Recently in PR 131741 the kubeadm fixture for cluster-info
in dryrun.go was updated to remove the 'preferences' struct.
This means that the hardcoded JWS signature of the cluster-info
fixture must also be updated.
Update the signature to the expected one to fix e2e
failures in dryrun-latest.
https://testgrid.k8s.io/sig-cluster-lifecycle-kubeadm#kubeadm-kinder-dryrun-latest
This commit introduces support for using ECDSA P-384 as an encryption
algorithm for generating certificates and keys within kubeadm.
The following changes are included:
- Defined the `EncryptionAlgorithmECDSAP384` constant in the kubeadm API types.
- Updated API documentation to reflect the new algorithm option ("ECDSA-P384").
- Added validation for `ECDSA-P384` in the cluster configuration.
- Implemented key generation logic for ECDSA P-384 keys in `pkiutil`
(using `elliptic.P384()`).
- Added corresponding unit tests to verify the new algorithm's functionality
in `pkiutil`.
This allows users to choose ECDSA P-384 for
kubeadm-managed clusters.
Add metrics for compatibility version for kube-apiserver, kube-scheduler, and kube-controller-manager.
Signed-off-by: Michael Aspinwall <maspinwall@google.com>
kubectl command construction is slowly getting more functionality which
sometimes requires to log certain actions. Currently we parse the
verbosity only when actually running the command, so all of construction
code is not able to use -v=5. This commit adds the manual parsing and
loglevel setting berore we even start creating the kubectl command.
Signed-off-by: Maciej Szulik <soltysh@gmail.com>
IPv6 should also be checked if it is globally enabled. On nftables, today this
is hardcoded, so if a Linux Kernel disables IPv6 during its boot or doesn't
have IPv6 compiled, it will still try to use IPv6, which can lead to some
unexpected errors.
This change verifies if IPv6 is enabled by checking if the IPv6 network interfaces
proc file is available
With StreamingCollectionEncodingToJSON and
StreamingCollectionEncodingToProtobuf, the WatchList must re-justify its
necessity. To prevent an ecosystem from building around a feature that
may not be promoted, we will stop serving list-via-watch until
performance numbers can justify its inclusion.
This also stops the kube-controller-manager from using the
list-via-watch by default. The fallback is a regular list, so during
the skew during an upgrade the "right" thing will happen and the new
StreamingCollectionEncoding will be used.
Choosing a port in advance is racy. A better solution is to use a Unix Domain
socket in the per-etcd-instance data directory. Then the name can be determined
in advance and there's no risk of conflicts with other etcd instances.
With unix:// for the endpoint, we have to be a bit more careful about
passing a TLS config to the etcd client library because for unix://, in
contrast to http://, it tries to use an incomplete config which
then fails to establish the connection.
This also fixes it so that ipvs.CleanupLeftovers only deletes
ipvs/ipset stuff once, rather than first deleting all of it on behalf
of the IPv4 Proxier and then no-op "deleting" it all again on behalf
of the IPv6 Proxier.