Automatic merge from submit-queue
Update build requirements
**What this PR does / why we need it**:
Update the build requirements for docker so that the three configurations are shown as sub-lists instead of a parallel list.
Currently, the requirements are shown in this way.
1. xxx
2. xxx
3. xxx
4. xxx
5. xxx
But it should be shown as something like this:
1. xxx
* xxx
* xxx
* xxx
2. xxx
The problem is because markdown doesn't support well for ordered sub-list under ordered list. So, change it to unordered sub-list can avoid this problem.
Automatic merge from submit-queue
Update OWNERS to correct members' handles
**What this PR does / why we need it**:
Fix some typos of members' handles as per https://github.com/kubernetes/kubernetes/issues/50048#issuecomment-319831957.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Associated with: #50048
**Special notes for your reviewer**:
/cc @madhusudancs @sebgoa @liggitt @saad-ali
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50119, 48366, 47181, 41611, 49547)
Task 0: Added node taints labels and feature flags
**What this PR does / why we need it**:
Added node taint const for node condition.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: part of #42001
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 50119, 48366, 47181, 41611, 49547)
Move remaining cert helper functions from pkg/serviceaccount to client-go/util/cert
**What this PR does / why we need it**:
Unifies all remaining certificate helper functions from pkh/serviceaccount to client-go/util/cert. Private key functions were moved in #40907
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#40807
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 50119, 48366, 47181, 41611, 49547)
Fail on swap enabled and deprecate experimental-fail-swap-on flag
**What this PR does / why we need it**:
* Deprecate the old experimental-fail-swap-on
* Add a new flag fail-swap-on and set it to true
Before this change, we would not fail when swap is on. With this
change we fail for everyone when swap is on, unless they explicitly
set --fail-swap-on to false.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#34726
**Special notes for your reviewer**:
**Release note**:
```release-note
Kubelet will by default fail with swap enabled from now on. The experimental flag "--experimental-fail-swap-on" has been deprecated, please set the new "--fail-swap-on" flag to false if you wish to run with /proc/swaps on.
```
Automatic merge from submit-queue (batch tested with PRs 50119, 48366, 47181, 41611, 49547)
Add basic install and mount flexvolumes e2e tests
fixes https://github.com/kubernetes/kubernetes/issues/47010
These two tests install a skeleton "dummy" flex driver, attachable and non-attachable respectively, then test that a pod can successfully use the flex driver. They are labeled disruptive because kubelet and controller-manager get restarted as part of the flex install. IMO it's important to keep this install procedure as part of the test to isolate any bugs with the startup plugin probe code.
There is a bit of an ugly dependency on cluster/gce/config-test.sh because --flex-volume-plugin-dir must be set to a dir that's readable from controller-manager container and writable by the flex e2e test. The default path is not writable on GCE masters with read-only root so I picked a location that looks okay.
In the "dummy" drivers I trick kubelet into thinking there is a mount point by doing "mount -t tmpfs none ${MNTPATH} >/dev/null 2>&1", hope that is okay.
I have only tested on GCE and theoretically they may work on AWS but I don't think there is a need to test on multiple cloudproviders.
-->
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50119, 48366, 47181, 41611, 49547)
increase the GC e2e test timeout
Fix https://github.com/kubernetes/kubernetes/issues/50047.
The root cause is #50046. See log analysis in #50047. For now, we just increase the timeout.
Automatic merge from submit-queue
kube-gen: cut off dependencies
Only gengo is left and apimachinery/pkg/openapi. The later will go away when #48861 merges.
This is the preparation that we can use kube-gen also from apimachinery without circular dependencies.
Automatic merge from submit-queue
Fix incorrect call to 'bind' in scheduler
I previously submitted https://github.com/kubernetes/kubernetes/pull/49661 -- I'm not sure if that PR is too big or what, but this is an attempt at a smaller PR that makes progress on the same issue and is easier to review.
**What this PR does / why we need it**:
In this refactor (https://github.com/kubernetes/kubernetes/commit/ecb962e6585#diff-67f2b61521299ca8d8687b0933bbfb19R223) the scheduler code was refactored into separate `bind` and `assume` functions. When that happened, `bind` was called with `pod` as an argument. The argument to `bind` should be the assumed pod, not the original pod. Evidence that `assumedPod` is the correct argument bind and not `pod`: 80f26fa8a8/plugin/pkg/scheduler/scheduler.go (L229-L234). (and it says `assumed` in the function signature for `bind`, even though it's not called with the assumed pod as an argument).
