Automatic merge from submit-queue (batch tested with PRs 58547, 57228, 58528, 58499, 58618). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Send correct resource version for delete events from watch cache
Fixes#58545
the watch cache filtering is returning the previous object content intact, including resource version. this is the logic the watch cache uses:
```go
switch {
case curObjPasses && !oldObjPasses:
watchEvent = watch.Event{Type: watch.Added, Object: event.Object.DeepCopyObject()}
case curObjPasses && oldObjPasses:
watchEvent = watch.Event{Type: watch.Modified, Object: event.Object.DeepCopyObject()}
case !curObjPasses && oldObjPasses:
watchEvent = watch.Event{Type: watch.Deleted, Object: event.PrevObject.DeepCopyObject()}
}
```
when processing a delete event, we should be sending the old object's content *but* with the event's resource version set in it. corresponding logic exists in the uncached stores:
77ac663df4/staging/src/k8s.io/apiserver/pkg/storage/etcd/etcd_watcher.go (L401-L403)77ac663df4/staging/src/k8s.io/apiserver/pkg/storage/etcd3/watcher.go (L373-L378)
```release-note
Fixes an issue where the resourceVersion of an object in a DELETE watch event was not the resourceVersion of the delete itself, but of the last update to the object. This could cause clients receiving the watch event to revert to an old "last observed" resource version, and disrupt their ability to re-establish watches properly.
```
Automatic merge from submit-queue (batch tested with PRs 58144, 57149). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
make quota reusable
Quota is logically a re-useable component so that replenishment and admission can be done in constituent servers. This makes it possible to embed. More cleanup is probably required, but this is the minimum.
Since we are transitioning to external cloud provider, we need a way
to use the existing cinder volume plugin (from kubelet). With external
cloud manager kubelet will be run with --cloud=provider=external and
no --cloud-config file will be in the command line. So we need a way
to load the openstack config file from somewhere.
Taking a cue from kubeadm, which currently is picking up "/etc/kubernetes/cloud-config"
https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/phases/controlplane/manifests.go#L44
let's support the scenario where we fall back to this static location if
there is no cloud provider specified in the command line.
This has been tested with local-up-cluster using the following params:
EXTERNAL_CLOUD_PROVIDER=true
CLOUD_PROVIDER=openstack
CLOUD_CONFIG=/etc/kubernetes/cloud-config
Automatic merge from submit-queue (batch tested with PRs 57896, 58070). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Don't remove APIService from apiHandlerManager when its Available Conditions is not True
**What this PR does / why we need it**:
I use my own apiserver works together with `kube-apiserver`, i have a custom resource: `databases` and created a `database` named: `db-name-1`.
When this apiserver is down(for example: OOMKilled), `kubectl get databases db-name-1 -v 10` returns `404 NotFound`:
```
[{
"metadata": {},
"status": "Failure",
"message": "the server could not find the requested resource (get databases.core.example.com db-name-1)”,
"reason": "NotFound",
"details": {
"name": “db-name-1”,
"group": "core.example.com",
"kind": “databases”,
"causes": [
{
"reason": "UnexpectedServerResponse",
"message": "404 page not found"
}
]
},
"code": 404
}]
```
But it is not really `NotFound`.
So if the APIService is not available, just return 503.
There was a PR related with this: #57943
**Release note**:
```release-note
kube-apiserver: requests to endpoints handled by unavailable extension API servers (as indicated by an `Available` condition of `false` in the registered APIService) now return `503` errors instead of `404` errors.
```
Automatic merge from submit-queue (batch tested with PRs 57896, 58070). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use /proc/net/nf_conntrack.
/proc/net/ip_conntrack was finally removed from linux 4.9 onwards,
instead we should use /proc/net/nf_conntrack (see commit message at
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=adf0516845bcd0e626323c858ece28ee58c74455)
Signed-off-by: Chris Glass <chris.glass@canonical.com>
**What this PR does / why we need it**:
This PR fixes a test failure from linux kernels 4.9 onwards. The alternative interface used in this PR has been available for 10 years, so it is unlikely not to be available.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make IsConnectionReset work with more error implementations.
**What this PR does / why we need it**:
This fixes the code to correctly navigate error hierarchy, and actually
work.
