Automatic merge from submit-queue
Convert service account token controller to use a work queue
Converts the service account token controller to use a work queue. This allows parallelization of token generation (useful when there are several simultaneous namespaces or service accounts being created). It also lets us requeue failures to be retried sooned than the next sync period (which can be very long).
Fixes an issue seen when a namespace is created with secrets quotaed, and the token controller tries to create a token secret prior to the quota status having been initialized. In that case, the secret is rejected at admission, and the token controller wasn't retrying until the resync period.
Automatic merge from submit-queue
Mark "RW PD, remove it, then schedule" test flaky
Mark test as flaky while it is being investigated. Tracked by https://github.com/kubernetes/kubernetes/issues/27691
Assigning to @jlowdermilk since he's on call
Automatic merge from submit-queue
Fix initialization of volume controller caches.
Fix `PersistentVolumeController.initializeCaches()` to pass pointers to volume or claim to `storeObjectUpdate()` and add extra functions to enforce that the right types are checked in the future.
Fixes#28076
This allows the user the set "working-dir" in their vsphere.cfg file.
The value should be a path in the vSphere datastore in which the
provider will look for vms.
Automatic merge from submit-queue
Enable setting up Kubernetes cluster in Ubuntu on Azure
Implement basic cloud provider functionality to deploy Kubernetes on
Azure. SaltStack is used to deploy Kubernetes on top of Ubuntu
virtual machines. OpenVpn provides network connectivity. For
kubelet authentication, we use basic authentication (username and
password). The scripts use the legacy Azure Service Management APIs.
We have set up a nightly test job in our Jenkins server for federated
testing to run the e2e test suite on Azure. With the cloud provider
scripts in this commit, 14 e2e test cases pass in this environment.
We plan to implement additional Azure functionality to support more
test cases.
<!-- Reviewable:start -->
---
This change is [<img src="http://reviewable.k8s.io/review_button.svg" height="35" align="absmiddle" alt="Reviewable"/>](http://reviewable.k8s.io/reviews/kubernetes/kubernetes/21207)
<!-- Reviewable:end -->
Automatic merge from submit-queue
Should verify --secure-port and --insecure-port when starting kube-apiserver
When starting kube-apiserver, if we pass the flag `--secure-port` or `--insecure-port` with an invalid value (i.e. < 1 or > 65535), though there is an error message, the apiserver still runs normally. Actually, it should exit (as when not passing the flag `--etcd-servers` does), or else it's meaningless.
This fix is similar to #27762.
Maybe there is still other flags which have to be verified, if found, I will try to fix them.
Before fix:
```
root@vm:/home/paas/zxp/log/kube# kube-apiserver --etcd-servers=http://172.16.1.11:4001 --service-cluster-ip-range=192.168.122.0/24 --insecure-bind-address=0.0.0.0 --logtostderr=false --log-dir=/home/paas/zxp/log/kube --v=10 --secure-port=-1 &
[1] 1500
root@vm:/home/paas/zxp/log/kube# E0623 04:14:15.378332 1500 controller.go:97] Unable to perform initial Kubernetes service initialization: Endpoints "kubernetes" is invalid: [subsets[0].ports[0].port: Invalid value: -1: must be between 1 and 65535, inclusive, subsets[0].ports[0].port: Invalid value: -1: must be between 1 and 65535, inclusive]
[restful] 2016/06/23 04:14:15 log.go:30: [restful/swagger] listing is available at https://172.16.1.11:-1/swaggerapi/
[restful] 2016/06/23 04:14:15 log.go:30: [restful/swagger] https://172.16.1.11:-1/swaggerui/ is mapped to folder /swagger-ui/
E0623 04:14:15.422742 1500 genericapiserver.go:730] Unable to listen for secure (listen tcp: invalid port -1); will try again.
root@vm:/home/paas/zxp/log/kube#
root@vm:/home/paas/zxp/log/kube# E0623 04:14:30.425211 1500 genericapiserver.go:730] Unable to listen for secure (listen tcp: invalid port -1); will try again.
