Commit Graph

654 Commits

Author SHA1 Message Date
Monis Khan
735bbc135c
Clean up formatting
Signed-off-by: Monis Khan <mok@microsoft.com>
2023-03-30 16:38:15 -04:00
Taahir Ahmed
6a75e7c40c ClusterTrustBundles: Define types
This commit is the main API piece of KEP-3257 (ClusterTrustBundles).

This commit:

* Adds the certificates.k8s.io/v1alpha1 API group
* Adds the ClusterTrustBundle type.
* Registers the new type in kube-apiserver.
* Implements the type-specfic validation specified for
  ClusterTrustBundles:
  - spec.pemTrustAnchors must always be non-empty.
  - spec.signerName must be either empty or a valid signer name.
  - Changing spec.signerName is disallowed.
* Implements the "attest" admission check to restrict actions on
  ClusterTrustBundles that include a signer name.

Because it wasn't specified in the KEP, I chose to make attempts to
update the signer name be validation errors, rather than silently
ignored.

I have tested this out by launching these changes in kind and
manipulating ClusterTrustBundle objects in the resulting cluster using
kubectl.
2023-03-15 20:10:18 -07:00
Patrick Ohly
fec5233668 api: resource.k8s.io PodScheduling -> PodSchedulingContext
The name "PodScheduling" was unusual because in contrast to most other names,
it was impossible to put an article in front of it. Now PodSchedulingContext is
used instead.
2023-03-14 10:18:08 +01:00
Matthew Cary
1d6df8233c Graduate StatefulSetAutoDelete to beta
Change-Id: Iee385580d313c69fbb8a893eb5c165aa0b75725d
2023-03-13 17:09:29 -07:00
Maksim Nabokikh
c1431af4f8
KEP-3325: Promote SelfSubjectReview to Beta (#116274)
* Promote SelfSubjectReview to Beta

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

* Fix whoami API

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

* Fixes according to code review

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

---------

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2023-03-08 15:42:33 -08:00
SataQiu
b9e5f5ad2f using const systemNodeRoleName instead of string system:node 2023-02-13 14:22:28 +08:00
SataQiu
bc4a13bd74 remove heapster rule from system:controller:horizontal-pod-autoscaler clusterrole 2023-01-04 16:28:42 +08:00
Jordan Liggitt
78cb3862f1
Fix indentation/spacing in comments to render correctly in godoc 2022-12-17 23:27:38 -05:00
Daniel Smith
8100efc7b3 Enable propagration of HasSynced
* Add tracker types and tests
* Modify ResourceEventHandler interface's OnAdd member
* Add additional ResourceEventHandlerDetailedFuncs struct
* Fix SharedInformer to let users track HasSynced for their handlers
* Fix in-tree controllers which weren't computing HasSynced correctly
* Deprecate the cache.Pop function
2022-12-14 18:43:33 +00:00
Kubernetes Prow Robot
6edb35d63e
Merge pull request #114116 from jsafrane/fix-pvc-autodelete
Fix OwnerReferencesPermissionEnforcement complaints when autodeleting PVCs
2022-12-10 06:04:40 -08:00
Kubernetes Prow Robot
8814b99bfa
Merge pull request #111576 from inosato/remove-ioutil-from-auth-plugin
Remove ioutil from auth plugin
2022-12-09 15:42:07 -08:00
Kubernetes Prow Robot
da8a78ebd2
Merge pull request #113267 from hoskeri/cleanup-kubelet-admin-role
Remove unused RBAC rule from system:kubelet-api-admin
2022-12-09 14:33:33 -08:00
Jan Safranek
ebc5b208ae Fix OwnerReferencesPermissionEnforcement complaints when autodeleting PVCs
When StatefulSetAutoDeletePVC feature gate is enabled, StatefulSet
controller updates ownerReferences on managed PVCs. To be able to pass
OwnerReferencesPermissionEnforcement admission, it must have permissions to
delete PVCs.
2022-11-24 14:46:45 +01:00
Ed Bartosh
ae0f38437c kubelet: add support for dynamic resource allocation
Dependencies need to be updated to use
github.com/container-orchestrated-devices/container-device-interface.

