Commit Graph

129431 Commits

Author SHA1 Message Date
Kubernetes Prow Robot
18edacf576
Merge pull request #131781 from rata/automated-cherry-pick-of-#131623-upstream-release-1.33
Automated cherry pick of #131623: kubelet: userns: Improve errors returned to the user
2025-06-05 04:14:39 -07:00
Kubernetes Prow Robot
6144faccba
Merge pull request #131876 from pohly/automated-cherry-pick-of-#131844-origin-release-1.33
Automated cherry pick of #131844: DRA node: reject static pods which reference ResourceClaims
2025-06-04 11:02:42 -07:00
Kubernetes Prow Robot
f20adaecd4
Merge pull request #131935 from cpanato/update-go-1.33
[release-1.33] [go] Bump images, dependencies and versions to go 1.24.9 and distroless iptables
2025-05-26 01:43:18 -07:00
Carlos Panato
c4f2287f8a
Bump images, dependencies and versions to go 1.24.9 and distroless iptables
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
2025-05-23 09:14:58 -04:00
Patrick Ohly
1fde2b884c DRA node: reject static pods which reference ResourceClaims
If someone gains the ability to create static pods, they might try to use that
ability to run code which gets access to the resources associated with some
existing claim which was previously allocated for some other pod. Such an
attempt already fails because the claim status tracks which pods are allowed to
use the claim, the static pod is not in that list, the node is not authorized
to add it, and the kubelet checks that list before starting the pod in
195803cde5/pkg/kubelet/cm/dra/manager.go (L218-L222).

Even if the pod were started, DRA drivers typically manage node-local resources
which can already be accessed via such an attack without involving DRA. DRA
drivers which manage non-node-local resources have to consider access by a
compromised node as part of their threat model.

Nonetheless, it is better to not accept static pods which reference
ResourceClaims or ResourceClaimTemplates in the first place because there
is no valid use case for it.

This is done at different levels for defense in depth:
- configuration validation in the kubelet
- admission checking of node restrictions
- API validation

Co-authored-by: Jordan Liggitt <liggitt@google.com>

Code changes by Jordan, with one small change (resourceClaims -> resourceclaims).
Unit tests by Patrick.
2025-05-21 08:40:50 +02:00
Rodrigo Campos
2628e18dab userns: Wrap more errors
Most errors were already wrapped, but these were missing.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-05-15 12:20:04 +02:00
Rodrigo Campos
514da8a95a userns: Improve error returned if userns is not supported
This makes it clear the error comes due to a user namespace
configuration. Otherwise the error returned looks too generic and is not
clear.

Before this PR, the error was:

	  Warning  FailedCreatePodSandBox  1s    kubelet            Failed to create pod sandbox: the handler "" is not known

Now it is:

	  Warning  FailedCreatePodSandBox  1s    kubelet            Failed to create pod sandbox: runtime does not support user namespaces

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-05-15 12:20:04 +02:00
Rodrigo Campos
992924664b userns: Use len to handle empty non-nil slices
When using an old runtime like containerd 1.7, this message is not
implemented and what we get here is an empty non-nil slice. Let's check
the len of the slice instead.

While we are there, let's just return false and no error. In the
following commits we will wrap the error and we didn't find any more
info to add here.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-05-15 12:20:04 +02:00
Kubernetes Release Robot
76747b4eed Update CHANGELOG/CHANGELOG-1.33.md for v1.33.1 2025-05-15 08:46:51 +00:00
Kubernetes Release Robot
8adc0f041b Release commit for Kubernetes v1.33.1 2025-05-15 08:19:07 +00:00
Taha Farahani
cce99a8c73
Automated cherry pick of #130503: Unhandled panic crash on rollout_history printer.PrintObj (#131496)
* Change: Handling nil runtime.Object

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Return only if there is error in rollout_history

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Return the unknown revision error directly in rollout_history.go

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Remove unintended newline

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Using go idiomatic way for checking if historyInfo[o.Revision] exists

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Remove 'error:' from returned error message in rollout_history.go

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Check for printer.PrintObj returned err

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Add TestRolloutHistoryErrors test

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Simple typo fix on Complete() function description

