Commit Graph

28986 Commits

Author SHA1 Message Date
Kubernetes Prow Robot
1078cf59b9 Merge pull request #133964 from K-Diger/fix/dra-plugin-unreachable-code
kubelet: refactor DRA plugin health client initialization
2025-12-17 16:26:03 -08:00
Kubernetes Prow Robot
97e95711c5 Merge pull request #133654 from kwohlfahrt/kubelet-cert
Fix kubelet certificate reload when connecting by IP address
2025-12-17 16:25:32 -08:00
Kubernetes Prow Robot
e14cdadc5a Merge pull request #132807 from iholder101/feature/ImageVolumeWithDigest
[KEP-5365] Implement Image Volume with Digest
2025-12-17 16:25:17 -08:00
bzsuni
2c811fdd3a etcd: Update etcd to v3.6.6
Signed-off-by: bzsuni <bingzhe.sun@daocloud.io>
2025-12-08 05:37:15 +00:00
Kubernetes Prow Robot
ff9971ec7f Merge pull request #135586 from pohly/dra-upgrade-downgrade-skew-range
DRA upgrade/downgrade: roll over only after -alpha.0
2025-12-05 09:22:56 -08:00
Carlos Panato
eae2a1bd5f Bump images and versions to go 1.25.5 and distroless iptables
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
2025-12-05 10:40:45 +01:00
Kubernetes Prow Robot
2711e8cb53 Merge pull request #135499 from aojea/crazy_ipallocator
ipallocator: handle errors correctly
2025-12-04 10:21:02 -08:00
k-diger
b255410b4f Remove duplicate connection management in DRA plugin Fixes 2025-12-05 01:34:44 +09:00
Patrick Ohly
91e221b047 DRA upgrade/downgrade: roll over only after -alpha.0
All version up to and including x.y.z-alpha.0 are treated as if we were
still the previous minor version x.(y-1). There are two reason for this:

- During code freeze around (at?) -rc.0, the master branch already
  identfies itself as the next release with -alpha.0. Without this
  special case, we would change the version skew testing from what
  has been tested and been known to work to something else, which
  can and at least once did break.

- Early in the next cycle the differences compared to the previous
  release are small, so it's more interesting to go back further.
2025-12-04 14:25:12 +01:00
Antonio Ojea
51f614a156 ipallocator: handle errors correctly
The ipallocator was blindly assuming that all errors are retryable, that
causes that the allocator tries to exhaust all the possibilities to
allocate an IP address.

If the error is not retryable this means the allocator will generate as
many API calls as existing available IPs are in the allocator, causing
CPU exhaustion since this requests are coming from inside the apiserver.

In addition to handle the error correctly, this patch also interpret the
error to return the right status code depending on the error type.

Co-authored-by: carlory <baofa.fan@daocloud.io>
2025-12-03 10:39:57 +00:00
Carlos Panato
3661554f87 Bump images and versions to go 1.25.4 and distroless iptables
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
2025-11-28 10:21:55 +01:00
Kubernetes Prow Robot
61c629cc57 Merge pull request #135426 from kfess/update-relaxedservicenamevalidation
Fix: Check `defaultBackend` in `allowRelaxedServiceNameValidation`
2025-11-28 00:00:22 -08:00
Adrian Moisey
dae1dbc1ff KEP-5311 - Revert RelaxedServiceNameValidation promote to beta 2025-11-27 20:52:35 +09:00
Kubernetes Prow Robot
4bed36e03e Merge pull request #135445 from mortent/FixExtendedResourcesIntegrationTest
DRA: Fix flaky integration test
2025-11-26 12:46:21 -08:00
Kubernetes Prow Robot
1043513f30 Merge pull request #135461 from liggitt/deflake-pod-certificates
Run a unique signer name for each pod certificate tests to avoid cross-test flaking
2025-11-26 11:50:24 -08:00
Jordan Liggitt
6bf802807b Make unique signerName per pod certificate test 2025-11-26 12:19:56 -05:00
Kubernetes Prow Robot
4c04786f74 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
e2e/storage: deflake CSI Mock volume expansion quota validation
2025-11-26 09:10:36 -08:00
Dev1622
d80e73c0a9 cleanup: removed uncached client plumbing, keeping the sequencing fix for quota validation 2025-11-26 19:56:42 +05:30
Kai Wohlfahrt
2ba1b66b57 Fix kubelet certificate reload when connecting by IP
Currently, we set TLSConfig.Config.GetCertificate, but then also pass
certificate and key paths to http.Server.ListenAndServeTLS.

