Commit Graph

102398 Commits

Author SHA1 Message Date
Jordan Liggitt
d541970751 PodSecurity: seLinuxOptions: cleanup
rename to seLinuxOptions
make message consistent
add unit tests for message
consolidate integration test fixtures
2021-07-08 02:19:28 -04:00
Jordan Liggitt
19c8ab297c PodSecurity: sysctls: cleanup
Add documentation and unit tests for messages
2021-07-08 02:19:28 -04:00
Jordan Liggitt
e178695c25 PodSecurity: seccompProfile_baseline: regenerate files 2021-07-08 02:19:28 -04:00
Jordan Liggitt
bebf612967 PodSecurity: seccompProfile_baseline: cleanup
Make messages consistent
Add unit tests for messages
Consolidate integration test fixtures
Rename to seccompProfile_baseline
2021-07-08 02:19:28 -04:00
Jordan Liggitt
2af08d1a5a PodSecurity: seccompProfile_restricted: regenerate files 2021-07-08 02:19:27 -04:00
Jordan Liggitt
88a1241299 PodSecurity: seccompProfile_restricted: cleanup
Switch from field paths to container names in messages
Add unit tests for messages
Consolidate integration test fixtures
2021-07-08 02:19:27 -04:00
Jordan Liggitt
43146d4377 PodSecurity: runAsNonRoot: regenerate files 2021-07-08 02:19:27 -04:00
Jordan Liggitt
5fc06591a2 PodSecurity: runAsNonRoot: cleanup
Improve message and details
Add unit tests
Consolidate integration test fixtures
2021-07-08 02:19:27 -04:00
Jordan Liggitt
edb7cdb02a PodSecurity: restrictedVolumes: regenerate files 2021-07-08 02:19:26 -04:00
Jordan Liggitt
676240a342 PodSecurity: restrictedVolumes: cleanup
Updated forbidden reason/details
Added unit test to exercise all volume types
Consolidated fixtures
2021-07-08 02:19:26 -04:00
Jordan Liggitt
4a69c57992 PodSecurity: procMount: cleanup 2021-07-08 02:19:26 -04:00
Jordan Liggitt
f9b8dfd0e6 PodSecurity: privileged: cleanup 2021-07-08 02:19:26 -04:00
Jordan Liggitt
7c70467400 PodSecurity: windowsHostProcess: regenerate files 2021-07-08 02:19:26 -04:00
Jordan Liggitt
9dce1d6a49 PodSecurity: windowsHostProcess: cleanup
Rename to windowsHostProcess
Format reason/details
Add unit tests
2021-07-08 02:19:25 -04:00
Jordan Liggitt
45485bb7ae PodSecurity: hostPorts: cleanup
Reformat message
Add unit test to exercise message/details
2021-07-08 02:19:25 -04:00
Jordan Liggitt
f709cf05f4 PodSecurity: hostPathVolumes: regenerate files 2021-07-08 02:19:25 -04:00
Jordan Liggitt
a39c448684 PodSecurity: hostPathVolumes: cleanup
Rename id to hostPathVolumes
Simplify message construction
Add unit test to exercise messages
Simplify integration test fixtures
2021-07-08 02:19:24 -04:00
Jordan Liggitt
826c57701c PodSecurity: hostNamespaces: cleanup
Use slice instead of set to accumulate errors
Add unit test to exercise message
Update docs to clarify undefined values are permitted
2021-07-08 02:19:24 -04:00
Jordan Liggitt
62b71175e7 PodSecurity: restricted capabilities: regenerate files 2021-07-08 02:19:24 -04:00
Jordan Liggitt
f10dfc6e30 PodSecurity: restricted capabilities: cleanup
Fix formatting of container names,
Add unit test for containers missing drop, containers with invalid adds
Consolidate integration test fixtures
2021-07-08 02:19:24 -04:00
Jordan Liggitt
bd4dc42a72 PodSecurity: baseline capabilities: regenerate files 2021-07-08 02:19:24 -04:00
Jordan Liggitt
809abf4f5b PodSecurity: baseline capabilities: cleanup
Rename to capabilities_baseline
Add unit test exercising forbidden reason and details
Consolidate integration test fixtures
2021-07-08 02:19:23 -04:00
Jordan Liggitt
b390e9e32d PodSecurity: appArmorProfile: cleanup
Also allow  values
Add unit test exercising forbidden reason/detail
Clean up forbidden reason construction
2021-07-08 02:19:23 -04:00
Jordan Liggitt
8291f8490b PodSecurity: allowPrivilegeEscalation: regenerate files 2021-07-08 02:19:23 -04:00
Jordan Liggitt
1e2886341a PodSecurity: allowPrivilegeEscalation: cleanup
Make forbidden details more compact
Add unit test exercising forbidden message/details
Consolidate fixtures
2021-07-08 02:19:23 -04:00
Jordan Liggitt
648b970718 PodSecurity: add message helper 2021-07-08 02:19:22 -04:00
Jordan Liggitt
92541f46e6 Restore ability to print long strings 2021-07-08 01:53:01 -04:00
Davanum Srinivas
6c72fbaa89
update vendor after switch
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-07 22:31:37 -04:00
Davanum Srinivas
79d0c6cdc1
switch from golang-lru to the one in k8s.io/utils
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-07 22:31:37 -04:00
Davanum Srinivas
3a221b3332
update to new k8s.io/utils
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-07 22:31:30 -04:00
Harry Zhang
a3f57886a2 fix CleanScope so we can resolve correct verb for apiserver_request_terminations_total 2021-07-07 19:07:49 -07:00
Samuel Roth
a6b30e9629 podsecurity: added ValidatePodSecurityConfiguration 2021-07-07 21:59:05 -04:00
Li Bo
c3d9b10ca8 feature: support Memory QoS for cgroups v2 2021-07-08 09:26:46 +08:00
Kubernetes Prow Robot
f915aa39e8
Merge pull request #103541 from jbartosik/bump-addon-manager
Bump version of Addon Resizer used by Metrics Server
2021-07-07 18:09:29 -07:00
Kubernetes Prow Robot
16af282ee7
Merge pull request #103520 from swetharepakula/truncate-endpoints
Truncate endpoints over a 1000 addresses
2021-07-07 18:09:21 -07:00
Kubernetes Prow Robot
8fb777efb0
Merge pull request #103451 from swetharepakula/ga-proxy-gates
Graduate EndpointSliceProxying and WindowsEndpointSliceProxying Gates
2021-07-07 18:09:13 -07:00
Kubernetes Prow Robot
36a7426aa5
Merge pull request #99144 from bart0sh/PR0094-promote-HugePageStorageMediumSize-to-GA
promote huge page storage medium size to GA
2021-07-07 18:09:05 -07:00
Kubernetes Prow Robot
ebbe63f116
Merge pull request #92863 from AkihiroSuda/rootless-pr
kubelet & kube-proxy: ignore sysctl errors and rlimit errors when running in UserNS (for rootless)
2021-07-07 18:08:53 -07:00
Tim Hockin
80dda49ce2 Service: Fix semantics for Update wrt allocations
It is not uncommon for users to Create a Service and not specify things
like ClusterIP and NodePort, which we then allocate for them.  They save
that YAML somewhere and later use it again in an Update, but then it
fails.

