Automatic merge from submit-queue (batch tested with PRs 63588, 63806). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm - do not generate etcd ca/certs for external etcd
**What this PR does / why we need it**:
Currently we generate an etcd CA and certificates even if we are specifying an external etcd cluster when running `kubeadm init`, this PR changes this behavior to skip generating the etcd CA and certificates if configured for an external etcd cluster.
**Which issue(s) this PR fixes**
Fixes https://github.com/kubernetes/kubeadm/issues/807
**Release note**:
```release-note
kubeadm will no longer generate an unused etcd CA and certificates when configured to use an external etcd cluster.
```
Automatic merge from submit-queue (batch tested with PRs 63735, 62807). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Kubeadm: Update comments and UT to remove /66 restriction
**What this PR does / why we need it**:
The comments in cmd/kubeadm/app/phases/controlplane/manifests.go mention the
IPv6 /66 restriction, and the UT also refers to this.
This restriction was removed in PR#60089
This removes those comments and updates the UT
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62806
**Special notes for your reviewer**:
**Release note**:
```release-note-none
```
Automatic merge from submit-queue (batch tested with PRs 63735, 62807). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm-init: update note about failing containers
**What this PR does / why we need it**:
This PR was merged before all requested changes
were applied:
kubernetes/pull/59731
Update the note about failing containers as requested here:
https://github.com/kubernetes/kubernetes/pull/59731#pullrequestreview-119517427
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
NONE
**Special notes for your reviewer**:
NONE
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63783, 63734). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Kubeadm marshal tests
**What this PR does / why we need it**:
Adds tests for the marshalling utilities in kubeadm.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes: kubernetes/kubeadm#802
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63783, 63734). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Rename `kubeadmapiext` to the more explicit `kubeadmapiv1alpha1`
**What this PR does / why we need it**:
`kubeadmext` is somewhat confusing to those who read the code (although it means "the external API of kubeadm", which to some degree makes sense), so I'm swapping all references to it to the more explicit `kubeadmapiv1alpha1`. This change is needed given that we will support multiple external APIs.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of https://github.com/kubernetes/community/pull/2131
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @liztio
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add necessary explanation for container log rotation.
**What this PR does / why we need it**:
#59898
> Container log manager only starts when the container runtime is remote (not docker), because we can't implement ReopenContainerLog for docker.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Control exactly what we use in kubeadm
**What this PR does / why we need it**:
we recently got rid of extra arg validation for preflight check:
9f21f5dd1e
the import-boss configuration will help us control exactly what
gets added/used in kubeadm. In this PR, we add a white-list of
the exact packages we use currently.
We will need to review these, make new PR(s) to eliminate things
we don't want to be depending on (just like the cloud provider related code).
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
we recently got rid of extra arg validation for preflight check:
9f21f5dd1e
the import-boss configuration will help us control exactly what
gets added/used in kubeadm. In this PR, we add a white-list of
the exact packages we use currently.
We will need to review these, make new PR(s) to eliminate things
we don't want to be depending on (just like the cloud provider related code).
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Revisit the OWNERS file for kubeadm
**What this PR does / why we need it**:
The OWNERS file for kubeadm is getting a little bit stale. As discussed in today's SIG Cluster Lifecycle meeting, we're gonna update it with the currently active contributors.
**Special notes for your reviewer**:
Every person that is involved here, please ACK and LGTM the change.
@jbeda removed from approvers
@krousey removed from approvers/reviewers
@fabriziopandini graduated to an approver
@dmmcquay removed from reviewers
@jamiehannaford removed from reviewers
@kargakis removed from reviewers
@liztio added to reviewers
@chuckha added to reviewers
@detiber added to reviewers
@stealthybox added to reviewers
@dixudx added to reviewers
Thank you everyone for your contributions 👏 (no one can't maintain something forever), and congratulations and welcome everyone with a new role, happy to have you here 👍!
**Release note**:
```release-note
NONE
```
cc @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: add test coverage to completion.go
**What this PR does / why we need it**:
Add `completion_test.go` with the following tests:
- TestNewCmdCompletion
- TestRunCompletion
A separate commit exports the function GetSupportedShells() to obtain the list of supported shells.
Test coverage is at 96%. The only untested bit is an `io.Writer.Write()` call in `RunCompletion()`. in the case of `bytes.Buffer` it would panic and/or always return `nil` for `error`.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
NONE
**Special notes for your reviewer**:
NONE
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63367, 63718, 63446, 63723, 63720). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add kind and version to Kubeadm MasterConfiguration configmaps
**What this PR does / why we need it**:
Right now Kubeadm serializes its configuration objects with just `yaml.Marshal`. By switching to `runtime.Encode`, we guarantee that version information will be added.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
First part of KEP0008
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 63367, 63718, 63446, 63723, 63720). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
finish new dynamic client and deprecate old dynamic client
Builds on a couple other pulls. This completes the transition to the new dynamic client.
