Jordan Liggitt
d541970751
PodSecurity: seLinuxOptions: cleanup
...
rename to seLinuxOptions
make message consistent
add unit tests for message
consolidate integration test fixtures
2021-07-08 02:19:28 -04:00
Jordan Liggitt
19c8ab297c
PodSecurity: sysctls: cleanup
...
Add documentation and unit tests for messages
2021-07-08 02:19:28 -04:00
Jordan Liggitt
e178695c25
PodSecurity: seccompProfile_baseline: regenerate files
2021-07-08 02:19:28 -04:00
Jordan Liggitt
bebf612967
PodSecurity: seccompProfile_baseline: cleanup
...
Make messages consistent
Add unit tests for messages
Consolidate integration test fixtures
Rename to seccompProfile_baseline
2021-07-08 02:19:28 -04:00
Jordan Liggitt
2af08d1a5a
PodSecurity: seccompProfile_restricted: regenerate files
2021-07-08 02:19:27 -04:00
Jordan Liggitt
88a1241299
PodSecurity: seccompProfile_restricted: cleanup
...
Switch from field paths to container names in messages
Add unit tests for messages
Consolidate integration test fixtures
2021-07-08 02:19:27 -04:00
Jordan Liggitt
43146d4377
PodSecurity: runAsNonRoot: regenerate files
2021-07-08 02:19:27 -04:00
Jordan Liggitt
5fc06591a2
PodSecurity: runAsNonRoot: cleanup
...
Improve message and details
Add unit tests
Consolidate integration test fixtures
2021-07-08 02:19:27 -04:00
Jordan Liggitt
edb7cdb02a
PodSecurity: restrictedVolumes: regenerate files
2021-07-08 02:19:26 -04:00
Jordan Liggitt
676240a342
PodSecurity: restrictedVolumes: cleanup
...
Updated forbidden reason/details
Added unit test to exercise all volume types
Consolidated fixtures
2021-07-08 02:19:26 -04:00
Jordan Liggitt
4a69c57992
PodSecurity: procMount: cleanup
2021-07-08 02:19:26 -04:00
Jordan Liggitt
f9b8dfd0e6
PodSecurity: privileged: cleanup
2021-07-08 02:19:26 -04:00
Jordan Liggitt
7c70467400
PodSecurity: windowsHostProcess: regenerate files
2021-07-08 02:19:26 -04:00
Jordan Liggitt
9dce1d6a49
PodSecurity: windowsHostProcess: cleanup
...
Rename to windowsHostProcess
Format reason/details
Add unit tests
2021-07-08 02:19:25 -04:00
Jordan Liggitt
45485bb7ae
PodSecurity: hostPorts: cleanup
...
Reformat message
Add unit test to exercise message/details
2021-07-08 02:19:25 -04:00
Jordan Liggitt
f709cf05f4
PodSecurity: hostPathVolumes: regenerate files
2021-07-08 02:19:25 -04:00
Jordan Liggitt
a39c448684
PodSecurity: hostPathVolumes: cleanup
...
Rename id to hostPathVolumes
Simplify message construction
Add unit test to exercise messages
Simplify integration test fixtures
2021-07-08 02:19:24 -04:00
Jordan Liggitt
826c57701c
PodSecurity: hostNamespaces: cleanup
...
Use slice instead of set to accumulate errors
Add unit test to exercise message
Update docs to clarify undefined values are permitted
2021-07-08 02:19:24 -04:00
Jordan Liggitt
62b71175e7
PodSecurity: restricted capabilities: regenerate files
2021-07-08 02:19:24 -04:00
Jordan Liggitt
f10dfc6e30
PodSecurity: restricted capabilities: cleanup
...
Fix formatting of container names
Add unit test for containers missing drop, containers with invalid adds
Consolidate integration test fixtures
2021-07-08 02:19:24 -04:00
Jordan Liggitt
bd4dc42a72
PodSecurity: baseline capabilities: regenerate files
2021-07-08 02:19:24 -04:00
Jordan Liggitt
809abf4f5b
PodSecurity: baseline capabilities: cleanup
...
Rename to capabilities_baseline
Add unit test exercising forbidden reason and details
Consolidate integration test fixtures
2021-07-08 02:19:23 -04:00
Jordan Liggitt
b390e9e32d
PodSecurity: appArmorProfile: cleanup
...
Also allow values
Add unit test exercising forbidden reason/detail
Clean up forbidden reason construction
2021-07-08 02:19:23 -04:00
Jordan Liggitt
8291f8490b
PodSecurity: allowPrivilegeEscalation: regenerate files
2021-07-08 02:19:23 -04:00
Jordan Liggitt
1e2886341a
PodSecurity: allowPrivilegeEscalation: cleanup
...
Make forbidden details more compact
Add unit test exercising forbidden message/details
Consolidate fixtures
2021-07-08 02:19:23 -04:00
Jordan Liggitt
648b970718
PodSecurity: add message helper
2021-07-08 02:19:22 -04:00
Jordan Liggitt
92541f46e6
Restore ability to print long strings
2021-07-08 01:53:01 -04:00
Davanum Srinivas
6c72fbaa89
update vendor after switch
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-07 22:31:37 -04:00
Davanum Srinivas
79d0c6cdc1
switch from golang-lru to the one in k8s.io/utils
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-07 22:31:37 -04:00
Davanum Srinivas
3a221b3332
update to new k8s.io/utils
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-07 22:31:30 -04:00
Harry Zhang
a3f57886a2
fix CleanScope so we can resolve correct verb for apiserver_request_terminations_total
2021-07-07 19:07:49 -07:00
Samuel Roth
a6b30e9629
podsecurity: added ValidatePodSecurityConfiguration
2021-07-07 21:59:05 -04:00
Li Bo
c3d9b10ca8
feature: support Memory QoS for cgroups v2
2021-07-08 09:26:46 +08:00
Kubernetes Prow Robot
f915aa39e8
Merge pull request #103541 from jbartosik/bump-addon-manager
...
