Automatic merge from submit-queue (batch tested with PRs 64503, 64903, 64643, 64987). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Create system:cluster-autoscaler account & role and introduce it to C…
**What this PR does / why we need it**:
This PR adds cluster-autoscaler ClusterRole & binding, to be used by the Cluster Autoscaler (kubernetes/autoscaler repository).
It also updates GCE scripts to make CA use the cluster-autoscaler user account.
User account instead of Service account is chosen to be more in line with kube-scheduler.
**Which issue(s) this PR fixes**:
Fixes [issue 383](https://github.com/kubernetes/autoscaler/issues/383) from kubernetes/autoscaler.
**Special notes for your reviewer**:
This PR might be treated as a security fix since prior to it CA on GCE was using system:cluster-admin account, assumed due to default handling of unsecured & unauthenticated traffic over plain HTTP.
**Release note**:
```release-note
A cluster-autoscaler ClusterRole is added to cover only the functionality required by Cluster Autoscaler and avoid abusing system:cluster-admin role.
action required: Cloud providers other than GCE might want to update their deployments or sample yaml files to reuse the role created via add-on.
```
Investigated issue 63622. The test usually passes. When it does it seems
to take almost 30 seconds for the sample-apiserver to start returning
2xx rather than 4xx to flunder requests. On the failing tests I looked
at it was taking almost 45 seconds for the sample-apiserver to become
healthy. I bumped the wait/timeout in the test for this case to 60
seconds. I also added a log statement to make it easier to track how
long it was taking for the sample-apiserver to come up. Once we have a
bit more history I will log a bug for the long start up time.
Fixed go format error.
Automatic merge from submit-queue (batch tested with PRs 64945, 64977). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix kubeadm init does not inform the users it is pulling images
**What this PR does / why we need it**:
Kubeadm should print a message informing the user that it is pre-pulling images before starting the init sequence, making users aware of the action in progress, which can take some time in environments with poor internet connection.
**Which issue(s) this PR fixes**:
fixes https://github.com/kubernetes/kubeadm/issues/908
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
improve memory footprint of daemonset simulate
**What this PR does / why we need it**:
This is an alternative for https://github.com/kubernetes/kubernetes/pull/64915 (it might be not needed if that PR will merge)
During memory profiling of OpenShift, we noticed a significant amount of object allocations done by `IsControlledBy()`. @sttts found that the `GetObjectReferences()` method is doing a deep-copy of the object references.
This PR simplify the `IsControlledBy()` to just iterate over the ownerRefs, without copying them.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix field removal in mutating admission webhooks
A mutating admission controller webhook doesn't remove object fields
when instructed to.
E.g. when the JSON patch
```
[
{"op": "remove", "path": "/spec/containers/0/resources/limits/fpga-arria10"},
{"op": "add", "path": "/spec/containers/0/resources/limits/fpga-interface-id-524abcf", "value": 1}
]
```
is applied to this pod
```
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
restartPolicy: Never
containers:
-
name: test-pod-container
image: ubuntu:bionic
imagePullPolicy: IfNotPresent
command: [ "ls", "-l", "/" ]
resources:
limits:
fpga-arria10: 1
```
in order to replace the resource name "fpga-arria10" with something understandable
by the device plugin the resulting pod spec still contains the old field plus
a new one. The resulting pod looks like
```
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
restartPolicy: Never
containers:
-
name: test-pod-container
image: ubuntu:bionic
imagePullPolicy: IfNotPresent
command: [ "ls", "-l", "/" ]
resources:
limits:
fpga-arria10: 1
fpga-interface-id-524abcf: 1
```
The patch unmarshals patched JSON into a new empty object instead of
existing one. Otherwise JSON unmarshaling reuses existing maps, keeping
existing entries as specified in the "encoding/json" standard package.
**Release note**:
```release-note
Webhooks for the mutating admission controller now support "remove" operation.
```
A mutating admission controller webhook doesn't remove object fields
when instructed to.