@kubernetes/sig-api-machinery-pr-reviews
@caesarxuchao @sttts
```release-note
The old dynamic client has been replaced by a new one. The previous dynamic client will exist for one release in `client-go/deprecated-dynamic`. Switch as soon as possible.
```
Automatic merge from submit-queue (batch tested with PRs 63049, 59731). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add instructions on how to debug a crashed pod
When I was using `kubeadm init`, I ran into an issue where I had passed an
invalid flag through the kubeadm config file. The flag was being passed into
apiserver and preventing it from launching with a "unknown flag" error.
The flag in question is (other flags elided for clarity):
```
admission-control: ...,GenericAdmissionWebhook,...
```
Since this prevented the apiserver from coming up, the setup timed out
and gave me the error message I just modified.
It would be better if the config was vetted more thoroughly, but I think
documenting the backup strategy for viewing logs in case of failure is
also valuable.
**What this PR does / why we need it**:
This PR extends an error message in kubeadm to make it clear a potential step forward for new cluster users.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#59731
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63049, 59731). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
re-enable nodeipam in kube-controller-manager
**What this PR does / why we need it**:
Re-enables nodeipam controller for external clouds. Also does a small refactor so that we don't need to pass in `allocateNodeCidr` into the controller.
In v1.10 we made a change (9187b343e1 (diff-f11913dc67d80d36b3d06a93f61c49cf) in https://github.com/kubernetes/kubernetes/pull/57492) where nodeipam would be disabled for any cluster that sets `--cloud-provider=external`. The original intention behind this was that the nodeipam controller is cloud specific for some clouds (only GCE at the moment) so it should be moved to the CCM (cloud controller manager). After some discussions with wg-cloud-provider it makes sense to re-enable nodeipam controller in KCM and have GCE CCM enable its own cloud-specific IPAM controller as part of [Initialize()](https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/cloud.go#L33-L35). This would allow for GCE to run nodeipam in both KCM (by setting --cloud-provider=gce and --allocate-node-cidr) and in the CCM (once implemented in `Initialize()`) without disabling nodeipam in the KCM for all external clouds and avoids having to implement nodeipam in CCM.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Re-enable nodeipam controller for external clouds.
```
Automatic merge from submit-queue (batch tested with PRs 63673, 63712, 63691, 63684). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add 'system-cluster-critical' to kubeadm control plane pods.
**What this PR does / why we need it**:
Add 'system-cluster-critical' to kubeadm control plane pods.
**Which issue(s) this PR fixes**:
Fixes https://github.com/kubernetes/kubeadm/issues/395
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 63673, 63712, 63691, 63684). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm - add preflight warning when using systemd-resolved
**What this PR does / why we need it**:
This PR adds a preflight warning when the host is running systemd-resolved.
Newer Ubuntu releases (artful and bionic in particular) run systemd-resolved by default and in the dfeault configuration have an /etc/resolv.conf file that references 127.0.0.53 which is not accessible from containers running on the host. We will now provide a warning to the user to tell them that the kubelet args should include `--resolv-conf=/run/systemd/resolve/resolv.conf`. `/run/systemd/resolve/resolv.conf`.
**Which issue(s) this PR fixes**:
This does not resolve the following issues, but it does provide better output to the users affected by the issues: https://github.com/kubernetes/kubeadm/issues/273https://github.com/kubernetes/kubeadm/issues/787
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63673, 63712). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove ExtraArgs kubeadm preflight check
This check pulled in a number of dependencies that bloated the dep graph.
The feature itself was not worth an extra 500 dependencies so we decided
to remove the feature.
Closeskubernetes/kubeadm#497
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This PR removes a check that was pulling in a lot of external dependencies. We decided the check was not worth the extra dependencies.
**Special notes for your reviewer**:
We might want to keep the first part of the check and only delete the second part, but it was easier to delete the whole thing.
**Release note**:
```release-note
Removes a preflight check for kubeadm that validated custom kube-apiserver, kube-controller-manager and kube-scheduler arguments.
```
Automatic merge from submit-queue (batch tested with PRs 63669, 63511, 63561, 63289). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
move resource builder to generic options
This pull snips the last kube/kube links from the resource builder and moves it to the genericclioptions to be built out into flags from there.
@kubernetes/sig-cli-maintainers
```release-note
NONE
```
The comments in cmd/kubeadm/app/phases/controlplane/manifests.go mention the
IPv6 /66 restriction, and the UT also refers to this.