Bump version of Addon Resizer used by Metrics Server
2021-07-07 18:09:29 -07:00
Kubernetes Prow Robot
16af282ee7
Merge pull request #103520 from swetharepakula/truncate-endpoints
...
Truncate endpoints over a 1000 addresses
2021-07-07 18:09:21 -07:00
Kubernetes Prow Robot
8fb777efb0
Merge pull request #103451 from swetharepakula/ga-proxy-gates
...
Graduate EndpointSliceProxying and WindowsEndpointSliceProxying Gates
2021-07-07 18:09:13 -07:00
Kubernetes Prow Robot
36a7426aa5
Merge pull request #99144 from bart0sh/PR0094-promote-HugePageStorageMediumSize-to-GA
...
promote huge page storage medium size to GA
2021-07-07 18:09:05 -07:00
Kubernetes Prow Robot
ebbe63f116
Merge pull request #92863 from AkihiroSuda/rootless-pr
...
kubelet & kube-proxy: ignore sysctl errors and rlimit errors when running in UserNS (for rootless)
2021-07-07 18:08:53 -07:00
Tim Hockin
80dda49ce2
Service: Fix semantics for Update wrt allocations
...
It is not uncommon for users to Create a Service and not specify things
like ClusterIP and NodePort, which we then allocate for them. They save
that YAML somewhere and later use it again in an Update, but then it
fails.
That's because we detected them trying to set a ClusterIP from a value
to "", which is not allowed. If it was just NodePort, they would
actually succeed and reallocate a new port.
After this change, we try to "patch" updates where the user did not
specify those values from the old object.
2021-07-07 17:09:12 -07:00
Kubernetes Prow Robot
818ed1afff
Merge pull request #103552 from liggitt/podsecurity-code
...
PodSecurity: use code/reason/details from admission library
2021-07-07 17:05:56 -07:00
Kubernetes Prow Robot
075ce33452
Merge pull request #103487 from novahe/fix/fixture-data-race
...
client-go: fix fixture data race
2021-07-07 17:05:48 -07:00
Kubernetes Prow Robot
7bfd0b0503
Merge pull request #103467 from thockin/svc-alloc-lb-nodeports-bug
...
Fix small bug with AllocateLoadBalancerNodePorts
2021-07-07 17:05:40 -07:00
Kubernetes Prow Robot
10ba908d74
Merge pull request #103419 from natasha41575/upgradeKust4.2
...
Upgrade kustomize-in-kubectl to v4.2.0
2021-07-07 17:05:31 -07:00
Kubernetes Prow Robot
6ed98b60f0
Merge pull request #103383 from Huang-Wei/move-up-pods
...
sched: provide an option for plugin developers to move pods to activeQ
2021-07-07 17:05:22 -07:00
Kubernetes Prow Robot
8e56a34195
Merge pull request #102966 from SergeyKanzhelev/deprecateDynamicKubeletConfig
...
deprecate and disable by default DynamicKubeletConfig feature flag
2021-07-07 17:05:15 -07:00
Kubernetes Prow Robot
785d9f028a
Merge pull request #102188 from alculquicondor/fasterselector
...
Improve slice allocation in LabelSelectorAsSelector
2021-07-07 17:05:06 -07:00
Kubernetes Prow Robot
e3234f3d6b
Merge pull request #101604 from pacoxu/tuning-grpc
...
use PermitWithoutStream=true for etcd: send pings even without active stream
2021-07-07 17:04:53 -07:00
Lubomir I. Ivanov
6cf3e36c37
kubeadm: statically default the "from cluster" InitConfiguration
...
During operations such as "upgrade", kubeadm fetches the
ClusterConfiguration object from the kubeadm ConfigMap.
However, due to requiring node specifics it wraps it in an
InitConfiguration object. The function responsible for that is:
app/util/config#FetchInitConfigurationFromCluster().
A problem with this function (and sub-calls) is that it ignores
the static defaults applied from versioned types
(e.g. v1beta3/defaults.go) and only applies dynamic defaults for:
- API endpoints
- node registration
- etc...
The introduction of Init|JoinConfiguration.ImagePullPolicy now
has static defaulting of the NodeRegistration object with a default
policy of "PullIfNotPresent". Respect this defaulting by constructing
a defaulted internal InitConfiguration from
FetchInitConfigurationFromCluster() and only then apply the dynamic
defaults over it.
This fixes a bug where "kubeadm upgrade ..." fails when pulling images
due to an empty ("") ImagePullPolicy. We could assume that empty
string means default policy on runtime in:
cmd/kubeadm/app/preflight/checks.go#ImagePullCheck()
but that might actually not be the user intent during "init" and "join",
due to e.g. a typo. Similarly, we don't allow empty tokens
on runtime and error out.
2021-07-08 02:52:11 +03:00
Kubernetes Prow Robot
e67979eaf6
Merge pull request #103550 from tkashem/apf-bootstrap-log-message
...
apf: fix bootstrap ensurer log message
2021-07-07 14:20:36 -07:00
Kubernetes Prow Robot
a392ca0f25
Merge pull request #103543 from liggitt/implement-check_dropCapabilities.go
...
Implement check drop capabilities.go
2021-07-07 14:20:23 -07:00