease feature is not enabled, be cautious when changing the - // constant, it must work with nodeMonitorGracePeriod in nodecontroller. - // Default: "10s" - // +optional - NodeStatusUpdateFrequency metav1.Duration `json:"nodeStatusUpdateFrequency,omitempty"` - // nodeStatusReportFrequency is the frequency that kubelet posts node - // status to master if node status does not change. Kubelet will ignore this - // frequency and post node status immediately if any change is detected. It is - // only used when node lease feature is enabled. nodeStatusReportFrequency's - // default value is 5m. But if nodeStatusUpdateFrequency is set explicitly, - // nodeStatusReportFrequency's default value will be set to - // nodeStatusUpdateFrequency for backward compatibility. - // Default: "5m" - // +optional - NodeStatusReportFrequency metav1.Duration `json:"nodeStatusReportFrequency,omitempty"` - // nodeLeaseDurationSeconds is the duration the Kubelet will set on its corresponding Lease. - // NodeLease provides an indicator of node health by having the Kubelet create and - // periodically renew a lease, named after the node, in the kube-node-lease namespace. - // If the lease expires, the node can be considered unhealthy. - // The lease is currently renewed every 10s, per KEP-0009. In the future, the lease renewal - // interval may be set based on the lease duration. - // The field value must be greater than 0. - // Default: 40 - // +optional - NodeLeaseDurationSeconds int32 `json:"nodeLeaseDurationSeconds,omitempty"` - // imageMinimumGCAge is the minimum age for an unused image before it is - // garbage collected. - // Default: "2m" - // +optional - ImageMinimumGCAge metav1.Duration `json:"imageMinimumGCAge,omitempty"` - // imageGCHighThresholdPercent is the percent of disk usage after which - // image garbage collection is always run. The percent is calculated by - // dividing this field value by 100, so this field must be between 0 and - // 100, inclusive. When specified, the value must be greater than - // imageGCLowThresholdPercent. - // Default: 85 - // +optional - ImageGCHighThresholdPercent *int32 `json:"imageGCHighThresholdPercent,omitempty"` - // imageGCLowThresholdPercent is the percent of disk usage before which - // image garbage collection is never run. Lowest disk usage to garbage - // collect to. The percent is calculated by dividing this field value by 100, - // so the field value must be between 0 and 100, inclusive. When specified, the - // value must be less than imageGCHighThresholdPercent. - // Default: 80 - // +optional - ImageGCLowThresholdPercent *int32 `json:"imageGCLowThresholdPercent,omitempty"` - // volumeStatsAggPeriod is the frequency for calculating and caching volume - // disk usage for all pods. - // Default: "1m" - // +optional - VolumeStatsAggPeriod metav1.Duration `json:"volumeStatsAggPeriod,omitempty"` - // kubeletCgroups is the absolute name of cgroups to isolate the kubelet in - // Default: "" - // +optional - KubeletCgroups string `json:"kubeletCgroups,omitempty"` - // systemCgroups is absolute name of cgroups in which to place - // all non-kernel processes that are not already in a container. Empty - // for no container. Rolling back the flag requires a reboot. - // The cgroupRoot must be specified if this field is not empty. - // Default: "" - // +optional - SystemCgroups string `json:"systemCgroups,omitempty"` - // cgroupRoot is the root cgroup to use for pods. This is handled by the - // container runtime on a best effort basis. - // +optional - CgroupRoot string `json:"cgroupRoot,omitempty"` - // cgroupsPerQOS enable QoS based CGroup hierarchy: top level CGroups for QoS classes - // and all Burstable and BestEffort Pods are brought up under their specific top level - // QoS CGroup. - // Default: true - // +optional - CgroupsPerQOS *bool `json:"cgroupsPerQOS,omitempty"` - // cgroupDriver is the driver kubelet uses to manipulate CGroups on the host (cgroupfs - // or systemd). - // Default: "cgroupfs" - // +optional - CgroupDriver string `json:"cgroupDriver,omitempty"` - // cpuManagerPolicy is the name of the policy to use. - // Requires the CPUManager feature gate to be enabled. - // Default: "None" - // +optional - CPUManagerPolicy string `json:"cpuManagerPolicy,omitempty"` - // cpuManagerPolicyOptions is a set of key=value which allows to set extra options - // to fine tune the behaviour of the cpu manager policies. - // Requires both the "CPUManager" and "CPUManagerPolicyOptions" feature gates to be enabled. - // Default: nil - // +optional - CPUManagerPolicyOptions map[string]string `json:"cpuManagerPolicyOptions,omitempty"` - // cpuManagerReconcilePeriod is the reconciliation period for the CPU Manager. - // Requires the CPUManager feature gate to be enabled. - // Default: "10s" - // +optional - CPUManagerReconcilePeriod metav1.Duration `json:"cpuManagerReconcilePeriod,omitempty"` - // memoryManagerPolicy is the name of the policy to use by memory manager. - // Requires the MemoryManager feature gate to be enabled. - // Default: "none" - // +optional - MemoryManagerPolicy string `json:"memoryManagerPolicy,omitempty"` - // topologyManagerPolicy is the name of the topology manager policy to use. - // Valid values include: - // - // - `restricted`: kubelet only allows pods with optimal NUMA node alignment for - // requested resources; - // - `best-effort`: kubelet will favor pods with NUMA alignment of CPU and device - // resources; - // - `none`: kubelet has no knowledge of NUMA alignment of a pod's CPU and device resources. - // - `single-numa-node`: kubelet only allows pods with a single NUMA alignment - // of CPU and device resources. - // - // Policies other than "none" require the TopologyManager feature gate to be enabled. - // Default: "none" - // +optional - TopologyManagerPolicy string `json:"topologyManagerPolicy,omitempty"` - // topologyManagerScope represents the scope of topology hint generation - // that topology manager requests and hint providers generate. Valid values include: - // - // - `container`: topology policy is applied on a per-container basis. - // - `pod`: topology policy is applied on a per-pod basis. - // - // "pod" scope requires the TopologyManager feature gate to be enabled. - // Default: "container" - // +optional - TopologyManagerScope string `json:"topologyManagerScope,omitempty"` - // qosReserved is a set of resource name to percentage pairs that specify - // the minimum percentage of a resource reserved for exclusive use by the - // guaranteed QoS tier. - // Currently supported resources: "memory" - // Requires the QOSReserved feature gate to be enabled. - // Default: nil - // +optional - QOSReserved map[string]string `json:"qosReserved,omitempty"` - // runtimeRequestTimeout is the timeout for all runtime requests except long running - // requests - pull, logs, exec and attach. - // Default: "2m" - // +optional - RuntimeRequestTimeout metav1.Duration `json:"runtimeRequestTimeout,omitempty"` - // hairpinMode specifies how the Kubelet should configure the container - // bridge for hairpin packets. - // Setting this flag allows endpoints in a Service to loadbalance back to - // themselves if they should try to access their own Service. Values: - // - // - "promiscuous-bridge": make the container bridge promiscuous. - // - "hairpin-veth": set the hairpin flag on container veth interfaces. - // - "none": do nothing. - // - // Generally, one must set `--hairpin-mode=hairpin-veth to` achieve hairpin NAT, - // because promiscuous-bridge assumes the existence of a container bridge named cbr0. - // Default: "promiscuous-bridge" - // +optional - HairpinMode string `json:"hairpinMode,omitempty"` - // maxPods is the maximum number of Pods that can run on this Kubelet. - // The value must be a non-negative integer. - // Default: 110 - // +optional - MaxPods int32 `json:"maxPods,omitempty"` - // podCIDR is the CIDR to use for pod IP addresses, only used in standalone mode. - // In cluster mode, this is obtained from the control plane. - // Default: "" - // +optional - PodCIDR string `json:"podCIDR,omitempty"` - // podPidsLimit is the maximum number of PIDs in any pod. - // Default: -1 - // +optional - PodPidsLimit *int64 `json:"podPidsLimit,omitempty"` - // resolvConf is the resolver configuration file used as the basis - // for the container DNS resolution configuration. - // If set to the empty string, will override the default and effectively disable DNS lookups. - // Default: "/etc/resolv.conf" - // +optional - ResolverConfig *string `json:"resolvConf,omitempty"` - // runOnce causes the Kubelet to check the API server once for pods, - // run those in addition to the pods specified by static pod files, and exit. - // Default: false - // +optional - RunOnce bool `json:"runOnce,omitempty"` - // cpuCFSQuota enables CPU CFS quota enforcement for containers that - // specify CPU limits. - // Default: true - // +optional - CPUCFSQuota *bool `json:"cpuCFSQuota,omitempty"` - // cpuCFSQuotaPeriod is the CPU CFS quota period value, `cpu.cfs_period_us`. - // The value must be between 1 us and 1 second, inclusive. - // Requires the CustomCPUCFSQuotaPeriod feature gate to be enabled. - // Default: "100ms" - // +optional - CPUCFSQuotaPeriod *metav1.Duration `json:"cpuCFSQuotaPeriod,omitempty"` - // nodeStatusMaxImages caps the number of images reported in Node.status.images. - // The value must be greater than -2. - // Note: If -1 is specified, no cap will be applied. If 0 is specified, no image is returned. - // Default: 50 - // +optional - NodeStatusMaxImages *int32 `json:"nodeStatusMaxImages,omitempty"` - // maxOpenFiles is Number of files that can be opened by Kubelet process. - // The value must be a non-negative number. - // Default: 1000000 - // +optional - MaxOpenFiles int64 `json:"maxOpenFiles,omitempty"` - // contentType is contentType of requests sent to apiserver. - // Default: "application/vnd.kubernetes.protobuf" - // +optional - ContentType string `json:"contentType,omitempty"` - // kubeAPIQPS is the QPS to use while talking with kubernetes