Commit Graph

88538 Commits

Author SHA1 Message Date
Kubernetes Prow Robot
ba10669143
Merge pull request #87595 from hase1128/add-comment-hack-script
Add comments in several hack/*.sh
2020-02-11 23:14:20 -08:00
Kubernetes Prow Robot
f9244a5223
Merge pull request #87417 from hase1128/add-comment-to-several-verify-scripts_4
Add comments in several hack/verify-*.sh(s-v)
2020-02-11 23:14:07 -08:00
Matthew Wong
c048fb19fc Initialize http Request Header before RoundTrip to avoid panic 2020-02-12 06:55:37 +00:00
Michelle Au
d9184b75c9 Convert volume.TestConfig to use NodeSelection
Change-Id: I6adbb53b65e4a4f7e220fc0d91a26dc6bc135c36
2020-02-11 21:13:42 -08:00
Michelle Au
76a4a34dae Pass NodeSelection directly into e2e testsuites so that tests can use them more consistently
Change-Id: I99c8c1d8535a2a2319fbe8216b953c14a56f2763
2020-02-11 20:25:24 -08:00
Jordan Liggitt
242e3ebf01 Add buffer for GC resync retry to GC e2e tests 2020-02-11 22:31:09 -05:00
Michelle Au
fb9f02b5e1 Don't set NodeName directly in Pods so that it still goes through the scheduler
Change-Id: I244b6aac0289a13339f3ac228c4ad9ecf8c07b42
2020-02-11 19:17:41 -08:00
Kubernetes Prow Robot
6eaa4af025
Merge pull request #85234 from matthyx/patch-1
Add matthyx to sig-node-reviewers in OWNERS_ALIASES
2020-02-11 18:32:07 -08:00
Kubernetes Prow Robot
f9250c4f95
Merge pull request #87795 from zhan849/harry/reflector-backoff
add exponential backoff with cap and reset in reflector during retrying ListWatch
2020-02-11 17:06:21 -08:00
Kubernetes Prow Robot
04cfa4981a
Merge pull request #87463 from mwwolters/healthmon2healthz
Migrate health monitor from read only port to healthz port
2020-02-11 17:06:08 -08:00
Charles Eckman
5a176ac772 Provide OIDC discovery endpoints
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.

Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
  the API server's external address and port.

- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).

- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.

Co-authored-by: Michael Taufen <mtaufen@google.com>
2020-02-11 16:23:31 -08:00
Kubernetes Prow Robot
7faee2c30a
Merge pull request #88019 from liggitt/ssa
Lower ssa auto-enablement to 10%
2020-02-11 15:50:09 -08:00
Anago GCB
06fad92509 Add CHANGELOG/CHANGELOG-1.15.md for v1.15.10 2020-02-11 22:02:07 +00:00
Andrew Sy Kim
1653476e3f proxier: use IPSet from k8s.io/utils/net to store local addresses
This allows the proxier to cache local addresses instead of fetching all
local addresses every time in IsLocalIP.

Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
2020-02-11 16:44:34 -05:00
Andrew Sy Kim
77feb1126e userspace proxy: get local addresses only once per sync loop
This avoids fetching all local network interfaces every time we sync an
external IP. For clusters with many external IPs this gets really
expensive. This change caches all local addresses once per sync.

Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
2020-02-11 16:35:49 -05:00
Andrew Sy Kim
126bf5a231 ipvs proxier: use util proxy methods for getting local addresses
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
2020-02-11 16:35:49 -05:00
Andrew Sy Kim
313c3b81e3 iptables proxier: get local addresses only once per sync loop
This avoids fetching all local network interfaces every time we sync an
external IP. For clusters with many external IPs this gets really
expensive. This change caches all local addresses once per sync.

Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
2020-02-11 16:35:49 -05:00
andrewsykim
9e5a06c3ed update vendor k8s.io/utils to 5f6fbceb4c31
Signed-off-by: andrewsykim <kim.andrewsy@gmail.com>
2020-02-11 16:35:49 -05:00
Anago GCB
e3ab253cd8 Add CHANGELOG/CHANGELOG-1.16.md for v1.16.7 2020-02-11 21:18:47 +00:00
jennybuckley
888a322d9c Round times to nearest second before sorting 2020-02-11 12:54:19 -08:00
Davanum Srinivas
f26dbc473d
Avoid running docker specific test in containerd 2020-02-11 14:32:18 -05:00
Anago GCB
5e94cccf5c Add CHANGELOG/CHANGELOG-1.17.md for v1.17.3 2020-02-11 19:18:37 +00:00
Jordan Liggitt
a657d51ce3 Lower server-side apply percentage to 10% 2020-02-11 12:55:28 -05:00
notpad
89066cceb9 Add RegisterPluginAsExtensionsWithWeight 2020-02-11 23:11:53 +08:00
wojtekt
ca81235f24 Fix serializer test 2020-02-11 15:54:05 +01:00
Kubernetes Prow Robot
574acbe310
Merge pull request #87847 from notpad/feature/slow_path
Cleanup "slow-path" logic in scheduler Filters
2020-02-11 06:46:04 -08:00
Jan Safranek
2430c48c10 Delete pod in volume tests
All storage e2e tests should delete pods they use so we can identify issues
on volume cleanup easily.
2020-02-11 12:54:38 +01:00
andyzhangx
9cb7f54c0b fix: add azure disk migration support for CSINode 2020-02-11 11:39:55 +00:00
Antonio Ojea
11263bb57f
kube-proxy filter Load Balancer Status ingress
kube-proxy, if it is configured with an IP family, filters out the
incorrect IP version of the services.

