Automatic merge from submit-queue (batch tested with PRs 39114, 36004)
Revert #32751 and #35840 in 1.6
Revert backward compatibility hacks (#36004, #32751) that are no-longer needed in release 1.6
@kubernetes/sig-api-machinery @liggitt
Automatic merge from submit-queue (batch tested with PRs 39114, 36004)
assign -998 as the oom_score_adj for critical pods (e.g. kube-proxy)
I also validated this with a testing cluster: Fresh built cluster, and kill kube-proxy pod, etc.
```
root 2660 2643 0 Dec21 ? 00:00:00 /bin/sh -c kube-proxy --master=https://104.198.79.64 --kubeconfig=/var/lib/kube-proxy/kubeconfig --cluster-cidr=10.180.0.0/14 --resource-container="" --v=4 1>>/var/log/kube-proxy.log 2>&1
root 2667 2660 0 Dec21 ? 00:03:14 kube-proxy --master=https://104.198.79.64 --kubeconfig=/var/lib/kube-proxy/kubeconfig --cluster-cidr=10.180.0.0/14 --resource-container= --v=4
# cat /proc/2660/oom_score_adj
-998
# cat /proc/2667/oom_score_adj
-998
```
In this pr, I also include a small fix for import cycle issue. The right fix should remove the dependency on qos package from pkg/apis/componentconfig/v1alpha1. But since we plan to cherrypick this pr to both 1.5 and 1.4 (possible), I want touch the source as little as possible.
Partial fix: #38322
Automatic merge from submit-queue (batch tested with PRs 39115, 39111)
Make one of the go2idl unit tests pass in a sandbox.
Not sure how important this is.
Automatic merge from submit-queue (batch tested with PRs 39115, 39111)
Node E2E: Do not use sudo when untar node e2e tar ball.
`sudo tar -x` will [extract files with original file ownership](http://unix.stackexchange.com/questions/264464/sudo-tar-changes-extracted-files-ownership-to-unknown-user), which is not what we want.
This also causes problem to https://github.com/kubernetes/test-infra/issues/1348.
Because in https://github.com/kubernetes/test-infra/issues/1348 we move node e2e runner into a docker container. Inside the container, the user is `root` by default, so the tar ball has `root` ownership.
If we untar the tar ball with `sudo`, it will recover the `root` ownership and the following operation may not have enough permission.
No matter what, we should not recover the file ownership inside the tar ball because:
* We don't care it.
* It may even not exist on the host.
@krzyzacy
Automatic merge from submit-queue
Disable verify-test-owners.sh and make `go vet` more obvious
**What this PR does / why we need it**: I and others keep seeing the verify-test-owners.sh failure and think that's why the PR failed checks. Rather than making verify-test-owners.sh pass with errors, just skip it entirely.
Also print out the `go vet` command we're running, to make that failure more obvious.
cc @k82cn @saad-ali
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Enforce the RBAC authorizer in e2e for controllers and proxy
Turns on RBAC and updates the GCE controllers to use discrete service accounts.
Opening pull to start completing roles.
Automatic merge from submit-queue
Node E2E: Set user with `--ssh-user` flag when running remote node e2e.
This PR unblocks https://github.com/kubernetes/test-infra/issues/1348.
In our test environment, we must login test instance as user `jenkins` because of the service account. Node e2e is always using the default user on the host, which works fine till now, because it is always run as `jenkins` in our test environment.
However, now we moved the test runner into a docker container, inside the container user is `root` by default, which will cause error:
```
Permission denied (publickey)
```
This PR added a flag `--ssh-user` to explicitly specify the user used to ssh into test instance. The dockerized test runner can set user to `jenkins` with this flag.
@krzyzacy @ixdy
Automatic merge from submit-queue
Fix DaemonSet cache mutation
**What this PR does / why we need it**: stops the DaemonSetController from mutating the DaemonSet shared informer cache
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#38985
cc @deads2k @mikedanese @lavalamp @smarterclayton
Automatic merge from submit-queue (batch tested with PRs 39079, 38991, 38673)
Support systemd based pod qos in CRI dockershim
This PR makes pod level QoS works for CRI dockershim for systemd based cgroups. And will also fix#36807
- [x] Add cgroupDriver to dockerService and use docker info api to set value for it
- [x] Add a NOTE that detection only works for docker 1.11+, see [CHANGE LOG](https://github.com/docker/docker/blob/master/CHANGELOG.md#1110-2016-04-13)
- [x] Generate cgroupParent in syntax expected by cgroupDriver
- [x] Set cgroupParent to hostConfig for both sandbox and user container
- [x] Check if kubelet conflicts with cgroup driver of docker
cc @derekwaynecarr @vishh
Automatic merge from submit-queue (batch tested with PRs 39061, 39079)
Fixed cluster validation: added -q flag to gcloud.
