Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove experimental keystone authenticator
**What this PR does / why we need it**:
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559
So we don't need this older style / hard coded / experimental code
anymore.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
kube-apiserver: the experimental in-tree Keystone password authenticator has been removed in favor of extensions that enable use of Keystone tokens.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Avoid hook errors when effecting label changes on kubernetes-worker charm.
**What this PR does / why we need it**: Avoid hook errors when effecting label changes on kubernetes-worker charm.
**Release note**:
```release-note
Avoid hook errors when effecting label changes on kubernetes-worker charm.
```
Automatic merge from submit-queue (batch tested with PRs 59705, 59207, 59677). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
local-up-cluster.sh conformance tests - ALLOW_SECURITY_CONTEXT should default to true
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
SecurityContextDeny Admission plugin causes failures in several conformance tests
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59705, 59207, 59677). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
build: fix a logic error in shell script.
**What this PR does / why we need it**: It looks like that there's a logic error in `build/common.sh`. The return value of a `docker inspect` command is not checked properly, since the value being assigned is actually the previous command's return value (a `0`, because `local` always returns `0` when used like this).
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubectl port-forward allows using resource name to select a matching pod
**What this PR does / why we need it**:
#15180 describes use cases that port-foward should use resource name for selecting a pod.
**Which issue(s) this PR fixes**:
Add support so resource/name can be used to select a pod.
**Special notes for your reviewer**:
I decided to reuse `AttachablePodForObject` to select a pod using resource name, and extended it to support Service (which it did not). I think that should not be a problem, and may help improve attach's use case. If it makes more sense to fork the function I'd be happy to do so. The practice of waiting for pods to become ready is also copied over.
In keeping the change to minimal, I also decided to resolve pod from resource name in Complete(), following the pattern in attach.
**Release note**:
```release-note
kubectl port-forward now allows using resource name (e.g., deployment/www) to select a matching pod, as well as allows the use of --pod-running-timeout to wait till at least one pod is running.
kubectl port-forward no longer support deprecated -p flag
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add reviewers to util/mount
**What this PR does / why we need it**:
Add some more reviewers
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add node e2e tests to verify HugePages feature
**What this PR does / why we need it**:
Add node e2e tests to verify HugePages feature.
**Special notes for your reviewer**:
Test follows same pattern as pod container manager tests.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
libffi-dev dependency added in fluentd-es-image Dockerfile to solve the docker build error
**What this PR does / why we need it**:
Not able to build the docker images for fluentd-es-image. The docker build shows the error like below
```
Installing fluent-plugin-elasticsearch (2.4.1)
Installing ffi (1.9.21)
Building native extensions. This could take a while...
ERROR: While executing gem ... (Gem::Ext::BuildError)
ERROR: Failed to build gem native extension.
current directory: /var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c
/usr/bin/ruby2.3 -r ./siteconf20180209-4127-3e9tjv.rb extconf.rb
checking for ffi.h... no
checking for ffi.h in /usr/local/include,/usr/include/ffi... no
checking for shlwapi.h... no
checking for rb_thread_blocking_region()... no
checking for rb_thread_call_with_gvl()... yes
checking for rb_thread_call_without_gvl()... yes
creating extconf.h
creating Makefile
To see why this extension failed to compile, please check the mkmf.log which can be found here:
/var/lib/gems/2.3.0/extensions/x86_64-linux/2.3.0/ffi-1.9.21/mkmf.log
current directory: /var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c
make "DESTDIR=" clean
current directory: /var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c
make "DESTDIR="
Running autoreconf for libffi
/var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c/libffi/autogen.sh: 2: exec: autoreconf: not found
libffi.mk:6: recipe for target '"/var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c/libffi-x86_64-linux-gnu"/.libs/libffi_convenience.a' failed
make: *** ["/var/lib/gems/2.3.0/gems/ffi-1.9.21/ext/ffi_c/libffi-x86_64-linux-gnu"/.libs/libffi_convenience.a] Error 127
make failed, exit code 2
Gem files will remain installed in /var/lib/gems/2.3.0/gems/ffi-1.9.21 for inspection.
