Peter Hunt
17521f04a4
PSA: allow procMount type Unmasked in baseline
A masked proc mount has traditionally been used to prevent untrusted containers from accessing leaky kernel APIs.
However, within a user namespace, typical ID checks protect better than masked proc. Further, allowing unmasked proc
with a user namespace gives access to a container mounting sub procs, which opens avenues for container-in-container use cases.
Update PSS for baseline to allow a container to access an unmasked /proc, if it's in a user namespace and if the UserNamespacesPodSecurityStandards feature is enabled.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
2024-07-23 12:01:06 -04:00
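To make the rule this commit describes concrete, here is an added example (not the project's own pkg/api/pod policy code): a reduced pod model carrying spec.hostUsers and securityContext.procMount, and a check that returns the containers the baseline level would reject. The type names, the BaselineProcMountViolations function and the userNSPSSGateEnabled parameter standing in for the UserNamespacesPodSecurityStandards gate are assumptions for illustration; real Pod Security Admission also walks initContainers and ephemeralContainers, which this model omits.

```go
package main

import "fmt"

// ProcMountType mirrors the value set of securityContext.procMount.
type ProcMountType string

const (
	DefaultProcMount  ProcMountType = "Default"
	UnmaskedProcMount ProcMountType = "Unmasked"
)

// Container is a reduced view of a pod container holding only the field the
// baseline procMount check reads. Assumed model for this example.
type Container struct {
	Name      string
	ProcMount *ProcMountType // nil is treated as Default
}

// PodSpec is a reduced view of the pod spec. HostUsers models spec.hostUsers:
// nil or true means the pod shares the host user namespace.
type PodSpec struct {
	HostUsers  *bool
	Containers []Container
}

// usesUserNamespace reports whether the pod opted into its own user
// namespace, i.e. spec.hostUsers is explicitly false.
func usesUserNamespace(spec PodSpec) bool {
	return spec.HostUsers != nil && !*spec.HostUsers
}

// BaselineProcMountViolations returns the names of containers whose procMount
// the baseline policy rejects. userNSPSSGateEnabled stands in for the
// UserNamespacesPodSecurityStandards feature gate (assumed parameter).
//
// Rules implemented:
//   - Default (or unset) is always allowed.
//   - Unmasked is allowed only if the gate is on AND the pod runs in a user
//     namespace; an unmasked /proc for a pod in the host user namespace would
//     still expose the kernel interfaces the mask exists to hide.
//   - Any other value is rejected.
func BaselineProcMountViolations(spec PodSpec, userNSPSSGateEnabled bool) []string {
	unmaskedAllowed := userNSPSSGateEnabled && usesUserNamespace(spec)
	var violations []string
	for _, c := range spec.Containers {
		if c.ProcMount == nil || *c.ProcMount == DefaultProcMount {
			continue
		}
		if *c.ProcMount == UnmaskedProcMount && unmaskedAllowed {
			continue
		}
		violations = append(violations, c.Name)
	}
	return violations
}

func main() {
	unmasked := UnmaskedProcMount
	userNS := false // spec.hostUsers: false, i.e. the pod gets a user namespace
	pod := PodSpec{
		HostUsers:  &userNS,
		Containers: []Container{{Name: "nested", ProcMount: &unmasked}},
	}
	fmt.Println("gate on, user ns:", BaselineProcMountViolations(pod, true))    // []
	fmt.Println("gate off, user ns:", BaselineProcMountViolations(pod, false))  // [nested]
	pod.HostUsers = nil
	fmt.Println("gate on, host user ns:", BaselineProcMountViolations(pod, true)) // [nested]
}
```

The two conditions are deliberately conjunctive: a pod that sets procMount: Unmasked without also setting hostUsers: false is still rejected at baseline even with the gate on, and with the gate off the pre-existing behaviour (only Default permitted) is unchanged.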
Nadia Pinaeva
2ec3929134
[kube-proxy:nftables] Add partial sync unit test.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
2024-07-23 17:32:30 +02:00
Nadia Pinaeva
3ccf5b8a55
[kube-proxy:nftables] Add partialSync mode to only transact changed objects.
Change the order of operations to stop current iteration if no changes
to the service chains are needed.
Bump syncProxy frequency to 1 hour.
In a test kind cluster creation of 10K services, 2 endpoints each,
takes ~25m before the fix and ~9min after. Maximum memory usage
during creation is ~650MiB and 260MiB respectively.
Another important metric is the time it takes to create 1 new service
when 10K svc already exist. It used to take ~8m before the fix,
with partialSync it takes ~141ms.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
2024-07-23 17:32:30 +02:00
Nadia Pinaeva
dc13e42f56
[kube-proxy:nftables] cleanup: remove unused parameter and fix typo.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
2024-07-23 17:32:29 +02:00
Kubernetes Prow Robot
fc03f3e74c
Merge pull request #126125 from mprahl/stop-idempotent
Allow calling Stop multiple times on RetryWatcher
2024-07-23 08:16:24 -07:00
Connor Catlett
796ae44c08
Return new PVC in WaitForVolumeModification to prevent stale comparison
Signed-off-by: Connor Catlett <conncatl@amazon.com>
2024-07-23 14:34:34 +00:00
Daman Arora
3d589bd18a
kube-proxy: internal config: remove PortRange
Remove PortRange for internal configuration of kube-proxy
adhering to the v1alpha2 version specifications as detailed in
https://kep.k8s.io/784 .
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-07-23 19:56:23 +05:30
Peter Hunt
ce13ce5f76
disable ProcMountType by default
to follow suit with UserNamespacesSupport, which it relies on
Signed-off-by: Peter Hunt <pehunt@redhat.com>
2024-07-23 10:25:11 -04:00
Daman Arora
c57e1156f5
kube-proxy: internal config: refactor ClusterCIDR
Refactor ClusterCIDR for internal configuration of kube-proxy
adhering to the v1alpha2 version specifications as detailed in
https://kep.k8s.io/784 .
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-07-23 19:45:29 +05:30
Daman Arora
380adb93cc
kube-proxy: internal config: consolidate SyncPeriod and MinSyncPeriod
Consolidate SyncPeriod and MinSyncPeriod for internal configuration
of kube-proxy adhering to the v1alpha2 version specifications as
detailed in https://kep.k8s.io/784 .
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-07-23 19:34:40 +05:30
Kubernetes Prow Robot
1854839ff0
Merge pull request #126067 from tenzen-y/implement-job-success-policy-e2e
Graduate the JobSuccessPolicy to Beta
2024-07-23 06:14:23 -07:00
Yuki Iwai
0d4f18bd5b
Job: Implement E2E tests for the JobSuccessPolicy
Signed-off-by: Yuki Iwai <yuki.iwai.tz@gmail.com>
2024-07-23 21:05:50 +09:00
Stanislav Láznička
18f4fa0f1a
cosmetic - test/integration/examples/apiserver_test.go - put test functions first
The file is too big, test functions should be put first for clarity.
2024-07-23 13:01:32 +02:00
Stanislav Láznička
5a15ae03f2
test:integration: split Wardle test server run
Split running the Wardle aggregated API into preparation and
running phase. This allows reusing the prepared options and
makes it possible for us to introduce additional hooks into
the server authorization flow.
2024-07-23 13:00:53 +02:00
Kubernetes Prow Robot
2171bcb789
Merge pull request #124815 from carlory/remove-some-InTreePluginXXXUnregister
remove some InTreePluginXXXUnregister
2024-07-23 03:16:23 -07:00
Kubernetes Prow Robot
43691598da
Merge pull request #126227 from sanposhiho/queueing_hint_execution_duration_seconds
feature: support queueing_hint_execution_duration_seconds metric
2024-07-23 02:12:29 -07:00
Kubernetes Prow Robot
bb350f7111
Merge pull request #125661 from mjudeikis/mjudeikis/poststarthookctx.stopch.cleanup
Clean deprecated context.StopCh
2024-07-23 02:12:22 -07:00
Maciej Skoczeń
c15cdf7431
Init etcd and apiserver per test case in scheduler_perf integration tests
2024-07-23 09:10:01 +00:00
Kensei Nakada
3f59d9fc4c
fix typo
2024-07-23 17:43:21 +09:00
Sascha Grunert
479a7c34fe
ImageVolumeSource: mention that fsGroupChangePolicy has no effect
A small documentation follow-up based on the review:
https://github.com/kubernetes/kubernetes/pull/125660#discussion_r1686859866
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2024-07-23 10:15:18 +02:00
carlory
3a6a4830df
pvc bind pv with vac
2024-07-23 15:04:11 +08:00
Dr. Stefan Schimanski
17970b291a
generic-controlplane: add generic-controlplane apiserver sample
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-07-23 08:38:33 +02:00
carlory
0260c7d023
Promote VolumeAttributesClass to beta
2024-07-23 13:58:14 +08:00
Krzysztof Wilczyński
030f28e125
KEP-4191: Split Image Filesystem promotion to Beta
Signed-off-by: Krzysztof Wilczyński <kwilczynski@redhat.com>
2024-07-23 13:43:18 +09:00
Kubernetes Prow Robot
1bb62cd275
Merge pull request #126277 from danwinship/knftables-v0.0.17
bump knftables to v0.0.17
2024-07-22 20:50:27 -07:00
Kubernetes Prow Robot
0344f29e83
Merge pull request #125778 from haitch/haitao/controllermgr-emulatever
add emulated-version flag to kube-controller-manager to control the feature gate.
2024-07-22 20:50:21 -07:00
Cici Huang
5420b2fe9a
Hot fix for panic on schema conversion. (#126167)
2024-07-22 19:43:45 -07:00
carlory
21a3226925
remove some InTreePluginXXXUnregister
2024-07-23 09:25:15 +08:00
Yuki Iwai
551931c6a8
Graduate the JobSuccessPolicy to beta
Signed-off-by: Yuki Iwai <yuki.iwai.tz@gmail.com>
2024-07-23 09:29:06 +09:00
Yuki Iwai
6e8dc2c250
Job: Extend the jobs_finished_total metric reason label with SuccessPolicy and CompletionsReached
Signed-off-by: Yuki Iwai <yuki.iwai.tz@gmail.com>
2024-07-23 09:29:02 +09:00
Kubernetes Prow Robot
04cc0a1034
Merge pull request #126187 from seans3/portforward-websockets-metrics
Adds metrics to PortForward Websockets
2024-07-22 16:53:25 -07:00
Kubernetes Prow Robot
f753a444a5
Merge pull request #126091 from seans3/ws-err-extra-info
Adds extra error information from response to bad handshake error when possible
2024-07-22 16:53:16 -07:00
Kubernetes Prow Robot
3d78fe25a7
Merge pull request #121849 from carlory/add-e2e-vac
vac add e2e test
2024-07-22 16:53:03 -07:00
Haitao Chen
1d92758ef0
implement emulated-version for kube-controller-manager
2024-07-22 16:07:18 -07:00
Kubernetes Prow Robot
3e9a73d558
Merge pull request #126058 from AnishShah/patch-2
Deflake kubernetes-node-swap-fedora-serial jobs
2024-07-22 15:48:42 -07:00
Kubernetes Prow Robot
581a073dc4
Merge pull request #125663 from saschagrunert/oci-volumesource-kubelet
[KEP-4639] Add `ImageVolumeSource` implementation
2024-07-22 15:48:33 -07:00
Dan Winship
4effb05741
bump knftables to v0.0.17
2024-07-22 17:30:32 -04:00
Kubernetes Prow Robot
233bc735b5
Merge pull request #126056 from googs1025/refactor_namespace
use ktesting.NewTestContext(t) ctx instead of context.TODO() for namespace integration
2024-07-22 14:25:56 -07:00
Kubernetes Prow Robot
6e52e705d0
Merge pull request #125374 from pwschuurman/kep-3335-stable
Promote StatefulSetStartOrdinal to stable in 1.31
2024-07-22 14:25:49 -07:00
Sean Sullivan
f387f0b69a
Adds extra error information from response to bad handshake error when possible
2024-07-22 14:12:01 -07:00
Sean Sullivan
90d70ed73d
Adds metrics to PortForward Websockets
2024-07-22 14:08:42 -07:00
Patrick Ohly
eaa1cad7fa
resource quota: clone PVC quota evaluator for DRA
2024-07-22 21:20:08 +02:00
Kubernetes Prow Robot
d21b17264e
Merge pull request #125488 from pohly/dra-1.31
DRA for 1.31
2024-07-22 11:45:55 -07:00
Kubernetes Prow Robot
f458a749e7
Merge pull request #125277 from iholder101/swap/skip_critical_pods
[KEP-2400]: Restrict access to swap for containers in high priority Pods
2024-07-22 11:45:48 -07:00
Kubernetes Prow Robot
887def08b6
Merge pull request #126237 from cici37/promoteMetrics
Promote metrics for VAP and CRD validation rules to beta.
2024-07-22 10:17:49 -07:00
Sascha Grunert
979863d15c
Add ImageVolumeSource implementation
This patch adds the kubelet implementation of the image volume source
feature.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2024-07-22 18:46:46 +02:00
Dr. Stefan Schimanski
b6aebb0e4b
options/authentication: fix serviceaccount TokenGetter with ServiceAccountTokenNodeBindingValidation
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-07-22 18:21:26 +02:00
Dr. Stefan Schimanski
dc0bcd62e3
options/authentication: revert extra serviceaccount TokenGetter function silently enabling serviceaccounts
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-07-22 18:21:26 +02:00
Kubernetes Prow Robot
0caeba5cbe
Merge pull request #126204 from vrutkovs/unsafeRecordQueried-atomicPointer
feature_gate: avoid extra copy when queried feature is already stored, use Set instead of map
2024-07-22 09:09:42 -07:00
Patrick Ohly
d11b58efe6
DRA kubelet: refactor gRPC call timeouts
Some of the E2E node tests were flaky. Their timeout apparently was chosen
under the assumption that kubelet would retry immediately after a failed gRPC
call, with a factor of 2 as safety margin. But according to 0449cef8fd,
kubelet has a different, higher retry period of 90 seconds, which was exactly
the test timeout. The test timeout has to be higher than that.
As the tests don't use the gRPC call timeout anymore, it can be made
private. While at it, the name and documentation gets updated.
2024-07-22 18:09:34 +02:00