Automatic merge from submit-queue
SELinux Overhaul
Overhauls handling of SELinux in Kubernetes. TLDR: Kubelet dir no longer has to be labeled `svirt_sandbox_file_t`.
Fixes#33351 and #33510. Implements #33951.
Automatic merge from submit-queue
Add SNI support to the apiserver
This PR adds the `--tls-sni-key-cert` flag to the apiserver. It can be passed multiple times in the following ways:
``` shell
$ apiserver \
--tls-sni-cert-key '*.example.com,example.com: example.key,example.crt' \
--tls-sni-cert-key 'foo.key,foo.crt'
```
The first variant explicitly sets the accepted domain names, the second variant reads the common names and DNS names from the certificate itself.
If no domain name matches, the existing certificate (`--tls-cert-file`) is used.
``` golang
fs.Var(config.NewNamedCertKeyArray(&s.SNICertKeys), "tls-sni-cert-key", ""+
"A pair of x509 certificate and private key file paths, optionally prefixed with a list of "+
"domain patterns which are fully qualified domain names, possibly with prefixed wildcard "+
"segments. If no domain patterns are provided, the names of the certificate are "+
"extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns "+
"trump over extracted names. For multiple key/certificate pairs, use the "+
"--tls-sni-key-cert multiple times. "+
"Examples: \"example.key,example.crt\" or \"*.foo.com,foo.com:foo.key,foo.crt\".")
```
``` release-note
Add SNI support to the apiserver
Pass multiple certificates and domain name patterns with `--tls-sni-cert-key` and the right certificate will be chosen depending on the url the client is using.
```
Automatic merge from submit-queue
Correct the article in generated documents
**What this PR does / why we need it**:
Fix the article in generated docs for "create/delete [article] [kind]"
**Which issue this PR fixes**
fixes#32305
**Special notes for your reviewer**:
None
**Release note**:
``` release-note
Correct the article in generated documents
```
For example:
"a Ingress" > "an Ingress"
Automatic merge from submit-queue
Alternative unsafe copy
Have run this for 2 hours in the stresser without an error (no guarantee).
@wojtek-t can we do a 500 kubemark run with this prior to merge?
Automatic merge from submit-queue
Update PodAntiAffinity to ignore calls to subresources
@smarterclayton I hit this when I was trying to evict a pod, apparently k8s does not have this particular admission plugin on by default. ptal
@mml @davidopp fyi
Automatic merge from submit-queue
Allow apiserver to choose preferred kubelet address type
Follow up to #33718 to stay compatible with clusters using DNS names for master->node communications. Adds the `--kubelet-preferred-address-types` apiserver flag for clusters that prefer a different node address type.
```release-note
The apiserver can now select which type of kubelet-reported address to use for master->node communications, using the --kubelet-preferred-address-types flag.
```
Automatic merge from submit-queue
Improve CockroachDB example
This is primarily about pulling in the init container to make the config more production-ready, but I've pulled in a few other small improvements that have been made since this was first contributed.
* Use an init container to eliminate potential edge case where losing
the first pet's data could cause it to start a second logical cluster
* Exec the cockroach binary so that it runs as PID 1 in the container
* Make some small improvements to the README
@bprashanth
```release-note
```
Automatic merge from submit-queue
Disable update-staging-client-go until code freeze
I don't want to cause developer friction until code freeze. I'll babysit the script for the moment to keep the client-go up-to-date.
Should had done this in #34489.
Automatic merge from submit-queue
quota controller uses informers if available for pod calculation
This PR does the following:
1. plumb informer factory into quota registry and evaluators
2. pod quota evaluator uses informers for determining aggregrate usage instead of making direct calls
3. admission code path does not use informers because
1. we do not want to add new watches in apiserver
2. admission code path does not require aggregate usage calculation
As a result, quota controller is much faster in re-calculating quota usage when it observes a pod deletion.
Follow-on PRs will make similar changes for other informer backed resources (pvcs next).
/cc @deads2k @mfojtik @smarterclayton @kubernetes/rh-cluster-infra
* Use an init container to eliminate potential edge case where losing
the first pet's could cause it to start a second logical cluster
* Exec the cockroach binary so that it runs as PID 1 in the container
* Make some small improvements to the README
Automatic merge from submit-queue
Initialize CIDR allocator before registering handle functions
Currently we start shared informers after everything is already created, but this change make it future-proof.
cc @davidopp @kevin-wangzefeng @foxish
Automatic merge from submit-queue
update list of vailable resources
Hi,
kubectl get --help produce a list of resource types and aliases :
```
Valid resource types include:
* clusters (valid only for federation apiservers)
* componentstatuses (aka 'cs')
...
```
``` release-note
Update the list of resources in kubectl get --help
```
The list is currently outdated (for exemple missing networkpolicy).
http://kubernetes.io/docs/user-guide/kubectl-overview/#resource-types has the same data and is also outdated.
The patch updates these 2 lists.
Automatic merge from submit-queue
make localupcluster work with RBAC enabled
When `ENABLE_RBAC=true` is set to true, `local-up-cluster` fails because it can't reach the endpoint (get a 403). This changes to an endpoint that the default policy allows anyone to see.
Automatic merge from submit-queue
Misc master and federation cleanups
- misc small cleanups
- make ServerRunOption embeddings explicit in order to make the technical debt in our plumbing code visible.
Automatic merge from submit-queue
Remove stale volumes if endpoint/svc creation fails.
Remove stale volumes if endpoint/svc creation fails.
Signed-off-by: Humble Chirammal hchiramm@redhat.com
Automatic merge from submit-queue
make kubeadm version use kubeadmutil
What this PR does / why we need it:
this PR makes sure `kubeadmutil.CheckErr()` other than `cmdutil.CheckErr()` is called in `kubeadm version` subcommand.
in `version.go`, `RunVersion()` function only returns `nil`, `kubeadmutil.CheckErr()` is enough for this
Signed-off-by: redhatlinux10 <ouyang.qinhua@zte.com.cn>
