Commit Graph

102468 Commits

Author SHA1 Message Date
Akihiro Suda
26e83ac4d4
kubelet: ignore /dev/kmsg error when running in userns
oomwatcher.NewWatcher returns "open /dev/kmsg: operation not permitted" error,
when running with sysctl value `kernel.dmesg_restrict=1`.

The error is negligible for KubeletInUserNamespace.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-07 14:23:31 +09:00
Akihiro Suda
192790c52f
kube-proxy: allow running in userns
Ignore an error during setting RLIMIT_NOFILE.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-07 14:23:31 +09:00
Akihiro Suda
dbe0155139
kubelet/cm: ignore sysctl error when running in userns
Errors during setting the following sysctl values are ignored:
- vm.overcommit_memory
- vm.panic_on_oom
- kernel.panic
- kernel.panic_on_oops
- kernel.keys.root_maxkeys
- kernel.keys.root_maxbytes

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-07 14:23:29 +09:00
Akihiro Suda
b16323e37c
New feature gate: KubeletInUserNamespace
Enables support for running kubelet in a user namespace.
The user namespace has to be created before running kubelet.
All the node components such as CRI need to be running in the same user namespace.

See kubernetes/enhancements PR 1371 (merged) and issue 2033.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-07 14:22:55 +09:00
Kubernetes Prow Robot
656d00e894
Merge pull request #103496 from neolit123/1.22-add-defaulting-v1beta3-imagepull
kubeadm: statically default ImagePullPolicy in v1beta3
2021-07-06 22:11:48 -07:00
Kubernetes Prow Robot
72f28fb8b3
Merge pull request #103445 from tallclair/podsecurity-attrs
Move pod-security-admission to an external Attributes interface
2021-07-06 22:11:39 -07:00
Samuel Roth
9e87082b85
[Pod Security] Baseline + restricted policy checks for seccomp (#103341)
* podsecurity: add seccomp policy checks

* podsecurity: generated seccomp fixtures
2021-07-06 22:11:28 -07:00
Kubernetes Prow Robot
2547c5bb97
Merge pull request #103307 from aojea/kubelet_podIPs
podIPs order match node IP family preference (Downward API)
2021-07-06 22:11:20 -07:00
Kubernetes Prow Robot
561959f682
Merge pull request #102823 from ehashman/kep-2400-swap
Alpha node swap support
2021-07-06 22:11:11 -07:00
Kubernetes Prow Robot
99f77725c8
Merge pull request #102677 from yuzhiquan/deprecated-warning-for-drain
Deprecated message for ignore-errors flag
2021-07-06 22:11:03 -07:00
Kubernetes Prow Robot
60475ee5c2
Merge pull request #102181 from enj/enj/i/deprecate_gcp_azure
Deprecate azure and gcp in-tree auth plugins
2021-07-06 22:10:55 -07:00
Kubernetes Prow Robot
7df432f78f
Merge pull request #99582 from chendave/fix_config
custom plugin config should take precedence over default plugin config
2021-07-06 22:10:43 -07:00
astraw99
af19d7f415 fix delete nil pointer panic 2021-07-07 12:45:13 +08:00
Kubernetes Prow Robot
1affd894cf
Merge pull request #98431 from wawa0210/fix-98253
fix kubectl alpha debug node does not work on tainted(NoExecute) nodes
2021-07-06 21:04:42 -07:00
Shiming Zhang
d8fe255f41 Add test for validateProbe 2021-07-07 11:31:23 +08:00
Shiming Zhang
e378600c90 Add validation for Prober TerminationGracePeriodSeconds 2021-07-07 10:51:30 +08:00
Shiming Zhang
1ff5ae2cb5 Regenerate 2021-07-07 10:48:55 +08:00
Shiming Zhang
20de04d6c3 Update API documents 2021-07-07 10:48:29 +08:00
Kubernetes Prow Robot
e1acbbd8fd
Merge pull request #99961 from margocrawf/master
Introduce Impersonate-UID header
2021-07-06 18:46:43 -07:00
Ben Swartzlander
00dba76918 Add DataSourceRef field to PVC spec
Modify the behavior of the AnyVolumeDataSource alpha feature gate to enable
a new field, DataSourceRef, rather than modifying the behavior of the
existing DataSource field. This allows addition Volume Populators in a way
that doesn't risk breaking backwards compatibility, although it will
result in eventually deprecating the DataSource field.
2021-07-06 21:17:41 -04:00
Tim Hockin
5b787aa184 Clean up testing of AllocateLoadBalancerNodePorts
We only need one "tweak" function, and it should be set automatically in
most cases.
2021-07-06 16:36:51 -07:00
Tim Hockin
eae4a19bd3 Fix small bug with AllocateLoadBalancerNodePorts
If the user specified a port, DO reserve it, even if they asked you not
to allocate new ports.
2021-07-06 16:36:51 -07:00
Kubernetes Prow Robot
ca0c8275b4
Merge pull request #103484 from wojtek-t/pf_queue_picker
Update the logic to pick the best queue in P&F
2021-07-06 16:22:22 -07:00
Kubernetes Prow Robot
15222a599f
Merge pull request #103244 from verult/fsgroup-to-csi
Delegate applying FSGroup to CSI driver through NodeStageVolume and NodePublishVolume
2021-07-06 16:22:10 -07:00
Antonio Ojea
a7469cf680 sort and filter exposed Pod IPs
runtimes may return an arbitrary number of Pod IPs, however, kubernetes
only takes into consideration the first one of each IP family.