Results logged to /var/lib/gems/2.3.0/extensions/x86_64-linux/2.3.0/ffi-1.9.21/gem_make.out
The command '/bin/sh -c BUILD_DEPS="make gcc g++ libc6-dev ruby-dev" && clean-install $BUILD_DEPS ca-certificates libjemalloc1 ruby && echo 'gem: --no-document' >> /etc/gemrc && gem install --file Gemfile && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $BUILD_DEPS && clean-apt && ulimit -n 65536' returned a non-zero code: 1
```
added the libffi-dev dependency solves the build error.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
controller-manager: switch to options+config pattern and add https+auth
This PR switch the {kube,cloud}-controller-managers to use the Options+Config struct pattern for bootstrapping, as we use it throughout all apiservers. This allows us to easily plug in https and authn/z support.
Fixes parts of https://github.com/kubernetes/kubernetes/issues/59483
This is equivalent to https://github.com/kubernetes/kubernetes/pull/59408 after squashing.
```release-note
Deprecate insecure HTTP port of kube-controller-manager and cloud-controller-manager. Use `--secure-port` and `--bind-address` instead.
```
Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add HTTPProxyCheck to preflight checks for 'kubeadm join' subcommand
**What this PR does / why we need it:**
Add HTTPProxyCheck for API servers
It makes sense to check API servers and print warnings if they're
going to be accessed through proxy. This is similar to what's
already done for 'kubeadm init'.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove bootstrap kubelet config on reset
**What this PR does / why we need it**:
Remove /etc/kubernetes/bootstrap-kubelet.conf when running 'kubeadm reset'
to ensure it will not be reused when joining the cluster next time.
**Release note**:
```release-note
NONE
```
rename ALLOW_SECURITY_CONTEXT to DENY_SECURITY_CONTEXT_ADMISSION to be
in line with the other admission plugins (like PSP_ADMISSION). Make
sure by default, this plugin is not enabled as well.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Ignore 0% and 100% eviction thresholds
Primarily, this gives a way to explicitly disable eviction, which is
necessary to use omitempty on EvictionHard.
See: https://github.com/kubernetes/kubernetes/pull/53833#discussion_r166672137
As justification for this approach, neither 0% nor 100% make sense as
eviction thresholds; in the "less-than" case, you can't have less than
0% of a resource and 100% perpetually evicts; in the
"greater-than" case (assuming we ever add a resource with this
semantic), the reasoning is the reverse (not more than 100%, 0%
perpetually evicts).
```release-note
Eviction thresholds set to 0% or 100% are now ignored.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
admissionregistration use shared informer instead of poll
**What this PR does / why we need it**:
poll with 1s interval influence apiserver's performance
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#56357
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Format some import statements in scheduler pkg
**What this PR does / why we need it**:
As the title says, apply `goimports` on some files under `pkg/scheduler` pkg.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove myself (timothysc) from OWNERS files on areas that I do not maintain
I do not actively participate in api-machinery, so I'm removing myself from the OWNERS files.
/cc @ncdc
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
pass listener in integration test
**What this PR does / why we need it**:
pass listener to `SecureServingOptions` to prevent port in use flake.
partially fix#58936
**Special notes for your reviewer**:
/assign @liggitt @sttts @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Audit support resource wildcard matching
**What this PR does / why we need it**:
audit policy support "resource/subresources" wildcard matching "resource/*", "*/subresource","*"
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#55305
**Special notes for your reviewer**:
**Release note**:
```release-note
[advanced audit] support subresources wildcard matching.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Increase timeout on waiting on cluster resize in autoscaling tests
Looks like autoscaling tests in GKE are failing due to insufficient wait time for master resize. Increasing the timeout by 1 minute to help with this.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove /ui/ redirect
The existing kube-apiserver hard-codes `/ui` to redirect to an optional add-on, which is not appropriate. It does not work in the following scenarios:
* https-enabled dashboards
* the dashboard is deployed to a different namespace or service name
* the dashboard is not installed at all
* authorization is enabled and does not allow access to /ui
This PR removes the hard-coded `/ui` redirect.
```release-note
apiserver: the /ui kube-dashboard redirect has been removed. Follow instructions specific to your deployment to access kube-dashboard
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
code-generator: add boilerplate header
Currently, the boilerplate header from k8s.io/kubernetes is used. If k8s.io/kubernetes is not in the GOPATH, a
panic will occur.
