in the isEphemeral case, the pvcBlock doesn't have a filled in name, which means the DevicePath is "/mnt".
When using the OCI runtime runc, this is valid because runc sanitizes the path, mounting it in `/mnt` in the container.
However, the OCI runtime crun does not do this.
One can argue the validity of passing a path structured like a directory as a block device, but ultimately from what I can see
this wasn't intentional.
As such, fix it by setting the mount to be based on the first Volume name, which both cases should have filled out.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
kubeadm does not rely on `crictl` any more, so we can now drop the
warning in 1.32 as outlined in:
https://github.com/kubernetes/kubeadm/issues/3064
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
After a node restart kubelet tries to (re)attach all volumes to the
pods. We poll the `verifyVolumesMountedFunc` every 300ms to check whether
the mount has succeeded. This function called the
`GetMountedVolumesForPod` function that allocates memory for every
volumes on every pod (`len(asw.attachedVolumes)`). Because this function
is executed for every pod simultaneously, this results in exponential
memory usage and high cpu usage due to garbage collection.
We already know the exact volume names and pod name and are able to
completly remove the slice allocation.
Signed-off-by: Luca Berneking <l.berneking@mittwald.de>
When the client does not have permission to watch a resource, the
RetryWatcher continuously retried. In this case, it's better to send an
error and stop retrying to let the caller handle this case since this is
not a transient error that can be recovered without user intervention.
This is particularly helpful in applications that leverage a user
provided service account and the application needs to notify the user to
set the correct permissions for the service account.
This also accounts for invalid credentials from the watch client.
Signed-off-by: mprahl <mprahl@users.noreply.github.com>
This commit expands the existing credential ID concept to cover X.509
certificates. We use the certificate's signature as the credential ID,
since this safe and unique.
hostNetwork pods mount the /etc/hosts from the root namespaces, hence
does not depend on PodIPs to be populated to mount the /etc/hosts file
and add the argumentes specified in the Pod.Spec like hostAliases.
mockery is set up to generate headers in all the mocks it produces, so
the separate header generation in update-mocks.sh is no longer useful
(and leads to duplicate headers in three cases). This removes the
relevant parts of the shell script.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Ensure kube-proxy waits for the services/endpointslices informer
caches to be synced *and* all pre-sync events delivered before
setting isInitialized=true. Otherwise, in clusters with many services,
some services may be missing from svcPortMap when kube-proxy starts
(e.g. during daemonset rollout). This can cause kube-proxy to temporarily
remove service DNAT rules and then skip cleanup of UDP conntrack entries
to a service VIP.
Resolves: https://github.com/kubernetes/kubernetes/issues/126468