apiserver. - // Default: 5 - // +optional - KubeAPIQPS *int32 `json:"kubeAPIQPS,omitempty"` - // kubeAPIBurst is the burst to allow while talking with kubernetes API server. - // This field cannot be a negative number. - // Default: 10 - // +optional - KubeAPIBurst int32 `json:"kubeAPIBurst,omitempty"` - // serializeImagePulls when enabled, tells the Kubelet to pull images one - // at a time. We recommend *not* changing the default value on nodes that - // run docker daemon with version < 1.9 or an Aufs storage backend. - // Issue #10959 has more details. - // Default: true - // +optional - SerializeImagePulls *bool `json:"serializeImagePulls,omitempty"` - // evictionHard is a map of signal names to quantities that defines hard eviction - // thresholds. For example: `{"memory.available": "300Mi"}`. - // To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. - // Default: - // memory.available: "100Mi" - // nodefs.available: "10%" - // nodefs.inodesFree: "5%" - // imagefs.available: "15%" - // +optional - EvictionHard map[string]string `json:"evictionHard,omitempty"` - // evictionSoft is a map of signal names to quantities that defines soft eviction thresholds. - // For example: `{"memory.available": "300Mi"}`. - // Default: nil - // +optional - EvictionSoft map[string]string `json:"evictionSoft,omitempty"` - // evictionSoftGracePeriod is a map of signal names to quantities that defines grace - // periods for each soft eviction signal. For example: `{"memory.available": "30s"}`. - // Default: nil - // +optional - EvictionSoftGracePeriod map[string]string `json:"evictionSoftGracePeriod,omitempty"` - // evictionPressureTransitionPeriod is the duration for which the kubelet has to wait - // before transitioning out of an eviction pressure condition. - // Default: "5m" - // +optional - EvictionPressureTransitionPeriod metav1.Duration `json:"evictionPressureTransitionPeriod,omitempty"` - // evictionMaxPodGracePeriod is the maximum allowed grace period (in seconds) to use - // when terminating pods in response to a soft eviction threshold being met. This value - // effectively caps the Pod's terminationGracePeriodSeconds value during soft evictions. - // Note: Due to issue #64530, the behavior has a bug where this value currently just - // overrides the grace period during soft eviction, which can increase the grace - // period from what is set on the Pod. This bug will be fixed in a future release. - // Default: 0 - // +optional - EvictionMaxPodGracePeriod int32 `json:"evictionMaxPodGracePeriod,omitempty"` - // evictionMinimumReclaim is a map of signal names to quantities that defines minimum reclaims, - // which describe the minimum amount of a given resource the kubelet will reclaim when - // performing a pod eviction while that resource is under pressure. - // For example: `{"imagefs.available": "2Gi"}`. - // Default: nil - // +optional - EvictionMinimumReclaim map[string]string `json:"evictionMinimumReclaim,omitempty"` - // podsPerCore is the maximum number of pods per core. Cannot exceed maxPods. - // The value must be a non-negative integer. - // If 0, there is no limit on the number of Pods. - // Default: 0 - // +optional - PodsPerCore int32 `json:"podsPerCore,omitempty"` - // enableControllerAttachDetach enables the Attach/Detach controller to - // manage attachment/detachment of volumes scheduled to this node, and - // disables kubelet from executing any attach/detach operations. - // Note: attaching/detaching CSI volumes is not supported by the kubelet, - // so this option needs to be true for that use case. - // Default: true - // +optional - EnableControllerAttachDetach *bool `json:"enableControllerAttachDetach,omitempty"` - // protectKernelDefaults, if true, causes the Kubelet to error if kernel - // flags are not as it expects. Otherwise the Kubelet will attempt to modify - // kernel flags to match its expectation. - // Default: false - // +optional - ProtectKernelDefaults bool `json:"protectKernelDefaults,omitempty"` - // makeIPTablesUtilChains, if true, causes the Kubelet ensures a set of iptables rules - // are present on host. - // These rules will serve as utility rules for various components, e.g. kube-proxy. - // The rules will be created based on iptablesMasqueradeBit and iptablesDropBit. - // Default: true - // +optional - MakeIPTablesUtilChains *bool `json:"makeIPTablesUtilChains,omitempty"` - // iptablesMasqueradeBit is the bit of the iptables fwmark space to mark for SNAT. - // Values must be within the range [0, 31]. Must be different from other mark bits. - // Warning: Please match the value of the corresponding parameter in kube-proxy. - // TODO: clean up IPTablesMasqueradeBit in kube-proxy. - // Default: 14 - // +optional - IPTablesMasqueradeBit *int32 `json:"iptablesMasqueradeBit,omitempty"` - // iptablesDropBit is the bit of the iptables fwmark space to mark for dropping packets. - // Values must be within the range [0, 31]. Must be different from other mark bits. - // Default: 15 - // +optional - IPTablesDropBit *int32 `json:"iptablesDropBit,omitempty"` - // featureGates is a map of feature names to bools that enable or disable experimental - // features. This field modifies piecemeal the built-in default values from - // "k8s.io/kubernetes/pkg/features/kube_features.go". - // Default: nil - // +optional - FeatureGates map[string]bool `json:"featureGates,omitempty"` - // failSwapOn tells the Kubelet to fail to start if swap is enabled on the node. - // Default: true - // +optional - FailSwapOn *bool `json:"failSwapOn,omitempty"` - // memorySwap configures swap memory available to container workloads. - // +featureGate=NodeSwap - // +optional - MemorySwap MemorySwapConfiguration `json:"memorySwap,omitempty"` - // containerLogMaxSize is a quantity defining the maximum size of the container log - // file before it is rotated. For example: "5Mi" or "256Ki". - // Default: "10Mi" - // +optional - ContainerLogMaxSize string `json:"containerLogMaxSize,omitempty"` - // containerLogMaxFiles specifies the maximum number of container log files that can - // be present for a container. - // Default: 5 - // +optional - ContainerLogMaxFiles *int32 `json:"containerLogMaxFiles,omitempty"` - // configMapAndSecretChangeDetectionStrategy is a mode in which ConfigMap and Secret - // managers are running. Valid values include: - // - // - `Get`: kubelet fetches necessary objects directly from the API server; - // - `Cache`: kubelet uses TTL cache for object fetched from the API server; - // - `Watch`: kubelet uses watches to observe changes to objects that are in its interest. - // - // Default: "Watch" - // +optional - ConfigMapAndSecretChangeDetectionStrategy ResourceChangeDetectionStrategy `json:"configMapAndSecretChangeDetectionStrategy,omitempty"` - - /* the following fields are meant for Node Allocatable */ - - // systemReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) - // pairs that describe resources reserved for non-kubernetes components. - // Currently only cpu and memory are supported. - // See http://kubernetes.io/docs/user-guide/compute-resources for more detail. - // Default: nil - // +optional - SystemReserved map[string]string `json:"systemReserved,omitempty"` - // kubeReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs - // that describe resources reserved for kubernetes system components. - // Currently cpu, memory and local storage for root file system are supported. - // See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - // for more details. - // Default: nil - // +optional - KubeReserved map[string]string `json:"kubeReserved,omitempty"` - // The reservedSystemCPUs option specifies the CPU list reserved for the host - // level system threads and kubernetes related threads. This provide a "static" - // CPU list rather than the "dynamic" list by systemReserved and kubeReserved. - // This option does not support systemReservedCgroup or kubeReservedCgroup. - ReservedSystemCPUs string `json:"reservedSystemCPUs,omitempty"` - // showHiddenMetricsForVersion is the previous version for which you want to show - // hidden metrics. - // Only the previous minor version is meaningful, other values will not be allowed. - // The format is `.`, e.g.: `1.16`. - // The purpose of this format is make sure you have the opportunity to notice - // if the next release hides additional metrics, rather than being surprised - // when they are permanently removed in the release after that. - // Default: "" - // +optional - ShowHiddenMetricsForVersion string `json:"showHiddenMetricsForVersion,omitempty"` - // systemReservedCgroup helps the kubelet identify absolute name of top level CGroup used - // to enforce `systemReserved` compute resource reservation for OS system daemons. - // Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) - // doc for more information. - // Default: "" - // +optional - SystemReservedCgroup string `json:"systemReservedCgroup,omitempty"` - // kubeReservedCgroup helps the kubelet identify absolute name of top level CGroup used - // to enforce `KubeReserved` compute resource reservation for Kubernetes node system daemons. - // Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) - // doc for more information. - // Default: "" - // +optional - KubeReservedCgroup string `json:"kubeReservedCgroup,omitempty"` - // This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform. - // This flag accepts a list of options. Acceptable options are `none`, `pods`, - // `system-reserved` and `kube-reserved`. - // If `none` is specified, no other options may be specified. - // When `system-reserved` is in the list, systemReservedCgroup must be specified. - // When `kube-reserved` is in the list, kubeReservedCgroup must be specified. - // This field is supported only when `cgroupsPerQOS` is set to true. - // Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) - // for more information. - // Default: ["pods"] - // +optional - EnforceNodeAllocatable []string `json:"enforceNodeAllocatable,omitempty"` - // A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in `*`). - // Unsafe sysctl groups are `kernel.shm*`, `kernel.msg*`, `kernel.sem`, `fs.mqueue.