ListenAndServeTLS uses these paths to populate the TLS config Certificate
property. Then, when accepting connections, a non-nil Certificate is preferred
over GetCertificate if the ServerName is not set in ClientHelloInfo. Finally,
the Go TLS client doesn't set ServerName when connecting by IP. As a result,
when connecting to the kubelet by IP (e.g. to fetch pod logs), stale
certificates are served.

This patch passes empty certFile and keyFile arguments, to force the TLS
server to use the GetCertificate function.

This is done by clearing key/cert file config when setting GetCertificate as
suggested in PR review. This way, all downstream users of kubeDeps.TLSConfig
will do the right thing automatically.
2025-11-25 20:44:19 +01:00
Morten Torkildsen
c33c0464db DRA: Fix flaky integration test 2025-11-25 18:13:00 +00:00
Kubernetes Prow Robot
5bcb759973 Merge pull request #135304 from macsko/fix_failing_sched_perf_tests_on_featuregates
Fix failing scheduler_perf test cases that don't set any feature gate
2025-11-20 10:26:40 -08:00
Kubernetes Prow Robot
0f093c9f49 Merge pull request #134921 from Karthik-K-N/cel-test
Improve CEL Policy Admission test
2025-11-20 10:26:32 -08:00
Karthik Bhat
3e19cc5160 Address review comments 2025-11-19 21:07:28 +05:30
Maciej Skoczeń
04eb121d32 Fix failing scheduler_perf test cases that don't set any feature gate 2025-11-19 10:48:51 +00:00
Itamar Holder
792f1643d4 Add e2e tests
Signed-off-by: Itamar Holder <iholder@redhat.com>
2025-11-18 14:14:42 +02:00
Itamar Holder
af66766bf5 Add auto-generated code and boilerplate
Signed-off-by: Itamar Holder <iholder@redhat.com>
2025-11-18 14:14:41 +02:00
Sascha Grunert
a66c025dc9 test/e2e_node: Update procMount test to use Restricted PSA level
Update the procMount test expectations to match the intentional PSA
policy relaxation introduced in commit e8bd3f629d.

As of Kubernetes 1.35+, Pod Security Admission Baseline policy
allows UnmaskedProcMount for pods with user namespaces (hostUsers:
false). This was an intentional change to support nested container
use cases while maintaining security through user namespace isolation.

The test "will fail to unmask proc mounts if not privileged" was
written before this relaxation and expected Baseline level to reject
UnmaskedProcMount. Since Baseline now allows it (for user namespace
pods), the test needs to use Restricted level instead, which
unconditionally blocks UnmaskedProcMount regardless of user namespace
settings.

Changes:
- Change PSA level from Baseline to Restricted
- Update test name to clarify it's testing Restricted level behavior
- Update framework name from "proc-mount-baseline-test" to
  "proc-mount-restricted-test"

Fixes the ci-crio-userns-e2e-serial test failure that started occurring
when runtimes began reporting user namespace support.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2025-11-14 10:17:54 +01:00
Dev1622
f76d0e5aa4 test/e2e: replace forbidden gomega.BeTrue usage with Eventually(...).Should(Succeed()) 2025-11-13 12:39:17 +05:30
Surya Dev
cee5b837da Resolve lint restriction on BeTrue by introducing Succeed() with contextual error messages 2025-11-13 12:39:16 +05:30
bwsalmon
854e67bb51 KEP 5598: Opportunistic Batching (#135231)
* First version of batching w/out signatures.

