Automatic merge from submit-queue
CRI: Change dockershim to use UnixNano instead of Unix.
Fixes https://github.com/kubernetes/kubernetes/issues/34492.
This PR changes the dockershim to use `UnixNano` instead of `Unix` to return timestamp in nanoseconds.
@yujuhong
Automatic merge from submit-queue
clean api server cruft
Some cruft has developed over refactors. Remove that cruft.
@liggitt probably last in the chain so far
Automatic merge from submit-queue
Add --delete flag when rsyncing into container.
If you delete a source file, we want to reflect that in the build container. We
only use --delete going that one way as we don't want to accidentally delete
files in the user's source tree.
Automatic merge from submit-queue
filter informer actions when inspecting controller unit test reactions
fixes https://github.com/kubernetes/kubernetes/issues/34547
There's a race where the informer tries to start list/watching and that can happen faster than the reaction test. This simply filters it.
@kargakis @ncdc @eparis flake fix ptal
Automatic merge from submit-queue
remove [Conformance] flag on some e2es
Downstream distributions that absorb the upstream tests would like to give their customers a standard mechanism to validate their clusters, post setup. As of today [Conformance] works for most things, but there are a known set of tests that vary due to opinionated differences around networking, security, etc... and providing a complete skip list can be cumbersome. To address this, we've simply modified the flag on some tests to [Conformance:Variant]. All existing behavior should be maintained.
Fixes: #34105
Kubelet does not sync the mirror pods once they have terminated. If, for some
reason, that such mirror pods get deleted once they have terminated (either by
the node controller or by users), kubelet will not attempt to recreate them.
However, when kubelet restarts, it will examine the static pods, sync once,
and create a mirror pod. This has led to unexpected pod counts in disruptive
tests where kubelet gets restarted on purpose (see #34003).
This change disregard such mirror pods when totaling the pods to fix the test
flake until we have time to implement a long-term solution.
this is the same criteria that is currently applied for ascertaining ownership other resources ( eg: security groups, which are also deleted in a similar fashion)
We are now respecting existing cluster namespace isolation rules.
If you delete a source file, we want to reflect that in the build container. We
only use --delete going that one way as we don't want to accidentally delete
files in the user's source tree.
Automatic merge from submit-queue
Include DaemonSets and Deployments in Namespace deletion
More generic deletion should be added next week.
cc: @quinton-hoole
Automatic merge from submit-queue
convert deployment controller to shared informers
Converts the deployment controller to shared informers.
@kargakis I think you've been in here. Pretty straight forward swap.
Fixes#27687
Automatic merge from submit-queue
Add version cache for cri APIVersion
ref https://github.com/kubernetes/kubernetes/issues/29478
1. Added a version cache for `APIVersion()` by using object cache., with ttl=1 min
2. Leaving `Version()` as it is today
Automatic merge from submit-queue
Ubuntu: download client and server tarballs instead of mondo-tarball
Part of #28629 / #28435.
This should be functionally the same, except that you will download ~1/3 the bytes.
cc @WIZARD-CXY
Automatic merge from submit-queue
Update godeps for libcontainer+cadvisor
Needed to unblock more progress on pod cgroup.
/cc @vishh @dchen1107 @timstclair
Automatic merge from submit-queue
etcd3: use PrevKV to remove additional get
ref: #https://github.com/kubernetes/kubernetes/issues/33653
We are trying to test using PrevKV feature and see if it improves performance.
In order to test this, we will need etcd v3.1 (alpha) image.
Blockers:
- update gcr.io image (version v3.0.12)
Automatic merge from submit-queue
Kubelet: Use RepoDigest for ImageID when available
```release-note
Use manifest digest (as `docker-pullable://`) as ImageID when available (exposes a canonical, pullable image ID for containers).
```
Previously, we used the docker config digest (also called "image ID"
by Docker) for the value of the `ImageID` field in the container status.
This was not particularly useful, since the config manifest is not
what's used to identify the image in a registry, which uses the manifest
digest instead. Docker 1.12+ always populates the RepoDigests field
with the manifest digests, and Docker 1.10 and 1.11 populate it when
images are pulled by digest.