The order of the IPs are the one defined by the Kubelet:
- default prefer IPv4
- if NodeIPs are defined, matching the first nodeIP family

PodIP is always the first IP of PodIPs.

The downward API must expose the same IPs and in the same order than
the pod.Status API object.
2021-07-07 00:15:31 +02:00
Tim Allclair
cf6ba6096f Move pod-security-admission to an external Attributes interface 2021-07-06 15:15:15 -07:00
Monis Khan
6bfaeaf916
Deprecate azure and gcp in-tree auth plugins
With the client-go credential plugin functionality going GA in 1.22,
it is now time to deprecate these legacy integrations.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-06 17:18:25 -04:00
Elana Hashman
5584725605
Explicitly set LimitedSwap case with fallthrough 2021-07-06 13:50:09 -07:00
Kubernetes Prow Robot
59e5b849c9
Merge pull request #103517 from liggitt/podsecurity-fixture-cleanup
Podsecurity fixture cleanup
2021-07-06 13:16:31 -07:00
Kubernetes Prow Robot
15b4498e34
Merge pull request #101767 from damemi/random-downscale-beta
Promote LogarithmicScaleDown to Beta
2021-07-06 13:16:19 -07:00
Clayton Coleman
3eadd1a9ea
Keep pod worker running until pod is truly complete
A number of race conditions exist when pods are terminated early in
their lifecycle because components in the kubelet need to know "no
running containers" or "containers can't be started from now on" but
were relying on outdated state.

Only the pod worker knows whether containers are being started for
a given pod, which is required to know when a pod is "terminated"
(no running containers, none coming). Move that responsibility and
podKiller function into the pod workers, and have everything that
was killing the pod go into the UpdatePod loop. Split syncPod into
three phases - setup, terminate containers, and cleanup pod - and
have transitions between those methods be visible to other
components. After this change, to kill a pod you tell the pod worker
to UpdatePod({UpdateType: SyncPodKill, Pod: pod}).

Several places in the kubelet were incorrect about whether they
were handling terminating (should stop running, might have
containers) or terminated (no running containers) pods. The pod worker
exposes methods that allow other loops to know when to set up or tear
down resources based on the state of the pod - these methods remove
the possibility of race conditions by ensuring a single component is
responsible for knowing each pod's allowed state and other components
simply delegate to checking whether they are in the window by UID.

Removing containers now no longer blocks final pod deletion in the
API server and are handled as background cleanup. Node shutdown
no longer marks pods as failed as they can be restarted in the
next step.