This is an issue (and causes #49314, where pods that fail to bind to a node get stuck indefinitely) in the following scenario:
1. The pod fails to bind to the node
2. `bind` calls `ForgetPod` with the `pod` argument
3. since `ForgetPod` is expecting the assumed pod as an argument (because that's what's in the scheduler cache), it fails with an error like `scheduler cache ForgetPod failed: pod test-677550-rc-edit-namespace/nginx-jvn09 state was assumed on a different node`
4. The pod gets lost forever because of some incomplete error handling (which I haven't addressed here in the interest of making a simpler PR)
In this PR I've fixed the call to `bind` and modified the tests to make sure that `ForgetPod` gets called with the correct argument (the assumed pod) when binding fails.
**Which issue this PR fixes**: fixes#49314
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
federation-controller/clustercontroller: fix race when updating data
Fix#49958
Updates for ClusterController's maps were made without locking which can lead
to race conditions.
This change adds a RWMutex to protect the data. We lock and unlock them
whenever the data is accessed to make sure that we dont slow down too much
Automatic merge from submit-queue
kubelet: remove code for handling old pod/containers paths
**What this PR does / why we need it**:
This PR removes the code for handling the paths that has been deprecated for a long time.
**Release note**:
```release-note
NONE
```
CC @simo5
Automatic merge from submit-queue (batch tested with PRs 46685, 49863, 50098, 50070, 50096)
GCE: Bump GLBC version to 0.9.6
Closes#50095
**Release note**:
```release-note
GCE: Bump GLBC version to 0.9.6
```
Automatic merge from submit-queue (batch tested with PRs 46685, 49863, 50098, 50070, 50096)
Remove 0,1,3 from rand.String to avoid 'bad words'
**What this PR does / why we need it**:
Remove 0,1,3 from the runes to prevent accidental bad words profanity
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49543
**Special notes for your reviewer**:
/cc @mml @jamesawebb1 @spiffxp
**Release note**:
```release-note
Remove 0,1,3 from rand.String, to avoid 'bad words'
```
Automatic merge from submit-queue (batch tested with PRs 46685, 49863, 50098, 50070, 50096)
apiextensions: fix data race in storage
Fixes data race in CRD storage.
Copy to a new map because we cannot write to storageMap without a race as it is used without locking elsewhere.
**Release note**:
```release-note
NONE
```
/cc @sttts
Automatic merge from submit-queue (batch tested with PRs 46685, 49863, 50098, 50070, 50096)
Cover equivalence cache tests in scheduler core
**What this PR does / why we need it**:
Finish the last part of equivalence class scheduling #17390 : complete unit tests.
Also, removed `InvalidateCachedPredicateItemForPod` which is unused in latest design.
```
godep go test -v equivalence_cache_test.go equivalence_cache.go -cover
PASS
coverage: 92.3% of statements
ok command-line-arguments 0.071s
```
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
fix err message in namespace_policy
**What this PR does / why we need it**:
**Which issue this PR fixes**: fixes#49541
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Fix pointer bug in local volume e2e test
**What this PR does / why we need it**:
Fix pointer bug in local volume e2e test
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes https://github.com/kubernetes/kubernetes/issues/50043
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48237, 50084, 50019, 50069, 50090)
Fix comment of isHTTPSURL
**What this PR does / why we need it**:
fix comment of isHTTPSURL
Automatic merge from submit-queue (batch tested with PRs 48237, 50084, 50019, 50069, 50090)
create default storage selection functions
The vast majority of our REST storage needs either default selection predicates or minor tweaks the the field selection criteria. This pull makes that work without any special fields set, but also allows the more complex configuration where it is required. I only changed one storage an example. Once this merges, I'll update the others.
@kubernetes/sig-api-machinery-misc @wojtek-t @smarterclayton @sttts @cheftako ptal.
Automatic merge from submit-queue (batch tested with PRs 48237, 50084, 50019, 50069, 50090)
Allow for some pods not to get scheduled in CA tests.
This will allow us to ignore long tail node creation or failure
to create some nodes when running scalability tests on kubemark.
