In order to avoid noisy / false positive CVE image scanning, Conformance
image is now be built based on Distroless.
Signed-off-by: Wilson Husin <whusin@vmware.com>
Add support to the endpoint slice mirroring controller to mirror
annotations, in addition to labels, but don´t mirror endpoint
triggertime annotation.
Also, fix a bug in the endpointslice mirroring controller, that
wasn't updating the mirrored slice with the new labels, in case
that only the endpoint labels were modified.
If available, then the MaximumVolumeSize is a better indicator whether
creating a volume has a chance to succeed than the total (?) Capacity,
which is potentially larger and less well-defined.
We still need the alpha API for testing with current
external-provisioner, but then should remove it shortly after the 1.21
release once the external-provisioner is updated to use the beta API.
That VolumeAttachment is still defined in the alpha API looks like an
oversight. To minimize changes during the beta graduation of
CSIStorageCapacity it is left in place with a deprecation notification
in 1.21.
This is the result of
UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true go test k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy
after enabling the CSIStorageCapacity feature. This enables
additional RBAC entries for reading CSIDriver and
CSIStorageCapacity.
That the object was registered depending on the feature gate was
called out as unusual during the 1.21 review. Previously, all beta
storage APIs were unders such feature gate checks, but its better to
drop that to be consistent with the rest of Kubernetes.
Defaults and validation are such that the field has to be set when
the feature is enabled, just as for the other boolean fields. This
was missing in some tests, which was okay as long as they ran
with the feature disabled. Once it gets enabled, validation will
flag the missing field as error.
Other tests didn't run at all.
It's easy to get update conflict when processing a DaemonSet
continuously. storeDaemonSetStatus had a retry logic that it gets the
resource from apiserver to update the DaemonSet with the latest resource
version. However, it never really retried because of a wrong check and
always made an useless get call. This patch fixes the logic to allow
the function retry once on update error.
