HandlePodCleanups is responsible for restarting pods that are no
longer running (usually due to delete and recreation with the same
UID in quick succession). We have to filter the list of pods to
restart from podManager to get the list of admitted pods, which
uses filterOutInactivePods on the kubelet. That method excludes
pods the pod worker has already terminated. Since a restarted
pod will be in the terminated state before HandlePodCleanups
calls SyncKnownPods, we have to call filterOutInactivePods after
SyncKnownPods, otherwise the to-be-restarted pod is ignored and
we have to wait for the next houskeeping cycle to restart it.
Since static pods are often critical system components, this
extra 2s wait is undesirable and we should restart as soon as
we can. Add a failing test that passes after we move the filter
call after SyncKnownPods.
The status manager channel forces all container status to be
processed, even if multiple updates are generated in succession.
Instead of queueing the updates, just remember which ones changed
and process them in a batch. This should reduce QPS load from
the Kubelet for status, reduce latency of status propagation to
the API in general, and is easier to reason about.
This also prevents status from being lost when the channel is
full - all updates sent by SetPodStatus are guaranteed to be
recorded. Changing to remove the channel allows us to set a
marker flag when the pod worker state machine completes that
avoids the status manager having to call into the pod worker
directly.
This commit is the main API piece of KEP-3257 (ClusterTrustBundles).
This commit:
* Adds the certificates.k8s.io/v1alpha1 API group
* Adds the ClusterTrustBundle type.
* Registers the new type in kube-apiserver.
* Implements the type-specfic validation specified for
ClusterTrustBundles:
- spec.pemTrustAnchors must always be non-empty.
- spec.signerName must be either empty or a valid signer name.
- Changing spec.signerName is disallowed.
* Implements the "attest" admission check to restrict actions on
ClusterTrustBundles that include a signer name.
Because it wasn't specified in the KEP, I chose to make attempts to
update the signer name be validation errors, rather than silently
ignored.
I have tested this out by launching these changes in kind and
manipulating ClusterTrustBundle objects in the resulting cluster using
kubectl.
* Add custom match conditions for CEL admission
This PR is based off of, and dependent on the following PR:
https://github.com/kubernetes/kubernetes/pull/116261
Signed-off-by: Max Smythe <smythe@google.com>
* run `make update`
Signed-off-by: Max Smythe <smythe@google.com>
* Fix unit tests
Signed-off-by: Max Smythe <smythe@google.com>
* Fix unit tests
Signed-off-by: Max Smythe <smythe@google.com>
* Update compatibility test data
Signed-off-by: Max Smythe <smythe@google.com>
* Revert "Update compatibility test data"
This reverts commit 312ba7f9e74e0ec4a7ac1f07bf575479c608af28.
* Allow params during validation; make match conditions optional
Signed-off-by: Max Smythe <smythe@google.com>
* Add conditional ignoring of matcher CEL expression validation on update
Signed-off-by: Max Smythe <smythe@google.com>
* Run codegen
Signed-off-by: Max Smythe <smythe@google.com>
* Add more validation tests
Signed-off-by: Max Smythe <smythe@google.com>
* Short-circuit CEL matcher when no matchers specified
Signed-off-by: Max Smythe <smythe@google.com>
* Run codegen
Signed-off-by: Max Smythe <smythe@google.com>
* Address review comments
Signed-off-by: Max Smythe <smythe@google.com>
---------
Signed-off-by: Max Smythe <smythe@google.com>
* Slightly changed pod spec to repro issue #116262
* Refactor test to ensure that the static pod is deleted even if the
test fails
Signed-off-by: David Porter <david@porter.me>
Though not obvious as currently written, PreferNodeIP() has different
semantics with legacy and external cloud providers, since one kind of
node IP value never gets passed in the external cloud provider case.
Split it into two functions to make this clearer (and to prepare for
adding new external-cloud-only semantics, and to make it clearer that
some of the code can be deleted when legacy cloud providers go away).
Add an arg to ParseNodeIPArgument saying whether to allow dual-stack
IPs for external cloud providers. Update kubelet for the new API, but
always pass "false" for now.
The same code should be used to parse the command-line argument and
the annotation. Unfortunately, for compatiblity reasons, they have to
handle invalid inputs differently...
(It doesn't make sense to put this code in cloud-provider, since
ParseNodeIPArgument is used for the non-cloud-provider case too.)
We now get structured output using jsonpath for the
name and version fields of the node object and then
compare the outputs.
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