That's because we detected them trying to set a ClusterIP from a value
to "", which is not allowed.  If it was just NodePort, they would
actually succeed and reallocate a new port.

After this change, we try to "patch" updates where the user did not
specify those values from the old object.
2021-07-07 17:09:12 -07:00
Kubernetes Prow Robot
818ed1afff
Merge pull request #103552 from liggitt/podsecurity-code
PodSecurity: use code/reason/details from admission library
2021-07-07 17:05:56 -07:00
Kubernetes Prow Robot
075ce33452
Merge pull request #103487 from novahe/fix/fixture-data-race
client-go: fix fixture data race
2021-07-07 17:05:48 -07:00
Kubernetes Prow Robot
7bfd0b0503
Merge pull request #103467 from thockin/svc-alloc-lb-nodeports-bug
Fix small bug with AllocateLoadBalancerNodePorts
2021-07-07 17:05:40 -07:00
Kubernetes Prow Robot
10ba908d74
Merge pull request #103419 from natasha41575/upgradeKust4.2
Upgrade kustomize-in-kubectl to v4.2.0
2021-07-07 17:05:31 -07:00
Kubernetes Prow Robot
6ed98b60f0
Merge pull request #103383 from Huang-Wei/move-up-pods
sched: provide an option for plugin developers to move pods to activeQ
2021-07-07 17:05:22 -07:00
Kubernetes Prow Robot
8e56a34195
Merge pull request #102966 from SergeyKanzhelev/deprecateDynamicKubeletConfig
deprecate and disable by default DynamicKubeletConfig feature flag
2021-07-07 17:05:15 -07:00
Kubernetes Prow Robot
785d9f028a
Merge pull request #102188 from alculquicondor/fasterselector
Improve slice allocation in LabelSelectorAsSelector
2021-07-07 17:05:06 -07:00
Kubernetes Prow Robot
e3234f3d6b
Merge pull request #101604 from pacoxu/tuning-grpc
use PermitWithoutStream=true for etcd: send pings even without active stream
2021-07-07 17:04:53 -07:00
Lubomir I. Ivanov
6cf3e36c37 kubeadm: statically default the "from cluster" InitConfiguration
During operations such as "upgrade", kubeadm fetches the
ClusterConfiguration object from the kubeadm ConfigMap.
However, due to requiring node specifics it wraps it in an
InitConfiguration object. The function responsible for that is:
  app/util/config#FetchInitConfigurationFromCluster().

A problem with this function (and sub-calls) is that it ignores
the static defaults applied from versioned types
(e.g. v1beta3/defaults.go) and only applies dynamic defaults for:
- API endpoints
- node registration
- etc...

The introduction of Init|JoinConfiguration.ImagePullPolicy now
has static defaulting of the NodeRegistration object with a default
policy of "PullIfNotPresent". Respect this defaulting by constructing
a defaulted internal InitConfiguration from
FetchInitConfigurationFromCluster() and only then apply the dynamic
defaults over it.

This fixes a bug where "kubeadm upgrade ..." fails when pulling images
due to an empty ("") ImagePullPolicy. We could assume that empty
string means default policy on runtime in:
cmd/kubeadm/app/preflight/checks.go#ImagePullCheck()

but that might actually not be the user intent during "init" and "join",
due to e.g. a typo. Similarly, we don't allow empty tokens
on runtime and error out.
2021-07-08 02:52:11 +03:00
Kubernetes Prow Robot
e67979eaf6
Merge pull request #103550 from tkashem/apf-bootstrap-log-message
apf: fix bootstrap ensurer log message
2021-07-07 14:20:36 -07:00
Kubernetes Prow Robot
a392ca0f25
Merge pull request #103543 from liggitt/implement-check_dropCapabilities.go
Implement check drop capabilities.go
2021-07-07 14:20:23 -07:00