*`, - // and `net.*`. For example: "`kernel.msg*,net.ipv4.route.min_pmtu`" - // Default: [] - // +optional - AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty"` - // volumePluginDir is the full path of the directory in which to search - // for additional third party volume plugins. - // Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/" - // +optional - VolumePluginDir string `json:"volumePluginDir,omitempty"` - // providerID, if set, sets the unique ID of the instance that an external - // provider (i.e. cloudprovider) can use to identify a specific node. - // Default: "" - // +optional - ProviderID string `json:"providerID,omitempty"` - // kernelMemcgNotification, if set, instructs the kubelet to integrate with the - // kernel memcg notification for determining if memory eviction thresholds are - // exceeded rather than polling. - // Default: false - // +optional - KernelMemcgNotification bool `json:"kernelMemcgNotification,omitempty"` - // logging specifies the options of logging. - // Refer to [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) - // for more information. - // Default: - // Format: text - // + optional - Logging logsapi.LoggingConfiguration `json:"logging,omitempty"` - // enableSystemLogHandler enables system logs via web interface host:port/logs/ - // Default: true - // +optional - EnableSystemLogHandler *bool `json:"enableSystemLogHandler,omitempty"` - // shutdownGracePeriod specifies the total duration that the node should delay the - // shutdown and total grace period for pod termination during a node shutdown. - // Default: "0s" - // +featureGate=GracefulNodeShutdown - // +optional - ShutdownGracePeriod metav1.Duration `json:"shutdownGracePeriod,omitempty"` - // shutdownGracePeriodCriticalPods specifies the duration used to terminate critical - // pods during a node shutdown. This should be less than shutdownGracePeriod. - // For example, if shutdownGracePeriod=30s, and shutdownGracePeriodCriticalPods=10s, - // during a node shutdown the first 20 seconds would be reserved for gracefully - // terminating normal pods, and the last 10 seconds would be reserved for terminating - // critical pods. - // Default: "0s" - // +featureGate=GracefulNodeShutdown - // +optional - ShutdownGracePeriodCriticalPods metav1.Duration `json:"shutdownGracePeriodCriticalPods,omitempty"` - // shutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based - // on their associated priority class value. - // When a shutdown request is received, the Kubelet will initiate shutdown on all pods - // running on the node with a grace period that depends on the priority of the pod, - // and then wait for all pods to exit. - // Each entry in the array represents the graceful shutdown time a pod with a priority - // class value that lies in the range of that value and the next higher entry in the - // list when the node is shutting down. - // For example, to allow critical pods 10s to shutdown, priority>=10000 pods 20s to - // shutdown, and all remaining pods 30s to shutdown. - // - // shutdownGracePeriodByPodPriority: - // - priority: 2000000000 - // shutdownGracePeriodSeconds: 10 - // - priority: 10000 - // shutdownGracePeriodSeconds: 20 - // - priority: 0 - // shutdownGracePeriodSeconds: 30 - // - // The time the Kubelet will wait before exiting will at most be the maximum of all - // shutdownGracePeriodSeconds for each priority class range represented on the node. - // When all pods have exited or reached their grace periods, the Kubelet will release - // the shutdown inhibit lock. - // Requires the GracefulNodeShutdown feature gate to be enabled. - // This configuration must be empty if either ShutdownGracePeriod or ShutdownGracePeriodCriticalPods is set. - // Default: nil - // +featureGate=GracefulNodeShutdownBasedOnPodPriority - // +optional - ShutdownGracePeriodByPodPriority []ShutdownGracePeriodByPodPriority `json:"shutdownGracePeriodByPodPriority,omitempty"` - // reservedMemory specifies a comma-separated list of memory reservations for NUMA nodes. - // The parameter makes sense only in the context of the memory manager feature. - // The memory manager will not allocate reserved memory for container workloads. - // For example, if you have a NUMA0 with 10Gi of memory and the reservedMemory was - // specified to reserve 1Gi of memory at NUMA0, the memory manager will assume that - // only 9Gi is available for allocation. - // You can specify a different amount of NUMA node and memory types. - // You can omit this parameter at all, but you should be aware that the amount of - // reserved memory from all NUMA nodes should be equal to the amount of memory specified - // by the [node allocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable). - // If at least one node allocatable parameter has a non-zero value, you will need - // to specify at least one NUMA node. - // Also, avoid specifying: - // - // 1. Duplicates, the same NUMA node, and memory type, but with a different value. - // 2. zero limits for any memory type. - // 3. NUMAs nodes IDs that do not exist under the machine. - // 4. memory types except for memory and hugepages- - // - // Default: nil - // +optional - ReservedMemory []MemoryReservation `json:"reservedMemory,omitempty"` - // enableProfilingHandler enables profiling via web interface host:port/debug/pprof/ - // Default: true - // +optional - EnableProfilingHandler *bool `json:"enableProfilingHandler,omitempty"` - // enableDebugFlagsHandler enables flags endpoint via web interface host:port/debug/flags/v - // Default: true - // +optional - EnableDebugFlagsHandler *bool `json:"enableDebugFlagsHandler,omitempty"` - // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. - // This requires the corresponding SeccompDefault feature gate to be enabled as well. - // Default: false - // +optional - SeccompDefault *bool `json:"seccompDefault,omitempty"` - // MemoryThrottlingFactor specifies the factor multiplied by the memory limit or node allocatable memory - // when setting the cgroupv2 memory.high value to enforce MemoryQoS. - // Decreasing this factor will set lower high limit for container cgroups and put heavier reclaim pressure - // while increasing will put less reclaim pressure. - // See http://kep.k8s.io/2570 for more details. - // Default: 0.8 - // +featureGate=MemoryQoS - // +optional - MemoryThrottlingFactor *float64 `json:"memoryThrottlingFactor,omitempty"` - // registerWithTaints are an array of taints to add to a node object when - // the kubelet registers itself. This only takes effect when registerNode - // is true and upon the initial registration of the node. - // Default: nil - // +optional - RegisterWithTaints []v1.Taint `json:"registerWithTaints,omitempty"` - // registerNode enables automatic registration with the apiserver. - // Default: true - // +optional - RegisterNode *bool `json:"registerNode,omitempty"` -} - -type KubeletAuthorizationMode string - -const ( - // KubeletAuthorizationModeAlwaysAllow authorizes all authenticated requests - KubeletAuthorizationModeAlwaysAllow KubeletAuthorizationMode = "AlwaysAllow" - // KubeletAuthorizationModeWebhook uses the SubjectAccessReview API to determine authorization - KubeletAuthorizationModeWebhook KubeletAuthorizationMode = "Webhook" -) - -type KubeletAuthorization struct { - // mode is the authorization mode to apply to requests to the kubelet server. - // Valid values are `AlwaysAllow` and `Webhook`. - // Webhook mode uses the SubjectAccessReview API to determine authorization. - // +optional - Mode KubeletAuthorizationMode `json:"mode,omitempty"` - - // webhook contains settings related to Webhook authorization. - // +optional - Webhook KubeletWebhookAuthorization `json:"webhook"` -} - -type KubeletWebhookAuthorization struct { - // cacheAuthorizedTTL is the duration to cache 'authorized' responses from the - // webhook authorizer. - // +optional - CacheAuthorizedTTL metav1.Duration `json:"cacheAuthorizedTTL,omitempty"` - // cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from - // the webhook authorizer. - // +optional - CacheUnauthorizedTTL metav1.Duration `json:"cacheUnauthorizedTTL,omitempty"` -} - -type KubeletAuthentication struct { - // x509 contains settings related to x509 client certificate authentication. - // +optional - X509 KubeletX509Authentication `json:"x509"` - // webhook contains settings related to webhook bearer token authentication. - // +optional - Webhook KubeletWebhookAuthentication `json:"webhook"` - // anonymous contains settings related to anonymous authentication. - // +optional - Anonymous KubeletAnonymousAuthentication `json:"anonymous"` -} - -type KubeletX509Authentication struct { - // clientCAFile is the path to a PEM-encoded certificate bundle. If set, any request - // presenting a client certificate signed by one of the authorities in the bundle - // is authenticated with a username corresponding to the CommonName, - // and groups corresponding to the Organization in the client certificate. - // +optional - ClientCAFile string `json:"clientCAFile,omitempty"` -} - -type KubeletWebhookAuthentication struct { - // enabled allows bearer token authentication backed by the - // tokenreviews.authentication.k8s.io API. - // +optional - Enabled *bool `json:"enabled,omitempty"` - // cacheTTL enables caching of authentication results - // +optional - CacheTTL metav1.Duration `json:"cacheTTL,omitempty"` -} - -type KubeletAnonymousAuthentication struct { - // enabled allows anonymous requests to the kubelet server. - // Requests that are not rejected by another authentication method are treated as - // anonymous requests. - // Anonymous requests have a username of `system:anonymous`, and a group name of - // `system:unauthenticated`. - // +optional - Enabled *bool `json:"enabled,omitempty"` -} - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// SerializedNodeConfigSource allows us to serialize v1.NodeConfigSource. -// This type is used internally by the Kubelet for tracking checkpointed dynamic