github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 04:06:03 +00:00
Code Issues Projects Releases Wiki Activity
109,991 Commits 42 Branches 7,905 Tags 1.3 GiB
8373f71d82
Commit Graph

109991 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jan Safranek
39f0d78714 Add unit tests for GetPodVolumeNames 2022-08-04 10:51:57 +02:00
Jan Safranek
260912490e Add a coment about handling same volumes with different contexts 2022-08-04 10:51:56 +02:00
Jan Safranek
a01e720a1a Rename IsRWOP 
To be able to update content of the function to other access modes when we
implement SELinux mount for more of them.
 2022-08-04 10:51:54 +02:00
Jan Safranek
1490d51028 Remove noisy log 
The error would be logged every reconciler sync (100 ms).
 2022-08-04 10:51:53 +02:00
Jan Safranek
0793ecee3a Add unit tests for ASW.AddPodToVolume 2022-08-04 10:51:52 +02:00
Jan Safranek
17d850ee0e Add interface for SELinuxOptionsToFileLabel 
github.com/opencontainers/selinux/go-selinux needs OS that supports SELinux
and SELinux enabled in it to return useful data, therefore add an interface
in front of it, so we can mock its behavior in unit tests.
 2022-08-04 10:51:51 +02:00
Jan Safranek
d9f792633d Add AddPodToVolume unit tests with SELinux 2022-08-04 10:51:50 +02:00
Jan Safranek
8d6b721ddd Extract SELinux context error handling into a common func 
Add handlerSELinuxMetricError() which bumps the right metric + either
consumes a SELinux error or lets it propagate up the stack.
 2022-08-04 10:51:48 +02:00
Jan Safranek
4df3f58737 Add SELinux feature check for iSCSI volume plugin 
In theory the check is not necessary, but for sake of robustness and
completenes, let's check SELinuxMountReadWriteOncePod feature gate before
assuming anything about SELinux labels.
 2022-08-04 10:51:47 +02:00
Jan Safranek
49148ddfd0 Extract getSELinuxLabel from AddPodToVolume 
To keep the function smaller.
 2022-08-04 10:51:46 +02:00
Jan Safranek
5c90474f38 Add SELinux mount support to CSI driver 
With some minor refactoring to use common getCSIDriver function.
 2022-08-04 10:51:45 +02:00
Jan Safranek
de7f5b66ed Fix existing unit tests 2022-08-04 10:51:44 +02:00
Jan Safranek
b2e18c0b20 Add metrics for SELinux context mount 
Add separate _errors and _warnings to capture volumes that were rejected
from those will be rejected when the feature is expanded to all access
mode.
 2022-08-04 10:51:43 +02:00
Jan Safranek
48b0751269 Add SELinux context tracking to volume manager 
Both ActualStateOfWorld and DesiredStateOfWorld must track SELinux context
of volume mounts.
 2022-08-04 10:51:41 +02:00
Jan Safranek
4cfb277e8b Implement mounting with -o context= in iSCSI volume plugin 2022-08-04 10:51:31 +02:00
Jan Safranek
cdb3ead5a9 Add SupportsSELinuxContextMount 
Add a new call to VolumePlugin interface and change all its
implementations.

Kubelet's VolumeManager will be interested whether a volume supports
mounting with -o conext=XYZ or not to hanle SetUp() / MountDevice()
accordingly.
 2022-08-04 10:51:28 +02:00
Jan Safranek
f99cf5180e Add SELinux mount option to NewMounter() and MountDevice() 
Let volume plugins decide if they want to mount volumes with "-o
context=XYZ" or let the container runtime relabel the volume on container
startup.