* First version of pod signatures.

* Integrate batching with signatures.

* Fix merge conflicts.

* Fixes from self-review.

* Test fixes.

* Fix a bug that limited batches to size 2
Also add some new high-level logging and
simplify the pod affinity signature.

* Re-enable batching on perf tests for now.

* fwk.NewStatus(fwk.Success)

* Review feedback.

* Review feedback.

* Comment fix.

* Two plugin specific unit tests.:

* Add cycle state to the sign call, apply to topo spread.
Also add unit tests for several plugi signature
calls.

* Review feedback.

* Switch to distinct stats for hint and store calls.

* Switch signature from string to []byte

* Revert cyclestate in signs. Update node affinity.
Node affinity now sorts all of the various
nested arrays in the structure. CycleState no
longer in signature; revert to signing fewer
cases for pod spread.

* hack/update-vendor.sh

* Disable signatures when extenders are configured.

* Update pkg/scheduler/framework/runtime/batch.go

Co-authored-by: Maciej Skoczeń <87243939+macsko@users.noreply.github.com>

* Update staging/src/k8s.io/kube-scheduler/framework/interface.go

Co-authored-by: Maciej Skoczeń <87243939+macsko@users.noreply.github.com>

* Review feedback.

* Disable node resource signatures when extended DRA enabled.

* Review feedback.

* Update pkg/scheduler/framework/plugins/imagelocality/image_locality.go

Co-authored-by: Maciej Skoczeń <87243939+macsko@users.noreply.github.com>

* Update pkg/scheduler/framework/interface.go

Co-authored-by: Maciej Skoczeń <87243939+macsko@users.noreply.github.com>

* Update pkg/scheduler/framework/plugins/nodedeclaredfeatures/nodedeclaredfeatures.go

Co-authored-by: Maciej Skoczeń <87243939+macsko@users.noreply.github.com>

* Update pkg/scheduler/framework/runtime/batch.go

Co-authored-by: Maciej Skoczeń <87243939+macsko@users.noreply.github.com>

* Review feedback.

* Fixes for review suggestions.

* Add integration tests.

* Linter fixes, test fix.

* Whitespace fix.

* Remove broken test.

* Unschedulable test.

* Remove go.mod changes.

---------

Co-authored-by: Maciej Skoczeń <87243939+macsko@users.noreply.github.com>
2025-11-12 21:51:37 -08:00
Kubernetes Prow Robot
8849917973 Merge pull request #135246 from carlory/fix-135239-2
Fix volume performance tests with performance constraints
2025-11-12 18:49:37 -08:00
Surya
c68b35c4c7 Update vendored dependencies 2025-11-12 22:06:10 +05:30
Kubernetes Prow Robot
c245b40b87 Merge pull request #135254 from saschagrunert/image-volume-containerd-skip
[KEP-4639] Remove image volume e2e test because CI has containerd < 2.1
2025-11-12 07:59:49 -08:00
Kubernetes Prow Robot
9673a7fbf1 Merge pull request #132919 from ndixita/pod-level-in-place-pod-resize
Pod level in place pod resize - alpha
2025-11-12 07:59:41 -08:00
Sascha Grunert
71ddb98ae4 Remove image volume e2e test because CI has containerd < 2.1
Remove the e2e test since we switched to beta (enabled by default)
instead of GA. We re-add the test in 1.36.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2025-11-12 09:31:34 +01:00
ndixita
10b73f8ef9 Test fixes
Signed-off-by: ndixita <ndixita@google.com>
2025-11-12 06:21:06 +00:00
ndixita
21920bb37e Test fixes
Signed-off-by: ndixita <ndixita@google.com>
2025-11-12 01:18:53 +00:00
ndixita
0f88a9a17e verioned_feature_list update 2025-11-11 18:19:11 +00:00
ndixita
1733d8fc8c e2e tests
Signed-off-by: ndixita <ndixita@google.com>
2025-11-11 18:19:09 +00:00
ndixita
efc3126b76 Adding Resources and AllocatedResoures fields to the list of expected fields in PodStatus in admission test 2025-11-11 18:15:20 +00:00
ndixita
6d30134256 Adding InPlacePodLevelResourcesVerticalScaling feature gate 2025-11-11 18:12:33 +00:00
Stanislav Láznička
d26b44540e move Ensure Secret-Pulled Images feature to beta
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2025-11-11 11:48:35 -05:00
Stanislav Láznička
805eb885e3 node e2e: add tests for Ensure Secret Image Pulls default policy
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>

