Automatic merge from submit-queue
Allow NetworkPolicy.spec updates
ValidateNetworkPolicyUpdate currently prohibits changes to `spec` in an existing NetworkPolicy. We were going to fix this for 1.7 but I forgot to submit this PR after the main PR merged. Too late for 1.7? @thockin @caseydavenport @cmluciano
This only changes networking.NetworkPolicy validation at the moment... Should I change extensions.NetworkPolicy validation too?
Fixes#35911
We should add a test to the e2e NetworkPolicy test for this too if this is going to merge.
**Release note**:
```release-note
As part of the NetworkPolicy "v1" changes, it is also now
possible to update the spec field of an existing
NetworkPolicy. (Previously you had to delete and recreate a
NetworkPolicy if you wanted to change it.)
```
Automatic merge from submit-queue (batch tested with PRs 48374, 48524, 48519, 42548, 48615)
Kubelet run() should accept partial KubeletDeps
This is used by integrators that want to perform partial overrides of
key interfaces. Refactors the run() method to fit the existing style and
preserve the existing behavior, but allow (for instance) client
bootstrap and cert refresh even when some dependencies are injected.
@derekwaynecarr hit while reviewing client bootstrap code
Automatic merge from submit-queue (batch tested with PRs 48374, 48524, 48519, 42548, 48615)
flush conntrack for udp service when # of backend changes from 0
fixes: #48370
Automatic merge from submit-queue (batch tested with PRs 48374, 48524, 48519, 42548, 48615)
Add a node upgrade test for etcd statefulset with a PDB.
Tests for #38336
Automatic merge from submit-queue
Small fix for number of pods and nodes in test function
**What this PR does / why we need it**:
Small fix to have correct pods and nodes in test function.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Scheduler perf, nodes and pods number fix for 100 nodes 3k pods.
**Release note**:
```release-note
NONE
```
Now that federation of deployments is implemented with the sync
controller, the existing e2e coverage duplicates that provided by the
crudtester integration and e2e testing.
Now that replicaset federation is implemented with the sync
controller, the old replicaset-specific e2e tests duplicate coverage
provided by crudtester integration and e2e testing.
Allows the proxier to be used on an interface that's not the default route,
otherwise hostIP gets set to the default route interface even if that's
not what the user intended.
If listen IP isn't given, falls back to previous behavior.
This is part 2 of the effort to update ChoseHostInterface() to support IPv6
addresses (as part of issue 44848). This changeset includes:
- Supports finding IPv6 host addresses from default routes (but currently only
provided with IPv4 default routes).
- getRoutes() filters for default routes.
- getFinalIP() checks that IP is in requested family. Uses IsGlobalUnicast(),
instead of explicit tests for loopback, multicast, and link-local IPs.
- getIPFromInterace() checks for family requested.
- chooseHostInterfaceFromRoute()
* Quickly exits, if no default routes.
* Since only getting default routes, no check here.
* Searches all default routes for IPv4 addresses, and then searches all
default routes for IPv6 addresses (for backwards compatibility).
- More coverage in UTs (87.8% vs 62.6%).
- Better testing of error conditions/results.
- Tests for IPv6 IPs, throughout functions.
- Reduced duplicate testing for items tested at lower levels.
Commit has been rebased on top of PR46044.
Volume mounting logic introduced in #43775 and #45623 checks
for subPath existence before attempting to create a directory,
should subPath not be present.
This breaks if subPath is a dangling symlink, os.Stat returns
"do not exist" status, yet `os.MkdirAll` can't create directory
as symlink is present at the given path.
This patch makes existence check to use os.Lstat which works for
normal files/directories as well as doesn't not attempt to follow
symlink, therefore it's "do not exist" status is more reliable when
making a decision whether to create directory or not.
subPath symlinks can be dangling in situations where kubelet is
running in a container itself with access to docker socket, such
as CoreOS's kubelet-wrapper script
Automatic merge from submit-queue
Volunteer to help with OpenStack provider reviews
**What this PR does / why we need it**:
I'd like to help with keeping the OpenStack cloud provider up-to-date
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48518, 48525, 48269)
Cleanup useless metrics.go for garbagecollector
The metrics of garbagecollector are already published with the
workqueue metrics, so metrics.go is useless, let's cleanup it.
See https://github.com/kubernetes/client-go/blob/master/util/workqueue/metrics.go.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48518, 48525, 48269)
Move the kubelet certificate management code into a single package
Code is very similar and belongs together. Will allow future cert callers to potentially make this more generic, as well as to make it easier reuse code elsewhere.
Automatic merge from submit-queue (batch tested with PRs 47435, 46044)
IPv6 support for getting node IP
As part of ChooseHostInterface(), it will call a function to try to get the
global IP for the host, by looking at all the system interfaces and select
the first IP that is not a loopback, link-local, or point-to-point IP.
This commit does the following:
- Allows IPv6 non-local IPs to be selected.
- IPv4 takes priority (checks all interfaces for IPv4 addresses and
then checks all interfaces for IPv6), for backward compatibility.
- Adds UTs for code coverage (was no coverage of underlying function),
increasing from 62% to 85%.
- Improved logging and reporting for error conditions.
- Minor renaming of functions and variables for readability.
**What this PR does / why we need it**:
This will be part of several PRs to add IPv6 support in apimachinery area for use by Kubernetes. It partially fixes the issue.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: xref #44848
**Special notes for your reviewer**:
The intent is to break up the PR 45116 into multiple PRs to take on this change a piece at a time.
**Release note**:
```release-noteNONE
```
Automatic merge from submit-queue (batch tested with PRs 47435, 46044)
kubeadm: Make self-hosting work and split it out to a phase
**What this PR does / why we need it**:
- Removes the old self-hosting code
- Puts the new self-hosting code in `phases/selfhosting`
- The new code reads manifests from disk (static pods)...
- ...mutates the PodSpec as necessary...
- ...and posts the DaemonSet to the API Server...
- ...and waits for it to come up
- Uses DaemonSets for all control plane components
- Creates a `kubeadm alpha phase selfhosting` command that can be invoked against any kubeadm-cluster after install.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/127
(large part of at least)
**Special notes for your reviewer**:
Please only review the fourth commit, based on https://github.com/kubernetes/kubernetes/pull/47345
**Release note**:
```release-note
kubeadm: Make self-hosting work by using DaemonSets and split it out to a phase that can be invoked via the CLI
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @jbeda
This is used by integrators that want to perform partial overrides of
key interfaces. Refactors the run() method to fit the existing style and
preserve the existing behavior, but allow (for instance) client
bootstrap and cert refresh even when some dependencies are injected.
