Automatic merge from submit-queue
IPv6 support for hexCIDR()
Includes these changes:
- Modified so that IPv6 CIDRs can be converted correctly.
- Added test cases for IPv6 addresses.
- Split UTs for hexCIDR() and asciiCIDR() so that masking can be tested.
- Add UTs for failure cases.
Note: Some code that calls hexCIDR() builds a CIDR from the pod IP string
and the concatenation of "/32". These should, in the future, use "128",
if/when the pod IP is IPv6. Not addressed as part of this commit.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #45906
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Log kubefed operations at log level 4 in our test environments.
This is useful for debugging test failures that involve federation control plane turn up/down.
**Release note**:
```release-note
NONE
```
/assign @perotinus @csbell
/sig federation
cc @kubernetes/sig-federation-pr-reviews
Automatic merge from submit-queue
Initialize cloud providers with a K8s clientBuilder
**What this PR does / why we need it**:
This PR provides each cloud provider the ability to generate kubernetes clients. Either the full access or service account client builder is passed from the controller manager. Cloud providers could need to retrieve information from the cluster that isn't provided through defined interfaces, and this seems more preferable to adding parameters.
Please leave your thoughts/comments.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41535, 45985, 45929, 45948, 46056)
[Federation] Fix bad logic of deletion error handling for federated updater
Reverts a change accidentally added in #45364.
cc: @kubernetes/sig-federation-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 41535, 45985, 45929, 45948, 46056)
remove useless flags from hack/verify-flags/known-flags.txt
Flags in known-flags.txt are used to check misspelling from "-" to "_" in
workspace, so a flag without "-" should not show up in this file.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41535, 45985, 45929, 45948, 46056)
NodeRestriction admission plugin
Adds an optional `NodeRestriction` admission plugin that limits identifiable kubelets to mutating their own Node object, and Pod objects bound to their node.
This is the admission portion of https://github.com/kubernetes/community/blob/master/contributors/design-proposals/kubelet-authorizer.md and kubernetes/features#279
```release-note
The `NodeRestriction` admission plugin limits the `Node` and `Pod` objects a kubelet can modify. In order to be limited by this admission plugin, kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`. Such kubelets will only be allowed to modify their own `Node` API object, and only modify `Pod` API objects that are bound to their node.
```
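The rule in the release note above, as an added example (a simplified model, not the plugin's own code): a request is restricted only when the caller is in `system:nodes` and named `system:node:<nodeName>`, and is then allowed only for that node's own `Node` object or for `Pod` objects bound to it. `Request`, `nodeIdentity` and `admit` are hypothetical names, and rejecting an empty node name is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is a hypothetical, simplified view of a mutating API request.
type Request struct {
	User     string
	Groups   []string
	Resource string // "nodes" or "pods"
	Name     string // name of the object being modified
	PodNode  string // node the Pod is bound to (spec.nodeName)
}

// nodeIdentity returns the node name when both the group and username form match.
func nodeIdentity(user string, groups []string) (string, bool) {
	if !strings.HasPrefix(user, "system:node:") {
		return "", false
	}
	for _, g := range groups {
		if g == "system:nodes" {
			return strings.TrimPrefix(user, "system:node:"), true
		}
	}
	return "", false
}

// admit returns nil when the modification is allowed under the rule.
func admit(r Request) error {
	node, limited := nodeIdentity(r.User, r.Groups)
	switch {
	case !limited:
		return nil // not an identifiable kubelet, so the rule does not apply
	case node == "":
		return fmt.Errorf("empty node name in %q", r.User) // assumption: fail closed
	case r.Resource == "nodes" && r.Name != node:
		return fmt.Errorf("node %q may not modify node %q", node, r.Name)
	case r.Resource == "pods" && r.PodNode != node:
		return fmt.Errorf("node %q may not modify pod bound to %q", node, r.PodNode)
	}
	return nil
}

func main() {
	g := []string{"system:nodes"} // constructed sample requests
	fmt.Println(admit(Request{"system:node:node-a", g, "nodes", "node-a", ""}))
	fmt.Println(admit(Request{"system:node:node-a", g, "pods", "web-1", "node-b"}))
}
```

Credentials that satisfy only one of the two conditions pass through untouched in this model, which is why the release note stresses that kubelets must present both to be limited.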
Automatic merge from submit-queue (batch tested with PRs 41535, 45985, 45929, 45948, 46056)
add CRD finalizer to remove CRs
Fixes https://github.com/kubernetes/kubernetes/issues/45878
This adds a finalizer for customresourcedefinitions to prevent CRD deletion until all CR instances are gone.
@sdminonne I lost track of your issue, but here's the fix
I'm at a loss for how to test this. It's tested from the outside by ensuring that a CRD delete removes its instances (integration test) and we could add more integration tests, but for unit tests I can't seem to find a mock `dynamic.ClientPool` and it's not easily writable at the moment. I'm thinking about saying we just add more black box tests given the options.
Automatic merge from submit-queue (batch tested with PRs 41535, 45985, 45929, 45948, 46056)
kubelet/envvars: Adding brackets to IPv6 addresses
Signed-off-by: André Martins <aanm90@gmail.com>
**What this PR does / why we need it**: This adds IPv6 brackets on pod environment variables
**Special notes for your reviewer**:
Since the IP is a string I think the fastest way to detect if it's an IPv6 was to check for the presence of `:` in it. Let me know what you think.
Automatic merge from submit-queue
let client-gen understand vendor
This is extracted from #44784, where we move external api types to k8s.io/api. After the move, the types will be located at vendor/k8s.io/api/xxx. However, gengo indexes the parsed package using the import path, which is stripped of the vendor/ prefix, so we'll need to strip the vendor/ prefix as necessary in client-gen.
This PR doesn't produce any change to the generated clientset yet since all types are still in the kubernetes repo.
Automatic merge from submit-queue
Advanced audit logging API
This is an initial implementation of the API proposed in https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auditing.md
This deviates from the exact API specified in the proposal in a number of ways. Here's a list of some of the changes I made, and why:
- General API conformance (`metav1.{Type,List}Meta`, +optional, etc.)
- Dropped fields that won't be part of the initial implementation (storage objects & filters), to be added later
- {Request,Response}Body -> {Request,Response}Object - This is actually what the proposal originally had, and will be much better for adding Filters later, and provides a less protocol-dependent API. Note that there is currently no way to include Response body for non-resource requests.
- Drop HttpMethod - redundant with verb
- Response{StatusCode,ErrorMessage} collapsed into `ResponseStatus *metav1.Status` - This is the standard response type for resource errors, but can hold generic error responses too. Note that this is part of the `Metadata` Level.
/cc @kubernetes/sig-auth-api-reviews @kubernetes/api-reviewers
Automatic merge from submit-queue
Same internal and external ip for vSphere Cloud Provider
Currently, vSphere Cloud Provider reports internal ip as container ip addresses. This PR modifies vSphere Cloud Provider to report same ip address as both internal and external that is provided by vmware infrastructure.
cc @pdhamdhere @tusharnt @BaluDontu @divyenpatel @luomiao
Automatic merge from submit-queue
Pass pod metadata to flex plugin
Normal volume plugins get the pod spec to pull information from when setting up their volume, but flex plugins do not.
If a flex volume wants to set up things unique to the pod, or limited in permission based on the service account, the pod namespace, name, uid, and service account name are needed.
This PR adds pod uid, name, namespace, and service account name to the options passed to the plugin available during mounting
```release-note
The options passed to a flexvolume plugin's mount command now contains the pod name (`kubernetes.io/pod.name`), namespace (`kubernetes.io/pod.namespace`), uid (`kubernetes.io/pod.uid`), and service account name (`kubernetes.io/serviceAccount.name`).
```
Automatic merge from submit-queue
Add approvers to vsphere cloudprovider
This PR adds approvers for vSphere Cloud provider.
cc @pdhamdhere @tusharnt @BaluDontu @divyenpatel @luomiao
Automatic merge from submit-queue
Use beta GCP API instead of alpha in CloudCIDR controller
The feature we are using has been promoted to beta.
```release-note
NONE
```
Automatic merge from submit-queue
Remove ObjectNameFunc from custom resources
@deads2k as far as I can tell these `ObjectNameFunc`s are unnecessary.
Signed-off-by: Monis Khan <mkhan@redhat.com>
**Release note**:
```
NONE
```
Automatic merge from submit-queue
More owners from SIG-CLI
Adds SIG-CLI as reviewers and approvers of `cmd/clicheck/` and adds me + @pwittrock as approvers in `hack/` (mostly for `test-cmd` and some `hack/verify*.sh` and `hack/update*.sh` scripts).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Api-extensions server integration test: etcd storage
@deads2k
here is the test we talked about yesterday.
Few comments:
SelfLink for CR Instances looks broken (my first test was not enough, sorry) please have a look [here](https://github.com/sdminonne/kubernetes/blob/apiextensions-server-storage/staging/src/k8s.io/kube-apiextensions-server/test/integration/registration_test.go#L435) and [here](https://github.com/sdminonne/kubernetes/blob/apiextensions-server-storage/staging/src/k8s.io/kube-apiextensions-server/test/integration/registration_test.go#L409)
Not fully sure about the way etcd client works.
I had to concatenate two times the prefix to get the value. The first time from the caller ([example](https://github.com/sdminonne/kubernetes/blob/apiextensions-server-storage/staging/src/k8s.io/kube-apiextensions-server/test/integration/registration_test.go#L428)) and the second time in the [get function](https://github.com/sdminonne/kubernetes/blob/apiextensions-server-storage/staging/src/k8s.io/kube-apiextensions-server/test/integration/registration_test.go#L473).
Not sure if it's a problem or not, here is the `etcdctl` output for example:
```
$ ETCDCTL_API=3 etcdctl get "" --from-key
/7b02b490-8e8e-4649-ab92-aad1173314fb/7b02b490-8e8e-4649-ab92-aad1173314fb/apiextensions.k8s.io/customresourcedefinition
s/noxus.mygroup.example.com
{"kind":"CustomResourceDefinition","apiVersion":"apiextensions.k8s.io/v1alpha1","metadata":{"name":"noxus.mygroup.exampl
e.com","selfLink":"/apis/apiextensions.k8s.io/v1alpha1/customresourcedefinitions/noxus.mygroup.example.com","uid":"9a08f
664-3b17-11e7-94b1-847beb037559","creationTimestamp":"2017-05-17T15:43:41Z"},"spec":{"group":"mygroup.example.com","vers
ion":"v1alpha1","names":{"plural":"noxus","singular":"nonenglishnoxu","shortNames":["foo","bar","abc","def"],"kind":"Wis
hIHadChosenNoxu","listKind":"NoxuItemList"},"scope":"Namespaced"},"status":{"conditions":[{"type":"NameConflict","status
":"False","lastTransitionTime":null,"reason":"NoConflicts","message":"no conflicts found"}],"acceptedNames":{"plural":"n
oxus","singular":"nonenglishnoxu","shortNames":["foo","bar","abc","def"],"kind":"WishIHadChosenNoxu","listKind":"NoxuIte
mList"}}}
/7b02b490-8e8e-4649-ab92-aad1173314fb/7b02b490-8e8e-4649-ab92-aad1173314fb/mygroup.example.com/noxus/not-the-default/foo
{"apiVersion":"mygroup.example.com/v1alpha1","content":{"key":"value"},"kind":"WishIHadChosenNoxu","metadata":{"clusterN
ame":"","creationTimestamp":"2017-05-17T15:43:41Z","deletionGracePeriodSeconds":null,"deletionTimestamp":null,"name":"fo
o","namespace":"not-the-default","selfLink":"","uid":"9a174a53-3b17-11e7-94b1-847beb037559"}}
```
Automatic merge from submit-queue (batch tested with PRs 45950, 45968)
[Federation] Remove redundant e2e for secret and daemonset
Federation of daemonset and secret types is now implemented by the sync controller, and e2e testing for each type is provided via crud lifecycle e2e tests. This renders the legacy e2e tests for these types redundant, and this commit removes those tests.
The secret wait and delete functions required by the ingress e2e tests have been retained and moved to ingress.go.
cc: @kubernetes/sig-federation-pr-reviews
Automatic merge from submit-queue
Make real proxier in hollow-proxy optional (default=true)
Ref https://github.com/kubernetes/kubernetes/pull/45622
This allows using real proxier for hollow proxy, but we use the fake one by default.
cc @kubernetes/sig-scalability-misc @wojtek-t @gmarek
Automatic merge from submit-queue
Update cluster startup scripts to use gcloud beta for alias IP support
The feature has gone from alpha to beta.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45582, 45855)
move build related files out of the root directory
Turn the files in root to symlinks into build/root/
alternative to OWNERS changes. what do you guys think of this?
Automatic merge from submit-queue
avoid concrete examples for missingResourceError
missingResourceError uses pod and services as an example in the error message. However, some sub-commands don't support pod/service, so this change uses `<resource> <name>` instead of concrete examples.
Before this change:
```console
$ kubectl set subject
error: You must provide one or more resources by argument or filename.
Example resource specifications include:
'-f rsrc.yaml'
'--filename=rsrc.json'
'pods my-pod'
'services'
```
After this change:
```console
$ kubectl set subject
error: You must provide one or more resources by argument or filename.
Example resource specifications include:
'-f rsrc.yaml'
'--filename=rsrc.json'
'<resource> <name>'
'<resource>'
```
**Release note**:
```release-note
avoid concrete examples for missingResourceError
```
Automatic merge from submit-queue
Fix the issue in Windows kube-proxy when processing unqualified name. This is for DNS client such as ping or iwr that validate name in response and original question.
**What this PR does / why we need it**:
This PR is an additional fix to #41618 and [the corresponding commit](b9dfb69dd7). DNS clients such as nslookup do not validate that the name in the response matches the original question. That works fine when we append a DNS suffix to an unqualified name in the DNS query in Windows kube-proxy. However, for DNS clients such as ping or Invoke-WebRequest that validate the name in the response against the original question, the issue arises and the DNS query fails although the received DNS response has no error.
This PR fixes the additional issue by restoring the original question name in the DNS response. Further, this PR refactors DNS message routines by using miekg's DNS library.
This PR affects the Windows kube-proxy only.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #42605
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix DNS suffix search list support in Windows kube-proxy.
```
Automatic merge from submit-queue
Improve pause-container warning message
Signed-off-by: Vinothkumar Siddharth <sidvin@amazon.com>
**What this PR does / why we need it**:
This just improves the warning message currently emitted by pause
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
Move defaulting logic for ExternalTrafficPolicy into defaults.go
Link #45812.
Per [#45812/comment](https://github.com/kubernetes/kubernetes/issues/45812#issuecomment-301632807), move defaulting logic to defaults.go so that federation will get the same code.
This PR does not have any functional change :)
/assign @freehan @thockin
/cc @madhusudancs @nikhiljindal @shashidharatd
Also /cc @caesarxuchao per the client-go changes.
**Release note**:
```release-note
NONE
```