configs. -// It exists in the kubeletconfig API group because it is classified as a versioned input to the Kubelet. -type SerializedNodeConfigSource struct { - metav1.TypeMeta `json:",inline"` - // source is the source that we are serializing. - // +optional - Source v1.NodeConfigSource `json:"source,omitempty" protobuf:"bytes,1,opt,name=source"` -} - -// MemoryReservation specifies the memory reservation of different types for each NUMA node -type MemoryReservation struct { - NumaNode int32 `json:"numaNode"` - Limits v1.ResourceList `json:"limits"` -} - -// ShutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based on their associated priority class value -type ShutdownGracePeriodByPodPriority struct { - // priority is the priority value associated with the shutdown grace period - Priority int32 `json:"priority"` - // shutdownGracePeriodSeconds is the shutdown grace period in seconds - ShutdownGracePeriodSeconds int64 `json:"shutdownGracePeriodSeconds"` -} - -type MemorySwapConfiguration struct { - // swapBehavior configures swap memory available to container workloads. May be one of - // "", "LimitedSwap": workload combined memory and swap usage cannot exceed pod memory limit - // "UnlimitedSwap": workloads can use unlimited swap, up to the allocatable limit. - // +featureGate=NodeSwap - // +optional - SwapBehavior string `json:"swapBehavior,omitempty"` -} - // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // CredentialProviderConfig is the configuration containing information about @@ -945,7 +75,7 @@ type CredentialProvider struct { // Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse // MUST use the same encoding version as the input. Current supported values are: - // - credentialprovider.kubelet.k8s.io/v1beta1 + // - credentialprovider.kubelet.k8s.io/v1 APIVersion string `json:"apiVersion"` // Arguments to pass to the command when executing it. diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/install/install.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/install/install.go index f3f8b1dfa3c..58461310054 100644 --- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/install/install.go +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/install/install.go @@ -20,6 +20,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/kubelet/pkg/apis/credentialprovider" + v1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1" "k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1" "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1" ) @@ -31,4 +32,6 @@ func Install(scheme *runtime.Scheme) { utilruntime.Must(scheme.SetVersionPriority(v1alpha1.SchemeGroupVersion)) utilruntime.Must(v1beta1.AddToScheme(scheme)) utilruntime.Must(scheme.SetVersionPriority(v1beta1.SchemeGroupVersion)) + utilruntime.Must(v1.AddToScheme(scheme)) + utilruntime.Must(scheme.SetVersionPriority(v1.SchemeGroupVersion)) } diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go index df4f4bf150d..474a085ab92 100644 --- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go @@ -19,4 +19,4 @@ limitations under the License. // +k8s:defaulter-gen=TypeMeta // +groupName=credentialprovider.kubelet.k8s.io -package v1beta1 // import "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1" +package v1 // import "k8s.io/kubelet/pkg/apis/credentialprovider/v1" diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go index 75ec067cb03..0f8177bd8ca 100644 --- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package v1beta1 +package v1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -27,7 +27,7 @@ const GroupName = "credentialprovider.kubelet.k8s.io" // SchemeGroupVersion is group version used to register these objects var ( - SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"} + SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"} localSchemeBuilder = &SchemeBuilder ) diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go index 2bc37ce9294..3cce9cc428e 100644 --- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package v1beta1 +package v1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" diff --git a/vendor/modules.txt b/vendor/modules.txt index f8f4d979023..8d01b25656d 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -2308,6 +2308,7 @@ k8s.io/kubectl/pkg/util/term k8s.io/kubectl/pkg/validation # k8s.io/kubelet v0.0.0 => ./staging/src/k8s.io/kubelet ## explicit; go 1.19 +k8s.io/kubelet/config/v1 k8s.io/kubelet/config/v1alpha1 k8s.io/kubelet/config/v1beta1 k8s.io/kubelet/pkg/apis @@ -2315,6 +2316,7 @@ k8s.io/kubelet/pkg/apis/credentialprovider k8s.io/kubelet/pkg/apis/credentialprovider/install k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1 k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1 +k8s.io/kubelet/pkg/apis/credentialprovider/v1 k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1 k8s.io/kubelet/pkg/apis/pluginregistration/v1 k8s.io/kubelet/pkg/apis/podresources/v1 From 4cc741955c70ce5c7163074a0fbe910001cd219f Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Mon, 1 Aug 2022 22:00:56 +0000 Subject: [PATCH 03/13] Adding default values for v1 credential provider config --- .../scheme/testdata/CredentialProviderConfig/after/v1.yaml | 3 +++ .../scheme/testdata/CredentialProviderConfig/before/v1.yaml | 2 ++ .../CredentialProviderConfig/roundtrip/default/v1.yaml | 3 +++ 3 files changed, 8 insertions(+) create mode 100644 pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/after/v1.yaml create mode 100644 pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/before/v1.yaml create mode 100644 pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/roundtrip/default/v1.yaml diff --git a/pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/after/v1.yaml b/pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/after/v1.yaml new file mode 100644 index 00000000000..782a369be84 --- /dev/null +++ b/pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/after/v1.yaml @@ -0,0 +1,3 @@ +apiVersion: kubelet.config.k8s.io/v1 +kind: CredentialProviderConfig +providers: null diff --git a/pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/before/v1.yaml b/pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/before/v1.yaml new file mode 100644 index 00000000000..c4bacc56b44 --- /dev/null +++ b/pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/before/v1.yaml @@ -0,0 +1,2 @@ +kind: CredentialProviderConfig +apiVersion: kubelet.config.k8s.io/v1 \ No newline at end of file diff --git a/pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/roundtrip/default/v1.yaml b/pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/roundtrip/default/v1.yaml new file mode 100644 index 00000000000..782a369be84 --- /dev/null +++ b/pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/roundtrip/default/v1.yaml @@ -0,0 +1,3 @@ +apiVersion: kubelet.config.k8s.io/v1 +kind: CredentialProviderConfig +providers: null From 875920037a072ec9b34d598795a69f5c3ea8eaa3 Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Wed, 7 Sep 2022 21:35:46 +0000 Subject: [PATCH 04/13] Adding files generated from running make generate and update commands --- pkg/generated/openapi/zz_generated.openapi.go | 157 ++++++ .../config/v1/zz_generated.deepcopy.go | 500 +----------------- .../v1/zz_generated.conversion.go | 68 +-- .../v1/zz_generated.deepcopy.go | 6 +- .../v1/zz_generated.defaults.go | 2 +- vendor/modules.txt | 2 +- 6 files changed, 199 insertions(+), 536 deletions(-) diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go index da23aa5b6cd..05c1ea6196f 100644 --- a/pkg/generated/openapi/zz_generated.openapi.go +++ b/pkg/generated/openapi/zz_generated.openapi.go @@ -1066,6 +1066,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "k8s.io/kube-scheduler/config/v1beta3.ScoringStrategy": schema_k8sio_kube_scheduler_config_v1beta3_ScoringStrategy(ref), "k8s.io/kube-scheduler/config/v1beta3.UtilizationShapePoint": schema_k8sio_kube_scheduler_config_v1beta3_UtilizationShapePoint(ref), "k8s.io/kube-scheduler/config/v1beta3.VolumeBindingArgs": schema_k8sio_kube_scheduler_config_v1beta3_VolumeBindingArgs(ref), + "k8s.io/kubelet/config/v1.CredentialProvider": schema_k8sio_kubelet_config_v1_CredentialProvider(ref), + "k8s.io/kubelet/config/v1.CredentialProviderConfig": schema_k8sio_kubelet_config_v1_CredentialProviderConfig(ref), + "k8s.io/kubelet/config/v1.ExecEnvVar": schema_k8sio_kubelet_config_v1_ExecEnvVar(ref), "k8s.io/kubelet/config/v1alpha1.CredentialProvider": schema_k8sio_kubelet_config_v1alpha1_CredentialProvider(ref), "k8s.io/kubelet/config/v1alpha1.CredentialProviderConfig": schema_k8sio_kubelet_config_v1alpha1_CredentialProviderConfig(ref), "k8s.io/kubelet/config/v1alpha1.ExecEnvVar": schema_k8sio_kubelet_config_v1alpha1_ExecEnvVar(ref), @@ -53643,6 +53646,160 @@ func schema_k8sio_kube_scheduler_config_v1beta3_VolumeBindingArgs(ref common.Ref } } +func schema_k8sio_kubelet_config_v1_CredentialProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only invoked when an image being pulled matches the images handled by the plugin (see matchImages).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is the required name of the credential provider. It must match the name of the provider executable as seen by the kubelet. The executable must be in the kubelet's bin directory (set by the --image-credential-provider-bin-dir flag).", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "matchImages": { + SchemaProps: spec.SchemaProps{ + Description: "matchImages is a required list of strings used to match against images in order to determine if this provider should be invoked. If one of the strings matches the requested image from the kubelet, the plugin will be invoked and given a chance to provide credentials. Images are expected to contain the registry domain and URL path.\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match a single subdomain segment, so *.io does not match *.k8s.io.\n\nA match exists between an image and a matchImage when all of the below are true: - Both contain the same number of domain parts and each part matches. - The URL path of an imageMatch must be a prefix of the target image URL path. - If the imageMatch contains a port, then the port must match in the image as well.