Automatic merge from submit-queue (batch tested with PRs 63886, 63857, 63824). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
vSphere Cloud Provider: add SAML token authentication support
**What this PR does / why we need it**:
The vSphere cloud provider currently supports username+password based authentication, this PR adds an option to use token based authentication.
**Which issue(s) this PR fixes**:
Fixes#63209
**Special notes for your reviewer**:
For now the config structs and validation are left as-is and
the LoginByToken method is used if the username value is PEM encoded.
In this case of username field configured with the public key, the password
field is expected to be configured with the private key.
In a follow-up PR we can look at collapsing the auth related fields into
a common struct to avoid duplication of field merging and validation.
And then add separate fields for the public and private keys.
**Release note**:
```release-note
vSphere Cloud Provider: add SAML token authentication support
```
Automatic merge from submit-queue (batch tested with PRs 63886, 63857, 63824). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Refactor cache based manager
This is support to be no-op refactoring. It will only allow to share code between secret and configmap managers.
Automatic merge from submit-queue (batch tested with PRs 63886, 63857, 63824). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[GCE] Check for NEG healthcheck
**What this PR does / why we need it**:
In `backendMode`, also check for HealthCheck with the same name as BackendService.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63865, 57849, 63932, 63930, 63936). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Extract connection rotating dialer into a package
**What this PR does / why we need it**: This will be re-used for exec auth plugin to rotate connections on
credential change.
**Special notes for your reviewer**: this was split from https://github.com/kubernetes/kubernetes/pull/61803 to simplify review
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63865, 57849, 63932, 63930, 63936). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Implement `kubeadm init diff`
**What this PR does / why we need it**:
Some users want to see the changes `kubeadm` woulda apply before actually running `kubeadm upgrade apply`. This shows the changes that will be made to the static pod manifests before applying them. This is a narrower case than `kubeadm upgrade apply --dry-run`, which specifically focuses on the static pod manifests.
**Which issue(s) this PR fixes**:
Part of [kubeadm/489](https://github.com/kubernetes/kubeadm/issues/489#issuecomment-388974795)
**Special notes for your reviewer**:
**Release note**:
```release-note
adds the `kubeadm upgrade diff` command to show how static pod manifests will be changed by an upgrade.
```
Automatic merge from submit-queue (batch tested with PRs 63865, 57849, 63932, 63930, 63936). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
bzl: cleanup some no longer need visibilities
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63865, 57849, 63932, 63930, 63936). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Eviction Node e2e test checks for eviction reason
**What this PR does / why we need it**:
Currently, the eviction test simply ensures that pods are marked `Failed`. However, this could occur because of an OOM, rather than an eviction.
To ensure that pods are actually being evicted, check for the Reason in the pod status to ensure it is evicted.
**Release note**:
```release-note
NONE
```
cc @kubernetes/sig-node-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 63865, 57849, 63932, 63930, 63936). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Minor fixes for kubeadm reset
This set of fixes was proposed by @neolit123 in [PR 63849](https://github.com/kubernetes/kubernetes/pull/63849) review
comments:
- Capitalized output after [reset]
- Used %v format for Go errors
- Fixed spelling: Trying using -> Trying to use
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use 'docker/default' as default seccomp profile for unprivileged PodSecurityPolicy
**What this PR does / why we need it**:
This PR sets the default seccomp profile for unprivileged PodSecurityPolicy to 'docker/default'. This PR is a followup of [#62662](https://github.com/kubernetes/kubernetes/pull/62662). We are using 'docker/default' instead of 'runtime/default' in addons in order to handle node version skew. When default seccomp profile is applied later, we can remove those annotations.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#39845
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix formatting for kubelet memcg notification threshold
/kind bug
**What this PR does / why we need it**:
This fixes the following errors (found in [this node_e2e serial test log](https://storage.googleapis.com/kubernetes-jenkins/logs/ci-kubernetes-node-kubelet-serial/4118/artifacts/tmp-node-e2e-49baaf8a-cos-stable-63-10032-71-0/kubelet.log)):
`eviction_manager.go:256] eviction manager attempting to integrate with kernel memcg notification api`
`threshold_notifier_linux.go:70] eviction: setting notification threshold to 4828488Ki`
`eviction_manager.go:272] eviction manager: failed to create hard memory threshold notifier: invalid argument`
**Special notes for your reviewer**:
This needs to be cherrypicked back to 1.10.
This regression was added in https://github.com/kubernetes/kubernetes/pull/60531, because the `quantity` being used was changed from a DecimalSI to BinarySI, which changes how it is printed out in the String() method. To make it more explicit that we want the value, just convert Value() to a string.
