Commit Graph

99435 Commits

Author SHA1 Message Date
Masashi Honma
3266136c1d Fire an event when failing to open NodePort
[issue]
When creating a NodePort service with the kubectl create command, the NodePort
assignment may fail.

Failure to assign a NodePort can be simulated with the following malicious
command[1].

$ kubectl create service nodeport temp-svc --tcp=`python3 <<EOF
print("1", end="")
for i in range(2, 1026):
  print("," + str(i), end="")
EOF
`

The command succeeds and shows the following output.

service/temp-svc created

The service has been successfully generated and can also be referenced with the
get command.

$ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)
temp-svc     NodePort    10.0.0.139   <none>        1:31335/TCP,2:32367/TCP,3:30263/TCP,(omitted),1023:31821/TCP,1024:32475/TCP,1025:30311/TCP   12s

The user does not recognize the failure to assign a NodePort because the
create/get/describe commands do not show any error. This is the issue.

[solution]
Users can notice errors by looking at the kube-proxy logs, but it may be difficult to see the kube-proxy logs of all nodes.

E0327 08:50:10.216571  660960 proxier.go:1286] "can't open port, skipping this nodePort" err="listen tcp4 :30641: socket: too many open files" port="\"nodePort for default/temp-svc:744\" (:30641/tcp4)"
E0327 08:50:10.216611  660960 proxier.go:1286] "can't open port, skipping this nodePort" err="listen tcp4 :30827: socket: too many open files" port="\"nodePort for default/temp-svc:857\" (:30827/tcp4)"
...
E0327 08:50:10.217119  660960 proxier.go:1286] "can't open port, skipping this nodePort" err="listen tcp4 :32484: socket: too many open files" port="\"nodePort for default/temp-svc:805\" (:32484/tcp4)"
E0327 08:50:10.217293  660960 proxier.go:1612] "Failed to execute iptables-restore" err="pipe2: too many open files ()"
I0327 08:50:10.217341  660960 proxier.go:1615] "Closing local ports after iptables-restore failure"

So, this patch will fire an event when NodePort assignment fails.
In fact, when the externalIP assignment fails, it is also notified by event.

The event will be displayed like this.

$ kubectl get event
LAST SEEN   TYPE      REASON                                            OBJECT           MESSAGE
...
2s          Warning   listen tcp4 :31055: socket: too many open files   node/127.0.0.1   can't open "nodePort for default/temp-svc:901" (:31055/tcp4), skipping this nodePort: listen tcp4 :31055: socket: too many open files
2s          Warning   listen tcp4 :31422: socket: too many open files   node/127.0.0.1   can't open "nodePort for default/temp-svc:474" (:31422/tcp4), skipping this nodePort: listen tcp4 :31422: socket: too many open files
...

This PR fixes iptables and ipvs proxier.
Since userspace proxier does not seem to be affected by this issue, it is not fixed.

[1] Assume that the fd limit is 1024 (default).
$ ulimit -n
1024
2021-04-01 08:27:51 +09:00
Kubernetes Prow Robot
a651804427
Merge pull request #100687 from dims/switch-to-newer-agnhost-image-2.31
Switch to newer agnhost image - 2.31
2021-03-30 21:54:58 -07:00
Davanum Srinivas
57ddfb7314
Switch to newer agnhost image
We have an update to the image in
f9aaf71ccb, we need to bump to use this
image.

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-03-30 20:15:36 -04:00
Kubernetes Prow Robot
bb89384f39
Merge pull request #100680 from smira/fix-100674
test/e2e: fix the OIDC discovery test with ECDSA service account key
2021-03-30 14:00:58 -07:00
Andrey Smirnov
f9aaf71ccb test/e2e: fix the OIDC discovery test with ECDSA service account key
By default oidc library enables only `RS256` signature validation
method.

Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
2021-03-30 22:58:50 +03:00
Kubernetes Prow Robot
3d48f0d1dd
Merge pull request #100660 from dims/common-auth-plugins-should-always-be-available
Common auth plugins should always be available
2021-03-30 07:11:57 -07:00
Kubernetes Prow Robot
b6ff1370bd
Merge pull request #100638 from tkashem/fix-98697
apf: fix data race in queueset
2021-03-30 05:15:57 -07:00
Davanum Srinivas
b1e9fc4935
Common auth plugins should always be available
Whether `providerless` is present or not, the OIDC plugin
should be available.