Making this a part of k8s.io/code-generator will prevent this panic.
Fixeskubernetes/code-generator#6
**Release note**:
```release-note
NONE
```
/assign sttts
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Improve performance of scheduling queue by adding a hash map to track all pods with a nominatedNodeName
**What this PR does / why we need it**:
Our investigations show that there is a performance regression in the new scheduling queue which is not enabled by default and is enabled only if "priority and preemption" which is an alpha feature is enabled. This PR is an important performance improvement for those who want to use priority and preemption in larger clusters.
The PR adds a hash table to track nominated Pods so that finding such Pods will be faster.
Other than improving performance, we don't expect this PR to change behavior of scheduler.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
ref/ #56032
ref/ #57471
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig scheduling
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Refactor kube-proxy service/endpoints update so that can be consumed among different proxiers
**What this PR does / why we need it**:
There are huge duplication among different proxiers. For example, the service/endpoints list/watch part in iptables, ipvs and windows kernel mode(to be get in soon).
I think the more places this is replicated the harder it becomes to keep correct. We may need to refactor it and let different proxiers consume the same code.
**Which issue this PR fixes**:
fixes#52464
**Special notes for your reviewer**:
* This refactor reduces **500** Lines in iptables proxy, so it will reduce **500*N**(number of proxiers) lines in total. People no need to care the service/endpoints update logic any more and can be more focus on proxy logic.
* I would like to do the following things in follow-ups:
1. rsync it to ipvs proxier
2. rsync it to winkernel proxier
**Release note**:
```release-note
Refactor kube-proxy service/endpoints update so that can be consumed among different proxiers
```
Currently, the boilerplate header from k8s.io/kubernetes
is used. If k8s.io/kubernetes is not in the GOPATH, a
panic will occur.
To fix this, we first calculate the relative path to
k8s.io/code-generator and then use the boilerplate from
code-generator. This avoids hard coding the path and
works well for all repos.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove unused function printIndentedJson and printAllPods in test/integration/scheduler
**What this PR does / why we need it**:
remove unused function printIndentedJson and printAllPods in test/integration/scheduler
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Create short name for cronjob
**What this PR does / why we need it**:
Following https://github.com/kubernetes/kubernetes/pull/59061 I'm adding short name for cronjob, since I was asked about it several times and was thinking about this for a long.
**Release note**:
```release-note
CronJobs can be accessed through cj alias
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add gnufied as AWS approver.
@gnufied has been maintaining the storage part of AWS cloud provider for a long while and he deserves to be approver.
```release-note
NONE
```
/sig aws
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix typo in resource_allocation.go
**What this PR does / why we need it**:
fix a typo in resource_allocation.go file
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
N/A
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix the error prone account creation method of blob disk
**What this PR does / why we need it**:
use new account generation method for blob disk to fix the error prone account creation method of blob disk
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#59738
**Special notes for your reviewer**:
**Release note**:
```
fix the error prone account creation method of azure blob disk
```
/assign @karataliu
/sig azure
Automatic merge from submit-queue (batch tested with PRs 59298, 59773, 59772). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
bazel: update digests for debian-iptables-amd64 and busybox
**What this PR does / why we need it**: I've pushed updated (rebased) versions of the `debian-base-ARCH:0.3` and `debian-iptables-ARCH:v10` images. Since bazel uses the sha256 digest instead of the tag, we need to update those accordingly.
I also bumped the busybox digest, which hasn't been updated since last summer. This is updating it from v1.26.2 to v1.28.0. Note that the non-bazel build process uses `busybox:latest`, and so has already been using busybox v1.28.0.
**Special notes for your reviewer**:
We will update the hyperkube-base image in #57648.
**Release note**:
```release-note
NONE
```
/assign @tallclair
/cc @rphillips @rvkubiak
Automatic merge from submit-queue (batch tested with PRs 59298, 59773, 59772). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump GLBC to 0.9.8-alpha.2 and change back to --verbose
**What this PR does / why we need it**:
Bumps GLBC version to 0.9.8-alpha.2 which is logically equivalent to 0.9.8-alpha.1 except verbose mode sets v=3 instead of v=4
**Special notes for your reviewer**:
/cc @rramkumar1
/assign @bowei
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59298, 59773, 59772). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add etcd 3.x minor version rollback support to migrate-if-needed.sh
Provide automatic etcd 3.x minor version downgrade when using the gcr.io/google_containers/etcd docker images to operate etcd.
