Add unit tests for handwritten and declarative validation, controller
logic, metrics, table printer output, controller-manager registration,
etcd storage round-trip, and an integration test for the full RPSR
lifecycle. Also add an e2e test exercising the DRA test driver with
RPSR and the example manifest.
Implement the RPSR controller that watches ResourcePoolStatusRequest
objects and aggregates pool status from DRA drivers. Add the API server
registry (strategy, storage), handwritten validation, RBAC bootstrap
policy for the controller, kube-controller-manager wiring, table
printer columns, and storage factory registration.
The check runs only when MemoryQoS feature gate is enabled and
cgroups v2 is in use. It logs a warning but does not block kubelet
startup, since RHEL/LTS kernels may backport the fix without bumping
the version.
Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
Add server-side streaming RPCs to bypass the gRPC 16MB message size
limit on nodes with many containers/pods. This implements KEP-5825.
New RuntimeService streaming RPCs:
- StreamPodSandboxes
- StreamContainers
- StreamContainerStats
- StreamPodSandboxStats
- StreamPodSandboxMetrics
New ImageService streaming RPC:
- StreamImages
Each streaming RPC accepts the same filter as its unary counterpart
and streams results one item at a time.
Feature gate: CRIListStreaming
KEP: https://kep.k8s.io/5825🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Ayato Tokubi <atokubi@redhat.com>
- update expectations for the default BindingTimeout in KubeSchedulerConfiguration
- DRA unit tests:
- enable DRADeviceBindingConditions by default
- add allocationTimestamp to expected ResourceClaims for PreBind cases
- disable DRADeviceBindingConditions when testing the stable allocator in TestSchedulerPerf
Signed-off-by: Tsubasa Watanabe <w.tsubasa@fujitsu.com>
This is the last step in the process, simply linking ReleaseOnCancel to
ControllerManagerReleaseLeaderElectionLockOnExit feature gate.
The original logic when the leader election release on exit feature gate
is disabled is to not catch signals and exit immediately when the LE
lock is lost. This is being put back into place so that the new behavior
can be tested without affecting the former approach at all.
When StartTestServer is called with a TContext by the caller, tearing down the
apiserver via its tear-down function would also cancel the context for everyone
else using it, which is unexpected and not intended.
Accidentally, scheduler_perf and scheduler/batch relied on this behavior:
- The apiserver clients waited on a context that got its cancellation
from the root context and thus gets canceled last.
- The apiserver was told to stop earlier, but then waited because
it still had active clients.
- Shutdown gets slowed down enough that integration testing times out.
The fix is to explicitly cancel the clients before the apiserver. Long-term
ktesting should be changed to do the same as the new testing.T.Context: cancel
the context *before* cleaning up, not *after* it.
Add MemoryReservationPolicy (None/HardReservation) controls memory.min. This allows
independently of memory.min protection, providing operators more
granular control over memoryQoS behavior.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Introduce support for specifying allowed TLS key exchange mechanisms
(IANA TLS Supported Groups) via a new --tls-curve-preferences flag,
following the same pattern as --tls-cipher-suites.
Curve preferences are specified as numeric IANA TLS Supported Group IDs
(e.g. 23,29,4588) rather than string names. This avoids maintaining a
hardcoded name-to-ID map that would become stale with each Go release,
and ensures new curves (such as Go 1.26's SecP256r1MLKEM768 and
SecP384r1MLKEM1024) work automatically when rebuilding with a newer Go
version -- no code changes required.
Changes:
- Add curves_flag.go in component-base/cli/flag with a simple
int-to-tls.CurveID cast function
- Add CurvePreferences field ([]int32) to SecureServingOptions, registered
via IntSliceVar, and wire it through to tls.Config
The order of the list is ignored; Go selects from the set using an
internal preference order. If omitted, Go defaults are used. The set of
accepted values depends on the Go version used to build the binary; see
https://pkg.go.dev/crypto/tls#CurveID for reference.
The fields become beta, enabled by default. DeviceTaintRule gets
added to the v1beta2 API, but support for it must remain off by default
because that API group is also off by default.
The v1beta1 API is left unchanged. No-one should be using it
anymore (deprecated in 1.33, could be removed now if it wasn't for
reading old objects and version emulation).
To achieve consistent validation, declarative validation must be enabled also
for v1alpha3 (was already enabled for other versions). Otherwise,
TestVersionedValidationByFuzzing fails:
--- FAIL: TestVersionedValidationByFuzzing (0.09s)
--- FAIL: TestVersionedValidationByFuzzing/resource.k8s.io/v1beta2,_Kind=DeviceTaintRule (0.00s)
validation_test.go:109: different error count (0 vs. 1)
resource.k8s.io/v1alpha3: <no errors>
resource.k8s.io/v1beta2: "spec.taint.effect: Unsupported value: \"幤HxÒQP¹¬永唂ȳ垞ş]嘨鶊\": supported values: \"NoExecute\", \"NoSchedule\", \"None\""
...