Commit Graph

104603 Commits

Author SHA1 Message Date
Jordan Liggitt
09e9ba99ab PodSecurity: add resource quota for clusters that limit cluster-critical by default 2021-10-27 13:54:19 -04:00
Jordan Liggitt
a356c32797 PodSecurity: simplify pki setup 2021-10-27 13:54:19 -04:00
Jordan Liggitt
0be8280faa PodSecurity: Set version build flags in makefile
Change-Id: I719e7ce1efce9014e24903f0ad203a52a207f892
2021-10-27 13:54:19 -04:00
Samuel Roth
2a4701c2ca PodSecurity webhook image 2021-10-27 13:54:19 -04:00
Jordan Liggitt
7c5a78bb91 PodSecurity: clean up namespace validation messages, time bounding, and add testing 2021-10-27 13:49:04 -04:00
Anago GCB
3c0ef3cc28 CHANGELOG: Update directory for v1.20.12 release 2021-10-27 17:45:21 +00:00
Kubernetes Prow Robot
aa7c6338c6
Merge pull request #105711 from VilledeMontreal/feat/multiComp
Shell completion of multiple resource names
2021-10-27 10:33:25 -07:00
Anago GCB
efa2b15269 CHANGELOG: Update directory for v1.19.16 release 2021-10-27 17:00:43 +00:00
Kubernetes Prow Robot
c7d7fce4af
Merge pull request #105938 from josephburnett/fix-metrics-server
Give metrics server permission to read node stats.
2021-10-27 08:51:37 -07:00
Kubernetes Prow Robot
12c4095462
Merge pull request #104775 from kerthcet/bug/fix-kubemark-log-defer-conflict-with-exit
fix hollownode flushlogs not working together with exit
2021-10-27 08:51:25 -07:00
Kubernetes Prow Robot
8bdf6af714
Merge pull request #105924 from Huang-Wei/revert-105712
Revert "sched: ensure --leader-elect* CLI args are honored"
2021-10-27 07:45:38 -07:00
Kubernetes Prow Robot
a0a79e3c91
Merge pull request #105906 from kerthcet/feature/remove-scheduler-plugin-node-label
remove scheduler NodeLabel plugin
2021-10-27 07:45:25 -07:00
Joseph Burnett
a9788ca9b0 Give metrics server permission to read node stats. 2021-10-27 13:32:42 +00:00
Lukasz Szaszkiewicz
86d845865a apiextentionserver: refactor returning 503 for custom resource requests during server start
Previously the customresource handler explicitly checked if the crd informer has been synced and replied with a 503 in case it hasn't.

This PR moves logic to the NotFoundHandler and WithMuxAndDiscoveryCompleteProtection filter.
2021-10-27 13:10:37 +02:00
Kubernetes Prow Robot
10988997f2
Merge pull request #102801 from CKchen0726/remove_storage_metrics_in_1.21_release
remove storageOperationErrorMetric and storageOperationStatusMetric in release 1.21
2021-10-27 01:21:26 -07:00
Wojciech Tyczyński
943bc38c0e P&F: clean up mutating work estimator tests 2021-10-27 10:05:13 +02:00
Nikhil Sharma
031dc016e6 Changed code to improve output for files under test/e2e/upgrades/apps 2021-10-27 11:41:18 +05:30
Kubernetes Prow Robot
fa6bb7cad0
Merge pull request #105921 from SergeyKanzhelev/setHostnameAsFQDNIsNodeConformance
setHostnameAsFQDN is a GA feature that does not depend on environment
2021-10-26 21:57:26 -07:00
Kubernetes Prow Robot
011aef1222
Merge pull request #105851 from VilledeMontreal/feature/compOutputFlag
Add completion to the --output/-o flag
2021-10-26 19:10:37 -07:00
kerthcet
2c5b5533bf remove scheduler NodeLabel plugin
Signed-off-by: kerthcet <kerthcet@gmail.com>
2021-10-27 10:07:35 +08:00
Marc Khouzam
7aa5cb4031 Complete multiple resource names
This commit teaches the completion function to repeat resource names
when supported by the command. The logic checks if a resource name
has already been specified by the user and does not include it again
when repeating the completion.

