Commit Graph

129461 Commits

Author SHA1 Message Date
Kubernetes Prow Robot
5158ef67a2
Merge pull request #131577 from ndbaker1/automated-cherry-pick-of-#131251-origin-release-1.33
Automated cherry pick of #131251: fix(kubelet): acquire imageRecordsLock when removing image
2025-07-11 18:17:28 -07:00
Kubernetes Prow Robot
f95a538dc5
Merge pull request #132728 from mimowo/automated-cherry-pick-of-#132614-upstream-release-1.33
Automated cherry pick of #132614: Fix validation for Job with suspend=true,completions=0 to set Complete condition
2025-07-11 17:07:28 -07:00
Kubernetes Prow Robot
a95af19070
Merge pull request #132860 from mimowo/automated-cherry-pick-of-#132502-upstream-release-1.33
Automated cherry pick of #132502: Fix flake caused by invalid detection of active policies in VAP integration tests
2025-07-11 13:35:28 -07:00
Michal Wozniak
053e244efb Skip linter validation to allow cherry-pick 2025-07-10 11:30:20 +02:00
Ben Luddy
6a9319c527 Use per-policy marker names for VAP integration tests.
Writes to policy resources don't instantaneously take effect in admission. ValidatingAdmissionPolicy
integration tests determine that the policies under test have taken effect by adding a sentinel
policy rule and polling until that rule is applied to a request.

If the marker resource names are the same for each test case in a series of test cases, then
observing a policy's effect on a marker request only indicates that _any_ test policy is in effect,
but it's not necessarily the policy the current test case is waiting for. For example:

1. Test 1 creates a policy and binding.

2. The policy and binding are observed by the admission plugin and take effect.

3. Test 1 observes that a policy is in effect via marker requests.

4. Test 1 exercises the behavior under test and successfully deletes the policy and binding it
created.

5. Test 2 creates a policy and binding.

6. Test 2 observes that a policy is in effect via marker requests, but the policy in effect is still
the one created by Test 1.

7. Test 2 exercises the behavior under test, which fails because it was evaluated against Test 1's
policy.

Generating a per-policy name for the marker resource in each test resolves the timing issue. In the
example, step (6) will not proceed until the admission plugin has observed the policy and binding
created in (5).
2025-07-10 10:12:40 +02:00
Kubernetes Prow Robot
ecc8d0ae6a
Merge pull request #132337 from hakuna-matatah/automated-cherry-pick-of-#132244-upstream-release-1.33
Automated cherry pick of #132244: 1.33 regression - Consistent paginated lists serve from cache
2025-07-09 21:47:26 -07:00
Kubernetes Prow Robot
54a0ceab5f
Merge pull request #132280 from neolit123/automated-cherry-pick-of-#130782-origin-release-1.33
Automated cherry pick of #130782: Kubeadm issue #3152 ControlPlane node setup failing with "etcdserver: can only promote a learner member"
2025-07-09 09:01:28 -07:00
Kubernetes Prow Robot
e9c25f7a90
Merge pull request #132158 from linxiulei/automated-cherry-pick-of-#132109-release-1.33
Automated cherry pick of #132109: Clean backoff record earlier
2025-07-09 05:43:26 -07:00
Michal Wozniak
068079fb7e Review remarks 2025-07-04 11:28:46 +02:00
Michal Wozniak
3851253305 Fix validation for Job with suspend=true,completions=0 to set Complete condition 2025-07-04 11:28:46 +02:00
Kubernetes Release Robot
f208b6c73d Update CHANGELOG/CHANGELOG-1.33.md for v1.33.2 2025-06-17 19:04:01 +00:00
Kubernetes Release Robot
a57b6f7709 Release commit for Kubernetes v1.33.2 2025-06-17 18:31:31 +00:00
Harish Kuna
d4a4a1d881 Fix - Consistent paginated lists serve from cache 2025-06-16 17:48:00 +00:00
Kubernetes Prow Robot
83613fcfd5
Merge pull request #132316 from HirazawaUi/automated-cherry-pick-of-#132308-upstream-release-1.33
Automated cherry pick of #132308: Kubeadm: fix failing e2e tests
2025-06-16 02:20:58 -07:00
HirazawaUi
05e72aa38d fix kubeadm e2e tests 2025-06-15 13:24:28 +08:00
Kubernetes Prow Robot
2242f6c369
Merge pull request #132226 from cpanato/update-go-1-33
[release-1.33] [go] Bump images, dependencies and versions to go 1.24.4 and distroless iptables
2025-06-13 03:46:57 -07:00
bconry
cb130042b1 Add check to see if promote worked within the retry loop 2025-06-13 10:04:18 +03:00
Carlos Panato
612e055556
Bump images, dependencies and versions to go 1.24.4 and distroless iptables
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
2025-06-11 08:35:06 +02:00
Eric Lin
d2be12ab76 Clean backoff record earlier
Once a job deletion event is received, it cleans the backoff records for that
job before enqueueing the job, so that we avoid a race condition where
syncJob() may incorrectly use stale backoff records for a newly created
job with the same key.

