The conntrack reconciler maintains the consistency between the
conntrack table on each node and the desired state of Kubernetes UDP services.
A valid entry matches a service's ClusterIP, LoadBalancerIP, or ExternalIP and Service port,
or any ip matching a NodePort, and has a reverse source IP matching an active endpoint for
that service. Other entries are deleted.
Services without endpoints and traffic not handled by kube-proxy are ignored
Co-authored-by: Daman Arora <aroradaman@gmail.com>
Before, containers with the PostStart sleep lifecycle hook would cause
null pointer panics due to a typo in the field name being checked. This
commit fixes that.
The check also needs to be done on the oldPodSpec, rather than the
podSpec, so that existing workloads which use the zero value continue
functioning in the same way.
Added tests to check that if NodeRules, ClusterRoles, and NamespaceRoles
include `List`, it also include `Watch`.
Signed-off-by: Mitsuru Kariya <mitsuru.kariya@nttdata.com>
Starting from version 1.32, the client feature `WatchListClient` has been
set to `true` in `kube-controller-manager`.
(commit 06a15c5cf9)
As a result, when the `kube-controller-manager` executes the `List` method,
it utilizes `Watch`. However, there are some existing controller roles that
include `List` but do not include `Watch`. Therefore, when processes using
these controller roles execute the `List` method, `Watch` is executed first,
but due to permission errors, it falls back to `List`.
This PR adds `Watch` to the controller roles that include `List` but do not
include `Watch`.
The affected roles are as follows (prefixed with `system:controller:`):
- `cronjob-controller`
- `endpoint-controller`
- `endpointslice-controller`
- `endpointslicemirroring-controller`
- `horizontal-pod-autoscaler`
- `node-controller`
- `pod-garbage-collector`
- `storage-version-migrator-controller`
Signed-off-by: Mitsuru Kariya <mitsuru.kariya@nttdata.com>
Due to a recent change in k8s.io/gengo/v2, the register-gen is
missing 2 imports.The imports were previously auto inserted during
the code generation by k8s.io/gengo/v2.
Now, instead, they are directly imported by the register-gen.
An output_tests has been added to register-gen. This generates an
example, which would have been invalid with these changes.
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
IIUC, before using the translator handler, the ping data can be delivered from
the client to the runtime side since kube-apiserver does not parse any client
data. However, with WebSocket, the server responds with a pong to the client
without forwarding the data to the runtime side. If a proxy is present, it may
close the connection due to inactivity. SPDY's PingPeriod can help address this
issue.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
Co-authored-by: Antonio Ojea <aojea@google.com>
(cherry picked from commit dc59c0246f)
Signed-off-by: Wei Fu <fuweid89@gmail.com>
This should reduce the number of slow (100ms) LIST requests when there
are no ResourceQuota objects present in the namespace. The behavior
stays virtually the same.
Set expected slice fields in the reactor function instead of
test cleanup instead of doing it in the test cleanup.
This should fix the test failure caused by kubelet calling reactor function
before the test cleanup sets the deleteCollectionForDriver variable.