It's not decided yet whether we will implement Topology support
for DRA or not. Not having any toppology-related code
will help to avoid wrong impression that DRA is used as a hint
provider for the Topology Manager.
2022-11-11 21:58:03 +01:00
Patrick Ohly
d2ff210c20 scheduler: add dynamic resource allocation plugin
The plugin handles the interaction with ResourceClaims that are referenced by a
Pod.
2022-11-11 21:58:03 +01:00
Patrick Ohly
0133df3929 kube-controller-manager: add ResourceClaim controller
The controller uses the exact same logic as the generic ephemeral inline volume
controller, just for inline ResourceClaimTemplate -> ResourceClaim.

In addition, it supports removal of pods from the ReservedFor field when those
pods are known to not need the claim anymore. At the moment, only this special
case is supported. Removal of arbitrary objects would imply granting full read
access to all types to determine whether a) an object is gone and b) if the
current incarnation is the one which is listed in ReservedFor. This may get
added later.
2022-11-10 20:23:50 +01:00
Michal Wozniak
ac4da3f437 Add the "patch" permission to the "pods/status" unconditionally 2022-11-09 11:56:27 +01:00
Michal Wozniak
c803892bd8 Enable the feature into beta 2022-11-09 09:02:40 +01:00
Michal Wozniak
6f54848fa0 Fix disruption controller permissions to allow patching pod's status 2022-11-03 10:19:22 +01:00
Abhijit Hoskeri
9f2ac979ae Remove unused RBAC rule from system:kubelet-api-admin
cd54bd94e9 removes the
handlers for /spec from the kubelet server.

Cleanup the RBAC rules as well.

Change-Id: Id6befbcacec27ad383e336b7189289f55c1c0a68
2022-10-21 11:57:07 -07:00
Kubernetes Prow Robot
525280d285
Merge pull request #112643 from SergeyKanzhelev/removeDynamicKubeletConfig
remove DynamicKubeletConfig feature gate from the code
2022-10-12 01:33:00 -07:00
Han Kang
db13f51db9 enable health check SLI metrics for apiserver
Change-Id: I1b43e6dfea35b8c3bfdf5daaa8b42adff2fbc786
2022-09-27 09:58:54 -07:00
Sergey Kanzhelev
39e49a91d7 remove DynamicKubeletConfig feature gate from the code 2022-09-23 23:14:19 +00:00
Michal Wozniak
bb561e0324 Fix controller policy and improve logging of related errors
Improve error logging from timed workers which are used for pod eviction

Co-authored-by: Aldo Culquicondor <1299064+alculquicondor@users.noreply.github.com>
2022-09-23 16:53:32 +02:00
m.nabokikh
00dfba473b Add auth API to get self subject attributes
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2022-09-14 18:00:26 +02:00
Sarvesh Rangnekar
7093b10416 Introduce networking/v1alpha1 api, ClusterCIDR type
Introduce networking/v1alpha1 api group.

Add `ClusterCIDR` type to networking/v1alpha1 api group, this type
will enable the NodeIPAM controller to support multiple ClusterCIDRs.
2022-08-05 00:54:00 +00:00
Michal Wozniak
04fcbd721c Introduction of a pod condition type indicating disruption. Its reason field indicates the reason:
- PreemptionByKubeScheduler (Pod preempted by kube-scheduler)
- DeletionByTaintManager (Pod deleted by taint manager due to NoExecute taint)
- EvictionByEvictionAPI (Pod evicted by Eviction API)
- DeletionByPodGC (an orphaned Pod deleted by PodGC)PreemptedByScheduler (Pod preempted by kube-scheduler)
2022-08-02 11:12:16 +02:00
inosato
1a1ad16a5a Remove ioutil from auth plugin
Signed-off-by: inosato <si17_21@yahoo.co.jp>
2022-07-30 23:30:29 +09:00
David Eads
184356ae92 allow namespace admins to use leases to encourage migration off of configmaps 2022-07-27 12:58:34 -04:00
Davanum Srinivas
a9593d634c
Generate and format files
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-07-26 13:14:05 -04:00
Jiawei Wang
760365d5c9 CSIMigration feature gate to GA 2022-06-06 21:19:19 +00:00
James Laverack
7d57d5c70d Revert "Introduce APIs to support multiple ClusterCIDRs (#108290)"
This reverts commit b9792a9dae.
2022-04-13 13:58:19 +01:00
Sarvesh Rangnekar
b9792a9dae
Introduce APIs to support multiple ClusterCIDRs (#108290)
* Introduce networking/v1alpha1 api, ClusterCIDRConfig type

Introduce networking/v1alpha1 api group.

