field is set
This fixes a bug where a partial EndpointSlice update could cause node
name information to be dropped from endpoints that were not updated.
* Adds docs to the NestedObjectDecoder about handling strict decoding
errors.
* Updates all in-tree NestedObjectDecoder implementations and callers to
check for strict decoding errors before short-circuiting on error.
kube-proxy sets the sysctl net.ipv4.conf.all.route_localnet=1
so NodePort services can be accessed on the loopback addresses in
IPv4, but this may present security issues.
Leverage the --nodeport-addresses flag to opt out of this feature:
if the list is not empty and none of the IP ranges contains an IPv4
loopback address, this sysctl is not set.
In addition, add a warning to inform users about this behavior.
- Modify VerifyUnmarshalStrict to use serializer/json instead
of sigs.k8s.io/yaml. In strict mode, the serializers
in serializer/json use the new sigs.k8s.io/json library
that also catches case-sensitive errors for field names -
e.g. foo vs Foo. Include test case for that in strict/testdata.
- Move the hardcoded schemes to check to the side of the
caller - i.e. accept a slice of runtime.Scheme.
- Move the klog warnings outside of VerifyUnmarshalStrict
and make them the responsibility of the caller.
- Call VerifyUnmarshalStrict when downloading the configuration
from kubeadm-config or the kube-proxy or kubelet-config CMs.
This validation is useful if the user has manually patched the CMs.
When an envelope transformer calls out to KMS (for instance), it will be
very helpful to pass a `context.Context` to allow for cancellation. This
patch does that, while passing the previously-expected additional data
via a context value.
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
* This updates tests that make requests that call
into admission.
* For apiextensions-apiserver, the namespace is set
to metav1.NamespaceNone since the CRD created and
worked with is a cluster scoped CRD.
* For most tests in register/storage, the namespace
is set to NamespaceDefault or NamespaceNone based
on if the resource is cluster scoped (namespaces)
or namespace scoped (pvs).
* Endpoints tests now have a namespace specified in
the expected object - NamespaceDefault or other
based on the test.
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
A mount option can contain commas in a double-quoted string. Such a comma is
part of the mount option and is not an option separator.
For example, this is a single mount option:
context="system_u:object_r:container_file_t:s0:c460,c902"
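
The quoting rule in the commit message above, as an added Go sketch (not code from the Kubernetes tree). The function name `splitMountOptions`, the sample input and the choice to reject an unterminated quote are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// splitMountOptions (hypothetical helper) splits a comma-separated mount
// option string. A comma inside a double-quoted value belongs to the option
// and does not separate options. Empty options are dropped.
func splitMountOptions(s string) ([]string, error) {
	var opts []string
	var cur strings.Builder
	inQuotes := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuotes = !inQuotes
			cur.WriteRune(r) // keep the quotes: they are part of the option
		case r == ',' && !inQuotes:
			if cur.Len() > 0 {
				opts = append(opts, cur.String())
			}
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if inQuotes {
		// Assumption: fail closed rather than guess where the value ends.
		return nil, fmt.Errorf("unterminated double quote in mount options %q", s)
	}
	if cur.Len() > 0 {
		opts = append(opts, cur.String())
	}
	return opts, nil
}

func main() {
	// Constructed sample: the SELinux context from the text between two ordinary options.
	in := `rw,context="system_u:object_r:container_file_t:s0:c460,c902",noexec`
	opts, err := splitMountOptions(in)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, o := range opts {
		fmt.Printf("%d: %s\n", i, o)
	}
}
```

A plain split on every comma would turn the context option into two fragments, `context="system_u:object_r:container_file_t:s0:c460` and `c902"`, so the SELinux label passed to mount would no longer be the one the user wrote.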
The field in fact says that the container runtime should relabel a volume
when running a container with it; it does not say that the volume supports
SELinux. For example, NFS can support SELinux, but we don't want NFS
volumes relabeled, because they can be shared among several Pods.