Co-authored-by: Michal Wozniak <michalwozniak@google.com>
2025-06-06 20:45:35 +00:00
Kubernetes Prow Robot
f900f01725
Merge pull request #131987 from gnufied/automated-cherry-pick-of-#131868-upstream-release-1.33
Automated cherry pick of #131868: Remove superfluous expansion calls if controller finished expansion
2025-06-05 18:50:50 -07:00
Kubernetes Prow Robot
ee4b297f37
Merge pull request #131767 from ingvagabund/automated-cherry-pick-of-#131742-upstream-release-1.33
Automated cherry pick of #131742: [sig-scheduling] SchedulerPreemption [Serial] validates various priority Pods preempt expectedly with the async preemption: replace finalizers with preStop hook and TerminationGracePeriodSeconds
2025-06-05 18:50:43 -07:00
Kubernetes Prow Robot
9a90a6cca2
Merge pull request #132098 from gnufied/automated-cherry-pick-of-#131408-upstream-release-1.33
Automated cherry pick of #131408: Remove warning about resizing failed for unknown reason
2025-06-05 14:02:38 -07:00
Kubernetes Prow Robot
6ea58e512b
Merge pull request #131649 from princepereira/automated-cherry-pick-of-#131506-upstream-release-1.33
Automated cherry pick of #131506: Update hnslib version in Windows KubeProxy.
2025-06-05 11:20:38 -07:00
Kubernetes Prow Robot
1fe90c4c7d
Merge pull request #131993 from superbrothers/automated-cherry-pick-of-#131962-upstream-release-1.33
Automated cherry pick of #131962: Revert shorthand for kubectl explain --output
2025-06-05 07:56:42 -07:00
Kubernetes Prow Robot
18edacf576
Merge pull request #131781 from rata/automated-cherry-pick-of-#131623-upstream-release-1.33
Automated cherry pick of #131623: kubelet: userns: Improve errors returned to the user
2025-06-05 04:14:39 -07:00
Kubernetes Prow Robot
6144faccba
Merge pull request #131876 from pohly/automated-cherry-pick-of-#131844-origin-release-1.33
Automated cherry pick of #131844: DRA node: reject static pods which reference ResourceClaims
2025-06-04 11:02:42 -07:00
Hemant Kumar
a792b77906 Remove warning about resizing failed for unknown reason 2025-06-04 11:35:44 -04:00
Hemant Kumar
ea3aa29181 Add tests that validate the return value of resize operation 2025-05-28 11:52:34 -04:00
Kazuki Suda
060a498537
Revert shorthand for kubectl explain --output 2025-05-28 09:30:07 +09:00
Kubernetes Prow Robot
f20adaecd4
Merge pull request #131935 from cpanato/update-go-1.33
[release-1.33] [go] Bump images, dependencies and versions to go 1.24.9 and distroless iptables
2025-05-26 01:43:18 -07:00
Carlos Panato
c4f2287f8a
Bump images, dependencies and versions to go 1.24.9 and distroless iptables
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
2025-05-23 09:14:58 -04:00
Patrick Ohly
1fde2b884c DRA node: reject static pods which reference ResourceClaims
If someone gains the ability to create static pods, they might try to use that
ability to run code which gets access to the resources associated with some
existing claim which was previously allocated for some other pod. Such an
attempt already fails because the claim status tracks which pods are allowed to
use the claim, the static pod is not in that list, the node is not authorized
to add it, and the kubelet checks that list before starting the pod in
195803cde5/pkg/kubelet/cm/dra/manager.go (L218-L222).

Even if the pod were started, DRA drivers typically manage node-local resources
which can already be accessed via such an attack without involving DRA. DRA
drivers which manage non-node-local resources have to consider access by a
compromised node as part of their threat model.

Nonetheless, it is better to not accept static pods which reference
ResourceClaims or ResourceClaimTemplates in the first place because there
is no valid use case for it.

This is done at different levels for defense in depth:
- configuration validation in the kubelet
- admission checking of node restrictions
- API validation

Co-authored-by: Jordan Liggitt <liggitt@google.com>

Code changes by Jordan, with one small change (resourceClaims -> resourceclaims).
Unit tests by Patrick.
2025-05-21 08:40:50 +02:00
Rodrigo Campos
2628e18dab userns: Wrap more errors
Most errors were already wrapped, but these were missing.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-05-15 12:20:04 +02:00
Rodrigo Campos
514da8a95a userns: Improve error returned if userns is not supported
This makes it clear the error comes due to a user namespace
configuration. Otherwise the error returned looks too generic and is not
clear.

Before this PR, the error was:

	  Warning  FailedCreatePodSandBox  1s    kubelet            Failed to create pod sandbox: the handler "" is not known

Now it is:

	  Warning  FailedCreatePodSandBox  1s    kubelet            Failed to create pod sandbox: runtime does not support user namespaces

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-05-15 12:20:04 +02:00
Rodrigo Campos
992924664b userns: Use len to handle empty non-nil slices
When using an old runtime like containerd 1.7, this message is not
implemented and what we get here is an empty non-nil slice. Let's check
the len of the slice instead.