For example, the get command can receive multiple pods names, therefore
with this commit we have:
  kubectl get pod pod1 [tab]
will provide completion of pod names again, but not show 'pod1' since
it is already part of the command-line.

The improvement affects the following commands:
- annotate
- apply edit-last-applied
- apply view-last-applied
- autoscale
- delete
- describe
- edit
- expose
- get
- label
- patch
- rollout history
- rollout pause
- rollout restart
- rollout resume
- rollout undo
- scale
- taint

Note that "rollout status" only accepts a single resource name, unlike
the other "rollout ..." commands; this required the creation of a
special completion function that did not repeat just for that case.

Signed-off-by: Marc Khouzam <marc.khouzam@montreal.ca>
2021-10-26 21:50:11 -04:00
Kubernetes Prow Robot
3141c984a1
Merge pull request #105907 from kerthcet/feature/remove-scheduler-plugin-nodePreferAvoidPods
remove scheduler NodePreferAvoidPods plugin
2021-10-26 18:07:41 -07:00
kerthcet
a139da6b04 remove scheduler NodePreferAvoidPods plugin
Signed-off-by: kerthcet <kerthcet@gmail.com>
2021-10-27 08:05:44 +08:00
Kubernetes Prow Robot
7c715dbc68
Merge pull request #105637 from Namanl2001/ssh
adding `--ssh-key` and `--ssh-user` for kubetest2
2021-10-26 16:33:45 -07:00
Kubernetes Prow Robot
18cb34ebb2
Merge pull request #105896 from zqzten/upgrade-json-patch
upgrade json-patch to v4.12.0
2021-10-26 15:27:09 -07:00
Wei Huang
7505701044
Revert "sched: ensure --leader-elect* CLI args are honored"
This reverts commit 3c230af59c.
2021-10-26 15:18:13 -07:00
Kubernetes Prow Robot
7c53095218
Merge pull request #104748 from p0lyn0mial/not-found-handler
return 503 for aggregated APIs when the APIServiceRegistrationController hasn't finished installing all known APIServices
2021-10-26 14:25:09 -07:00
Shivanshu Raj Shrivastava
3c87c43cef
Migrated scheduler files server.go, node_label.go, csi.go, non_csi.go to structured logging (#105855)
* migrated server.go

* fixed migration

* resolving review comments

* added storageClass

* review comments

* review comments
2021-10-26 13:21:22 -07:00
Kubernetes Prow Robot
99ad414127
Merge pull request #104832 from zc2638/fix/kubectl-env-update
add unit tests for `updateEnv`
2021-10-26 13:21:10 -07:00
Jordan Liggitt
c65a0793cd
[PodSecurity] Aggregate identical warnings for multiple pods in a namespace (#105889)
* [PodSecurity] Aggregate identical warnings for multiple pods in a namespace

* Make warning order deterministic, limit accumulated pod name data

Co-authored-by: njuptlzf <li.zhifeng@zte.com.cn>
2021-10-26 11:43:09 -07:00
Kubernetes Prow Robot
0fec47582c
Merge pull request #105911 from pohly/generic-ephemeral-volume-test
volume e2e: block volume metrics fix, II
2021-10-26 10:39:30 -07:00
Patrick Ohly
194b31019d volume e2e: block volume metrics fix, II
Copying from pvcBlock swapped name and namespace (breaking the PVC test case)
and some references to the pvcBlock variable were left unchanged (incorrect
annotations for test failures).
2021-10-26 17:36:02 +02:00
David Eads
c8f87a6a24 retry PV create in e2e-test on API quota failure 2021-10-26 09:47:16 -04:00
Kubernetes Prow Robot
20ff5381ce
Merge pull request #105507 from claudiubelu/tests/refactor-daemonset
tests: Refactors daemonset utils into framework
2021-10-26 05:01:30 -07:00
Francesco Romani
b382b6cd0a node: e2e: add test for the checkpoint recovery
Add a e2e test to exercise the checkpoint recovery flow.
This means we need to actually create a old (V1, pre-1.20) checkpoint,
but if we do it only in the e2e test, it's still fine.

