PR #10643 started adding the dns names for the kubernetes master to the
self-signed certs which were created. The kubelet uses this same code, and thus
the kubelet cert started saying it was valid for these names as well.
While harmless, the kubelet cert shouldn't claim to be these things. So
make the caller explicitly list both their ip and dns subject alt names.

port-forward needs socat on the node hosts; we technically
don't need it today on the master, but this seems the right
place to put it, and socat is a small dependency.

This is a partial reversion of #9728, and should fix #10612.
9728 used the AWS instance id as the node name. But proxy, logs
and exec all used the node name as the host name for contacting the minion.
It is possible to resolve a host to the IP, and this fixes logs. But
exec and proxy also require an SSL certificate match on the hostname,
and this is harder to fix.
So the sensible fix seems to be a minimal reversion of the changes in #9728,
and we can revisit this post 1.0.

GCE does this in its per-provider scripts; this does the same for AWS and lets
other providers do the same; I believe kube2sky requires 10.0.0.1 as a SAN.

The namespace test is currently taking about 18 minutes because it
creates and deletes namespaces sequentially, and for various reasons it
takes at least 10 seconds for each namespace.
By parallelizing the creation and deletion of namespaces, this test now
takes about 2-3 minutes.

ImagePullKeys -> ImagePullSecret
Explain that overwriting the /root/.dockercfg is not recommended for GKE.
Give detailed and tested steps for distributing a .dockercfg.

Report an error if someone asks for --all-namespaces
when getting a thing that is not namespaced.
This is in preparation for a subsequent commit which prints namespace
as its own column.
Restructured test to expect an error for non-namespaced things.
Dropped the part where it was trying to test that not printing
namespace didn't contain namespace. Some other test can cover that.

The test verifies that kubelet deletes the pods/containers within a reasonable
time. It queries the kubelet /runningpods endpoint to retrieve a list of
running pods directly. The outline of the test is:
- Create an RC
- Wait until all pods are running (based on the pod status)
- Verify pods are running by querying the /runningpods
- Delete the RC
- Check all pods are deleted by querying /runningpods