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Checking for error on o.Complete in TestRolloutHistoryErrors

Signed-off-by: Taha Farahani <tahacodes@proton.me>

---------

Signed-off-by: Taha Farahani <tahacodes@proton.me>
2025-05-14 00:26:54 -07:00
Kubernetes Prow Robot
00ebe85a29
Merge pull request #131636 from gnufied/automated-cherry-pick-of-#131568-upstream-release-1.33
Automated cherry pick of #131568: Disable size checking performed during resize
2025-05-13 23:13:02 -07:00
Kubernetes Prow Robot
5dc469cd4f
Merge pull request #131523 from carlory/automated-cherry-pick-of-#131495-release-1.33
Automated cherry pick of #131495: Handle unsupported node expansion for RWX volumes
2025-05-13 23:12:55 -07:00
Kubernetes Prow Robot
973b3812d6
Merge pull request #131437 from gnufied/automated-cherry-pick-of-#131418-upstream-release-1.33
Automated cherry pick of #131418: Check for newer fields when deciding expansion recovery feature status
2025-05-13 23:12:48 -07:00
Kubernetes Prow Robot
b5a1738ccc
Merge pull request #131708 from tigrato/automated-cherry-pick-of-#131702-upstream-release-1.33
Automated cherry pick of #131702: Panic in `NewYAMLToJSONDecoder`
2025-05-13 05:05:15 -07:00
Kubernetes Prow Robot
3a09aeb4fa
Merge pull request #131679 from mortent/automated-cherry-pick-of-#131662-upstream-release-1.33
Automated cherry pick of #131662: DRA: Fix failure to allocate large number of devices
2025-05-13 03:51:16 -07:00
Tiago Silva
a257be8299
fix: fixes a possible panic in NewYAMLToJSONDecoder
This PR fixes a possible panic caused by decoding a JSON document
followed by a YAML document that is shorter than the first JSON
document.

This can cause a panic because the stream already consumed the JSON
data. When we fall back to the YAML reader, the YAML starts with a zero
offset while the stream consumed data is non-zero. This could lead to
consuming negative bytes because `d.yaml.InputOffset() -
d.stream.Consumed()` is negative, which will cause a panic.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
2025-05-09 23:37:42 +01:00
Morten Torkildsen
b59deb4914 DRA: Fix failure to allocate large number of devices 2025-05-08 20:03:36 +00:00
Kubernetes Prow Robot
d3c7573e54
Merge pull request #131427 from princepereira/automated-cherry-pick-of-#131138-upstream-release-1.33
Automated cherry pick of #131138: Fix for HNS local endpoint being deleted instead of the remote endpoint.
2025-05-06 17:59:13 -07:00
Hemant Kumar
c916dba607 Disable size check for xfs/ext3/ext4 filesystems before expansion 2025-05-06 16:54:51 -04:00
Hemant Kumar
c8f2295d68 Disable disk size checking when calling NeedsResize function 2025-05-06 16:54:51 -04:00
carlory
3caaf056f1 Handle unsupported node expansion for RWX volumes
Co-authored-by: Hemant Kumar <gnufied@users.noreply.github.com>
Signed-off-by: carlory <baofa.fan@daocloud.io>
2025-04-29 10:43:44 +08:00
Hemant Kumar
c7eb93190c Mark NodeExpansion finished without featuregate check 2025-04-24 07:51:31 -04:00
Hemant Kumar
74035d7b77 Also change final status by removing featuregate check 2025-04-24 07:51:30 -04:00
Hemant Kumar
1a9d4fc468 Check for newer fields when deciding expansion recovery feature status 2025-04-24 07:51:30 -04:00
Prince Pereira
950bb3baf5 Fix for HNS local endpoint being deleted instead of the remote endpoint. 2025-04-23 23:07:16 -07:00
Kubernetes Release Robot
5dc8b8dd26 Update CHANGELOG/CHANGELOG-1.33.md for v1.33.0 2025-04-23 13:24:20 +00:00
Kubernetes Release Robot
60a317eadf Release commit for Kubernetes v1.33.0 2025-04-23 13:00:13 +00:00
Kubernetes Release Robot
4190f9fd5d Merge remote-tracking branch 'origin/master' into release-1.33 2025-04-23 07:38:22 +00:00
Kubernetes Release Robot
9ba7dcecc3 CHANGELOG: Update directory for v1.30.12 release 2025-04-23 02:22:45 +00:00
Kubernetes Release Robot
191c34eaba CHANGELOG: Update directory for v1.31.8 release 2025-04-23 02:22:38 +00:00
Kubernetes Release Robot
7bf818fb88 CHANGELOG: Update directory for v1.32.4 release 2025-04-22 16:21:58 +00:00
Kubernetes Release Robot
c0d2e6d81f Merge remote-tracking branch 'origin/master' into release-1.33 2025-04-22 13:35:27 +00:00
Kubernetes Prow Robot
680ea07dbb
Merge pull request #131369 from ameukam/update-1242-master
[Go] Bump dependencies, images and versions used to Go 1.24.2 and distroless iptables
2025-04-21 09:19:06 -07:00
Kubernetes Release Robot
0019f96205 Merge remote-tracking branch 'origin/master' into release-1.33 2025-04-20 01:32:51 +00:00
Kubernetes Prow Robot
0d9dccfc6b
Merge pull request #131382 from liggitt/watch-list-e2e
Correctly feature-gate WatchList e2e
2025-04-19 16:20:59 -07:00
Jordan Liggitt
95b926c93a
Feature-gate watchlist e2e 2025-04-19 17:18:31 -04:00
Kubernetes Release Robot
8d3db5cd56 Merge remote-tracking branch 'origin/master' into release-1.33 2025-04-18 19:35:40 +00:00
Kubernetes Prow Robot
66931f07d9
Merge pull request #131359 from deads2k/disable
Stop exposing list-via-watch from the server
2025-04-18 07:55:08 -07:00
Arnaud Meukam
e467c9530b
[Go] Bump dependencies, images and versions used to Go 1.24.2 and distroless-iptables
Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
2025-04-18 15:49:48 +02:00
David Eads
660df229bf Stop exposing list-via-watch from the server
With StreamingCollectionEncodingToJSON and
StreamingCollectionEncodingToProtobuf, the WatchList must re-justify its
necessity.  To prevent an ecosystem from building around a feature that
may not be promoted, we will stop serving list-via-watch until
performance numbers can justify its inclusion.

