Volume that failed Detach() should not be marked as attached, CSI
external-attacher is probably still trying to detach it.
Mark it uncertain instead and wait for Detach() to succeed.
The subpath could be passed a PowerShell subexpression which would be executed by kubelet with privilege. Switching to pass the arguments via environment variables means the subexpression won't be evaluated.
Signed-off-by: James Sturtevant <jstur@microsoft.com>
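
Added example, not code from the commit or from Kubernetes: a minimal Go sketch of the difference between splicing a path into PowerShell script text and handing it over through the child's environment. The script, the variable name `linkpath` and the helper names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// linkTypeScript is a fixed script (illustrative). It never contains caller
// data: the path is read from the environment at run time, so PowerShell
// treats it as a plain string and does not parse it as script text.
const linkTypeScript = `(Get-Item -LiteralPath $env:linkpath).LinkType`

// unsafeLinkTypeCmd shows the pattern being removed: the path becomes part of
// the script text, so a "$(...)" inside it is parsed as a subexpression.
func unsafeLinkTypeCmd(path string) *exec.Cmd {
	script := fmt.Sprintf(`(Get-Item -LiteralPath "%s").LinkType`, path)
	return exec.Command("powershell", "/c", script)
}

// safeLinkTypeCmd passes the path out of band in the child's environment.
func safeLinkTypeCmd(path string) *exec.Cmd {
	cmd := exec.Command("powershell", "/c", linkTypeScript)
	cmd.Env = append(os.Environ(), "linkpath="+path)
	return cmd
}

// scriptContains reports whether any command-line argument carries value.
func scriptContains(cmd *exec.Cmd, value string) bool {
	for _, a := range cmd.Args {
		if strings.Contains(a, value) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a subPath-derived path carrying a subexpression.
	p := `C:\var\lib\kubelet\pods\x\$(Write-Output marker)`
	// The commands are only built and inspected here, never started.
	fmt.Println("unsafe script carries input:", scriptContains(unsafeLinkTypeCmd(p), "$("))
	fmt.Println("safe script carries input:  ", scriptContains(safeLinkTypeCmd(p), "$("))
}
```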
PVC and containers shared the same ResourceRequirements struct to define their
API. When resource claims were added, that struct got extended, which
accidentally also changed the PVC API. To avoid such a mistake from happening
again, PVC now uses its own VolumeResourceRequirements struct.
The `Claims` field gets removed because risk of breaking someone is low:
theoretically, YAML files which have a claims field for volumes now
get rejected when validating against the OpenAPI. Such files
have never made sense and should be fixed.
Code that uses the struct definitions needs to be updated.
This replaces deprecated ioutil variables and functions as follows:
* ioutil.ReadDir -> os.ReadDir
* ioutil.ReadFile -> os.ReadFile
* ioutil.TempDir -> os.MkdirTemp
* ioutil.TempFile -> os.CreateTemp
* ioutil.WriteFile -> os.WriteFile
The ReadDir conversion involves an API change, the replacement
function returns a slice of fs.DirEntry instead of fs.FileInfo.
Where appropriate, the surrounding code has been adjusted; mostly,
that means using DirEntry.Type() instead of FileInfo.Mode().
Applying this change to the IoUtil interface would mean changing its
API, so this is left for later.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
GetFileType is meant to return the type of the given file by using os.Stat.
However, os.Stat doesn't work on Windows for Unix Sockets, causing an error to occur:
[2-Socket Test] unexpected error :
CreateFile C:\Users\Administrator\AppData\Local\Temp\test-get-filetype-2776877299\mt.sock:
The file cannot be accessed by the system.
This is a known issue and we're already using a workaround for this in
pkg/kubelet/util/util_windows.go.
This commit fixes this issue for GetFileType on Windows.
When size limit is specified subsequent invocations will fail because
ibytes is changed to -1 and stored internally in quotaSizeMap during the
first call. Later invocation will see that the requested size doesn't
match the actual stored value and it will fail.
Signed-off-by: Alexandru Matei <alexandru.matei@uipath.com>
The function does not necessarily choose class based on the creation
timestamp but can also pick alphabetically first if the timestamps are
equal. The info message should not say it's choosing the newest because
it is misleading.
Now KEP-127 relies on idmap mounts to do the ID translation and we won't
do any chowns in the kubelet.
This patch just removes the usage of GetHostIDsForPod() in
operationexecutor to do the chown, and also removes the
GetHostIDsForPod() method from the kubelet volume interface.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
File system quota monitoring setup fails on subsequent invocations,
each time quota setup is invoked a new random UID is generated for
each pod and compared with the previously stored UID for the folder.
Fix it by keeping track of mapping between internal uid generated
for a pod and actual external pod uid.
Signed-off-by: Alexandru Matei <alexandru.matei@uipath.com>
When a block device, say /dev/sdc, is unexpectedly disconnected from a node,
the corresponding backing file path found at /sys/block/loop*/backing_file gets
a "(deleted)" suffix. This patch trims that suffix out, allowing the Kubelet to
unmount the volume correctly.
This change fixes a race condition that was caused by setting the file owner,
group and mode non-atomically, after the updated files had been published.
Users who were running non-root containers, without GID 0 permissions, and
had removed read permissions from other users by setting defaultMode: 0440 or
similar, were getting intermittent permission denied errors when accessing
files on secret or configmap volumes or service account tokens on projected
volumes during update.
Currently, there are some unit tests that are failing on Windows due to
various reasons:
- paths not properly joined (filepath.Join should be used).
- files not closed, which means that they cannot be removed / renamed.
- time.Now() is not as precise on Windows, which means that 2
consecutive calls may return the same timestamp.
This change will leverage the new PreFilterResult
to reduce down the list of eligible nodes for pod
using Bound Local PVs during PreFilter stage so
that only the node(s) which local PV node affinity
matches will be considered in subsequent scheduling
stages.
Today, the NodeAffinity check is done during Filter
which means all nodes will be considered even though
there may be a large number of nodes that are not
eligible due to not matching the pod's bound local
PV(s)' node affinity requirement. Here we can
reduce down the node list in PreFilter to ensure that
during Filter we are only considering the reduced
list and thus can provide a more clear message to
users when node(s) are not available for scheduling
since the list only contains relevant nodes.
If error is encountered (e.g. PV cache read error) or
if node list reduction cannot be done (e.g. pod uses
no local PVs), then we will still proceed to consider
all nodes for the rest of scheduling stages.
Signed-off-by: Yibo Zhuang <yibzhuang@gmail.com>