Automatic merge from submit-queue
Add aleksandra-malinowska to cluster-autoscaler salt definition owners
@aleksandra-malinowska is working on Cluster Autoscaler so she should be added to reviewers and approvers.
Automatic merge from submit-queue
Reduce Cluster Autoscaler cpu request to 10m
We are super tight on 1 cpu master node. With the recent changes we cannot fit to the master if request is bigger than 10m.
cc: @gmarek @MaciekPytel @aleksandra-malinowska
Automatic merge from submit-queue
Update addons with upstream CVE fixes
**What this PR does / why we need it**: refreshes the kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for the following vulnerabilities:
* CVE-2016-4448
* CVE-2016-9841
* CVE-2016-9843
* CVE-2017-1000366
* CVE-2017-2616
* CVE-2017-9526
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47386 (yay!)
**Special notes for your reviewer**:
**Release note**:
```release-note
Update kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for CVE-2016-4448, CVE-2016-9841, CVE-2016-9843, CVE-2017-1000366, CVE-2017-2616, and CVE-2017-9526.
```
/assign @bowei @MrHohn @Q-Lee @crassirostris @dnardo
/cc @dchen1107 @timstclair
Automatic merge from submit-queue (batch tested with PRs 47380, 47839)
Add liveness probe for cluster autoscaler
Configure a liveness probe for cluster autoscaler.
Automatic merge from submit-queue
hide operator when describe pod with empty value tolerations
**What this PR does / why we need it**:
The tolerations printing in `kubectl descirbe pod` is not correct when toleration.value is empty, this PR is to fix it.
Before:
```
Tolerations: node.alpha.kubernetes.io/notReady=:Exists:NoExecute for 300s
node.alpha.kubernetes.io/unreachable=:Exists:NoExecute for 300s
```
After:
```
Tolerations: node.alpha.kubernetes.io/notReady:NoExecute for 300s
node.alpha.kubernetes.io/unreachable:NoExecute for 300s
```
Also updated tests to cover all possible cases of describing pod with tolerations. See changes in of `TestDescribePodTolerations()` in `describe_test.go`
**Which issue this PR fixes**:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Create e2e test of cluster autoscaler working with pod anti-affinity
Test to verify cluster is scaled up when there are pending pods that cannot be scheduled due to anti-affinity, issue: kubernetes/autoscaler#30
Automatic merge from submit-queue
Remove initial resources e2e
This is just a cleanup PR. We won't continue initial resources effort. It is dropped in favor of VPA developed in kubernetes/autoscaler.
cc: @piosz @jszczepkowski @kgrygiel
Automatic merge from submit-queue (batch tested with PRs 42252, 42251, 42249, 47512, 47887)
Bump the memory request/limit for ip-masq-daemon.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
issue #47865
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 42252, 42251, 42249, 47512, 47887)
fix HostAliases' json keys to be hostAlias instead of hostMapping to reflect actual feature name
**What this PR does / why we need it**: a rename was introduce during the middle of #44641 to change from `hostMappings` to `hostAliases`. the Go structs were updated, but I neglected to update the json keys. They should be in sync.
**Special notes for your reviewer**: I messed up. This is an API change. I hope this is still ok to be in the 1.7 release.
**Release note**:
```release-note
HostAliases is now parsed with `hostAliases` json keys to be in line with the feature's name.
```
Automatic merge from submit-queue (batch tested with PRs 42252, 42251, 42249, 47512, 47887)
volumes: simplify append-to-slice code
Minor simplification - can append to empty/nil slice.
Part of #40583
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42252, 42251, 42249, 47512, 47887)
volumes: promote some logs from info -> warning
Part of #40583
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47878, 47503, 47857)
restore working aggregator and avoid duplicate informers
Fixes https://github.com/kubernetes/kubernetes/issues/47866
This runs the informer all the way through and makes sure its started.
@lavalamp ptal
@kubernetes/sig-api-machinery-bugs
Automatic merge from submit-queue (batch tested with PRs 47878, 47503, 47857)
Remove controller node plugin driver dependency for non-attachable fl…
…ex volume drivers (Ex: NFS).
**What this PR does / why we need it**:
Removes requirement to install flex volume drivers on master node for non-attachable drivers likes NFS.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47109
```release-note
Fixes issue w/Flex volume, introduced in 1.6.0, where drivers without an attacher would fail (node indefinitely waiting for attach). Drivers that don't implement attach should return `attach: false` on `init`.
```
Automatic merge from submit-queue
Bump Cluster Autoscaler to 0.6.0-beta1
This is a part of the release process of CA 0.6 with K8S 1.7. This version fixes bugs spotted in CA 0.6.0-alpha2.
Automatic merge from submit-queue
Regenerate docs (if necessary) during cherry-pick operations.