\n\nExample values of matchImages:\n - 123456789.dkr.ecr.us-east-1.amazonaws.com\n - *.azurecr.io\n - gcr.io\n - *.*.registry.io\n - registry.io:8080/path", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "defaultCacheDuration": { + SchemaProps: spec.SchemaProps{ + Description: "defaultCacheDuration is the default duration the plugin will cache credentials in-memory if a cache duration is not provided in the plugin response. This field is required.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"), + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse MUST use the same encoding version as the input. Current supported values are: - credentialprovider.kubelet.k8s.io/v1", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "args": { + SchemaProps: spec.SchemaProps{ + Description: "Arguments to pass to the command when executing it.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "env": { + SchemaProps: spec.SchemaProps{ + Description: "Env defines additional environment variables to expose to the process. These are unioned with the host's environment, as well as variables client-go uses to pass argument to the plugin.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/kubelet/config/v1.ExecEnvVar"), + }, + }, + }, + }, + }, + }, + Required: []string{"name", "matchImages", "defaultCacheDuration", "apiVersion"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/kubelet/config/v1.ExecEnvVar"}, + } +} + +func schema_k8sio_kubelet_config_v1_CredentialProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CredentialProviderConfig is the configuration containing information about each exec credential provider. Kubelet reads this configuration from disk and enables each provider as specified by the CredentialProvider type.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "providers": { + SchemaProps: spec.SchemaProps{ + Description: "providers is a list of credential provider plugins that will be enabled by the kubelet. Multiple providers may match against a single image, in which case credentials from all providers will be returned to the kubelet. If multiple providers are called for a single image, the results are combined. If providers return overlapping auth keys, the value from the provider earlier in this list is used.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/kubelet/config/v1.CredentialProvider"), + }, + }, + }, + }, + }, + }, + Required: []string{"providers"}, + }, + }, + Dependencies: []string{ + "k8s.io/kubelet/config/v1.CredentialProvider"}, + } +} + +func schema_k8sio_kubelet_config_v1_ExecEnvVar(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ExecEnvVar is used for setting environment variables when executing an exec-based credential plugin.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "value": { + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name", "value"}, + }, + }, + } +} + func schema_k8sio_kubelet_config_v1alpha1_CredentialProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go index ccb8fbbafbd..8b5189769b5 100644 --- a/staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go @@ -19,11 +19,10 @@ limitations under the License. // Code generated by deepcopy-gen. DO NOT EDIT. -package v1beta1 +package v1 import ( - corev1 "k8s.io/api/core/v1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -37,7 +36,7 @@ func (in *CredentialProvider) DeepCopyInto(out *CredentialProvider) { } if in.DefaultCacheDuration != nil { in, out := &in.DefaultCacheDuration, &out.DefaultCacheDuration - *out = new(v1.Duration) + *out = new(metav1.Duration) **out = **in } if in.Args != nil { @@ -110,496 +109,3 @@ func (in *ExecEnvVar) DeepCopy() *ExecEnvVar { in.DeepCopyInto(out) return out } - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KubeletAnonymousAuthentication) DeepCopyInto(out *KubeletAnonymousAuthentication) { - *out = *in - if in.Enabled != nil { - in, out := &in.Enabled, &out.Enabled - *out = new(bool) - **out = **in - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletAnonymousAuthentication. -func (in *KubeletAnonymousAuthentication) DeepCopy() *KubeletAnonymousAuthentication { - if in == nil { - return nil - } - out := new(KubeletAnonymousAuthentication) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KubeletAuthentication) DeepCopyInto(out *KubeletAuthentication) { - *out = *in - out.X509 = in.X509 - in.Webhook.DeepCopyInto(&out.Webhook) - in.Anonymous.DeepCopyInto(&out.Anonymous) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletAuthentication. -func (in *KubeletAuthentication) DeepCopy() *KubeletAuthentication { - if in == nil { - return nil - } - out := new(KubeletAuthentication) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KubeletAuthorization) DeepCopyInto(out *KubeletAuthorization) { - *out = *in - out.Webhook = in.Webhook - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletAuthorization. -func (in *KubeletAuthorization) DeepCopy() *KubeletAuthorization { - if in == nil { - return nil - } - out := new(KubeletAuthorization) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) { - *out = *in - out.TypeMeta = in.TypeMeta - if in.EnableServer != nil { - in, out := &in.EnableServer, &out.EnableServer - *out = new(bool) - **out = **in - } - out.SyncFrequency = in.SyncFrequency - out.FileCheckFrequency = in.FileCheckFrequency - out.HTTPCheckFrequency = in.HTTPCheckFrequency - if in.StaticPodURLHeader != nil { - in, out := &in.StaticPodURLHeader, &out.StaticPodURLHeader - *out = make(map[string][]string, len(*in)) - for key, val := range *in { - var outVal []string - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = make([]string, len(*in)) - copy(*out, *in) - } - (*out)[key] = outVal - } - } - if in.TLSCipherSuites != nil { - in, out := &in.TLSCipherSuites, &out.TLSCipherSuites - *out = make([]string, len(*in)) - copy(*out, *in) - } - in.Authentication.DeepCopyInto(&out.Authentication) - out.Authorization = in.Authorization - if in.RegistryPullQPS != nil { - in, out := &in.RegistryPullQPS, &out.RegistryPullQPS - *out = new(int32) - **out = **in - } - if in.EventRecordQPS != nil { - in, out := &in.EventRecordQPS, &out.EventRecordQPS - *out = new(int32) - **out = **in - } - if in.EnableDebuggingHandlers != nil { - in, out := &in.EnableDebuggingHandlers, &out.EnableDebuggingHandlers - *out = new(bool) - **out = **in - } - if in.HealthzPort != nil { - in, out := &in.HealthzPort, &out.HealthzPort - *out = new(int32) - **out = **in - } - if in.OOMScoreAdj != nil { - in, out := &in.OOMScoreAdj, &out.OOMScoreAdj - *out = new(int32) - **out = **in - } - if in.ClusterDNS != nil { - in, out := &in.ClusterDNS, &out.ClusterDNS - *out = make([]string, len(*in)) - copy(*out, *in) - } - out.StreamingConnectionIdleTimeout = in.StreamingConnectionIdleTimeout - out.NodeStatusUpdateFrequency = in.NodeStatusUpdateFrequency - out.NodeStatusReportFrequency = in.NodeStatusReportFrequency - out.ImageMinimumGCAge = in.ImageMinimumGCAge - if in.ImageGCHighThresholdPercent != nil { - in, out := &in.ImageGCHighThresholdPercent, &out.ImageGCHighThresholdPercent - *out = new(int32) - **out = **in - } - if in.ImageGCLowThresholdPercent != nil { - in, out := &in.ImageGCLowThresholdPercent, &out.ImageGCLowThresholdPercent - *out = new(int32) - **out = **in - } - out.VolumeStatsAggPeriod = in.VolumeStatsAggPeriod - if in.CgroupsPerQOS != nil { - in, out := &in.CgroupsPerQOS, &out.CgroupsPerQOS - *out = new(bool) - **out = **in - } - if in.CPUManagerPolicyOptions != nil { - in, out := &in.CPUManagerPolicyOptions, &out.CPUManagerPolicyOptions - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - out.CPUManagerReconcilePeriod = in.CPUManagerReconcilePeriod - if in.QOSReserved != nil { - in, out := &in.QOSReserved, &out.QOSReserved - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - out.RuntimeRequestTimeout = in.RuntimeRequestTimeout - if in.PodPidsLimit != nil { - in, out := &in.PodPidsLimit, &out.PodPidsLimit - *out = new(int64) - **out = **in - } - if in.ResolverConfig != nil { - in, out := &in.ResolverConfig, &out.ResolverConfig - *out = new(string) - **out = **in - } - if in.CPUCFSQuota != nil { - in, out := &in.CPUCFSQuota, &out.CPUCFSQuota - *out = new(bool) - **out = **in - } - if in.CPUCFSQuotaPeriod != nil { - in, out := &in.CPUCFSQuotaPeriod, &out.CPUCFSQuotaPeriod - *out = new(v1.Duration) - **out = **in - } - if in.NodeStatusMaxImages != nil { - in, out := &in.NodeStatusMaxImages, &out.NodeStatusMaxImages - *out = new(int32) - **out = **in - } - if in.KubeAPIQPS != nil { - in, out := &in.KubeAPIQPS, &out.KubeAPIQPS - *out = new(int32) - **out = **in - } - if in.SerializeImagePulls != nil { - in, out := &in.SerializeImagePulls, &out.SerializeImagePulls - *out = new(bool) - **out = **in - } - if in.EvictionHard != nil { - in, out := &in.EvictionHard, &out.EvictionHard - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.EvictionSoft != nil { - in, out := &in.EvictionSoft, &out.EvictionSoft - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.EvictionSoftGracePeriod != nil { - in, out := &in.EvictionSoftGracePeriod, &out.EvictionSoftGracePeriod - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - out.EvictionPressureTransitionPeriod = in.EvictionPressureTransitionPeriod - if in.EvictionMinimumReclaim != nil { - in, out := &in.EvictionMinimumReclaim, &out.EvictionMinimumReclaim - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.EnableControllerAttachDetach != nil { - in, out := &in.EnableControllerAttachDetach, &out.EnableControllerAttachDetach - *out = new(bool) - **out = **in - } - if in.MakeIPTablesUtilChains != nil { - in, out := &in.MakeIPTablesUtilChains, &out.MakeIPTablesUtilChains - *out = new(bool) - **out = **in - } - if in.IPTablesMasqueradeBit != nil { - in, out := &in.IPTablesMasqueradeBit, &out.IPTablesMasqueradeBit - *out = new(int32) - **out = **in - } - if in.IPTablesDropBit != nil { - in, out := &in.IPTablesDropBit, &out.IPTablesDropBit - *out = new(int32) - **out = **in - } - if in.FeatureGates != nil { - in, out := &in.FeatureGates, &out.FeatureGates - *out = make(map[string]bool, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.FailSwapOn != nil { - in, out := &in.FailSwapOn, &out.FailSwapOn - *out = new(bool) - **out = **in - } - out.MemorySwap = in.MemorySwap - if in.ContainerLogMaxFiles != nil { - in, out := &in.ContainerLogMaxFiles, &out.ContainerLogMaxFiles - *out = new(int32) - **out = **in - } - if in.SystemReserved != nil { - in, out := &in.SystemReserved, &out.SystemReserved - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.KubeReserved != nil { - in, out := &in.KubeReserved, &out.KubeReserved - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.EnforceNodeAllocatable != nil { - in, out := &in.EnforceNodeAllocatable, &out.EnforceNodeAllocatable - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowedUnsafeSysctls != nil { - in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls - *out = make([]string, len(*in)) - copy(*out, *in) - } - in.Logging.DeepCopyInto(&out.Logging) - if in.EnableSystemLogHandler != nil { - in, out := &in.EnableSystemLogHandler, &out.EnableSystemLogHandler - *out = new(bool) - **out = **in - } - out.ShutdownGracePeriod = in.ShutdownGracePeriod - out.ShutdownGracePeriodCriticalPods = in.ShutdownGracePeriodCriticalPods - if in.ShutdownGracePeriodByPodPriority != nil { - in, out := &in.ShutdownGracePeriodByPodPriority, &out.ShutdownGracePeriodByPodPriority - *out = make([]ShutdownGracePeriodByPodPriority, len(*in)) - copy(*out, *in) - } - if in.ReservedMemory != nil { - in, out := &in.ReservedMemory, &out.ReservedMemory - *out = make([]MemoryReservation, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.EnableProfilingHandler != nil { - in, out := &in.EnableProfilingHandler, &out.EnableProfilingHandler - *out = new(bool) - **out = **in - } - if in.EnableDebugFlagsHandler != nil { - in, out := &in.EnableDebugFlagsHandler, &out.EnableDebugFlagsHandler - *out = new(bool) - **out = **in - } - if in.SeccompDefault != nil { - in, out := &in.SeccompDefault, &out.SeccompDefault - *out = new(bool) - **out = **in - } - if in.MemoryThrottlingFactor != nil { - in, out := &in.MemoryThrottlingFactor, &out.MemoryThrottlingFactor - *out = new(float64) - **out = **in - } - if in.RegisterWithTaints != nil { - in, out := &in.RegisterWithTaints, &out.RegisterWithTaints - *out = make([]corev1.Taint, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.RegisterNode != nil { - in, out := &in.RegisterNode, &out.RegisterNode - *out = new(bool) - **out = **in - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletConfiguration. -func (in *KubeletConfiguration) DeepCopy() *KubeletConfiguration { - if in == nil { - return nil - } - out := new(KubeletConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *KubeletConfiguration) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KubeletWebhookAuthentication) DeepCopyInto(out *KubeletWebhookAuthentication) { - *out = *in - if in.Enabled != nil { - in, out := &in.Enabled, &out.Enabled - *out = new(bool) - **out = **in - } - out.CacheTTL = in.CacheTTL - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletWebhookAuthentication. -func (in *KubeletWebhookAuthentication) DeepCopy() *KubeletWebhookAuthentication { - if in == nil { - return nil - } - out := new(KubeletWebhookAuthentication) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KubeletWebhookAuthorization) DeepCopyInto(out *KubeletWebhookAuthorization) { - *out = *in - out.CacheAuthorizedTTL = in.CacheAuthorizedTTL - out.CacheUnauthorizedTTL = in.CacheUnauthorizedTTL - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletWebhookAuthorization. -func (in *KubeletWebhookAuthorization) DeepCopy() *KubeletWebhookAuthorization { - if in == nil { - return nil - } - out := new(KubeletWebhookAuthorization) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KubeletX509Authentication) DeepCopyInto(out *KubeletX509Authentication) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletX509Authentication. -func (in *KubeletX509Authentication) DeepCopy() *KubeletX509Authentication { - if in == nil { - return nil - } - out := new(KubeletX509Authentication) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MemoryReservation) DeepCopyInto(out *MemoryReservation) { - *out = *in - if in.Limits != nil { - in, out := &in.Limits, &out.Limits - *out = make(corev1.ResourceList, len(*in)) - for key, val := range *in { - (*out)[key] = val.DeepCopy() - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemoryReservation. -func (in *MemoryReservation) DeepCopy() *MemoryReservation { - if in == nil { - return nil - } - out := new(MemoryReservation) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MemorySwapConfiguration) DeepCopyInto(out *MemorySwapConfiguration) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemorySwapConfiguration. -func (in *MemorySwapConfiguration) DeepCopy() *MemorySwapConfiguration { - if in == nil { - return nil - } - out := new(MemorySwapConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SerializedNodeConfigSource) DeepCopyInto(out *SerializedNodeConfigSource) { - *out = *in - out.TypeMeta = in.TypeMeta - in.Source.DeepCopyInto(&out.Source) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SerializedNodeConfigSource. -func (in *SerializedNodeConfigSource) DeepCopy() *SerializedNodeConfigSource { - if in == nil { - return nil - } - out := new(SerializedNodeConfigSource) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SerializedNodeConfigSource) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ShutdownGracePeriodByPodPriority) DeepCopyInto(out *ShutdownGracePeriodByPodPriority) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ShutdownGracePeriodByPodPriority. -func (in *ShutdownGracePeriodByPodPriority) DeepCopy() *ShutdownGracePeriodByPodPriority { - if in == nil { - return nil - } - out := new(ShutdownGracePeriodByPodPriority) - in.DeepCopyInto(out) - return out -} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go index 1991aab6dde..97922e9763c 100644 --- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go @@ -19,12 +19,12 @@ limitations under the License. // Code generated by conversion-gen. DO NOT EDIT. -package v1beta1 +package v1 import ( unsafe "unsafe" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" credentialprovider "k8s.io/kubelet/pkg/apis/credentialprovider" @@ -38,100 +38,100 @@ func init() { // Public to allow building arbitrary schemes. func RegisterConversions(s *runtime.Scheme) error { if err := s.AddGeneratedConversionFunc((*AuthConfig)(nil), (*credentialprovider.AuthConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(a.(*AuthConfig), b.(*credentialprovider.AuthConfig), scope) + return Convert_v1_AuthConfig_To_credentialprovider_AuthConfig(a.(*AuthConfig), b.(*credentialprovider.AuthConfig), scope) }); err != nil { return err } if err := s.AddGeneratedConversionFunc((*credentialprovider.AuthConfig)(nil), (*AuthConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(a.(*credentialprovider.AuthConfig), b.(*AuthConfig), scope) + return Convert_credentialprovider_AuthConfig_To_v1_AuthConfig(a.(*credentialprovider.AuthConfig), b.(*AuthConfig), scope) }); err != nil { return err } if err := s.AddGeneratedConversionFunc((*CredentialProviderRequest)(nil), (*credentialprovider.CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(a.(*CredentialProviderRequest), b.(*credentialprovider.CredentialProviderRequest), scope) + return Convert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(a.(*CredentialProviderRequest), b.(*credentialprovider.CredentialProviderRequest), scope) }); err != nil { return err } if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope) + return Convert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope) }); err != nil { return err } if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope) + return Convert_v1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope) }); err != nil { return err } if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderResponse)(nil), (*CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(a.(*credentialprovider.CredentialProviderResponse), b.(*CredentialProviderResponse), scope) + return Convert_credentialprovider_CredentialProviderResponse_To_v1_CredentialProviderResponse(a.(*credentialprovider.CredentialProviderResponse), b.(*CredentialProviderResponse), scope) }); err != nil { return err } return nil } -func autoConvert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(in *AuthConfig, out *credentialprovider.AuthConfig, s conversion.Scope) error { +func autoConvert_v1_AuthConfig_To_credentialprovider_AuthConfig(in *AuthConfig, out *credentialprovider.AuthConfig, s conversion.Scope) error { out.Username = in.Username out.Password = in.Password return nil } -// Convert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig is an autogenerated conversion function. -func Convert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(in *AuthConfig, out *credentialprovider.AuthConfig, s conversion.Scope) error { - return autoConvert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(in, out, s) +// Convert_v1_AuthConfig_To_credentialprovider_AuthConfig is an autogenerated conversion function. +func Convert_v1_AuthConfig_To_credentialprovider_AuthConfig(in *AuthConfig, out *credentialprovider.AuthConfig, s conversion.Scope) error { + return autoConvert_v1_AuthConfig_To_credentialprovider_AuthConfig(in, out, s) } -func autoConvert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(in *credentialprovider.AuthConfig, out *AuthConfig, s conversion.Scope) error { +func autoConvert_credentialprovider_AuthConfig_To_v1_AuthConfig(in *credentialprovider.AuthConfig, out *AuthConfig, s conversion.Scope) error { out.Username = in.Username out.Password = in.Password return nil } -// Convert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig is an autogenerated conversion function. -func Convert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(in *credentialprovider.AuthConfig, out *AuthConfig, s conversion.Scope) error { - return