This commit changes `ImageID` to point to the the manifest digest when
available, using the prefix `docker-pullable://` (instead of
`docker://`)
Related to #32159
Automatic merge from submit-queue
Fix upgrade.sh image setup
The original fix (#33147) sourced the correct `node-helper.sh` but set
`node_os_distribution` instead of `NODE_OS_DISTRIBUTION`. The
`set-node-image` function is imported indirectly via `source
"${KUBE_ROOT}/cluster/kube-util.sh"`, which in turn (in the GCE case)
sources `cluster/gce/util.sh`. Since the `set-node-image` function
relies on the `NODE_OS_DISTRIBUTION` variable, the original fix
did not have the entire intended effect.
I have confirmed that cherry-picking #33147 into the `release-1.4`
branch and layering this commit on top of it make for a successful
upgrade from a GCI based K8s 1.3 cluster to a GCI based K8s 1.4 cluster.
**NOTE:** This, along with #33147, should be cherry-picked into the `release-1.4` branch.
Automatic merge from submit-queue
Add default cluster role bindings
Add default cluster roles bindings to rbac bootstrapping. Also adds a case for allowing escalation when you have no authenticator.
@liggitt I expect you may need to make peace with this.
Automatic merge from submit-queue
Enable service account signing key rotation
fixes#21007
```release-note
The kube-apiserver --service-account-key-file option can be specified multiple times, or can point to a file containing multiple keys, to enable rotation of signing keys.
```
This PR enables the apiserver authenticator to verify service account tokens signed by different private keys. This can be done two different ways:
* including multiple keys in the specified keyfile (e.g. `--service-account-key-file=keys.pem`)
* specifying multiple key files (e.g. `--service-account-key-file current-key.pem --service-account-key-file=old-key.pem`)
This is part of enabling signing key rotation:
1. update apiserver(s) to verify tokens signed with a new public key while still allowing tokens signed with the current public key (which is what this PR enables)
2. give controllermanager the new private key to sign new tokens with
3. remove old service account tokens (determined by verifying signature or by checking creationTimestamp) once they are no longer in use (determined using garbage collection or magic) or some other algorithm (24 hours after rotation, etc). For the deletion to immediately revoke the token, `--service-account-lookup` must be enabled on the apiserver.
4. once all old tokens are gone, update apiservers again, removing the old public key.
Automatic merge from submit-queue
Run flaky tests in parallel
We should try to emulate the main CI environment in the flaky test suite so that it is clear when a test can be moved out of the flaky suite. Since a common source of flakes is unintended interactions between tests running in parallel, we should run the flaky suite in parallel to better detect such flakes.
Automatic merge from submit-queue
Bump kubeadm to use kubernetes v1.4.1
v1.4.1 is going to be released tomorrow, so make kubeadm use it by default
This will make it possible to run kubeadm on Raspberry Pi's OOTB
We should strive towards releasing a second kubeadm release this week that's stable and has the small new tweaks we've coded these two weeks.
@errordeveloper @mikedanese
Automatic merge from submit-queue
log-dump.sh: Add a LOG_DUMP_USE_KUBECTL mode, refactor
**What this PR does / why we need it**: This refactors log-dump.sh so that it can optionally just use `"kubectl get node"` output, for dumping logs off a cluster that was brought up using something other than kube-up.sh (e.g. kops or kubeadm).
Note that for obvious reasons, if the cluster is fried, it'll probably fail to hit the apiserver and all bets are off, but for the 95% case where you're debugging tests, this is good. To cover the remaining 5%, you could actually squirrel away the relevant external IPs after the e2e.go:Up stage (because we better be able to hit the apiserver then) and fetch them from cache later.
**Special notes for your reviewer**: Sorry for so many changes. :)
Automatic merge from submit-queue
Clean up the link in cassandra
**What this PR does / why we need it**:
Clean up the link in README for cassandra
**Which issue this PR fixes** :
fixes#34431
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