While we are there, let's just return false and no error. In the
following commits we will wrap the error and we didn't find any more
info to add here.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-05-15 12:20:04 +02:00
Kubernetes Release Robot
76747b4eed Update CHANGELOG/CHANGELOG-1.33.md for v1.33.1 2025-05-15 08:46:51 +00:00
Kubernetes Release Robot
8adc0f041b Release commit for Kubernetes v1.33.1 2025-05-15 08:19:07 +00:00
Jan Chaloupka
f240b3abf5 SchedulerPreemption [Serial] validates various priority Pods preempt expectedly with the async preemption: replace finalizers with preStop hook and TerminationGracePeriodSeconds
Finalizers do not work as expected when an informer with a field
selector is used. Any time a pod changing its state gets excluded by the
field selector, a synthetic delete event is issued even though the pod
with a finalizer set is still present. This makes the scheduler
schedule the high and medium priority pods before any of the low
priority pod finalizers is removed. Instead, rely on a preStop hook and
TerminationGracePeriodSeconds to keep all low priority pods included by
the field selector long enough that all high priority pods can set their
.status.nominatedNodeName field.

Also, update the check for how many medium priority pods are expected to
be scheduled. Each node can accept 10 pods of the given extended
resources. Given there are 5 high priority pods created per node, there are
always 5 times the number of nodes spots left for the medium priority pods.
2025-05-14 16:23:46 +02:00
Taha Farahani
cce99a8c73
Automated cherry pick of #130503: Unhandled panic crash on rollout_history printer.PrintObj (#131496)
* Change: Handling nil runtime.Object

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Return only if there is error in rollout_history

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Return the unknown revision error directly in rollout_history.go

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Remove unintended newline

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Using go idiomatic way for checking if historyInfo[o.Revision] exists

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Remove 'error:' from returned error message in rollout_history.go

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Check for printer.PrintObj returned err

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Add TestRolloutHistoryErrors test

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Simple typo fix on Complete() function description

Signed-off-by: Taha Farahani <tahacodes@proton.me>

* Change: Checking for error on o.Complete in TestRolloutHistoryErrors

Signed-off-by: Taha Farahani <tahacodes@proton.me>

---------

Signed-off-by: Taha Farahani <tahacodes@proton.me>
2025-05-14 00:26:54 -07:00
Kubernetes Prow Robot
00ebe85a29
Merge pull request #131636 from gnufied/automated-cherry-pick-of-#131568-upstream-release-1.33
Automated cherry pick of #131568: Disable size checking performed during resize
2025-05-13 23:13:02 -07:00
Kubernetes Prow Robot
5dc469cd4f
Merge pull request #131523 from carlory/automated-cherry-pick-of-#131495-release-1.33
Automated cherry pick of #131495: Handle unsupported node expansion for RWX volumes
2025-05-13 23:12:55 -07:00
Kubernetes Prow Robot
973b3812d6
Merge pull request #131437 from gnufied/automated-cherry-pick-of-#131418-upstream-release-1.33
Automated cherry pick of #131418: Check for newer fields when deciding expansion recovery feature status
2025-05-13 23:12:48 -07:00
Kubernetes Prow Robot
b5a1738ccc
Merge pull request #131708 from tigrato/automated-cherry-pick-of-#131702-upstream-release-1.33
Automated cherry pick of #131702: Panic in `NewYAMLToJSONDecoder`
2025-05-13 05:05:15 -07:00
Kubernetes Prow Robot
3a09aeb4fa
Merge pull request #131679 from mortent/automated-cherry-pick-of-#131662-upstream-release-1.33
Automated cherry pick of #131662: DRA: Fix failure to allocate large number of devices
2025-05-13 03:51:16 -07:00
Tiago Silva
a257be8299
fix: fixes a possible panic in NewYAMLToJSONDecoder
This PR fixes a possible panic caused by decoding a JSON document
followed by a YAML document that is shorter than the first JSON
document.

This can cause a panic because the stream has already consumed the JSON
data. When we fall back to the YAML reader, the YAML reader starts with a zero
offset while the stream's consumed data is non-zero. This could lead to
consuming a negative number of bytes because `d.yaml.InputOffset() -
d.stream.Consumed()` is negative, which will cause a panic.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
2025-05-09 23:37:42 +01:00
Morten Torkildsen
b59deb4914 DRA: Fix failure to allocate large number of devices 2025-05-08 20:03:36 +00:00
Prince Pereira
750d2c02f0 Update hnslib version in Windows KubeProxy. 2025-05-07 09:26:11 -07:00
Kubernetes Prow Robot
d3c7573e54
Merge pull request #131427 from princepereira/automated-cherry-pick-of-#131138-upstream-release-1.33
Automated cherry pick of #131138: Fix for HNS local endpoint being deleted instead of the remote endpoint.
2025-05-06 17:59:13 -07:00
Hemant Kumar
c916dba607 Disable size check for xfs/ext3/ext4 filesystems before expansion 2025-05-06 16:54:51 -04:00
Hemant Kumar
c8f2295d68 Disable disk size checking when calling NeedsResize function 2025-05-06 16:54:51 -04:00