**Which issue(s) this PR fixes**
An improvement for #55860
**Special notes for your reviewer**:
Integration-testing this code is somewhat hard. What I did to reproduce this
condition reliably was:
1. use iptables to let the TCP handshake packets through but reject
payload-carrying packets with:
```
sudo iptables -t raw -I PREROUTING -d localhost --protocol tcp --dport 443 -j NOTRACK
sudo iptables -t filter -I INPUT -d localhost --protocol tcp --dport 443 -m string --algo bm --string http -j REJECT --reject-with tcp-reset
```
2. start a dummy server with: `nc -l -4 localhost 443`
3. make the client issue a GET on localhost:443
Then I added instrumentation to the place in k8s.io/client-go/rest/request.go
which calls this code, to discover the actual error hierarchy.
I think another way to test this would be to run a dummy server which would
listen() on a socket, accept() and then close() the incoming connection
straight away.
**Release note**:
```release-note
Correctly handle transient connection reset errors on GET requests from client library.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
GCE: invalid location was used in regional and zonal operations
Location was set to the full URL instead of the short name. Adds
logging to the operations to make future issues easier to debug.
Big thanks to nick for root causing this bug! I merged your patch in with the logging changes and chose to pass key instead of manipulating the compute API struct directly.
/assign @nicksardo
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
dockershim: remove the use of kubelet's internal API
We let dockershim implement the kubelet's internal (CRI) API as an
intermediary step before transitioning fully to communicate using gRPC.
Now that kubelet has been communicating to the runtime over gRPC for
multiple releases, we can safely retire the extra interface in
dockershim.
This PR also moves the legacy functions to a separate file and clean up
the interfaces.
Automatic merge from submit-queue (batch tested with PRs 58300, 58530, 57942, 58543). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix provider-id bad param in local-up-cluster
**What this PR does / why we need it**:
mea culpa .. provider-id should be in kubelet not controller manager
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58300, 58530, 57942, 58543). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix nodeport localhost martian source error
**What this PR does / why we need it**:
kube-proxy NodePort access via localhost, with externalTrafficPolicy=Local will trigger martian source error.
This PR fixes nodeport localhost martian source error.
**Which issue(s) this PR fixes**:
Fixes#57922
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58300, 58530, 57942, 58543). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Benchmarking script pretty-prints results into a separate file
Towards https://github.com/kubernetes/kubernetes/issues/58154
Here's how the results would be printed into a file with this change:
```
benchmark iter time/iter bytes alloc allocs
--------- ---- --------- ----------- ------
BenchmarkScheduling/100Nodes/0Pods-12 300 3.51 ms/op 451788 B/op 5050 allocs/op
BenchmarkScheduling/100Nodes/1000Pods-12 200 5.40 ms/op 604585 B/op 7465 allocs/op
BenchmarkScheduling/1000Nodes/0Pods-12 100 31.41 ms/op 2391316 B/op 27358 allocs/op
BenchmarkScheduling/1000Nodes/1000Pods-12 100 39.77 ms/op 3037734 B/op 39370 allocs/op
BenchmarkSchedulingAntiAffinity/500Nodes/250Pods-12 250 62.14 ms/op 3611034 B/op 28690 allocs/op
BenchmarkSchedulingAntiAffinity/500Nodes/5000Pods-12 250 208.25 ms/op 37093899 B/op 241132 allocs/op
```
/cc @wojtek-t @porridge - Could one of you please review?
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58300, 58530, 57942, 58543). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Ability to specify OS_* variables for OpenStack configuration
**What this PR does / why we need it**:
When we convert the OpenStack cloud provider to run in an external
process, we should be able to use kubernetes Secrets capability to
inject the OS_* variables. This way we can specify the cloud
configuration as a configmap, specify secrets for the userid/password
information. The configmap can be mounted as a file. the secrets can
be made available as environment variables. the external controller
itself can run as a pod/daemonset.
For backward compat, we preload all the OS_* variables, if anything
is in the config file, then that overrides the environment variables.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Authentication information for OpenStack cloud provider can now be specified as environment variables
```
Automatic merge from submit-queue (batch tested with PRs 58221, 58529, 57800). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Skip log path tests when they are expected to fail.
**What this PR does / why we need it**:
The log path test is not expected to pass unless the Docker is using the JSON logging driver, since that's what the log path is trying to find. When Docker is using the journald logging driver, there will be no JSON files in the logging directories for it to find.
Furthermore, when SELinux support is enabled in the Docker daemon, SELinux will prevent containers to access files owned by other containers (which is what this test is trying to accomplish), so skip this test in case SELinux support is enabled too.