This also stops the kube-controller-manager from using the
list-via-watch by default.  The fallback is a regular list, so during
the skew during an upgrade the "right" thing will happen and the new
StreamingCollectionEncoding will be used.
2025-04-18 09:21:23 -04:00
Kubernetes Release Robot
1064a98ad9 Merge remote-tracking branch 'origin/master' into release-1.33 2025-04-16 19:33:06 +00:00
Kubernetes Prow Robot
b53b9fb557
Merge pull request #131015 from aojea/final_servicecidr
Add the missing Conformance Test for ServiceCIDR and IPAddress APIs
2025-04-16 11:05:08 -07:00
Kubernetes Release Robot
84d2d56308 Merge remote-tracking branch 'origin/master' into release-1.33 2025-04-16 01:34:27 +00:00
Antonio Ojea
a8f6d77c8d ServiceCIDR and IPAddress Conformance
Change-Id: I6ee188cc8c163c312f8a8da9f1277d83e1ea634c
2025-04-15 21:47:43 +00:00
Kubernetes Release Robot
44c230bf5c CHANGELOG: Update directory for v1.33.0-rc.1 release 2025-04-15 17:20:14 +00:00
Kubernetes Release Robot
4939c17914 Update CHANGELOG/CHANGELOG-1.33.md for v1.33.0-rc.1 2025-04-15 17:20:14 +00:00
Kubernetes Release Robot
92e86d1b4b Release commit for Kubernetes v1.33.0-rc.1 2025-04-15 16:51:25 +00:00
Kubernetes Release Robot
2f7a115a69 Merge remote-tracking branch 'origin/master' into release-1.33 2025-04-14 19:31:24 +00:00
Kubernetes Prow Robot
30469e1803
Merge pull request #131263 from aojea/dualstack_upgrade
Allow converting cluster Service CIDRs from single to dual stack
2025-04-14 11:17:06 -07:00