Automatic merge from submit-queue
Function annotation modification
“return kl.pleg.Healthy()”,Based on the return function,"healty" to "healthy" better
Automatic merge from submit-queue
change unconfined_t to spc_t
**What this PR does / why we need it**:
When installing kube via kubeadm on a system w/ selinux enabled, it's necessary to disable selinux in order for the etcd and kube-discovery containers to run.
The kube etcd and discovery pods are currently set to unconfined_t in order to avoid disabling selinux, but the correct type for an unconfined container is spc_t. For more information, see http://danwalsh.livejournal.com/2016/10/03/.
Automatic merge from submit-queue
build: don't call unset_platform_envs before building
**What this PR does / why we need it**: unbreaks local builds that override `GOROOT`.
It partially reverts #37665, but the sub-shelling introduced in #37665 remains and should continue to fix#37079.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#37802
cc @jsafrane @sttts @sebgoa @iTagir
Automatic merge from submit-queue
Fix conditional in log-dump.sh
I think a `-n` was unintentionally changed to a `-z` in #37646, [here](a1bd743118 (commitcomment-20039393)), which caused us to stop collecting master/node logs. This undoes that change.
cc @zmerlynn @spxtr @krzyzacy @jingxu97 @saad-ali
Automatic merge from submit-queue
Bug fix. Incoming UDP packets not reach newly deployed services
**What this PR does / why we need it**:
Incoming UDP packets not reach newly deployed services when old connection's state in conntrack is not cleared. When a packet arrives, it will not go through NAT table again, because it is not "the first" packet. The PR fix the issue
**Which issue this PR fixes**
Fixes#31983
xref https://github.com/docker/docker/issues/8795
Automatic merge from submit-queue
rescale immediately if the basic constraints are not satisfied
refactor reconcileAutoscaler.
If the basic constraints are not satisfied, we should rescale the target ref immediately.
Automatic merge from submit-queue
Keep host port socket open for kubenet
fixes#37087
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
NONE
```
When cni is set to kubenet, kubelet should hold the host port socket,
so that other application in this node could not listen/bind this port
any more. However, the sockets are closed accidentally, because
kubelet forget to reconcile the protocol format before comparing.
@kubernetes/sig-network
Automatic merge from submit-queue
Unify fluentd-gcp configurations
There're two different configs and two different pod specs for fluentd agent for GCL: one for GCI and one for CVM. This PR makes it possible to use only one config and only one pod spec.
CC @piosz
Automatic merge from submit-queue
Enable updates in unit test for federated daemonset controller
Fixes flakiness in federated daemonset controller unit tests. Adds an option to rerun the tests multiple times.
cc: @nikhiljindal @madhusudancs
Automatic merge from submit-queue
configure local-up-cluster.sh to handle auth proxies
Builds on https://github.com/kubernetes/kubernetes/pull/36707. Last commit only.
This adds the ability to have an auth proxy provide user info with secured client-cert to the API server.
@sttts
Automatic merge from submit-queue
fix rbac informer. it's listers are all internal
Fixes https://github.com/kubernetes/kubernetes/issues/37615
The rbac informer still uses internal types in its listers, which means it must use internal clients for evaluation. Since its running inside the API server, this seems ok for now and we can/should fix it when generated informers come along. This just patches us to keep RBAC working.
@kubernetes/sig-auth @sttts @liggitt this is broken in master, let's get it sorted quickly.
Automatic merge from submit-queue
add kubectl get rolebindings/clusterrolebindings -o wide
Use "-o wide" to get more information of roleRef/subjects
`kubectl get rolebindings -o wide`
|NAME | AGE | ROLE | USERS | GROUPS | SERVICEACCOUNTS|
|:-------|:-------|:-------|:-------|:-------|:-------|
|admin-resource-binding |1s | Role/admin-resource-role | test | | |
`kubectl get clusterrolebindings -o wide`
|NAME|AGE|ROLE|USERS|GROUPS|SERVICEACCOUNTS|
|:-------|:-------|:-------|:-------|:-------|:-------|
|cluster-admin|27s|cluster-admin| |system:masters| |
|system:basic-user|27s|system:basic-user| |system:authenticated, system:unauthenticated | |
|system:controller:replication-controller|27s|system:controller:replication-controller | | |kube-system/replication-controller|
|system:discovery |27s|system:discovery| |system:authenticated, system:unauthenticated| |
Automatic merge from submit-queue
Adds termination hook in reboot test for debugging
From #33405 and #36230.