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-03-30 06:10:21 -04:00
Abu Kashem
fa0952ee77
apf: fix test flake 2021-03-29 17:25:03 -04:00
Kubernetes Prow Robot
6572fe4d90
Merge pull request #100550 from dims/add-new-iptables-rule-for-local-up-cluster.sh
Add new iptables rule for local-up-cluster.sh
2021-03-29 13:24:09 -07:00
Kubernetes Prow Robot
e33a80bf2a
Merge pull request #100544 from dims/set-some-kube-proxy-params-for-local-up-cluster
Set some kube-proxy parameters for local-up-cluster.sh
2021-03-29 13:23:57 -07:00
Kubernetes Prow Robot
816bdd3011
Merge pull request #100569 from dims/set-jwks-uri-in-local-up-cluster.sh
Set jwks uri in local-up-cluster.sh
2021-03-29 12:17:57 -07:00
Kubernetes Prow Robot
ff09d509ca
Merge pull request #100632 from logicalhan/etcd_deprecation
bump the deprecated version to 1.22
2021-03-29 08:56:46 -07:00
Han Kang
e7ee76efc0 bump the deprecated version to 1.22
Change-Id: Ibefaa94151704fcaaa920541bbb9a8ad714c1d24
2021-03-29 07:54:12 -07:00
Kubernetes Prow Robot
26fc02a9e2
Merge pull request #100606 from dims/providerless-tag-for-client-go-auth-plugins
Providerless tag for client go auth plugins
2021-03-29 07:46:45 -07:00
Kubernetes Prow Robot
fc9ffb4103
Merge pull request #100616 from nikhita/publishing-release-21
staging/publishing: add release-1.21 branch
2021-03-29 03:22:50 -07:00
Nikhita Raghunath
817e0c873d staging/publishing: add go1.15.10 for release-1.20 branch 2021-03-29 14:50:01 +05:30
Nikhita Raghunath
1268d0bb23 staging/publishing: add release-1.21 rules 2021-03-29 14:45:13 +05:30
Davanum Srinivas
1ac2d6f7fa
providerless tag for client-go auth plugins
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-03-28 20:07:59 -04:00
Davanum Srinivas
44d143f6e1
Add new iptables rule for local-up-cluster.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-03-28 11:19:02 -04:00
Kubernetes Prow Robot
770d3f181c
Merge pull request #99734 from wgahnagl/sysctls-conformance
Promote sysctls e2e test to Conformance
2021-03-26 18:26:43 -07:00
Anago GCB
7146eb5931 CHANGELOG: Update directory for v1.21.0-rc.0 release 2021-03-26 22:35:18 +00:00
Kubernetes Prow Robot
9c9af69ea6
Merge pull request #100573 from pacoxu/upgrade-corefile-migration
Update the kubelet log pod status to level 6 as it is so big
2021-03-26 11:26:43 -07:00
Paco Xu
54606db1b4
Update pkg/kubelet/pleg/generic.go
Co-authored-by: Elana Hashman <ehashman@users.noreply.github.com>
2021-03-26 13:19:51 +08:00
Kubernetes Prow Robot
30a261d97c
Merge pull request #100566 from dekkagaijin/patch-1
Update image base to `gcr.io/distroless/base-debian10:latest`
2021-03-25 20:04:43 -07:00
pacoxu
3fc1e0891b Update the kubelet log status to level 6 as it is so big
Signed-off-by: pacoxu <paco.xu@daocloud.io>
2021-03-26 10:09:20 +08:00
Kubernetes Prow Robot
9af6f70f8f
Merge pull request #100571 from puerco/conformance-on-tarballs
Add KUBE_BUILD_CONFORMANCE on package-tarballs target
2021-03-25 19:00:45 -07:00
Adolfo García Veytia (Puerco)
999a1f5c76 Add KUBE_BUILD_CONFORMANCE on package-tarballs target
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
2021-03-25 18:20:36 -06:00
Kubernetes Prow Robot
931516a87b
Merge pull request #100191 from jingxu97/mar/deployment
Fix deployment lifecycle test issue
2021-03-25 17:13:49 -07:00
Kubernetes Prow Robot
447e338e26
Merge pull request #100552 from BenTheElder/prometheus-visibility
add a verify equivalent to prometheus visibility rules
2021-03-25 15:43:46 -07:00
Benjamin Elder
7ede8a2647 add a verify equivalent to prometheus visibility rules 2021-03-25 14:42:10 -07:00
Kubernetes Prow Robot
01f7495b65
Merge pull request #100563 from msau42/revert-azure
Revert #97417 "fix azure file secret not found issue"
2021-03-25 14:27:46 -07:00
Davanum Srinivas
91ca1b12bb
Set jwks uri in local-up-cluster.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-03-25 17:09:58 -04:00
Jake Sanders
2c165506bd
Update image base to gcr.io/distroless/base-debian10:latest
This change:
* Updates the base image to be based on `buster` (vs. the default `stretch`)
* Consumes the fix for [CVE-2021-3449](https://security-tracker.debian.org/tracker/CVE-2021-3449) in https://github.com/GoogleContainerTools/distroless/pull/700
2021-03-25 12:52:34 -07:00
Kubernetes Prow Robot
4333e5caa7
Merge pull request #100553 from adtac/suspend-intfail
job controller: don't mutate shared cache object
2021-03-25 10:31:29 -07:00
Michelle Au
9c169a2122 Revert "fix azure file secret not found issue"
This reverts commit 8d43976b74.