**Release note**:
```release-note
Fix memory cgroup notifications, and reduce associated log spam.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
diff: Fix broken `Local()` logic
Local and Live functions where doing and returning the same thing,
giving empty results by default. Fix the local function by copying the
objects before fetching the live version.
**What this PR does / why we need it**: Diff prints empty output by default. Fixes it.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubernetes/issues/61145
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Remove the `.CloudProvider` and `.PrivilegedPods` configuration option
**What this PR does / why we need it**:
Removes the `.CloudProvider` option, it has been experimental for a long time. People should now use external cloud providers, which is beta in v1.11. Most importantly, you can get the exact same behavior in the API by utilizing the `.*ExtraArgs` and `.*ExtraVolumes` fields.
Removes `.PrivilegedPods` as that serves a super small edge case with the legacy cloud provider, and only for openstack.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of https://github.com/kubernetes/community/pull/2131
**Special notes for your reviewer**:
Depends on PRs:
- [x] #63799
- [x] #63788
**Release note**:
```release-note
[action required] In the new v1alpha2 kubeadm Configuration API, the `.CloudProvider` and `.PrivilegedPods` fields don't exist anymore.
Instead, you should use the out-of-tree cloud provider implementations which are beta in v1.11.
If you have to use the legacy in-tree cloud providers, you can rearrange your config like the example below.
If you need to use the `.PrivilegedPods` functionality, you can still edit the manifests in
`/etc/kubernetes/manifests/`, and set `.SecurityContext.Privileged=true` for the apiserver
and controller manager.
---
kind: MasterConfiguration
apiVersion: kubeadm.k8s.io/v1alpha2
apiServerExtraArgs:
cloud-provider: "{cloud}"
cloud-config: "{path}"
apiServerExtraVolumes:
- name: cloud
hostPath: "{path}"
mountPath: "{path}"
controllerManagerExtraArgs:
cloud-provider: "{cloud}"
cloud-config: "{path}"
controllerManagerExtraVolumes:
- name: cloud
hostPath: "{path}"
mountPath: "{path}"
---
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @dims @liztio
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adds a kubeadm config images pull command
This command will use crictl or docker to pull images locally.
The dockerfall back is needed because in some cases the kubelet is not
yet running so there is no CRI dockershim socket available.
Fixeskubernetes/kubeadm#812
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This PR adds a command to the `kubeadm config images` subcommand to pull images using either crictl or docker.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#812
**Special notes for your reviewer**:
**Release note**:
```release-note
Adds a `kubeadm config images pull` command to pull container images used by kubeadm.
```
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
Local and Live functions where doing and returning the same thing,
giving empty results by default. Fix the local function by copying the
objects before fetching the live version.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Retry certificate approval on conflict errors
We already check preconditions. We were seeing a non-trivial number of conflicts when using the command from automation.
Fixesopenshift/origin#19430
@mikedanese @mfojtik
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Restore pre-1.10 openstack instance naming behavior
As noted in https://github.com/kubernetes/kubernetes/pull/61890#issuecomment-377282182 and https://github.com/kubernetes/kubernetes/issues/62295#issuecomment-389374492, the 1.10 changes to the openstack cloud provider node name computation (in #58502, #61000, and #61890) broke existing deployments that provisioned instances with credentials matching their instance names. It also did not account for version skewed kubelets, which can run 1.8 and 1.9 versions against a 1.10 master, and still register based on instance name.
This PR reverts the incompatible changes to restore pre-1.10 behavior.
Further improvements to handle instances with names that cannot be used as node names are tracked in https://github.com/kubernetes/kubernetes/issues/62295
/assign @dims
/sig openstack
/kind bug
```release-note
Restores the pre-1.10 behavior of the openstack cloud provider which uses the instance name as the Kubernetes Node name. This requires instances be named with RFC-1123 compatible names.
```
This command will use crictl or docker to pull images locally.
The dockerfall back is needed because in some cases the kubelet is not
yet running so there is no CRI dockershim socket available.
Fixeskubernetes/kubeadm#812
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
Automatic merge from submit-queue (batch tested with PRs 63875, 63817). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
NFS support for default storage
**What this PR does / why we need it**:
Adds NFS support for kubernetes-worker charm allowing default storage for NFS charms.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Added support for NFS relations on kubernetes-worker charm.
```
Automatic merge from submit-queue (batch tested with PRs 63875, 63817). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
make TestGetServerGroupsWithTimeout more reliable
Stops overriding a global variable in a test and tolerates a different kind of timeout message you can see.
/assign @soltysh
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Deprecate InfluxDB cluster monitoring
InfluxDB cluster monitoring addon will no longer be supported and will be removed in k8s 1.12.
Default monitoring solution will be changed to `standalone`.