autoConvert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(in, out, s) +// Convert_credentialprovider_AuthConfig_To_v1_AuthConfig is an autogenerated conversion function. +func Convert_credentialprovider_AuthConfig_To_v1_AuthConfig(in *credentialprovider.AuthConfig, out *AuthConfig, s conversion.Scope) error { + return autoConvert_credentialprovider_AuthConfig_To_v1_AuthConfig(in, out, s) } -func autoConvert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error { +func autoConvert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error { out.Image = in.Image return nil } -// Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest is an autogenerated conversion function. -func Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error { - return autoConvert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in, out, s) +// Convert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest is an autogenerated conversion function. +func Convert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error { + return autoConvert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in, out, s) } -func autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error { +func autoConvert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error { out.Image = in.Image return nil } -// Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest is an autogenerated conversion function. -func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error { - return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s) +// Convert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest is an autogenerated conversion function. +func Convert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error { + return autoConvert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in, out, s) } -func autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error { +func autoConvert_v1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error { out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType) - out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration)) + out.CacheDuration = (*metav1.Duration)(unsafe.Pointer(in.CacheDuration)) out.Auth = *(*map[string]credentialprovider.AuthConfig)(unsafe.Pointer(&in.Auth)) return nil } -// Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse is an autogenerated conversion function. -func Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error { - return autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in, out, s) +// Convert_v1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse is an autogenerated conversion function. +func Convert_v1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error { + return autoConvert_v1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in, out, s) } -func autoConvert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(in *credentialprovider.CredentialProviderResponse, out *CredentialProviderResponse, s conversion.Scope) error { +func autoConvert_credentialprovider_CredentialProviderResponse_To_v1_CredentialProviderResponse(in *credentialprovider.CredentialProviderResponse, out *CredentialProviderResponse, s conversion.Scope) error { out.CacheKeyType = PluginCacheKeyType(in.CacheKeyType) - out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration)) + out.CacheDuration = (*metav1.Duration)(unsafe.Pointer(in.CacheDuration)) out.Auth = *(*map[string]AuthConfig)(unsafe.Pointer(&in.Auth)) return nil } -// Convert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse is an autogenerated conversion function. -func Convert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(in *credentialprovider.CredentialProviderResponse, out *CredentialProviderResponse, s conversion.Scope) error { - return autoConvert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(in, out, s) +// Convert_credentialprovider_CredentialProviderResponse_To_v1_CredentialProviderResponse is an autogenerated conversion function. +func Convert_credentialprovider_CredentialProviderResponse_To_v1_CredentialProviderResponse(in *credentialprovider.CredentialProviderResponse, out *CredentialProviderResponse, s conversion.Scope) error { + return autoConvert_credentialprovider_CredentialProviderResponse_To_v1_CredentialProviderResponse(in, out, s) } diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go index ca2143c77fc..aa12d576747 100644 --- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go @@ -19,10 +19,10 @@ limitations under the License. // Code generated by deepcopy-gen. DO NOT EDIT. -package v1beta1 +package v1 import ( - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -73,7 +73,7 @@ func (in *CredentialProviderResponse) DeepCopyInto(out *CredentialProviderRespon out.TypeMeta = in.TypeMeta if in.CacheDuration != nil { in, out := &in.CacheDuration, &out.CacheDuration - *out = new(v1.Duration) + *out = new(metav1.Duration) **out = **in } if in.Auth != nil { diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go index 198b5be4af5..dac177e93bd 100644 --- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go @@ -19,7 +19,7 @@ limitations under the License. // Code generated by defaulter-gen. DO NOT EDIT. -package v1beta1 +package v1 import ( runtime "k8s.io/apimachinery/pkg/runtime" diff --git a/vendor/modules.txt b/vendor/modules.txt index 8d01b25656d..8d3952cb9b8 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -2314,9 +2314,9 @@ k8s.io/kubelet/config/v1beta1 k8s.io/kubelet/pkg/apis k8s.io/kubelet/pkg/apis/credentialprovider k8s.io/kubelet/pkg/apis/credentialprovider/install +k8s.io/kubelet/pkg/apis/credentialprovider/v1 k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1 k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1 -k8s.io/kubelet/pkg/apis/credentialprovider/v1 k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1 k8s.io/kubelet/pkg/apis/pluginregistration/v1 k8s.io/kubelet/pkg/apis/podresources/v1 From 52a9c1d5599e733a4393fa2552387ea46e9c4bae Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Thu, 8 Sep 2022 06:18:15 +0000 Subject: [PATCH 05/13] Fixing the year of creation of the new files --- staging/src/k8s.io/kubelet/config/v1/doc.go | 2 +- staging/src/k8s.io/kubelet/config/v1/register.go | 2 +- staging/src/k8s.io/kubelet/config/v1/register_test.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/staging/src/k8s.io/kubelet/config/v1/doc.go b/staging/src/k8s.io/kubelet/config/v1/doc.go index 27df1a2441a..b411f7151b7 100644 --- a/staging/src/k8s.io/kubelet/config/v1/doc.go +++ b/staging/src/k8s.io/kubelet/config/v1/doc.go @@ -1,5 +1,5 @@ /* -Copyright 2018 The Kubernetes Authors. +Copyright 2022 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/staging/src/k8s.io/kubelet/config/v1/register.go b/staging/src/k8s.io/kubelet/config/v1/register.go index 5d7a8e8a21f..effb5b38171 100644 --- a/staging/src/k8s.io/kubelet/config/v1/register.go +++ b/staging/src/k8s.io/kubelet/config/v1/register.go @@ -1,5 +1,5 @@ /* -Copyright 2018 The Kubernetes Authors. +Copyright 2022 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/staging/src/k8s.io/kubelet/config/v1/register_test.go b/staging/src/k8s.io/kubelet/config/v1/register_test.go index 188b62a259d..cadf2cf2bab 100644 --- a/staging/src/k8s.io/kubelet/config/v1/register_test.go +++ b/staging/src/k8s.io/kubelet/config/v1/register_test.go @@ -1,5 +1,5 @@ /* -Copyright 2020 The Kubernetes Authors. +Copyright 2022 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From 9c3cb6e66dccf04ba231f34b7ac9bad0c6e5b874 Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Fri, 9 Sep 2022 18:23:41 +0000 Subject: [PATCH 06/13] Fixing boilerplate header --- pkg/kubelet/apis/config/v1/doc.go | 3 +++ pkg/kubelet/apis/config/v1/register.go | 3 +++ 2 files changed, 6 insertions(+) diff --git a/pkg/kubelet/apis/config/v1/doc.go b/pkg/kubelet/apis/config/v1/doc.go index f4a6f4a6d4f..713be2de60a 100644 --- a/pkg/kubelet/apis/config/v1/doc.go +++ b/pkg/kubelet/apis/config/v1/doc.go @@ -1,9 +1,12 @@ /* Copyright 2022 The Kubernetes Authors. + Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. diff --git a/pkg/kubelet/apis/config/v1/register.go b/pkg/kubelet/apis/config/v1/register.go index ec933333914..efd8f35fa95 100644 --- a/pkg/kubelet/apis/config/v1/register.go +++ b/pkg/kubelet/apis/config/v1/register.go @@ -1,9 +1,12 @@ /* Copyright 2022 The Kubernetes Authors. + Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. From 6b4281d1671052c6d8ca29d679849b9740a0c385 Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Fri, 9 Sep 2022 18:48:58 +0000 Subject: [PATCH 07/13] Moving verifyComponentConfigKindExists to verify internal package to support sparse external package versions --- .../k8s.io/component-base/config/testing/apigroup.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/staging/src/k8s.io/component-base/config/testing/apigroup.go b/staging/src/k8s.io/component-base/config/testing/apigroup.go index 2759f6524da..ead01ad2bc6 100644 --- a/staging/src/k8s.io/component-base/config/testing/apigroup.go +++ b/staging/src/k8s.io/component-base/config/testing/apigroup.go @@ -56,11 +56,10 @@ const ( ) var testingFuncs = map[string]testingFunc{ - verifyTagNaming: verifyTagNamingFunc, - verifyGroupNameSuffix: verifyGroupNameSuffixFunc, - verifyGroupNameMatch: verifyGroupNameMatchFunc, - verifyCorrectGroupName: verifyCorrectGroupNameFunc, - verifyComponentConfigKindExists: verifyComponentConfigKindExistsFunc, + verifyTagNaming: verifyTagNamingFunc, + verifyGroupNameSuffix: verifyGroupNameSuffixFunc, + verifyGroupNameMatch: verifyGroupNameMatchFunc, + verifyCorrectGroupName: verifyCorrectGroupNameFunc, } // VerifyExternalTypePackage tests if external component config package is defined correctly @@ -94,7 +93,8 @@ func VerifyInternalTypePackage(pkginfo *ComponentConfigPackage) error { return fmt.Errorf("test setup error: %v", err) } extraFns := map[string]testingFunc{ - verifyInternalAPIVersion: verifyInternalAPIVersionFunc, + verifyInternalAPIVersion: verifyInternalAPIVersionFunc, + verifyComponentConfigKindExists: verifyComponentConfigKindExistsFunc, } return runFuncs(scheme, pkginfo, extraFns) } From d3955624b8fcca6b58122ac030de2d320437babe Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Fri, 16 Sep 2022 18:53:10 +0000 Subject: [PATCH 08/13] Changing the targeted version of K8s to 1.26 for the feature --- pkg/features/kube_features.