Using securejoin.SecureJoin() ensures that paths are bound within a
given root, but it doesn't protect from changes happening between the
construction of the path and its use. securejoin 0.3 introduces a new
Linux-specific API which avoids this by making rooted open operations
explicit; this migrates kubelet's log retrieval to use that.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
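
The gap between path construction and use described in the commit message above, as an added Go example (not code from the commit, kubelet or securejoin). The names joinThenOpen, openRooted and demo and the directory layout are constructed for illustration; Linux is assumed, and the rooted open here refuses every symlink with O_NOFOLLOW, which is a simplification chosen for this sketch.

```go
// Added example; joinThenOpen, openRooted and demo are hypothetical names (Linux only).
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// joinThenOpen binds the path to root lexically, then opens it by name later.
func joinThenOpen(root, rel string, mutate func()) ([]byte, error) {
	p := filepath.Join(root, filepath.Clean("/"+rel))
	mutate() // stands in for a change between path construction and use
	return os.ReadFile(p)
}

// openRooted walks rel from a descriptor on root; O_NOFOLLOW refuses symlinks at open time.
func openRooted(root, rel string) ([]byte, error) {
	fd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
	for _, c := range strings.Split(filepath.Clean("/"+rel)[1:], "/") {
		if err == nil {
			next, e := syscall.Openat(fd, c, syscall.O_RDONLY|syscall.O_NOFOLLOW, 0)
			syscall.Close(fd)
			fd, err = next, e
		}
	}
	if err != nil {
		return nil, err
	}
	f := os.NewFile(uintptr(fd), rel)
	defer f.Close()
	return io.ReadAll(f)
}

// demo uses a constructed layout: base/root is the root, base/0.log lies outside it.
func demo() (leaked string, rootedErr error) {
	base, _ := os.MkdirTemp("", "rooted")
	defer os.RemoveAll(base)
	pod := filepath.Join(base, "root", "pod")
	os.MkdirAll(pod, 0o755)
	os.WriteFile(filepath.Join(base, "0.log"), []byte("outside root"), 0o644)
	swap := func() { os.Remove(pod); os.Symlink(base, pod) } // pod becomes a symlink
	b, _ := joinThenOpen(filepath.Join(base, "root"), "pod/0.log", swap)
	_, rootedErr = openRooted(filepath.Join(base, "root"), "pod/0.log") // after the swap
	return string(b), rootedErr
}
func main() { fmt.Println(demo()) }
```

The name-based open returns the file outside the root because the check was made on a string, while the descriptor-based walk fails with ELOOP because the kernel evaluates each component at the moment it is opened.
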
SharedDRAManager will be used by the DRA plugin to obtain DRA
objects, and to track modifications to them in-memory. The current
DRA plugin behavior will be the default implementation of
SharedDRAManager.
Plugging a different implementation will allow Cluster Autoscaler
to provide a simulated state of DRA objects to the DRA plugin when
making scheduling simulations, as well as obtain the modifications
to DRA objects from the plugin.
Mirror pods for static pods may not be created immediately during node startup
because either the node is not registered or the node informer is not synced.
They will be created eventually when static pods are resynced (every 1-1.5 minutes).
However, during this delay of 1-1.5 mins, kube-scheduler might overcommit resources
to the node and eventually cause kubelet to reject pods with
OutOfCPU/OutOfMemory/OutOfPods errors.
To ensure kube-scheduler is aware of static pod resource usage faster,
mirror pods are created as soon as the node registers.
A better place is the cel package because a) the name can become shorter
and b) it is tightly coupled with the compiler there.
Moving the compilation into the cache simplifies the callers.
* Refactor various hardcoded backoffs into separate constants
Signed-off-by: Laura Lorenz <lauralorenz@google.com>
* Fix comment formatting
Signed-off-by: Laura Lorenz <lauralorenz@google.com>
---------
Signed-off-by: Laura Lorenz <lauralorenz@google.com>
This expands the generic plugin support to both validating and mutating policies. It also adds the
mutating policy admission plugin using the generics plugin support.
This also implements both ApplyConfiguration and JSONPatch support.
Co-authored-by: Alexander Zielensk <alexzielenski@gmail.com>
This is closely aligned with ValidatingAdmissionPolicy
except that instead of validations that can fail with
messages, there are mutations, which can be defined
either as an ApplyConfiguration or a JSONPatch.
Co-authored-by: cici37 <cicih@google.com>
* better name variables in deployment_util
* add tests for getReplicaSetFraction in the deployment controller
- make validation more robust and make sure we do not divide by 0
* lock feature gate for PodIndexLabel and mark it GA
Signed-off-by: Alay Patel <alayp@nvidia.com>
* add emulated version if testing disabling of PodIndexLabel FG
Signed-off-by: Alay Patel <alayp@nvidia.com>
---------
Signed-off-by: Alay Patel <alayp@nvidia.com>