This restriction was removed in PR#60089
Automatic merge from submit-queue (batch tested with PRs 62665, 62194, 63616, 63672, 63450). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adds kubeadm images command
Closeskubernetes/kubeadm#388
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This PR adds a `list-images` subcommand to `kubeadm config`. We need this to make installing kubernetes on air-gapped environments a little easier. This command will print out a list of images it expects to use for the master node.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#388
**Special notes for your reviewer**:
**Release note**:
```release-note
Adds a list-images subcommand to kubeadm that lists required images for a kubeadm install.
```
Automatic merge from submit-queue (batch tested with PRs 60200, 63623, 63406). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm-init: add details about --token
**What this PR does / why we need it**:
Add details about the required format when passing
a bootstrap token using 'kubeadm init --token'.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#768
**Special notes for your reviewer**:
NONE
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Optimize admission plugin API requests
xref https://github.com/kubernetes/kubernetes/issues/63030#issuecomment-387774934
* resource changes are typically slow-moving, and full discovery can be slightly expensive, so this reduces the refresh to a 30 second interval and bumps QPS on the admission client (which wasn't done when the client started getting used for discovery in #62659)
* a large consumer of API requests in scale tests was the node restriction plugin pod lookups during pod deletion. this switches to use the same informer that is feeding the node authorizer graph to avoid those lookups entirely.
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
change deprecated Kubelet --allow-privileged flag default to true
This enables a smooth transition to PSP. Today, users would have to
manually set --allow-privileged to true before transitioning to PSP,
which isn't a smooth deprecation path for the flag (we want people
to *stop* setting it). This PR makes the default behavior isomorphic
with what will happen after the flag is removed.
Defaulting --allow-privileged to true should be safe, because it simply
allows a superset of Pods to run (all workloads continue to work).
WRT https://github.com/kubernetes/kubernetes/issues/58010#issuecomment-383264473
the --allow-privileged flag is effectively useless for security, so this
shouldn't be a concern from that perspective.
I also bumped the deprecation timeline in the comment to 1.13.0, so that
we give people the full period of time to stop setting
--allow-privileged, now that the behavior makes it possible to do so.
```release-note
The Kubelet's deprecated --allow-privileged flag now defaults to true. This enables users to stop setting --allow-privileged in order to transition to PodSecurityPolicy. Previously, users had to continue setting --allow-privileged, because the default was false.
```
Automatic merge from submit-queue (batch tested with PRs 63624, 59847). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
explicit kubelet config key in Node.Spec.ConfigSource.ConfigMap
This makes the Kubelet config key in the ConfigMap an explicit part of
the API, so we can stop using magic key names.
As part of this change, we are retiring ConfigMapRef for ConfigMap.
```release-note
You must now specify Node.Spec.ConfigSource.ConfigMap.KubeletConfigKey when using dynamic Kubelet config to tell the Kubelet which key of the ConfigMap identifies its config file.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[kubeadm] Support `HostPathType` of ExtraVolumes in the kubeadm configuration file.
**What this PR does / why we need it**:
Now we use `DirectoryOrCreate ` as a default `HostPathType` in the kubeadm configuration file, when we create user's extra volumes(like `apiServerExtraVolumes`). So, user can't use other `HostPathType`. In order to let users use other types of `HostPath`(like `File`), I think we should support `HostPathType` of ExtraVolumes in the kubeadm configuration file.
**Which issue(s) this PR fixes**
ref [kubernetes/kubeadm#788](https://github.com/kubernetes/kubeadm/issues/788)
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62850, 63504). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Improve where we load builds from for kubeadm upgrade jobs
**What this PR does / why we need it**:
For 1.8,1.9,1.10 branches, we need to load the latest
version from ci/latest*.txt.
For master, we need to load the version number from
ci-cross/latest.txt
try these to verify:
```
gsutil cat gs://kubernetes-release-dev/ci/latest-1.9.txt
gsutil cat gs://kubernetes-release-dev/ci-cross/latest.txt
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubernetes/issues/61483
**Special notes for your reviewer**:
**Release note**:
```release-note
Fixed where we get latest builds for stable branches
```
Automatic merge from submit-queue (batch tested with PRs 62850, 63504). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm-token: search for existing kubeconfig files
**What this PR does / why we need it**:
Add means to search the current user home path and
the environment variable KUBECONFIG for existing files if the
user does not provide a --kubeconfig flag.
If the user provides a --kubeconfig flag respect it.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubeadm/issues/198
**Special notes for your reviewer**:
i'm not 100% sure if that's the correct approach and if that's what's requested. so let's discuss it.
**Release note**:
```release-note
Search standard KubeConfig file locations when using `kubeadm token` without `--kubeconfig`.
```