This change ensures that cherrypicks are coupled with any related doc generation required.
closes#44533
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert "[Federation] Fix federated service reconcilation issue due to addition of External…"
Reverts kubernetes/kubernetes#45798
Reverting the temporary fix as the problem is fixed in #45869.
with that fix federation also can default ExternalTrafficLocalOnly if not set.
Issue: #45812
cc @MrHohn @madhusudancs @kubernetes/sig-federation-bugs
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
bump the gke-cert-controller wokers to match it's qps
This increases Issuance per second from 2.5 csrs to 5 csrs which is the theoretical limit with the current client side rate limiting.
Issue https://github.com/kubernetes/kubernetes/issues/47855
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert 44714 manually
#44714 broke backward compatibility for old swagger spec that kubectl still uses. The decision on #47448 was to revert this change but the change was not automatically revertible. Here I semi-manually remove all references to UnixUserID and UnixGroupID and updated generated files accordingly.
Please wait for tests to pass then review that as there may still be tests that are failing.
Fixes#47448
Adding release note just because the original PR has a release note. If possible, we should remove both release notes as they cancel each other.
**Release note**: (removed by caesarxuchao)
UnixUserID and UnixGroupID is reverted back as int64 to keep backward compatibility.
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
Revert "Merge pull request #43946 from jhorwit2/jah/host-path-psp"
fixes#47863
This reverts commit b5eadb5d6b, reversing
changes made to 1889d654f5.
**What this PR does / why we need it**:
Revert whitelist host paths in psp due to API concerns. Please refer to https://github.com/kubernetes/kubernetes/pull/47811 for the concerns.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
cc @liggitt @ericchiang @smarterclayton
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Fix rawextension decoding in update
Fixes https://github.com/kubernetes/kubernetes/issues/47842
The `Create` handler was correctly decoding into the internal version, but the `Update` handler was not.
Top-level objects were not affected, because the type of the `New()` object returned by the rest handler governs the destination group/version/kind.
If a field within the object is of type `RawExtension`, and converts to a `runtime.Object` field in the internal object, the `runtime.Object` field provides no information about the desired group/version/kind, so the decoder's groupversioner governs.
This would manifest as the resthandler's Update function being given an internal top-level object with it's runtime.Object field containing an external object.
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Adding alpha feature gate to node statuses from local storage capacity isolation.
**What this PR does / why we need it**: The Capacity.storage node attribute should not be exposed since it's part of an alpha feature. Added an feature gate.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47809
There should be a test for new statuses in the alpha feature. Will include in a different PR.
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Clear auth config when gcp app default credentials fail
**What this PR does / why we need it**:
Specific use case is when utilizing multiple gcp accounts, the user may provide credentials for the wrong account.
This change ensures the incorrect credentials are not cached in auth config, and logs an appropriate message.
**Which issue this PR fixes** : fixes#38075
**Special notes for your reviewer**:
**Release note**:
```release-note
Tokens retrieved from Google Cloud with application default credentials will not be cached if the client fails authorization
```
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
not allow backsteps in local volume plugin
**Which issue this PR fixes** : fixes#47207
**Special notes for your reviewer**:
cc @msau42 @ddysher
Just follow @liggitt [commented](https://github.com/kubernetes/kubernetes/issues/47107#issuecomment-306831175).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
remove unused constant
**What this PR does / why we need it**:
In flexvolume constant definitions, fix typo StatusFailure string to "Failure", not "Failed" at
b359034817/pkg/volume/flexvolume/flexvolume_util.go (L45)
**Which issue this PR fixes** _(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)_: fixes #
#34510
**Special notes for your reviewer**:
Simple string literal change, but hopefully will prevent future confusion for developers.
Automatic merge from submit-queue
Add E2E tests for Azure internal loadbalancer support, fix an issue for public IP resource deletion.
**What this PR does / why we need it**:
- Add E2E tests for Azure internal loadbalancer support: https://github.com/kubernetes/kubernetes/pull/43510
- Fix an issue that public IP resource not get deleted when switching from external loadbalancer to internal static loadbalancer.
**Special notes for your reviewer**:
1. Add new Azure resource tag to Public IP resources to indicate kubernetes managed resources.
Currently we determine whether the public IP resource should be deleted by looking at LoadBalancerIp property on spec. In the scenario 'Switching from external loadbalancer to internal loadbalancer with static IP', that value might have been updated for internal loadbalancer. So here we're to add an explicit tag for kubernetes managed resources.
2. Merge cleanupPublicIP logic into cleanupLoadBalancer
**Release note**:
NONE
CC @brendandburns @colemickens
Automatic merge from submit-queue
Separate serviceaccount and secret storage config
Fixes#47815, and is required in order to enable the secret encryption feature with a recommended configuration
This passes distinct storage options for serviceaccounts and secrets, since secrets can now have an encrypting transformer associated with them