Fixed cluster validation in multi-zone mode: added -q flag to gcloud.
Automatic merge from submit-queue
Fix typo for federation/*
**What this PR does / why we need it**:
Increase code readability for this new member in v1.5
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
**Special notes for your reviewer**:
Could we develop a typo-fix bot along with a k8s terminology dictionary ?
**Release note**:
```release-note
```
Automatic merge from submit-queue
Validate numberReady in DaemonSet status
In #32781 numberReady was introduced but it wasn't validated.
@kargakis @mikedanese it's a very small change. Please take a look.
Automatic merge from submit-queue
Fixing 'systemd restart docker' command in kubemark master
We try to restart docker after assembling it's flags in kubemark master using `systemd`, while it doesn't exist on the gci image. Changed it to `systemctl` instead.
This means that docker wasn't getting restarted in gci after changing DOCKER_OPTS all this while and hence not flushing the nat iptable didn't really matter.
But now, since we have the flag `--ip-masq=false` in DOCKER_OPTS taking effect, flushing the nat table makes sense, in order to make both of them consistent wrt masquerading.
Also, do you think that this might have anything to do with the failing kubemark tests (if there were some containers that did not want to allow iptable modification / masquerading)?
@kubernetes/sig-scalability-misc @wojtek-t @gmarek
Automatic merge from submit-queue
register batch/jobs to federation-apiserver
register batch/jobs api objects to federation-apiserver
**Release note**:
```release-note
Federation: Add `batch/jobs` API objects to federation-apiserver
```
@quinton-hoole @nikhiljindal @deepak-vij
#34261
Automatic merge from submit-queue
Added 'hollow'-node-problem-detector to hollow-nodes in kubemark
Added node-problem-detector container in kubemark hollow-nodes, which takes in a 'hollow' (having an empty list of rules and conditions) kernel monitor config.
cc @kubernetes/sig-scalability-misc @wojtek-t @gmarek
Automatic merge from submit-queue (batch tested with PRs 36751, 38968)
Convert * users/groups to system:authenticated group in ABAC
Part of enabling anonymous auth by default in 1.6 means protecting earlier policies that did not intend to grant access to anonymous users.
This modifies ABAC policies that match `user` or `group` `*` to only match authenticated users.
Docs PR to update examples to use `system:authenticated` or `system:unauthenticated` groups explicitly: https://github.com/kubernetes/kubernetes.github.io/pull/1992
```release-note
ABAC policies using "user":"*" or "group":"*" to match all users or groups will only match authenticated requests. To match unauthenticated requests, ABAC policies must explicitly specify "group":"system:unauthenticated"
```
Automatic merge from submit-queue
To add local registry to libvirt_coreos
`libvirt_coreos` is quick way to have a multi-node cluster on a linux laptop for development purpouse.
This PR adds local registry to libvirt_coreos cluster. Mind have a look?
@roberthbailey since you reviewed my last PR on dns for libvirt_coreos
Automatic merge from submit-queue (batch tested with PRs 36888, 38180, 38855, 38590)
dnsprovider: Expose route53 constructor
This enables testing when the dnsprovider is used externally (with a
mock Route53 API, as we do in kops), and also might be useful for
constructing with a particular client instance with extra options.
Automatic merge from submit-queue (batch tested with PRs 36888, 38180, 38855, 38590)
Fix variable shadowing in exponential backoff when deleting volumes
While https://github.com/kubernetes/kubernetes/pull/38339 implemented exponential backoff on
volume deletion, that PR suffers from a minor bug when error thrown on volume deletion is anything other than `VolumeInUse` errors - in which case exponential backoff will not work.
This PR fixes that. This PR also makes unit tests more deterministic because exponential backoff changed the way operations are permitted.
CC @jsafrane @childsb @wongma7
