This is a little more computationally expensive but reduces the
likelihood of a potentially malicious cache collision.
Signed-off-by: Nic Cope <nicc@rk0n.org>
Part of the API discovery cache uses an HTTP RoundTripper that
transparently caches responses to disk. The upstream implementation of
the disk cache is hard coded to call Sync() on every file it writes.
This has noticably poor performance on modern Macs, which ask their disk
controllers to flush all the way to persistant storage because Go uses
the `F_FULLFSYNC` fnctl. Apple recommends minimizing this behaviour in
order to avoid degrading performance and increasing disk wear.
The content of the discovery cache is not critical; it is indeed just a
cache and can be recreated by hitting the API servers' discovery
endpoints. This commit replaces upstream httpcache's diskcache
implementation with a similar implementation that can use CRC-32
checksums to detect corrupted cache entries at read-time. When such an
entry is detected (e.g. because it was only partially flushed to
permanent storage before the host lost power) the cache will report a
miss. This causes httpcache to fall back to its underlying HTTP
transport (i.e. the real API server) and re-cache the resulting value.
Apart from adding CRC-32 checksums and avoiding calling fsync this
implementation differs from upstream httpcache's diskcache package in
that it uses FNV-32a hashes rather than MD5 hashes of cache keys in
order to generate filenames.
Signed-off-by: Nic Cope <nicc@rk0n.org>
This benchmark is intended to demonstrate a performance improvement
gained by removing fsyncs. Refer to the below issue for more detail.
https://github.com/kubernetes/kubernetes/issues/110753
Signed-off-by: Nic Cope <nicc@rk0n.org>
`getClientSet` is used by both cmd `token` and `reset`, move this
method to cmd utils to decouple it from one specific cmd.
Signed-off-by: Dave Chen <dave.chen@arm.com>
Reimplement IsNotMountpoint as IsMountPoint and return appropriate
error when a mount point is not detected.
IsMountPoint depends on MountedFast function in moby/sys/mountinfo
that uses openat2 call in kernel versions5.10 to detect
mount points without falling back to /proc/mounts.
Mark IsNotMountPoint as deprecated in order to ask the users to
use IsMountPoint directly.
Also add entrypoints for verifying and updating a test file for easier
debugging. This is considerably faster than running the stablity checks
against the entire Kubernetes codebase.
Change-Id: I5d5e5b3abf396ebf1317a44130f20771a09afb7f
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Currently, the plugin Watcher checks if a file is a socket or not by
running mode&os.ModeSocket != 0, which can't be True on Windows.
util.IsUnixDomainSocket should be used instead.
The "pause" pods that are being run in the scheduling tests are
sometimes launched in system namespaces. Therefore even if a test
is considered to be running on a "baseline" Pod Security admission
level, its "baseline" pods would fail to run if the global PSa
enforcement policy is set to "restricted" - the system namespaces
have no PSa labels.
The "pause" pods run by this test can actually easily run with
"restricted" security context, and so this patch turns them
into just that.
This dependency was updated in 6b864dc4e1, but using
a version that's 1 commit ahead of the latest (v1.0.1) release. As a consequence,
any project that uses k8s.io/component-base as a dependency, but that prefers to
use tagged releases, will be required to add a `replace` rule in their `go.mod`.
Looking at the difference between the currently used version and the last release,
the only difference is the addition of a `go.mod`:
https://github.com/matttproud/golang_protobuf_extensions/compare/v1.0.1...c182affec369
While it can help to have a `go.mod` to resolve the minimum version of (indirect)
dependencies, in this case, the (minimum) versions of dependencies defined in this
module's `go.mod` are quite a bit behind the version defined in k8s' own go.mod,
so would already be up-to-date.
Based on the above, it looks like the `go.mod` (currently) doesn't provide much
value, and it would be safe to roll back 1 commit to use the tagged/released
version of this module.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Refactor common validation into methods that validate a single container
and call these methods when iterating the three types of container
lists. Move initContainer-specific validation from validateContainers to
validateInitContainers.
This resolves issues where init and ephemeral containers would return
duplicate or incorrectly formatted errors for problems detected by
validateContainers.
Adds missing tests based on KUBE_COVER and checks that errors returned
by validation are of the type and for the field expected. Fixes tests
that had multiple errors so later failures aren't masked if there's
a regression in only one of the errors.
This introduces no changes to unit tests other than to switch from
map-based to struct-based tables in TestValidateContainers and
TestValidateInitContainers in order to make diffs for later commits
easier to read.
