Automatic merge from submit-queue
append an abac rule for $KUBE_USER.
Allows the specified basic-auth credentials to be authorized against all resources.
Fixes#28869.
This operation takes 2-5 seconds on every build, but doesn't actually need to
run most of the time. Now we cache it and see if it needs a rebuild (fast)
before actually rebuilding (slow).
Previously even 'make clean' would first produce dependency information (slow)
and sinclude all the metadata, possibly restarting the make, before removing
the things it just did.
Now dependencies are only processed when something explicitly depends on them,
by calling 'make' on the rules around generated files, rather than sincluding
them.
Net result: make clean is faster and safer. Additionally, bash tab-completion
for 'make' does not run the slow 'find' any more.
Automatic merge from submit-queue
Updating federation controllers to use release_1_4 clientset instead of release_1_3 clientset
release_1_4 client was introduced in https://github.com/kubernetes/kubernetes/pull/26588.
Motivation for this change: All changes are now being done to release_1_4 clientset. Namespaces for ex is included in federation_release_1_4 clientset but not in federation_release_1_3.
cc @caesarxuchao @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
Add load balancer in front of apiserver in HA master setup
The first commit is just https://github.com/kubernetes/kubernetes/pull/29201 and has been already LGTMed.
Second commit has some small fixes:
1. Precompute REGION variable in config
2. Add timeout for waiting for loadbalancer
3. Fix kube-down so that it doesn't delete some resources if there are still masters/nodes in other zones
Second commit also fixes bug in https://github.com/kubernetes/kubernetes/pull/29201 where variable `REGION` was unset in `kube-down` when deleting master IP. The bug caused leaking of IP addresses.
https://github.com/kubernetes/kubernetes/issues/21124
@davidopp @jszczepkowski @wojtek-t @mikedanese
Automatic merge from submit-queue
Revert "Drop support for --gce-service-account, require activated creds"
Reverts kubernetes/kubernetes#28802
This appears to break the soak tests with "invalid grant" errors -- see the recent batch of errors in #27920.
Automatic merge from submit-queue
Fix Windows terminal handling
Fix some issues with Windows terminal handling with respect to TTYs that came up as part of the
code that adds support for terminal resizing.
cc @smarterclayton @sttts @csrwng
Automatic merge from submit-queue
Allow for overriding throughput in load test
We seem to be already supporting higher throughput that what the default is.
I'm going to increase the throughput in our tests:
- speed up scalability tests
- ensure that what I'm seeing locally is really the repeatable case
This PR is a short preparation for those experiments.
[Ideally, I would like to have kubemark-500 to be finishing within 30 minutes. And I think this should be doable pretty soon.]
@gmarek
Automatic merge from submit-queue
rkt: Don't return if the service file doesn't exist when killing the pod
Remove an unused logic. Also this prevents the KillPod() from failing
when the service file doesn't exist. E.g., it can be removed by garbage
collection in a rare case:
1, There are already more than `gcPolicy.MaxContainers` containers running
on the host.
2, The new pod(A) starts to run but doesn't enter 'RUNNING' state yet.
3, GC is triggered, and it sees the pod(A) is in an inactive state (not running),
and the it needs to remove the pod to force the `gcPolicy.MaxContainers`.
4, GC fails to remove the pod because `rkt rm` fails when the pod is running,
but it removes the service file anyway.
5, Follow up KillPod() call will fail because it cannot find the service file
on disk.
Also this is possible only when the pod has been in prepared state for longer
than 1 min, which sounds like another issue.
cc @kubernetes/sig-rktnetes
Automatic merge from submit-queue
use a separate queue for initial quota calculation
When the quota controller gets backed up on resyncs, it can take a long time to observe the first usage stats which are needed by the admission plugin. This creates a second queue to prioritize the initial calculation.
Automatic merge from submit-queue
Improve scheduler throughput
Ref #28590
This improves scheduler throughput by another 10-15%.
@davidopp @kubernetes/sig-scheduling
Automatic merge from submit-queue
Change some node e2e test to use the prepull image framework.
Fix https://github.com/kubernetes/kubernetes/issues/28868.
Node e2e test framework pre-pulls all images in [image_list.go](bc2f223f5a/test/e2e_node/image_list.go)
All node e2e test should use image from the "image_list". If a test needs new image, we should update the image_list to include the new image.
/cc @kubernetes/sig-node to notice people to use `image_list` when adding test. :)
Automatic merge from submit-queue
Optimise getAPIGroupVersion function in genericapiserver.go
About the newAPIGroupVersion and the getAPIGroupVersion function in genericapiserver.go, I think they can optimise.
Automatic merge from submit-queue
Fix init container update validation for pods
Partial fix#26840
The remaining issues with `kubectl apply` on pods with init containers
are caused by temporary annotation-based representation and
will resolve themselves once init containers leave alpha state.
Also, this PR makes sure internal and external objects don't get mixed up by the
PATCH handler (see related issue #25106).
This PR is an alternative for #28557 which met criticism from @smarterclayton
and @liggitt for working around the temporary issue with annotations.
#28557 is a full fix for #26840 and contains an e2e test that cannot pass
without the `VolumeMounts` workaround. As there appears to be no
good way to include an e2e test that's known to be failing in k8s source,
I've removed it from this PR.
Either this PR or #28557 should be applied, but not both.
Automatic merge from submit-queue
add tokenreviews endpoint to implement webhook
Wires up an API resource under `apis/authentication.k8s.io/v1beta1` to expose the webhook token authentication API as an API resource. This allows one API server to use another for authentication and uses existing policy engines for the "authoritative" API server to controller access to the endpoint.
@cjcullen you wrote the initial type
Automatic merge from submit-queue
adds source debug build options
See issue & discussion here: #28227
Enables source debugging the Kubernetes binaries with tools like delve by providing the user with the ability to provide debug build options to the glang compiler.
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
Automatic merge from submit-queue
Fix "PVC Volume not detached if pod deleted via namespace deletion" issue
Fixes#29051: "PVC Volume not detached if pod deleted via namespace deletion"
This PR:
* Fixes a bug in `desired_state_of_the_world_populator.go` to check the value of `exists` returned by the `podInformer` so that it can delete pods even if the delete event is missed (or fails).
* Reduces the desired state of the world populators sleep period from 5 min to 1 min (reducing the amount of time a volume would remain attached if a volume delete event is missed or fails).