See https://docs.google.com/document/d/1Pic5TPntdJnYfIpBeZndDelM-AbS4FN9H2GTLFhoJ04/edit# for details
2021-07-06 15:55:22 -04:00
Kubernetes Prow Robot
cbba6e41cc
Merge pull request #103472 from andrewsykim/deflake-quota-service-test
test/integration/quota: deflake TestQuotaLimitService
2021-07-06 12:08:19 -07:00
Raisaat Rashid
68dadd40d6 Fix pkg/api/pod/util tests to ensure feature gate is set
Fixing this led to finding a bug in how the TestDropProbeGracePeriod
unit tests were written, so this patch also includes a fix for that.

Co-Authored-By: Elana Hashman <ehashman@redhat.com>
2021-07-06 13:34:54 -05:00
wojtekt
0ecc7ba311 Update the logic to pick the best queue in P&F 2021-07-06 20:25:38 +02:00
Kubernetes Prow Robot
eae87bfe7e
Merge pull request #103483 from odinuge/revert-102508-runc-1.0
Revert "Update runc to 1.0.0"
2021-07-06 10:42:56 -07:00
Kubernetes Prow Robot
f41f3b15bc
Merge pull request #103480 from chendave/pluginconfig_issue
Readable error message on the plugin configs of the removed plugins
2021-07-06 10:42:48 -07:00
Kubernetes Prow Robot
6fc7dd5137
Merge pull request #103292 from verb/1.22-kubectl-debug-compat
Add backwards compatibility for ephemeral containers in kubectl debug
2021-07-06 10:42:39 -07:00
Kubernetes Prow Robot
3392f16908
Merge pull request #102890 from ankeesler/exec-plugin-v1
exec credential provider: add v1 struct
2021-07-06 10:42:31 -07:00
Kubernetes Prow Robot
ea3bcbc205
Merge pull request #101946 from chendave/balance_allocation
Support extended resource in NodeResourcesBalancedAllocation plugin
2021-07-06 10:42:19 -07:00
Wei Huang
4c9c761bbb
instantiates scheduler ComponentConfig after parsing feature gates 2021-07-06 10:39:12 -07:00
Margo Crawford
74f5ed6b17 This introduces an Impersonate-Uid header to server side code.
UserInfo contains a uid field alongside groups, username and extra.
This change makes it possible to pass a UID through as an impersonation header like you
can with Impersonate-Group, Impersonate-User and Impersonate-Extra.

This PR contains:

* Changes to impersonation.go to parse the Impersonate-Uid header and authorize uid impersonation
* Unit tests for allowed and disallowed impersonation cases
* An integration test that creates a CertificateSigningRequest using impersonation,
  and ensures that the API server populates the correct impersonated spec.uid upon creation.
2021-07-06 10:13:16 -07:00
Jordan Liggitt
2220fc6149 PodSecurity: clean up unnecessary passing fixtures 2021-07-06 12:44:00 -04:00
Jordan Liggitt
ea54b1b152 PodSecurity: Make check-specific passing fixtures optional 2021-07-06 12:43:56 -04:00
Kubernetes Prow Robot
2423842549
Merge pull request #103514 from soltysh/format_string
Hide long and multiline strings when printing
2021-07-06 09:35:02 -07:00
Kubernetes Prow Robot
dd8ba30877
Merge pull request #103509 from sanposhiho/test/integration/util/fix-typo
Fix(test/integration/util): fix typo on logging message
2021-07-06 09:34:55 -07:00
Kubernetes Prow Robot
7752b195f2
Merge pull request #103504 from tkashem/apf-add-additional-latency
apf: refactor width into its own struct
2021-07-06 09:34:43 -07:00
Kubernetes Prow Robot
c93e509e6f
Merge pull request #103435 from dashpole/rename_service
Change tracing service from kube-apiserver to apiserver
2021-07-06 09:34:31 -07:00
Kubernetes Prow Robot
907e2c4d46
Merge pull request #103294 from mengjiao-liu/rename-master-package
test/integration: rename package and files name from master to controlplane
2021-07-06 09:34:19 -07:00
Dave Chen
9a5237ca63 Custom plugin config should take precedence over default plugin config
Signed-off-by: Dave Chen <dave.chen@arm.com>
2021-07-06 23:16:28 +08:00
Yoav
adcfcfa2e7 add yaml separator validation and avoid silent ignoration 2021-07-06 17:55:41 +03:00