Heapster will still be deployed for backward compatibility of `kubectl top`
```release-note
Stop using InfluxDB as default cluster monitoring
InfluxDB cluster monitoring is deprecated and will be removed in v1.12
```
cc @piosz
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Add (duplicated) v1alpha2 Config API
**What this PR does / why we need it**:
Work in progress PR to add a (initially duplicated) `v1alpha2` we can iterate on during the cycle.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of https://github.com/kubernetes/community/pull/2131
**Special notes for your reviewer**:
This PR depends on:
- [x] #63782
- [x] #63783
- [x] #63787
- [x] #63799
The first commit is from #63799.
The second commit duplicates v1alpha1, but updates timestamps, and doesn't require the `upgrade.go`.
The third commit does the mechanical bump of using v1alpha1 -> v1alpha2
The fourth commit updates bazel
**Release note**:
```release-note
[action required] kubeadm now uses an upgraded API version for the configuration file, `kubeadm.k8s.io/v1alpha2`. kubeadm in v1.11 will still be able to read `v1alpha1` configuration, and will automatically convert the configuration to `v1alpha2` internally and when storing the configuration in the ConfigMap in the cluster.
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @liztio
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable checking whether ipvs modules are built-in or not
**What this PR does / why we need it**:
Enable checking whether ipvs modules are built-in or not.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#63801
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Auto-calculate allowed-not-ready-nodes in test framework
Actually we (sig-scalability) are pretty much the only users of this flag.
This reduces the overhead of having to provide its value based on num-nodes each time we run our tests.
/cc @wojtek-t
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63696, 59632). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
abstract duplicated code in ipvs proxier and reduce the comments
**What this PR does / why we need it**:
Abstract duplicated code in ipvs proxier and reduce the comments.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
gce: Prefer MASTER_ADVERTISE_ADDRESS in apiserver setup
MASTER_ADVERTISE_ADDRESS is used to set the --advertise-address flag
for the apiserver. It's useful for running the apiserver behind a load
balancer.
However, if PROJECT_ID, TOKEN_URL, TOKEN_BODY, and NODE_NETWORK are
all set, the GCE VM's external IP address will be fetched and used
instead and MASTER_ADVERTISE_ADDRESS will be ignored.
Change this behavior so that MASTER_ADVERTISE_ADDRESS takes precedence
because it's more specific. We still fall back to using the VM's
external IP address if the other variables are set.
Also: Move the setting of --ssh-user and --ssh-keyfile based on
PROXY_SSH_USER) to a top-level block because this is common to all
codepaths.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63167, 63357). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Install and use crictl in gce kube-up.sh
Download and use crictl in gce kube-up.sh.
This PR:
1. Downloads crictl `v1.0.0-beta.0` onto the node, which supports CRI v1alpha2. We'll upgrade it to `v1.0.0-beta.1` soon after the release is cut.
2. Change `kube-docker-monitor` to `kube-container-runtime-monitor`, and let it use `crictl` to do health monitoring.
3. Change `e2e-image-puller` to use `crictl`. Because of https://github.com/kubernetes/kubernetes/issues/63355, it doesn't work now. But in `crictl v1.0.0-beta.1`, we are going to statically link it, and the `e2e-image-puller` should work again.
4. Use `systemctl kill --kill-who=main` instead of `pkill`, the reason is that:
a. `pkill docker` will send `SIGTERM` to all processes including `dockerd`, `docker-containerd`, `docker-containerd-shim`. This is not a problem for Docker 17.03 CE, because `containerd-shim` in containerd 0.2.x doesn't exit with SIGERM (see [code](https://github.com/containerd/containerd/blob/v0.2.x/containerd-shim/main.go#L123)). However, `containerd-shim` in containerd 1.0+ does exit with SIGTERM (see [code](https://github.com/containerd/containerd/blob/master/cmd/containerd-shim/main_unix.go#L200)). This means that `pkill docker` and `pkill containerd` will kill all shim processes for Docker 17.11+ and containerd 1.0+.
b. We can use `pkill -x` instead. However, docker systemd service name is `docker`, but daemon process name is `dockerd`. We have to introduce another environment variable to specify "daemon process name". Given so, it seems easier to just use `systemctl kill` which only requires systemd service name. `systemctl kill --kill-who=main` will make sure only main process receives SIGTERM.
Signed-off-by: Lantao Liu <lantaol@google.com>
/cc @filbranden @yujuhong @feiskyer @mrunalp @kubernetes/sig-node-pr-reviews @kubernetes/sig-cluster-lifecycle-pr-reviews
**Release note**:
```release-note
Kubernetes cluster on GCE have crictl installed now. Users can use it to help debug their node. The documentation of crictl can be found https://github.com/kubernetes-incubator/cri-tools/blob/master/docs/crictl.md.
```
wojtekt