**Release note**:
```
NONE
```
Automatic merge from submit-queue
Add test for kube-proxy running with "--cleanup-iptables=true"
**What this PR does / why we need it**:
Add test to prevent such kube-proxy panic to happen again.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48177
**Special notes for your reviewer**:
Forgot to add this in last PR #48183. Should we also add this to v1.7 milestone?
/cc @ncdc @dchen1107
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50103, 49677, 49449, 43586, 48969)
Run kazel on the entire tree
**What this PR does / why we need it**: part of #47558: auto-generate `BUILD` files on the entire tree, since this is what `gazelle` does, and it'll make subsequent reviews easier if less is changing.
**Release note**:
```release-note
NONE
```
/assign
/release-note-none
Automatic merge from submit-queue (batch tested with PRs 50103, 49677, 49449, 43586, 48969)
Adding IPv6 to cidr_set and cidr_set_test
**What this PR does / why we need it**:
This allows IPv6 in cidr_set
Currently cidr_set only supports IPv4. This adds IPv6 compatibility and adds
IPv6 unit tests.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#43588
**Special notes for your reviewer**:
The IPv6 code here makes some assumptions.
The subnets should be at least /64. (maximum 64 bits of prefix)
The subnet mask size cannot be greater than 30 more than the cluster mask size.
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 50103, 49677, 49449, 43586, 48969)
Do not try to run preStopHook when the gracePeriod is 0
**What this PR does / why we need it**:
1. Sometimes when the user force deletes a POD with no gracePeriod, its possible that kubelet attempts to execute the preStopHook which will certainly fail. This PR prevents this inavitable PreStopHook failure.
```
kubectl delete --force --grace-period=0 po/<pod-name>
```
2. This also adds UT for LifeCycle Hooks
```
time go test --cover -v --run "Hook" ./pkg/kubelet/kuberuntime/
.
.
.
--- PASS: TestLifeCycleHook (0.00s)
--- PASS: TestLifeCycleHook/PreStop-CMDExec (0.00s)
--- PASS: TestLifeCycleHook/PreStop-HTTPGet (0.00s)
--- PASS: TestLifeCycleHook/PreStop-NoTimeToRun (0.00s)
--- PASS: TestLifeCycleHook/PostStart-CmdExe (0.00s)
PASS
coverage: 15.3% of statements
ok k8s.io/kubernetes/pkg/kubelet/kuberuntime 0.429s
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
Do not try to run preStopHook when the gracePeriod is 0
```
Automatic merge from submit-queue (batch tested with PRs 50103, 49677, 49449, 43586, 48969)
Add missing UID in SubjectAccessReviewSpec
**What this PR does / why we need it**:
WebhookAuthorizer's Authorize should send *all* the information
present in the user.Info data structure. We are not sending the
UID currently.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
The SubjectAccessReview API in the authorization.k8s.io API group now allows providing the user uid.
```
Automatic merge from submit-queue (batch tested with PRs 50103, 49677, 49449, 43586, 48969)
[Bug Fix] Fix updating LastHeartbeatTime for the OutOfDisk node condition.
Fixes#50058. #49841 for some (currently unknown) reason did not correctly update LastHeartbeatTime, causing OutOfDisk to be marked unknown.
I have not found the reason for this yet. This change makes the setNodeOODCondition method nearly identical to the other conditions (e.g. [setNodeMemoryPressureCondition](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kubelet_node_status.go#L741)).
I have started a cluster with this change, and all nodes have been reporting `Ready` for 25 minutes.
- Move public key functions to client-go/util/cert
- Move pki file helper functions to client-go/util/cert
- Standardize on certutil package alias
- Update dependencies to client-go/util/cert
Automatic merge from submit-queue
Add kube-proxy change notice to v1.7.3 release note
**What this PR does / why we need it**: Add necessary release note for issue #48600.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48600
**Special notes for your reviewer**:
This is suppose to be in v1.7.3 release note, but turned out I only updated release note on the cherrypick PR (#49799) instead of the original PR (#48625) so nothing got picked up :(
/assign @bowei @wojtek-t
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
apiextensions: fix panic with KUBE_API_VERSIONS set
https://github.com/kubernetes/kubernetes/pull/48837 introduced a panic in apiextension-apiserver triggered by the `hack/test-update-storage-objects.sh` script in CI.