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index e375e9c820b..8a14f2b1b2a 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -485,7 +485,7 @@ const ( // owner: @andrewsykim @adisky // alpha: v1.20 // beta: v1.24 - // ga: v1.25 + // ga: v1.26 // // Enable kubelet exec plugins for image pull credentials. KubeletCredentialProviders featuregate.Feature = "KubeletCredentialProviders" From ff1f5255117d7792484a2de760f87b07627b22c7 Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Thu, 29 Sep 2022 16:42:48 +0000 Subject: [PATCH 09/13] Setting LockToDefault as true for KubeletCredentialProviders feature, and removing conditions that check if the feature is enabled since now the feature is enabled by default --- pkg/features/kube_features.go | 2 +- pkg/kubelet/kuberuntime/kuberuntime_manager.go | 9 +-------- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index 8a14f2b1b2a..aba976cb8fa 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -1020,7 +1020,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS JobTrackingWithFinalizers: {Default: true, PreRelease: featuregate.Beta}, - KubeletCredentialProviders: {Default: true, PreRelease: featuregate.GA}, + KubeletCredentialProviders: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28 KubeletInUserNamespace: {Default: false, PreRelease: featuregate.Alpha}, diff --git a/pkg/kubelet/kuberuntime/kuberuntime_manager.go b/pkg/kubelet/kuberuntime/kuberuntime_manager.go index 89eaf8b4fcd..634c1bdcd0e 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_manager.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_manager.go @@ -32,7 +32,6 @@ import ( kubetypes "k8s.io/apimachinery/pkg/types" utilruntime "k8s.io/apimachinery/pkg/util/runtime" utilversion "k8s.io/apimachinery/pkg/util/version" - utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/client-go/tools/record" ref "k8s.io/client-go/tools/reference" "k8s.io/client-go/util/flowcontrol" @@ -42,7 +41,6 @@ import ( "k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/credentialprovider" "k8s.io/kubernetes/pkg/credentialprovider/plugin" - "k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/kubelet/cm" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" "k8s.io/kubernetes/pkg/kubelet/events" @@ -251,12 +249,7 @@ func NewKubeGenericRuntimeManager( } } - if !utilfeature.DefaultFeatureGate.Enabled(features.KubeletCredentialProviders) && (imageCredentialProviderConfigFile != "" || imageCredentialProviderBinDir != "") { - klog.InfoS("Flags --image-credential-provider-config or --image-credential-provider-bin-dir were set but the feature gate was disabled, these flags will be ignored", - "featureGate", features.KubeletCredentialProviders) - } - - if utilfeature.DefaultFeatureGate.Enabled(features.KubeletCredentialProviders) && (imageCredentialProviderConfigFile != "" || imageCredentialProviderBinDir != "") { + if imageCredentialProviderConfigFile != "" || imageCredentialProviderBinDir != "" { if err := plugin.RegisterCredentialProviderPlugins(imageCredentialProviderConfigFile, imageCredentialProviderBinDir); err != nil { klog.ErrorS(err, "Failed to register CRI auth plugins") os.Exit(1) From 1ac4fc779b7c846e2cf34e6cdd4dc644269a5a19 Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Fri, 30 Sep 2022 20:51:39 +0000 Subject: [PATCH 10/13] Update kubelet credential provider tests to use new v1 APIs --- test/e2e_node/remote/utils.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e_node/remote/utils.go b/test/e2e_node/remote/utils.go index 657ff8089a6..5cb5fc38ceb 100644 --- a/test/e2e_node/remote/utils.go +++ b/test/e2e_node/remote/utils.go @@ -49,10 +49,10 @@ const cniConfig = `{ ` const credentialProviderConfig = `kind: CredentialProviderConfig -apiVersion: kubelet.config.k8s.io/v1beta1 +apiVersion: kubelet.config.k8s.io/v1 providers: - name: gcp-credential-provider - apiVersion: credentialprovider.kubelet.k8s.io/v1beta1 + apiVersion: credentialprovider.kubelet.k8s.io/v1 matchImages: - "gcr.io" - "*.gcr.io" From a016b06bbdb02d00c036912e12ee24b7c8efb770 Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Fri, 30 Sep 2022 20:55:24 +0000 Subject: [PATCH 11/13] Update test plugin to use v1 kubelet APIs --- test/e2e_node/plugins/gcp-credential-provider/main.go | 10 +++++----- .../plugins/gcp-credential-provider/provider.go | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/test/e2e_node/plugins/gcp-credential-provider/main.go b/test/e2e_node/plugins/gcp-credential-provider/main.go index 543057d1e08..2f570e8681d 100644 --- a/test/e2e_node/plugins/gcp-credential-provider/main.go +++ b/test/e2e_node/plugins/gcp-credential-provider/main.go @@ -27,7 +27,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/klog/v2" - credentialproviderv1beta1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1" + credentialproviderv1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1" ) const metadataTokenEndpoint = "http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default/token" @@ -51,7 +51,7 @@ func getCredentials(tokenEndpoint string, r io.Reader, w io.Writer) error { return err } - var authRequest credentialproviderv1beta1.CredentialProviderRequest + var authRequest credentialproviderv1.CredentialProviderRequest err = json.Unmarshal(data, &authRequest) if err != nil { return err @@ -62,12 +62,12 @@ func getCredentials(tokenEndpoint string, r io.Reader, w io.Writer) error { return err } - response := &credentialproviderv1beta1.CredentialProviderResponse{ + response := &credentialproviderv1.CredentialProviderResponse{ TypeMeta: metav1.TypeMeta{ Kind: "CredentialProviderResponse", - APIVersion: "credentialprovider.kubelet.k8s.io/v1beta1", + APIVersion: "credentialprovider.kubelet.k8s.io/v1", }, - CacheKeyType: credentialproviderv1beta1.RegistryPluginCacheKeyType, + CacheKeyType: credentialproviderv1.RegistryPluginCacheKeyType, Auth: auth, } diff --git a/test/e2e_node/plugins/gcp-credential-provider/provider.go b/test/e2e_node/plugins/gcp-credential-provider/provider.go index 59ff39febc2..3bbe9a04312 100644 --- a/test/e2e_node/plugins/gcp-credential-provider/provider.go +++ b/test/e2e_node/plugins/gcp-credential-provider/provider.go @@ -25,7 +25,7 @@ import ( "io/ioutil" "net/http" - credentialproviderv1beta1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1" + credentialproviderv1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1" ) const ( @@ -59,8 +59,8 @@ type provider struct { tokenEndpoint string } -func (p *provider) Provide(image string) (map[string]credentialproviderv1beta1.AuthConfig, error) { - cfg := map[string]credentialproviderv1beta1.AuthConfig{} +func (p *provider) Provide(image string) (map[string]credentialproviderv1.AuthConfig, error) { + cfg := map[string]credentialproviderv1.AuthConfig{} tokenJSONBlob, err := readURL(p.tokenEndpoint, p.client) if err != nil { @@ -72,7 +72,7 @@ func (p *provider) Provide(image string) (map[string]credentialproviderv1beta1.A return cfg, err } - authConfig := credentialproviderv1beta1.AuthConfig{ + authConfig := credentialproviderv1.AuthConfig{ Username: "_token", Password: parsedBlob.AccessToken, } From d6ab1da1b57d3dcb740482abd70385aee6946181 Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Fri, 30 Sep 2022 20:56:50 +0000 Subject: [PATCH 12/13] Update test to validate against v1 kubelet APIs --- test/e2e_node/plugins/gcp-credential-provider/main_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e_node/plugins/gcp-credential-provider/main_test.go b/test/e2e_node/plugins/gcp-credential-provider/main_test.go index 684e92450fa..09966c76754 100644 --- a/test/e2e_node/plugins/gcp-credential-provider/main_test.go +++ b/test/e2e_node/plugins/gcp-credential-provider/main_test.go @@ -36,7 +36,7 @@ func Test_getCredentials(t *testing.T) { server := httptest.NewServer(&fakeTokenServer{token: "abc123"}) defer server.Close() - in := bytes.NewBuffer([]byte(`{"kind":"CredentialProviderRequest","apiVersion":"credentialprovider.kubelet.k8s.io/v1beta1","image":"gcr.io/foobar"}`)) + in := bytes.NewBuffer([]byte(`{"kind":"CredentialProviderRequest","apiVersion":"credentialprovider.kubelet.k8s.io/v1","image":"gcr.io/foobar"}`)) out := bytes.NewBuffer(nil) err := getCredentials(server.URL, in, out) @@ -44,7 +44,7 @@ func Test_getCredentials(t *testing.T) { t.Fatalf("unexpected error running getCredentials: %v", err) } - expected := `{"kind":"CredentialProviderResponse","apiVersion":"credentialprovider.kubelet.k8s.io/v1beta1","cacheKeyType":"Registry","auth":{"*.gcr.io":{"username":"_token","password":"abc123"},"*.pkg.dev":{"username":"_token","password":"abc123"},"container.cloud.google.com":{"username":"_token","password":"abc123"},"gcr.io":{"username":"_token","password":"abc123"}}} + expected := `{"kind":"CredentialProviderResponse","apiVersion":"credentialprovider.kubelet.k8s.io/v1","cacheKeyType":"Registry","auth":{"*.gcr.io":{"username":"_token","password":"abc123"},"*.pkg.dev":{"username":"_token","password":"abc123"},"container.cloud.google.com":{"username":"_token","password":"abc123"},"gcr.io":{"username":"_token","password":"abc123"}}} ` if out.String() != expected { From 20fa9635d6c8ef7971dec83656ce48604fdb72c9 Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Wed, 12 Oct 2022 17:12:17 +0000 Subject: [PATCH 13/13] Adding ndixita@ to KubeletCredentialProviders feature owner, and capitalizing GA --- pkg/features/kube_features.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index aba976cb8fa..f92345a4d13 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -482,10 +482,10 @@ const ( // yet. JobTrackingWithFinalizers featuregate.Feature = "JobTrackingWithFinalizers" - // owner: @andrewsykim @adisky + // owner: @andrewsykim @adisky @ndixita // alpha: v1.20 // beta: v1.24 - // ga: v1.26 + // GA: v1.26 // // Enable kubelet exec plugins for image pull credentials. KubeletCredentialProviders featuregate.Feature = "KubeletCredentialProviders"