Co-authored-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2025-11-11 11:15:53 -05:00
Kubernetes Prow Robot
462ee14a36 Merge pull request #134345 from yuanwang04/restart-pod
Implement RestartAllContainers
2025-11-11 07:18:56 -08:00
Yuan Wang
0b47a37861 Keep pod in running state and prune past container status from runtime 2025-11-11 06:37:49 +00:00
carlory
2f55207dff Fix volume performance tests with performance constraints
Signed-off-by: carlory <baofa.fan@daocloud.io>
2025-11-11 11:37:23 +08:00
carlory
094b1bf018 fix [sig-node] Container Runtime blackbox test when running a container with a new image [Serial] should be able to pull from private registry with secret [NodeConformance] 2025-11-11 10:31:12 +08:00
Surya Dev
2c81b6e8ad fix: replace BeTrue with BeTrueBecause for better failure message 2025-11-11 07:59:48 +05:30
Heba
aceb89debc KEP-5471: Extend tolerations operators (#134665)
* Add numeric operations to tolerations

Signed-off-by: Heba Elayoty <heelayot@microsoft.com>

* code review feedback

Signed-off-by: Heba Elayoty <heelayot@microsoft.com>

* add default feature gate

Signed-off-by: Heba Elayoty <heelayot@microsoft.com>

* Add integration tests

Signed-off-by: Heba Elayoty <heelayot@microsoft.com>

* Add toleration value validation

Signed-off-by: Heba Elayoty <heelayot@microsoft.com>

* Add validate options for new operators

Signed-off-by: helayoty <heelayot@microsoft.com>

* Remove log

Signed-off-by: helayoty <heelayot@microsoft.com>

* Update feature gate check

Signed-off-by: helayoty <heelayot@microsoft.com>

* emove IsValidNumericString func

Signed-off-by: helayoty <heelayot@microsoft.com>

* Implement IsDecimalInteger

Signed-off-by: helayoty <heelayot@microsoft.com>

* code review feedback

Signed-off-by: helayoty <heelayot@microsoft.com>

* Add logs to v1/toleration

Signed-off-by: Heba Elayoty <heelayot@microsoft.com>
Signed-off-by: helayoty <heelayot@microsoft.com>

* Update integration tests and address code review feedback

Signed-off-by: helayoty <heelayot@microsoft.com>

* Add feature gate to the scheduler framework

Signed-off-by: helayoty <heelayot@microsoft.com>

* Remove extra test

Signed-off-by: helayoty <heelayot@microsoft.com>

* Fix integration test

Signed-off-by: helayoty <heelayot@microsoft.com>

* pass feature gate via TolerationsTolerateTaint

Signed-off-by: helayoty <heelayot@microsoft.com>

---------

Signed-off-by: Heba Elayoty <heelayot@microsoft.com>
Signed-off-by: helayoty <heelayot@microsoft.com>
2025-11-10 12:42:54 -08:00
Yuan Wang
aac951d902 Add dependency for NodeDeclaredFeatures 2025-11-10 09:41:02 +00:00