Automatic merge from submit-queue
Fix issue in updating device path when volume is attached multiple times
When volume is attached, it is possible that the actual state
already has this volume object (e.g., the volume is attached to multiple
nodes, or volume was detached and attached again). We need to update the
device path in such situation, otherwise, the device path would be stale
information and cause kubelet mount to the wrong device.
This PR partially fixes issue #29324
Automatic merge from submit-queue
Fix#33784, IN_CREATE event does not guarantee file content written
Fixed#33784.
The CREATE inotify event [here](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/config/file_linux_test.go#L275) is triggered by os.OpenFile(), however the content would be written by the following f.Write(). It will fail if the program try to process the event in between.
IN_CREAE event is triggered by open(2), mkdir(2), link(2), symlink(2), bind(2), but not all of them will guarantee the content is written ([ref](http://man7.org/linux/man-pages/man7/inotify.7.html)). <s>Hence we should not respond to IN_CREATE event for pod creation. I believe listen on IN_MODIFY and IN_MOVED_TO would be sufficient for pod addition&update.
Would like to see the Jenkins test results for further evaluation.
@Random-Liu
Automatic merge from submit-queue
Split NodeDiskPressure into NodeInodePressure and NodeDiskPressure
Added NodeInodePressure as a NodeConditionType. SignalImageFsInodesFree and SignalNodeFsInodesFree signal this pressure. Also added simple pieces to the scheduler predicates so that it takes InodePressure into account.
Automatic merge from submit-queue
Add seccomp and apparmor support.
This PR adds seccomp and apparmor support in new CRI.
This a WIP because I'm still adding unit test for some of the functions. Sent this PR here for design discussion.
This PR is similar with https://github.com/kubernetes/kubernetes/pull/33450.
The differences are:
* This PR passes seccomp and apparmor configuration via annotations;
* This PR keeps the seccomp handling logic in docker shim because current seccomp implementation is very docker specific, and @timstclair told me that even the json seccomp profile file is defined by docker.
Notice that this PR almost passes related annotations in `api.Pod` to the runtime directly instead of introducing new CRI annotation.
@yujuhong @feiskyer @timstclair
Automatic merge from submit-queue
e2e.go / kops: Add ssh-key option to override ssh key
**What this PR does / why we need it**: By default, Jenkins stuffs the ssh key in `/workspace/.aws/kube_aws_rsa`. This allow the SSH key to be overridden easily on the command line.
Automatic merge from submit-queue
wait for federation informer store to catch up before update
Fixes#33838#33880
There is a flake in the federation-controller code where an update to a resource is done too quickly after the create. Because the resource is not yet in the federated informer store, when the reconcile<Resource>() is called, it can't find the resource and treats the change as a create rather than a update.
This causes a failure (actually a panic) in the test code, which expects an update event, not a create, in response to the resource modification.
@derekwaynecarr @apelisse @mwielgus
Automatic merge from submit-queue
Deregister clusters during federated namespace e2e tear down.
This is causing other tests to leak resources.
cc @mwielgus @kubernetes/sig-cluster-federation
When volume is attached, it is possible that the actual state
already has this volume object (e.g., the volume is attached to multiple
nodes, or volume was detached and attached again). We need to update the
device path in such situation, otherwise, the device path would be stale
information and cause kubelet mount to the wrong device.
This PR partially fixes issue #29324
Automatic merge from submit-queue
DeltaFIFO should not report HasSynced until deletes are reported
Deletions identified by knownObjects on the initial sync replace
(immediately after the List from a reflector) should be considered part
of the initial sync since we have the information available at the time
we do the deletion.
An error during Replace() can result in Populated not being set, but it
was incorrect before (population would be wrong) and queueActionLocked
does not error except on "my cache is broken because I gave an incorrect
keyFunc".
@lavalamp @deads2k hit this while trying to use DeltaFIFO to implement an "external" controller (one that uses the knownObjects as provided by a call to a remote system of record).
Not 1.4
Automatic merge from submit-queue
CRI: Fix bug in dockershim to set sandbox id properly.
For https://github.com/kubernetes/kubernetes/issues/33189#issuecomment-249307796.
During debugging `Variable Expansion should allow composing env vars into new env vars`, I found that the root cause is that the sandbox was removed before all containers were deleted, which caused the pod to be started again after succeed.
This happened because the `PodSandboxID` field is not set. This PR fixes the bug.
Some other test flakes are also caused by this
```
Downward API volume should provide node allocatable (cpu) as default cpu limit if the limit is not set
Downward API volume should provide container's memory limit
EmptyDir volumes should support (non-root,0666,tmpfs)
...
```
/cc @yujuhong @feiskyer
Automatic merge from submit-queue
fix loopback authorizer
Fixes the loopback authorizer to properly inspect groups. P0 for security problem.
@liggitt @dims let's get this fixed.
Automatic merge from submit-queue
Fix summary test
Issue was comparing an `unversioned.Time` rather than `time.Time`. I temporarily removed the `[Flaky]` tag so the PR builder will run the test. I will revert that change before submitting.
Automatic merge from submit-queue
Do not probe so aggressively which may lead to unnecessary restarts
@errordeveloper @mikedanese PTAL
I came across a case where etcd restarted about 5-10 times because the load was very high on the machine.
The load seems to have lead to that the `etcd` container occasionally didn't respond to the probe, which caused many restart and made the whole thing even worse.