Uses `etcdctl snapshot save` and `etcdctl snapshot restore` to safely downgrade etcd from 3.2->3.1 or 3.1->3.0. This is safe because the data storage file formats used by etcd have not changed between these versions.
Intended as a stop-gap until we can introduce more comprehensive downgrade support in etcd. The main limitation of this approach is that it is not able to perform zero downtime downgrades for HA clusters. For HA clusters, all members must be stopped and downgraded before the cluster may be restarted at the downgraded version.
Example usage:
- Initially the [etcd.manifest](58547ebd72/cluster/gce/manifests/etcd.manifest (L43)) is set to gcr.io/google_containers/etcd:3.0.17, TARGET_VERSION=3.0.17
- A upgrade to 3.1.11 is initiated.
- etcd.manifest is updated to gcr.io/google_containers/etcd:3.1.11, TARGET_VERSION=3.1.11
- etcd restarts and establishes 3.1 as it's "cluster version"
- For whatever reason, a downgrade is initiated
- etcd.manifest is updated gcr.io/google_containers/etcd:3.1.11, TARGET_VERSION=3.0.17
- migrate-if-needed.sh detects that the current version (3.1.11) is newer than the target version, so it:
- creates a snapshot using etcd & etcdctl 3.1.11
- backs up the data dir
- restores the snapshot using etcdctl 3.0.17 to create a replacement data dir
- starts etcd 3.0.17
Note that while this will rollback to an earlier etcd version, the newer etcd gcr.io image version must continue to be used throughout the downgrade. Only TARGET_VERSION is downgraded.
Test coverage was lacking for `migrate-if-needed.sh` so this adds some container level testing to the `Makefile` for migrating and rolling back. This surfaced a couple bugs that are fixed by this PR as well.
cc @mml @lavalamp @wenjiaswe
```release-note
Add automatic etcd 3.2->3.1 and 3.1->3.0 minor version rollback support to gcr.io/google_container/etcd images. For HA clusters, all members must be stopped before performing a rollback.
```
Automatic merge from submit-queue (batch tested with PRs 59479, 59246). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add tests for schedulercache
**What this PR does / why we need it**:
Add tests for `node_info.go` under `schedulercache` package.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Avoid race condition when updating equivalence cache
**What this PR does / why we need it**:
Lock the ecache to update the ecache on each predicate running, to avoid race condition.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fix#58507
**Special notes for your reviewer**:
None
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 59767, 56454, 59237, 59730, 55479). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: add configuration option to not taint master
**What this PR does / why we need it**:
Although tainting the master is normally a good and proper thing to do in some situations (docker for mac in our case, but I suppose minikube and such as well) having a single host configuration is desirable.
In linuxkit we have a [workaround](443e47c408/projects/kubernetes/kubernetes/kubeadm-init.sh (L19...L22)) to remove the taint after initialisation. With the change here we could simply populate `/etc/kubeadm/kubeadm.yaml` with `noTaintMaster: true` instead and have it never be tainted in the first place.
I have only added this to the config file and not to the CLI since AIUI the latter is somewhat deprecated.
The code also arranges to _remove_ an existing taint if it is unwanted. I'm unsure if this behaviour is correct or desirable, I think a reasonable argument could be made for leaving an existing taint in place too.
Signed-off-by: Ian Campbell <ijc@docker.com>
**Release note**:
Since the requirement for this option is rather niche and not best practice in the majority of cases I'm not sure if it warrants mentioning in the release notes? If it were then perhaps
```release-note
`kubeadm init` can now omit the tainting of the master node if configured to do so in `kubeadm.yaml`.
```
Automatic merge from submit-queue (batch tested with PRs 59767, 56454, 59237, 59730, 55479). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Requesting new credentials when node names change
**What this PR does / why we need it**:
Updating kubernetes-worker charm to request a new token when the node name changes due to a cloud provider change to kubelet-extra-args
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/491
**Special notes for your reviewer**:
**Release note**:
```release-note
Updated kubernetes-worker to request new security tokens when the aws cloud provider changes the registered node name.
```