E.g. when the JSON patch
[
{"op": "remove", "path": "/spec/containers/0/resources/limits/fpga-arria10"},
{"op": "add", "path": "/spec/containers/0/resources/limits/fpga-interface-id-524abcf", "value": 1}
]
is applied to this pod
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
restartPolicy: Never
containers:
-
name: test-pod-container
image: ubuntu:bionic
imagePullPolicy: IfNotPresent
command: [ "ls", "-l", "/" ]
resources:
limits:
fpga-arria10: 1
in order to replace the resource name "fpga-arria10" with something understandable
by the device plugin the resulting pod spec still contains the old field plus
a new one. The resulting pod looks like
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
restartPolicy: Never
containers:
-
name: test-pod-container
image: ubuntu:bionic
imagePullPolicy: IfNotPresent
command: [ "ls", "-l", "/" ]
resources:
limits:
fpga-arria10: 1
fpga-interface-id-524abcf: 1
The patch unmarshals patched JSON into a new empty object instead of
existing one. Otherwise JSON unmarshaling reuses existing maps, keeping
existing entries as specified in the "encoding/json" standard package.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix bug excludeCIDRs was not assign in func NewProxier
**What this PR does / why we need it**:
fix bug excludeCIDRs was not assign in func NewProxier
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60699, 63780). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
e2e/storage: parameterize container images
**What this PR does / why we need it**:
The CSI integration test for hostpath was hard-coded to use the latest
stable release of the sidecar and hostpath container images. This
makes sense for regression testing of changes made in Kubernetes
itself, but the same test is also useful for testing the "canary"
images on quay.io before tagging them as a new release or for testing
locally produced images. Both is now possible via command line
parameters.
**Which issue(s) this PR fixes**:
Related-to: kubernetes-csi/docs#23
**Special notes for your reviewer**:
The commit message has usage instructions.
```release-note
NONE
```
/sig storage
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove deprecated option '--enable-custom-metrics'
**Release note**:
```release-note
deprecated and inactive option '--enable-custom-metrics' is removed in 1.11
```
I've been involved with the kubelet network code, including most
of this code, for a couple years and contributed a good number
of PRs for these directories. I've also been a SIG Network
co-lead for couple years.
I've also been on the CNI maintainers team for a couple years.
Automatic merge from submit-queue (batch tested with PRs 64889, 64897). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Don't specify a description for Calico CRDs
**What this PR does / why we need it**:
CRDs have lost the "description" field, so as it stands these won't validate. This is needed to allow Calico to function again.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Ensure directory is created for kubelet configuration
**What this PR does / why we need it**:
Ensure directory is present before writing the config file.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#64887
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64836, 64890). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adds a crictl package for kubeadm installs
Closeskubernetes/kubeadm#811
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This PR packages crictl into a deb and rpm so we can reference / rely on it in kubeadm.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#811
**Special notes for your reviewer**:
I think this change doesn't actually deploy the deb, I'll have to port this over to test-infra, but this is the first step.
Also I might need help on the release note
**Release note**:
```release-note
kubernetes now packages cri-tools (crictl) in addition to all the other kubeadm tools in a deb and rpm.
```
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews @luxas @timstclair
Automatic merge from submit-queue (batch tested with PRs 64881, 64885). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix output of `kubeadm migrate config`
The output should always be valid kubeadmapi.MasterConfiguration YAML.
The general problem was that we printed with fmt.Fprintf but it turns out some of the default values have `%`s in them so this caused Go to think we were missing values that we wanted substituted. We don't want to do any substitution here.
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This PR fixes a small bug that cause kubeadm migrate config to print YAML that was not valid.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#904
```release-note
NONE
```
/cc @luxas @timothysc
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use repo prefix when generating image names
CI defines its own custom repository. The function responsible
for listing all images now takes this into account.
Closeskubernetes/kubeadm#901
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This fixes ci-cross.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#901
**Special notes for your reviewer**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63905, 64855). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Setup dns servers and search domains for Windows Pods
**What this PR does / why we need it**:
Kubelet is depending on docker container's ResolvConfPath (e.g. /var/lib/docker/containers/439efe31d70fc17485fb6810730679404bb5a6d721b10035c3784157966c7e17/resolv.conf) to setup dns servers and search domains. While this is ok for Linux containers, ResolvConfPath is always an empty string for windows containers. So that the DNS setting for windows containers is always not set.
This PR setups DNS for Windows sandboxes. In this way, Windows Pods could also use kubernetes dns policies.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61579
**Special notes for your reviewer**:
Requires Docker EE version >= 17.10.0.
**Release note**:
```release-note
Setup dns servers and search domains for Windows Pods in dockershim. Docker EE version >= 17.10.0 is required for propagating DNS to containers.
```
/cc @PatrickLang @taylorb-microsoft @michmike @JiangtianLi
CI defines its own custom repository. The function responsible
for listing all images now takes this into account.
Closeskubernetes/kubeadm#901
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