This commit fixes a bug caused by not filtering out the IPs in the
LoadBalancer Status Ingress field.
2020-02-11 10:25:59 +01:00
Kubernetes Prow Robot
38acec9bbc
Merge pull request #87527 from brianpursley/kubectl-796
Added 'No resources found' message to describe <type> and top pod commands
2020-02-11 01:20:02 -08:00
notpad
fb895056c6 Add test 2020-02-11 16:51:21 +08:00
Kubernetes Prow Robot
dc8208dddc
Merge pull request #87871 from msau42/fix-hostexec
Use NodeSelector instead of NodeName in hostexec Pod
2020-02-10 20:44:01 -08:00
Mike Spreitzer
73614ddd4e Added API Priority and Fairness filter and config consumer 2020-02-10 22:54:40 -05:00
Davanum Srinivas
8f764b113e
Support for adding test-handler for containerd 2020-02-10 20:43:40 -05:00
shaloulcy
fe312ed74a add index for pod cacher
Signed-off-by: shaloulcy <lcy041536@gmail.com>
2020-02-11 09:25:27 +08:00
Kubernetes Prow Robot
6eba154f6e
Merge pull request #87984 from apelisse/100-percent-ssa
Enable field management for all new objects
2020-02-10 17:22:33 -08:00
Kubernetes Prow Robot
26ecb7ed60
Merge pull request #87982 from damemi/damemi-sched-reviewer
Add damemi to sig-scheduling owners
2020-02-10 17:22:24 -08:00
Kubernetes Prow Robot
f8f6229d77
Merge pull request #87950 from tanjunchen/fix-no-non-ascii-characters-/test
test/ : fix non-ascii characters
2020-02-10 17:22:15 -08:00
Kubernetes Prow Robot
921ef35e64
Merge pull request #87949 from 928234269/non_ascii_01
Fix non-ascii characters in test/e2e_node and test/network.
2020-02-10 17:22:01 -08:00
Haowei Cai
01328ae291 add roycaihw to reviewers in apiextensions-apiserver 2020-02-10 15:44:31 -08:00
Michelle Au
1ee35e788e Use NodeSelector instead of NodeName in hostexec Pod so that the Pod runs through the scheduler
Change-Id: Ia2f7ad39af318bbe707b43dfea706293ecdf5203
2020-02-10 15:36:04 -08:00
Kubernetes Prow Robot
0b2636a7e7
Merge pull request #87991 from mikedanese/createcontext
remove authn/z.CreateContext expansions
2020-02-10 14:53:53 -08:00
Jonathan Basseri
09121d9686 Add missing tag to vSphere storage E2E tests
This adds the [Feature:vsphere] tag to those vSphere tests which were
missing it. This makes it easier to specifically target the vSphere
storage E2E test suite.
2020-02-10 14:48:55 -08:00
Francesco Romani
70cce5e3f1 e2e: topomgr: introduce sriov setup/teardown funcs
Reorganize the code with setup and teardown functions,
to make room for the future addition of more device plugin
support, and to make the code a bit tidier.

Signed-off-by: Francesco Romani <fromani@redhat.com>
2020-02-10 22:47:54 +01:00
Francesco Romani
2f0a6d2c76 e2e: topomgr: use constants for test limits
Signed-off-by: Francesco Romani <fromani@redhat.com>
2020-02-10 22:47:54 +01:00
Francesco Romani
fee1dba054 e2r: topomgr: improve the test logs
Add clarification to which test is doing what, to make
the test output easier to understand.

Signed-off-by: Francesco Romani <fromani@redhat.com>
2020-02-10 22:47:54 +01:00
Francesco Romani
83c344647f e2e: topomgr: better check for AffinityError
Add a helper function to check if a Pod failed
admission for Topology Affinity Error.
So far we only check the Status.Reason.

Signed-off-by: Francesco Romani <fromani@redhat.com>
2020-02-10 22:47:54 +01:00
Francesco Romani
512a4e8a3e e2e: topomgr: reduce node readiness timeout
Five minutes was initially used only to be overcautious.
From my experiments, the node is ready in usually less than a minute.
Double it to give some buffer space.

Signed-off-by: Francesco Romani <fromani@redhat.com>
2020-02-10 22:47:54 +01:00
Francesco Romani
3b4122bd03 e2e: topomgr: get and use topology hints from conf
To properly implement some e2e tests, we need to know
some basic topology facts about the system running the tests.
The bare minimum we need to know is how many PCI SRIOV devices
are attached to which NUMA node.

This way we know which core we can reserve for kube services,
and which NUMA socket we can take to test full socket reservation.

To let the tests know the PCI device topology, we use annotations
in the SRIOV device plugin ConfigMap we need anyway.
The format is

```yaml
  metadata:
    annotations:
      pcidevice_node0: "2"
      pcidevice_node1: "0"
```

with one annotation per NUMA node in the system.

Signed-off-by: Francesco Romani <fromani@redhat.com>
2020-02-10 22:47:53 +01:00
Francesco Romani
d9d652e867 e2e: topomgr: initial negative tests
Negative tests are when we request a gu Pod we know the system cannot
fulfill - hence we expect rejection from the topology manager.

Unfortunately, besides the trivial case of excessive cores (request
more socket than a NUMA node provides) we cannot easily test the
devices, because crafting a proper pod will require detailed knowledge
of the hw topology.

Let's consider a hypothetical two-node NUMA system with two PCIe busses,
one per NUMA node, with a SRIOV device on each bus.
A proper negative test would require two SRIOV devices, that the system
can provide but not on the same single NUMA node.
Requiring for example three devices (one more than the system provides)
will lead to a different, legitimate admission error.

For these reasons we bootstrap the testing infra for the negative tests,
but we add just the simplest one.

Signed-off-by: Francesco Romani <fromani@redhat.com>
2020-02-10 22:47:53 +01:00