Logs the SSH command issued for dropping inbound / outbound traffic to file and dump it out when test ends.
The first `sudo iptables -t filter -nL` is called to confirm the rules are injected. The second `sudo iptables -t filter -nL` is to check whether the rules get clobbered. Adds `date` in between to check time frame.
@bprashanth @freehan
Automatic merge from submit-queue
auth delegation role
Add a bootstrap role for authentication and authorization delegation. Useful for extension API servers.
@kubernetes/sig-auth
Automatic merge from submit-queue
RunnningContainerStatues spelling mistake
runtime.go:in the function GetRunningContainerStatuses, runnningContainerStatues spelling mistake, modified into runningContainerStatus
Automatic merge from submit-queue
Add `clusterid`, an optional parameter to storageclass.
At present, admin doesn't have the privilege to chose the
trusted storage pool from which persistent gluster volume
has to be provided.
This patch introduce a new storage class parameter which allows
the admin to specify storage pool/cluster if required.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Automatic merge from submit-queue
local-up-cluster: avoid sudo for control plane
Only run control plane as root if the CERT_DIR is not writable.
Makes it easier to use e.g. delve against control plane processes.
Automatic merge from submit-queue
Activate client certs in local-cluster-up.sh for RBAC
- set up client certs for each component in local-cluster-up.sh
Automatic merge from submit-queue
clear impersonation headers
If you clone a request that came in after impersonation, you were also cloning the impersonation headers that came with it. These seem roughly analogous to the `Authorization` header, so this clears them.
@kubernetes/sig-auth
Automatic merge from submit-queue
Add the system verification test to the kubeadm preflight checks
And refactor the system verification test to accept to write to a specific writer in order to customize the output
This PR is targeting v1.5, PTAL
cc @Random-Liu @dchen1107 @kubernetes/sig-cluster-lifecycle
Automatic merge from submit-queue
Add namespace index for limit ranger
Without this PR I'm seeing a huge number of lines like this:
```
Index with name namespace does not exist
```
Those are coming from LimitRanger admission controller - this PR fixes those.
Automatic merge from submit-queue
[kubeadm] use iteration instead of recursion in function
**What this PR does / why we need it**:
before this PR, function `attemptToUpdateMasterRoleLabelsAndTaints` recursively call itself. there are some defeats in it:
1. potential stack overflow.
2. unnecessary extra `json.Marshal` calls.
3. unnecessary extra `client.Nodes().List` calls.
this PR rewrite `attemptToUpdateMasterRoleLabelsAndTaints` function, use iterate instead of recursion.
so these 3 defeats the metioned above are gone.
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
Automatic merge from submit-queue
fix forbid clusterrole with namespace
run `kubectl get clusterroles --all-namespaces`
old version
return error message:
```
NAMESPACE NAME AGE
clusterRole is not namespaced
clusterRole is not namespaced
clusterRole is not namespaced
clusterRole is not namespaced
clusterRole is not namespaced
clusterRole is not namespaced
clusterRole is not namespaced
```
```release-note
Add error message when trying to use clusterrole with namespace in kubectl
```
Automatic merge from submit-queue
Don't update gcloud in cluster/*/util.sh
**What this PR does / why we need it**:
Removes automatic gcloud update commands from `cluster/gce/util.sh`, `cluster/gke/util.sh`. Setting env `KUBE_PROMPT_FOR_UPDATE=y` will update required components, otherwise it will only verify that required components are present and at a minimum required version.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#35834
**Special notes for your reviewer**:
Inline python is nasty but I *really* don't want to do version comparison in bash. Open to other suggestions for verifying required version of gcloud components. cc @kubernetes/sig-cluster-lifecycle, @kubernetes/sig-testing
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
`kube-up.sh`/`kube-down.sh` no longer force update gcloud for provider=gce|gke.
```