@yguo0905
Tested:
- With Docker daemon started using --log-driver=journald:
```
S [SKIPPING] in Spec Setup (BeforeEach) [8.193 seconds]
[k8s.io] ContainerLogPath
Pod with a container
printed log to stdout
should print log to correct log path [BeforeEach]
Jan 3 18:33:44.869: Skipping because Docker daemon is using a logging driver other than "json-file": journald
```
- With Docker daemon started using --selinux-enabled:
```
S [SKIPPING] in Spec Setup (BeforeEach) [8.488 seconds]
[k8s.io] ContainerLogPath
Pod with a container
printed log to stdout
should print log to correct log path [BeforeEach]
Jan 3 18:35:58.909: Skipping because Docker daemon is running with SELinux support enabled
```
- With Docker started using JSON logging driver and with SELinux disabled:
```
• [SLOW TEST:16.352 seconds] (passed)
[k8s.io] ContainerLogPath
Pod with a container
printed log to stdout
should print log to correct log path
Ran 1 of 256 Specs in 36.428 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 255 Skipped
```
**Release note**:
```release-note NONE```
Automatic merge from submit-queue (batch tested with PRs 58221, 58529, 57800). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Show all the annotations in ingress rules
**What this PR does / why we need it**:
This change prints all the annotation in Ingress when `kubectl describe ingress` is executed.
Right now kubectl assumes all the ingress annotations start with `ingress`.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump metadata proxy to v0.1.9
**What this PR does / why we need it**: Bump GCE metadata proxy to v1.9 to pick up GoogleCloudPlatform/k8s-metadata-proxy#15.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Bump GCE metadata proxy to v0.1.9 to pick up security fixes.
```
Automatic merge from submit-queue (batch tested with PRs 53895, 58013, 58466, 58531, 58535). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
GCE: check key is valid when calling the API
GCE: check key is valid when calling the API
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 53895, 58013, 58466, 58531, 58535). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
return reason for allowed rbac authorizations
includes the binding, role, and subject that allowed a request so audit can make use of it
xref #56209#58083
### example reasons
> allowed by ClusterRoleBinding "system:controller:cronjob-controller" of ClusterRole "system:controller:cronjob-controller" to ServiceAccount "cronjob-controller/kube-system"
> allowed by RoleBinding "bob-viewer/default" of ClusterRole "view" to User "bob"
### perf impact
```shell
go test ./plugin/pkg/auth/authorizer/rbac/ -run foo -bench . -benchmem
```
on master:
```
BenchmarkAuthorize/allow_list_pods-8 500000 2674 ns/op 1632 B/op 27 allocs/op
BenchmarkAuthorize/allow_update_pods/status-8 500000 2858 ns/op 1632 B/op 27 allocs/op
BenchmarkAuthorize/forbid_educate_dolphins-8 500000 2654 ns/op 1632 B/op 27 allocs/op
```
with this PR:
```
BenchmarkAuthorize/allow_list_pods-8 500000 2697 ns/op 1664 B/op 28 allocs/op
BenchmarkAuthorize/allow_update_pods/status-8 500000 2873 ns/op 1680 B/op 29 allocs/op
BenchmarkAuthorize/forbid_educate_dolphins-8 500000 2687 ns/op 1664 B/op 28 allocs/op
```
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 53895, 58013, 58466, 58531, 58535). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
tolerate more than one gvklist item
Some third-party resources could be part of more than one api group.
Allow this to be the case when adding openapi models to openapi data,
and default to the first item as the gvk key for that model.
Related downstream issue: https://github.com/openshift/origin/issues/17872
**Release note**:
```release-note
NONE
```
cc @deads2k @soltysh
Automatic merge from submit-queue (batch tested with PRs 53895, 58013, 58466, 58531, 58535). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[kubeadm] Bump kube-dns to 1.14.8
**What this PR does / why we need it**:
Bump kube-dns to 1.14.8 for kubeadm. Ref https://github.com/kubernetes/kubernetes/pull/57918.
cc @rramkumar1
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Utilize transport defaults from API machinery for http calls inside kubeadm
**What this PR does / why we need it**:
Default Go HTTP transport does not allow to use CIDR notations in
NO_PROXY variables, thus for certain HTTP calls that is done inside
kubeadm user needs to put explicitly multiple IP addresses. For most of
calls done via API machinery it is get solved by setting different Proxy
resolver. This patch allows to use CIDR notations in NO_PROXY variables
for currently all other HTTP calls that is made inside kubeadm.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes/kubeadm#324
**Special notes for your reviewer**:
Based on discussion in #52788, replacing this patch replacing all calls inside kubeadm that are done via DefaultTransport to explicitly defined and initialized with API machinery defaults Transport and http client.
**Release note**:
```release-note
- kubeadm now supports CIDR notations in NO_PROXY environment variable
```