Change-Id: Iefaa0e76489883830ba1c9bdcbc3101bcc33082c
2021-03-25 09:28:50 -07:00
Skyler Clark
c6b99025a6
adds sysctls conformance tests 2021-03-25 09:28:25 -04:00
Kubernetes Prow Robot
5ab4b580de
Merge pull request #100554 from nikhita/branch-smoketests-rules
staging/publishing: add branch-specific smoke tests
2021-03-25 03:49:31 -07:00
Nikhita Raghunath
a2e9727f9b staging/publishing: add branch-specific smoke tests
The `-mod=mod` option is only supported from go1.14. Since `release-1.18`
and `release-1.17` branches use go1.13.15, this commit adds smoke tests
per branch to only add the `-mod=mod` option to branches after
`release-1.18`.

The duplicate smoke test config can be removed once v1.21 is released
and v1.18 is out of support.
2021-03-25 12:48:48 +05:30
Kubernetes Prow Robot
2eb6911e83
Merge pull request #94334 from RaunakShah/volume_provision_perf
Add e2e test to validate performance metrics of volume lifecycle operations
2021-03-24 23:47:29 -07:00
Adhityaa Chandrasekar
0a21157c96 job controller: don't mutate shared cache object
Signed-off-by: Adhityaa Chandrasekar <adtac@google.com>
2021-03-25 06:36:15 +00:00
Adhityaa Chandrasekar
4118dff509 suspend integration tests: run all subtests in pre-submit
Signed-off-by: Adhityaa Chandrasekar <adtac@google.com>
2021-03-25 06:36:00 +00:00
Kubernetes Prow Robot
533931cfe5
Merge pull request #100549 from RaunakShah/fix_snapshot_cleanup
Fix check before deleting PV in Snapshot e2e test
2021-03-24 21:41:29 -07:00
Kubernetes Prow Robot
e34046c81d
Merge pull request #100537 from pohly/storage-capacity-e2e-test
storage e2e: verify CSIStorageCapacity publishing
2021-03-24 20:01:41 -07:00
Kubernetes Prow Robot
bacce2eca6
Merge pull request #100215 from pacoxu/fix/data-race
fix a data race in volume reconciler ut #99815
2021-03-24 20:01:29 -07:00
shahra
6a97ff529d Fix check before deleting PV in Snapshot e2e test 2021-03-24 18:34:44 -07:00
Jing Xu
787559581f Fix deployment lifecycle and ReplicaSet test issue
The pause image should not run sleep commands. This will cause the pod to fail
to start correctly.

See details in issue #100047. We discovered some behavior about
development in certain cases, like new pods failing to start correctly, but this will be further investigated.

Change-Id: I9761bbefa694f6fe51a6f1e7561fa7e566ce4d8f
2021-03-24 18:22:13 -07:00
Kubernetes Prow Robot
bcab4c35d2
Merge pull request #100540 from mauriciopoppe/remove-selinuxoptions
Remove SELinuxOptions double setup in pod spec
2021-03-24 18:01:28 -07:00
Kubernetes Prow Robot
68c021261c
Merge pull request #100519 from tanjing2020/validateOOMScoreAdjSettingIsInRange
Fix the wrong judgment of oom_score_adj
2021-03-24 16:23:28 -07:00
Kubernetes Prow Robot
2a41853329
Merge pull request #100502 from soltysh/nil_in_printerflags
Prevent nil-pointer exception when constructing PrinterFlags
2021-03-24 15:17:29 -07:00