Using NewMounter, as it's the call where a volume plugin gets the other MountOptions.
 2022-08-04 10:51:11 +02:00
Jan Safranek
f2fd9c1c16 Regenerate files 2022-08-04 10:51:01 +02:00
Jan Safranek
189f19a698 Update generation when SELinuxMount is changed 2022-08-04 10:51:00 +02:00
Jan Safranek
3efeeef346 Add CSIDriverSpec.SELinuxMount 
The new field tells Kubernetes if the CSI driver supports mounting of
volumes with -o context=XYZ or not.
 2022-08-04 10:51:00 +02:00
Jan Safranek
34dc6b2587 Add SELinuxMountReadWriteOncePod feature gate 2022-08-04 10:51:00 +02:00
cpanato
90291eea5f
Update publishing-bot rules for go1.17.13 and go1.18.5 
Signed-off-by: cpanato <ctadeu@gmail.com>
 2022-08-04 09:16:13 +02:00
Kubernetes Prow Robot
ef7fc10460
Merge pull request #111677 from dims/stop-panic-in-govet-levee 
Stop panic in govet levee under golang 1.19
 2022-08-03 22:31:46 -07:00
Kubernetes Prow Robot
feec95583a
Merge pull request #111669 from pohly/trim_report_framework 
e2e: trim junit report for Spyglass
 2022-08-03 20:49:58 -07:00
Kubernetes Prow Robot
b661944b65
Merge pull request #110939 from Abirdcfly/deleteutil 
don't quota events.k8s.io events by default
 2022-08-03 20:49:46 -07:00
Adolfo García Veytia (Puerco)
f17efe9278 Update default go version in common.sh to 1.19 
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
 2022-08-03 22:23:21 -05:00
Adolfo García Veytia (Puerco)
7324b781fe Update versions and images to go 1.19 versions 
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
 2022-08-03 22:23:15 -05:00
Adolfo García Veytia (Puerco)
2be8ac828e Update default go to 1.19 in pubbot rules 
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
 2022-08-03 22:05:27 -05:00
Adolfo García Veytia (Puerco)
5d2de18956 Bump test Makefile to final 1.19 
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
 2022-08-03 22:05:03 -05:00
Adolfo García Veytia (Puerco)
79df9e66f3 Update kubecross version to v1.25.0-go1.19-bullseye.0 
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
 2022-08-03 22:04:21 -05:00
Davanum Srinivas
34742f2d2e
run lint-dependencies and follow directions 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2022-08-03 22:00:02 -04:00
Davanum Srinivas
30e2fcd041
Stop panic in govet-levee CI job 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2022-08-03 21:51:01 -04:00
Kubernetes Prow Robot
d4795e4bec
Merge pull request #111620 from Jiawei0227/storageos 
cleanup: Remove storageos volume plugins from k8s codebase
 2022-08-03 18:05:36 -07:00
Kubernetes Prow Robot
0a2ae7ab3a
Merge pull request #111126 from aramase/kms-v2alpha1-impl 
Implement KMS v2alpha1
 2022-08-03 16:41:43 -07:00
Kubernetes Prow Robot
aee13fc3de
Merge pull request #109706 from alexanderConstantinescu/etp-local-svc 
Avoid re-syncing LBs for ETP=local services
 2022-08-03 16:41:36 -07:00
Kubernetes Prow Robot
a0e702763e
Merge pull request #110495 from alexzielenski/atomic-objectreference 
make ObjectReference field ownership granular
 2022-08-03 14:21:48 -07:00
Jiawei Wang
d52cdeae79 cleanup: Remove storageos volume plugins from k8s codebase 2022-08-03 20:19:59 +00:00
Stephen Heywood
88e86a7d98 Revert "e2e: should manage the lifecycle of an APIService" 2022-08-04 08:06:07 +12:00
Kubernetes Prow Robot
442574f3a7
Merge pull request #111513 from jingxu97/july/localstorage 
Promote Local storage capacity isolation feature to GA
 2022-08-03 13:05:59 -07:00
Kubernetes Prow Robot
4b6134b6dc
Merge pull request #111090 from kinvolk/rata/userns-support-2022 
Add support for user namespaces phase 1 (KEP 127)
 2022-08-03 13:05:47 -07:00
Anish Ramasekar
f19f3f4099
Implement KMS v2alpha1 
- add feature gate
- add encrypted object and run generated_files
- generate protobuf for encrypted object and add unit tests
- move parse endpoint to util and refactor
- refactor interface and remove unused interceptor
- add protobuf generate to update-generated-kms.sh
- add integration tests
- add defaulting for apiVersion in kmsConfiguration
- handle v1/v2 and default in encryption config parsing
- move metrics to own pkg and reuse for v2
- use Marshal and Unmarshal instead of serializer
- add context for all service methods
- check version and keyid for healthz

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2022-08-03 19:04:47 +00:00
Kubernetes Prow Robot
d6a3a68afc
Merge pull request #111647 from bobbypage/bump_cadvisor_0_45_0 
vendor: Bump cAdvisor to v0.45.0
 2022-08-03 11:11:53 -07:00
Alexander Zielenski
bd648f3f9e
add regression test of formerly atomic claimRef 2022-08-03 10:57:13 -07:00
Rodrigo Campos
8dc98c9b8e Update autogenerated files 
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2022-08-03 19:53:22 +02:00
Giuseppe Scrivano
b1eaf6a2d9 tests: add e2e tests for userns 
Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2022-08-03 19:53:22 +02:00
Rodrigo Campos
138e80819e kubelet: set user namespace options 
Set the user namespace options to use for the pod.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2022-08-03 19:53:22 +02:00
Giuseppe Scrivano
67b38ffe6e kubelet: propagate errors from namespacesForPod 
it is a preparatory change for the next commit.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 2022-08-03 19:53:22 +02:00
Rodrigo Campos
695b30e91c volume: use GetHostIDsForPod() 
This commit only changes the UID/GID if user namespaces is enabled. When
it is enabled, it changes it so the hostUID and hostGID that are mapped
to the currently used UID/GID. This is needed so volumes are created
with the hostUID/hostGID and the user inside the container can read
them.

If user namespaces are disabled for this pod, this is a no-op: there is
no user namespace mapping, so the hostUID/hostGID are the same as inside
the container.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2022-08-03 19:53:22 +02:00
Rodrigo Campos
d07c2688fe kubelet: add GetHostIDsForPod() 
In future commits we will need this to set the user/group of supported
volumes of KEP 127 - Phase 1.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2022-08-03 19:53:22 +02:00
Giuseppe Scrivano
9b2fc639a0 kubelet: add GetUserNamespaceMappings to RuntimeHelper 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 2022-08-03 19:53:22 +02:00