Add `ClusterCIDRConfig` type to networking/v1alpha1 api group, this type
will enable the NodeIPAM controller to support multiple ClusterCIDRs.

* Change ClusterCIDRConfig.NodeSelector type in api

* Fix review comments for API

* Update ClusterCIDRConfig API Spec

Introduce PerNodeHostBits field, remove PerNodeMaskSize
2022-03-30 19:39:00 -07:00
Kubernetes Prow Robot
c239b406f0
Merge pull request #108929 from gnufied/move-expansion-feature-gate-ga
Move all volume expansion feature gates to GA
2022-03-25 18:08:16 -07:00
Kubernetes Prow Robot
d60df5ba04
Merge pull request #108159 from pohly/logcheck
logcheck update and golangci-lint integration
2022-03-24 18:37:50 -07:00
Kubernetes Prow Robot
df790a5b06
Merge pull request #108738 from deads2k/add-eviction
allow namespace editors to evict pods
2022-03-24 12:18:41 -07:00
Hemant Kumar
9343cce20b remove ExpandPersistentVolume feature gate 2022-03-24 10:02:47 -04:00
Patrick Ohly
edffc700a4 enhance and fix log calls
Some of these changes are cosmetic (repeatedly calling klog.V instead of
reusing the result), others address real issues:

- Logging a message only above a certain verbosity threshold without
  recording that verbosity level (if klog.V().Enabled() { klog.Info... }):
  this matters when using a logging backend which records the verbosity
  level.

- Passing a format string with parameters to a logging function that
  doesn't do string formatting.

All of these locations where found by the enhanced logcheck tool from
https://github.com/kubernetes/klog/pull/297.

In some cases it reports false positives, but those can be suppressed with
source code comments.
2022-03-24 11:13:50 +01:00
David Eads
a5d3e6cd83 allow namespace editors to evict pods 2022-03-16 11:52:56 -04:00
Patrick Ohly
3a7deaa141 storage capacity: GA, always enabled, remove feature check
The code and tests for scenarios where the feature is disabled are no longer
needed because the feature is graduating to GA.
2022-03-14 20:05:45 +01:00
Kubernetes Prow Robot
85c43df3f6
Merge pull request #104244 from dgrisonnet/bootstrap-hpa-external-metrics
Add bootstrap policy for HPA external metrics
2022-03-03 08:43:48 -08:00
Kubernetes Prow Robot
effff78a1f
Merge pull request #107744 from Shubham82/Adding_logs-node_authorizer
Added Logs Statement for a Pod in graph_populator.
2022-02-28 16:07:58 -08:00
Shubham Kuchhal
cdfbcf94fc Recording the Duration. 2022-02-25 13:20:01 +05:30
Shubham Kuchhal
54fb058cfb Added timestamp and verbosity value to V(5). 2022-02-24 18:33:00 +05:30
Jordan Liggitt
42c93b058e Add service account token request permissions to edit and admin clusterroles 2022-02-09 14:05:53 -05:00
Shubham Kuchhal
831a8eed68 Added Logs Statement for a Pod in graph_populator. 2022-01-25 14:11:56 +05:30
Davanum Srinivas
9405e9b55e
Check in OWNERS modified by update-yamlfmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-12-09 21:31:26 -05:00
Matthew Cary
bce87a3e4f controller change for statefulset auto-delete (implementation) 2021-11-17 16:48:50 -08:00
Patrick Ohly
a8c930ef46 generic ephemeral volume: graduation to GA
The feature gate gets locked to "true", with the goal to remove it in two
releases.

All code now can assume that the feature is enabled. Tests for "feature
disabled" are no longer needed and get removed.

Some code wasn't using the new helper functions yet. That gets changed while
touching those lines.
2021-10-11 20:54:20 +02:00
Patrick Ohly
466dcdfcf6 auth: use generic ephemeral volume helper functions
The name concatenation and ownership check were originally considered small
enough to not warrant dedicated functions, but the intent of the code is more
readable with them.
2021-10-11 17:33:57 +02:00