root@vm:/home/paas/zxp/log/kube# ps -ef|grep kube
root 1500 13507 1 04:14 pts/1 00:00:00 kube-apiserver --etcd-servers=http://172.16.1.11:4001 --service-cluster-ip-range=192.168.122.0/24 --insecure-bind-address=0.0.0.0 --logtostderr=false --log-dir=/home/paas/zxp/log/kube --v=10 --secure-port=-1
```
After:
```
root@vm:/home/paas/zxp/log/kube# kube-apiserver --etcd-servers=http://172.16.1.11:4001 --service-cluster-ip-range=192.168.122.0/24 --insecure-bind-address=0.0.0.0 --logtostderr=false --log-dir=/home/paas/zxp/log/kube --v=10 --insecure-port=-1 &
[1] 10570
root@vm:/home/paas/zxp/log/kube# F0623 05:37:16.124206 10570 genericapiserver.go:594] --insecure-port -1 must be between 1 and 65535, inclusive
goroutine 1 [running]:
k8s.io/kubernetes/vendor/github.com/golang/glog.stacks(0x4418400, 0x0, 0x0, 0x0)
/home/paas/zxp/code/k8s/train_test/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:766 +0xb8
k8s.io/kubernetes/vendor/github.com/golang/glog.(*loggingT).output(0x43f7f60, 0xc800000003, 0xc8200e4600, 0x42b2d5a, 0x13, 0x252, 0x0)
/home/paas/zxp/code/k8s/train_test/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:717 +0x259
k8s.io/kubernetes/vendor/github.com/golang/glog.(*loggingT).printf(0x43f7f60, 0xc800000003, 0x32278a0, 0x39, 0xc82037ac90, 0x1, 0x1)
/home/paas/zxp/code/k8s/train_test/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:655 +0x1d4
k8s.io/kubernetes/vendor/github.com/golang/glog.Fatalf(0x32278a0, 0x39, 0xc82037ac90, 0x1, 0x1)
/home/paas/zxp/code/k8s/train_test/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:1145 +0x5d
k8s.io/kubernetes/pkg/genericapiserver.verifyInsecurePort(0xc820199800)
/home/paas/zxp/code/k8s/train_test/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/genericapiserver/genericapiserver.go:594 +0x103
k8s.io/kubernetes/pkg/genericapiserver.ValidateRunOptions(0xc820199800)
/home/paas/zxp/code/k8s/train_test/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/genericapiserver/genericapiserver.go:603 +0x59
k8s.io/kubernetes/pkg/genericapiserver.DefaultAndValidateRunOptions(0xc820199800)
/home/paas/zxp/code/k8s/train_test/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/genericapiserver/genericapiserver.go:607 +0x4e
k8s.io/kubernetes/cmd/kube-apiserver/app.Run(0xc820468b40, 0x0, 0x0)
/home/paas/zxp/code/k8s/train_test/kubernetes/_output/local/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:83 +0x344
main.main()
/home/paas/zxp/code/k8s/train_test/kubernetes/_output/local/go/src/k8s.io/kubernetes/cmd/kube-apiserver/apiserver.go:50 +0x121
[1]+ Exit 255 kube-apiserver --etcd-servers=http://172.16.1.11:4001 --service-cluster-ip-range=192.168.122.0/24 --insecure-bind-address=0.0.0.0 --logtostderr=false --log-dir=/home/paas/zxp/log/kube --v=10 --insecure-port=-1
root@vm:/home/paas/zxp/log/kube#
```
Add EndpointReconcilerConfig to master Config to allow downstream integrators to customize the reconciler
and reconciliation interval when starting a customized master.
Fix PersistentVolumeController.initializeCaches() to pass pointers to volume
or claim to storeObjectUpdate() and add extra functions to enforce that the
right types are checked in the future.
Fixes#28076
The one side effect is that for the "kubectl help" commands a newline
is prepended to output, which will alter the yaml output.
Here we use dedent to format the code to match the output.
hack/update-generated-docs.sh has been run and the affected files have
been added.
Note: for describe.go we added a period to the end of an output message.
Automatic merge from submit-queue
Add support for basic QoS and pod level cgroup management
This PR is a WIP and is tied to this upstream issue #27204
It adds support for creation,deletion and updates of cgroups in Kubernetes.
@vishh PTAL
Please note that the first commit is part of this PR: #27749
cc @kubernetes/sig-node
Signed-off-by: Buddha Prakash <buddhap@google.com>
Automatic merge from submit-queue
Hotfix: Fixup the hyperkube dns manifest from a breaking federation PR
This one has to be cherrypicked into v1.3.0, ref: #27986
@girishkalele @madhusudancs @quinton-hoole @eparis @nikhiljindal @mml @roberthbailey @david-mcmahon
Automatic merge from submit-queue
Use preferred group version when discovery fails due to 403
```
kubectl get pods --as bob
```
Returns:
```
error: failed to negotiate an api version; server supports: map[], client supports: map[autoscaling/v1:{} rbac.authorization.k8s.io/v1alpha1:{} federation/v1alpha1:{} batch/v1:{} v1:{} authentication.k8s.io/v1beta1:{} apps/v1alpha1:{} componentconfig/v1alpha1:{} authorization.k8s.io/v1beta1:{} batch/v2alpha1:{} extensions/v1beta1:{} policy/v1alpha1:{}]
```
It should return:
```
User "deads" cannot "impersonate" "users" with name "bob" in project ""
```
`serverVersions` is empty when discovery fails, thus we fallback to the `preferredGV`.
See openshift/origin#9307 and [openshift/origin/pull/9389](https://github.com/openshift/origin/pull/9389) for further details.
Automatic merge from submit-queue
Refactor func canRunPod
After refactoring, we only need to check `if pod.Spec.SecurityContext == nil` once. The logic is a bit clearer.
Automatic merge from submit-queue
e2e: Allow skipping tests for specific runtimes, skip a few tests under rkt
The main benefit of this is that it gives a developer more useful output (more signal to noise) for things that are known broken on that runtime.
cc @kubernetes/rktnetes-maintainers , @ixdy
I'll run this PR through our jenkins and make sure things look happy and compare to the e2e results for this PR.