Signed-off-by: Francesco Romani <fromani@redhat.com>
2021-10-26 09:55:11 +02:00
Francesco Romani
2f426fdba6 devicemanager: checkpoint: support pre-1.20 data
The commit a8b8995ef2
changed the content of the data kubelet writes in the checkpoint.
Unfortunately, the checkpoint restore code was not updated,
so if we upgrade kubelet from pre-1.20 to 1.20+, the
device manager cannot anymore restore its state correctly.

The only trace of this misbehaviour is this line in the
kubelet logs:
```
W0615 07:31:49.744770    4852 manager.go:244] Continue after failing to read checkpoint file. Device allocation info may NOT be up-to-date. Err: json: cannot unmarshal array into Go struct field PodDevicesEntry.Data.PodDeviceEntries.DeviceIDs of type checkpoint.DevicesPerNUMA
```

If we hit this bug, the device allocation info is
indeed NOT up-to-date up until the device plugins register
themselves again. This can take up to few minutes, depending
on the specific device plugin.

While the device manager state is inconsistent:
1. the kubelet will NOT update the device availability to zero, so
   the scheduler will send pods towards the inconsistent kubelet.
2. at pod admission time, the device manager allocation will not
   trigger, so pods will be admitted without devices actually
   being allocated to them.

To fix these issues, we add support to the device manager to
read pre-1.20 checkpoint data. We retroactively call this
format "v1".

Signed-off-by: Francesco Romani <fromani@redhat.com>
2021-10-26 09:54:11 +02:00
Kubernetes Prow Robot
dba9975e3e
Merge pull request #105857 from liggitt/runAsNonRoot-runAsUser
PodSecurity: Add runAsUser check to restricted policy
2021-10-26 00:15:30 -07:00
Zach Zhu
20cc72344e upgrade github.com/evanphx/json-patch to v4.12.0
Fix partial negative indice support in json patch
2021-10-26 11:20:45 +08:00
Kubernetes Prow Robot
e1f62e406d
Merge pull request #105719 from yuanhh/master
sample-controller/docs: Use italics font on package name
2021-10-25 20:03:29 -07:00
Kubernetes Prow Robot
e8fcd0de98
Merge pull request #105755 from bobbypage/npd-test-cg2
Support cgroupv2 in node problem detector test
2021-10-25 17:59:29 -07:00
Sergey Kanzhelev
cf0a387774 setHostnameAsFQDN is a GA feature that does not depend on environment 2021-10-26 00:24:12 +00:00
Sergey Kanzhelev
c703725592 return value is taken from if statement instead of the function call 2021-10-26 00:11:55 +00:00
Kubernetes Prow Robot
17da6a2345
Merge pull request #105699 from yuzhiquan/remove-format-pods
Remove format.pods func, instead with klog.Kobjs
2021-10-25 15:53:30 -07:00
Kubernetes Prow Robot
fec7005de5
Merge pull request #105805 from stevekuznetsov/skuznets/fix-watch-e2e
e2e: conformance: correctly produce MODIFIED events
2021-10-25 14:38:27 -07:00
Kubernetes Prow Robot
87d8a75b0e
Merge pull request #105749 from tallclair/pod-security-cli
Add --version flag to podsecurity-webhook command
2021-10-25 13:34:25 -07:00
Jordan Liggitt
40635ca59e PodSecurity: runAsUser: generated fixtures 2021-10-25 16:17:10 -04:00
Jordan Liggitt
a476a5e00e PodSecurity: runAsUser 2021-10-25 16:17:10 -04:00
Jordan Liggitt
9b930e3728 PodSecurity: test: generate 1.23 fixtures 2021-10-25 16:17:10 -04:00
Jordan Liggitt
ef3bf86f5b PodSecurity: test: ensure fixtures are exercised for all relevant policy versions 2021-10-25 16:16:31 -04:00
Lubomir I. Ivanov
b9171aee20 kubeadm: remove the reset/update-cluster-status phase
The phase has been deprecated and a NO-OP since 1.22.
Remove the phase related code.
2021-10-25 22:47:15 +03:00