Maybe we should remove the etcd probe totally? I don't know, what do you think?
This is at least a try to loosen the limits here...
Automatic merge from submit-queue
Replace references to http://releases.k8s.io/HEAD/docs/user-guide/
All of the anchor references are broken right now, so this change fixes that (at least).
I only touched `http://releases.k8s.io/HEAD/docs/user-guide/`, as all files in `docs/user-guide` had been moved, apart `kubectl*` ones (but those aren't referenced anywhere in the code for some reason.
Automatic merge from submit-queue
fix kubectl taint e2e flake: add retries for removing taint
**What this PR does / why we need it**:
Why we need it: recent failures occurred in #29503 are caused by taints removing conflict on nodes, this PR is to fix it. (#33073 fixed taints updating conflict, but not taints removing.)
What this PR does: use `runKubectlRetryOrDie()` instead of `RunKubectlOrDie()` in all the places in "Kubectl taint" e2e tests.
**Which issue this PR fixes** : fixes part of #29503, (would like to keep this issue open for some days more to make sure no other failures occur)
**Special notes for your reviewer**: NONE
**Release note**: NONE
Automatic merge from submit-queue
Provide more detailed error message when pod fails to be success state
Return more detailed error message when it timeouts for waiting for pod to success state.
This PR extends #31895. #31895 is for running and ready state.
It is used for debugging #31561#32980
cc: @lavalamp
Automatic merge from submit-queue
Kubeadm: print information about certificates
Prints basic information about certificates to the user.
Example of `kubeadm init` output:
```
<master/pki> generated Certificate Authority key and certificate:
Issuer: CN=kubernetes | Subject: CN=kubernetes | CA: true
Not before: 2016-09-30 11:19:19 +0000 UTC Not After: 2026-09-28 11:19:19 +0000 UTC
Public: /etc/kubernetes/pki/ca-pub.pem
Private: /etc/kubernetes/pki/ca-key.pem
Cert: /etc/kubernetes/pki/ca.pem
<master/pki> generated API Server key and certificate:
Issuer: CN=kubernetes | Subject: CN=kube-apiserver | CA: false
Not before: 2016-09-30 11:19:19 +0000 UTC Not After: 2017-09-30 11:19:19 +0000 UTC
Alternate Names: [172.18.76.239 10.0.0.1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local]
Public: /etc/kubernetes/pki/apiserver-pub.pem
Private: /etc/kubernetes/pki/apiserver-key.pem
Cert: /etc/kubernetes/pki/apiserver.pem
<master/pki> generated Service Account Signing keys:
Public: /etc/kubernetes/pki/sa-pub.pem
Private: /etc/kubernetes/pki/sa-key.pem
```
Example of `kubeadm join` command:
```
<node/csr> received signed certificate from the API server:
Issuer: CN=kubernetes | Subject: CN=system:node:minion | CA: false
Not before: 2016-09-30 11:28:00 +0000 UTC Not After: 2017-09-30 11:28:00 +0000 UTC
```
Fixes#33642
cc @kubernetes/sig-cluster-lifecycle
Automatic merge from submit-queue
pass loopback config to poststart hooks
Updates post start hooks to take a clientconfig with the new loopback credentials for bootstrapping.
@ericchiang This is a little bit of plumbing, but mainly auth I think.
Automatic merge from submit-queue
Add ECDSA support for service account tokens
Fixes#28180
```release-note
ECDSA keys can now be used for signing and verifying service account tokens.
```
Automatic merge from submit-queue
Add test cases to test the default value of HorizontalPodAutoscaler
Add test cases to test the default value of HorizontalPodAutoscaler.
Automatic merge from submit-queue
Run hack/update-codegen.sh in release-1.4 for generating an updated 1.4 clientset
@caesarxuchao doing steps 1 and 2 as described here https://github.com/kubernetes/kubernetes/pull/33851#issuecomment-250851272
adds apps, authentication, certificates, rbac, and storage.
The reason there are substantial deletions (aside from the oneliner "this package is generated by client-gen with arguments...") is because PR https://github.com/kubernetes/kubernetes/pull/32407 added a resource to the 1.4 clientset even though the resource is not present in 1.4 and the PR is targeted to 1.5. So this corrects that, as a bonus.
Automatic merge from submit-queue
Abstraction of endpoints in leaderelection code
**Problem Statement**:
Currently the Leader Election code is hard coded against the endpoints api. This causes performance issues on large scale clusters due to incessant iptables refreshes, see: https://github.com/kubernetes/kubernetes/issues/26637
The goal of this PR is to:
- Abstract Endpoints out of the leader election code
- Fix a known bug in the event recording
fixes#18386
**Special notes for your reviewer**:
This is a 1st pass at abstracting the details of endpoints out into an interface. Any suggestions around how we we want to refactor this interface is welcome and could be addressed in either this PR or follow on PR.
/cc @ncdc @wojtek-t @rrati
Automatic merge from submit-queue
Apply default image tags for all runtimes
Move the docker-specific logic up to the ImageManager to allow code sharing
among different implementations.
Part of #31459
/cc @kubernetes/sig-node
Automatic merge from submit-queue
Node-ip is not used when cloud provider is used
Currently --node-ip in kubelet is not being used when kubelet is configured with a cloud provider. With this fix, kubelet will get a list of IPs from the provider and parse it to return the one that matches node-ip.
This fixes#23568
