Addresses: kubernetes/features#88
This commit starts breaking the controller manager into two pieces, namely,
1. cloudprovider dependent piece
2. cloudprovider agnostic piece
the controller manager has the following control loops -
- nodeController
- volumeController
- routeController
- serviceController
- replicationController
- endpointController
- resourcequotacontroller
- namespacecontroller
- deploymentController etc..
among the above controller loops,
- nodeController
- volumeController
- routeController
- serviceController
are cloud provider dependent. As kubernetes has evolved tremendously, it has become difficult
for different cloudproviders (currently 8), to make changes and iterate quickly. Moreover, the
cloudproviders are constrained by the kubernetes build/release lifecycle. This commit is the first
step in moving towards a kubernetes code base where cloud providers specific code will move out of
the core repository, and will be maintained by the cloud providers themselves.
Finally, along with the controller-manager, the kubelet also has cloud-provider specific code, and that will
be addressed in a different commit/issue.
Automatic merge from submit-queue
remove unneeded authenticator dependencies from genericapiserver
Refactors the authenticator options to remove unneeded dependencies.
@sttts
Automatic merge from submit-queue
extend err info when authorize failed
If a rolebinding is related to a non-existent role, kubectl get po will return an error.
old result:
```shell
$ kubectl --token=/test get po
Error from server (InternalError): an error on the server ("Internal Server Error: \"/api/v1/namespaces/default/pods\"") has prevented the request from succeeding (get pods)
```
new result (output the reason):
```shell
$ kubectl --token=hi/test get po
Error from server (Forbidden): User "hi" cannot list pods in the namespace "default".: "role.rbac.authorization.k8s.io \"admin-resource-role\" not found" (get pods)
```
test.yaml
```
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin-resource-binding
  namespace: default
subjects:
- kind: Group
  name: test
roleRef:
  kind: Role
  name: admin-resource-role
```
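An added example, not part of the commit above or of the Kubernetes code base: a small audit that finds bindings whose `roleRef` names a role that does not exist, the condition that produced the error shown. Only `admin-resource-binding` and `admin-resource-role` come from the commit message; every other object name, and the `_obj` helper, are constructed for illustration.

```python
# Added example: flag bindings whose roleRef points at a role that does not exist.
# ITEMS is constructed sample data, shaped like the "items" list returned by
# `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.

def _obj(kind, name, namespace=None, ref=None):
    """Hypothetical helper that builds a minimal RBAC object for the sample."""
    obj = {"kind": kind, "metadata": {"name": name}}
    if namespace:
        obj["metadata"]["namespace"] = namespace
    if ref:
        obj["roleRef"] = {"kind": ref[0], "name": ref[1]}
    return obj

ITEMS = [
    _obj("Role", "pod-reader", "default"),
    _obj("ClusterRole", "view"),
    # The binding from the commit message: its Role was never created.
    _obj("RoleBinding", "admin-resource-binding", "default", ("Role", "admin-resource-role")),
    _obj("RoleBinding", "read-pods", "default", ("Role", "pod-reader")),
    # Same Role name, but Roles are namespaced: nothing exists in kube-system.
    _obj("RoleBinding", "read-pods", "kube-system", ("Role", "pod-reader")),
    _obj("RoleBinding", "view-binding", "default", ("ClusterRole", "view")),
    _obj("ClusterRoleBinding", "ops-binding", None, ("ClusterRole", "ops")),
]

def dangling_role_refs(items):
    """Return (kind, namespace, binding name, role name) for unresolved roleRefs."""
    roles = {(o["metadata"].get("namespace"), o["metadata"]["name"])
             for o in items if o["kind"] == "Role"}
    cluster_roles = {o["metadata"]["name"] for o in items if o["kind"] == "ClusterRole"}
    findings = []
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns = o["metadata"].get("namespace")
        ref = o.get("roleRef", {})
        if ref.get("kind") == "ClusterRole":
            found = ref.get("name") in cluster_roles
        elif ref.get("kind") == "Role" and o["kind"] == "RoleBinding":
            # A RoleBinding resolves a Role only inside its own namespace.
            found = (ns, ref.get("name")) in roles
        else:
            found = False  # a ClusterRoleBinding can only reference a ClusterRole
        if not found:
            findings.append((o["kind"], ns, o["metadata"]["name"], ref.get("name")))
    return findings

if __name__ == "__main__":
    for kind, ns, name, role in dangling_role_refs(ITEMS):
        print(f"{kind} {ns or '-'}/{name}: roleRef {role!r} not found")
```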
Automatic merge from submit-queue (batch tested with PRs 39146, 39094)
cleanup last e2e authorization failures
Builds on https://github.com/kubernetes/kubernetes/pull/39080. This adds rbac role bindings during e2e tests for tests that use SA permissions to loopback to the API server.
Assigned to me until it's ready.
Automatic merge from submit-queue
Make fluentd pods critical
Related to https://github.com/kubernetes/kubernetes/issues/38322
Make fluentd critical so it will be evicted with less probability.
CC @piosz @fgrzadkowski
Automatic merge from submit-queue
Add liveness probe for fluentd-gcp
It's known that fluentd can hang during execution until manual restart.
Liveness probe fixes this problem in the following way: if no buffer chunks were sent or created in the last 5 minutes, fluentd is hanging and should be restarted.
CC @piosz
Automatic merge from submit-queue (batch tested with PRs 39114, 36004)
Revert #32751 and #35840 in 1.6
Revert backward compatibility hacks (#36004, #32751) that are no longer needed in release 1.6
@kubernetes/sig-api-machinery @liggitt
Automatic merge from submit-queue (batch tested with PRs 39114, 36004)
assign -998 as the oom_score_adj for critical pods (e.g. kube-proxy)
I also validated this with a testing cluster: Fresh built cluster, and kill kube-proxy pod, etc.
```
root 2660 2643 0 Dec21 ? 00:00:00 /bin/sh -c kube-proxy --master=https://104.198.79.64 --kubeconfig=/var/lib/kube-proxy/kubeconfig --cluster-cidr=10.180.0.0/14 --resource-container="" --v=4 1>>/var/log/kube-proxy.log 2>&1
root 2667 2660 0 Dec21 ? 00:03:14 kube-proxy --master=https://104.198.79.64 --kubeconfig=/var/lib/kube-proxy/kubeconfig --cluster-cidr=10.180.0.0/14 --resource-container= --v=4
# cat /proc/2660/oom_score_adj
-998
# cat /proc/2667/oom_score_adj
-998
```
In this PR, I also include a small fix for an import cycle issue. The right fix should remove the dependency on the qos package from pkg/apis/componentconfig/v1alpha1. But since we plan to cherrypick this PR to both 1.5 and 1.4 (possible), I want to touch the source as little as possible.
Partial fix: #38322
Automatic merge from submit-queue (batch tested with PRs 39115, 39111)
Make one of the go2idl unit tests pass in a sandbox.
Not sure how important this is.
Automatic merge from submit-queue (batch tested with PRs 39115, 39111)
Node E2E: Do not use sudo when untar node e2e tar ball.
`sudo tar -x` will [extract files with original file ownership](http://unix.stackexchange.com/questions/264464/sudo-tar-changes-extracted-files-ownership-to-unknown-user), which is not what we want.
This also causes a problem for https://github.com/kubernetes/test-infra/issues/1348.
Because in https://github.com/kubernetes/test-infra/issues/1348 we move the node e2e runner into a docker container. Inside the container, the user is `root` by default, so the tar ball has `root` ownership.
If we untar the tar ball with `sudo`, it will recover the `root` ownership and the following operation may not have enough permission.
No matter what, we should not recover the file ownership inside the tar ball because:
* We don't care about it.
* It may not even exist on the host.
@krzyzacy
Automatic merge from submit-queue
Disable verify-test-owners.sh and make `go vet` more obvious
**What this PR does / why we need it**: I and others keep seeing the verify-test-owners.sh failure and think that's why the PR failed checks. Rather than making verify-test-owners.sh pass with errors, just skip it entirely.
Also print out the `go vet` command we're running, to make that failure more obvious.
cc @k82cn @saad-ali
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Enforce the RBAC authorizer in e2e for controllers and proxy
Turns on RBAC and updates the GCE controllers to use discrete service accounts.
Opening pull to start completing roles.
Automatic merge from submit-queue
Node E2E: Set user with `--ssh-user` flag when running remote node e2e.
This PR unblocks https://github.com/kubernetes/test-infra/issues/1348.
In our test environment, we must log in to the test instance as user `jenkins` because of the service account. Node e2e always uses the default user on the host, which has worked fine until now, because it is always run as `jenkins` in our test environment.
However, now we have moved the test runner into a docker container, and inside the container the user is `root` by default, which will cause an error:
```
Permission denied (publickey)
```
This PR adds a flag `--ssh-user` to explicitly specify the user used to ssh into the test instance. The dockerized test runner can set the user to `jenkins` with this flag.
@krzyzacy @ixdy
Automatic merge from submit-queue
Fix DaemonSet cache mutation
**What this PR does / why we need it**: stops the DaemonSetController from mutating the DaemonSet shared informer cache
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #38985
cc @deads2k @mikedanese @lavalamp @smarterclayton
Automatic merge from submit-queue (batch tested with PRs 39079, 38991, 38673)
Support systemd based pod qos in CRI dockershim
This PR makes pod level QoS work for CRI dockershim for systemd based cgroups. It will also fix #36807
- [x] Add cgroupDriver to dockerService and use docker info api to set value for it
- [x] Add a NOTE that detection only works for docker 1.11+, see [CHANGE LOG](https://github.com/docker/docker/blob/master/CHANGELOG.md#1110-2016-04-13)
- [x] Generate cgroupParent in syntax expected by cgroupDriver
- [x] Set cgroupParent to hostConfig for both sandbox and user container
- [x] Check if kubelet conflicts with cgroup driver of docker
cc @derekwaynecarr @vishh
Automatic merge from submit-queue (batch tested with PRs 39061, 39079)
Fixed cluster validation: added -q flag to gcloud.
Fixed cluster validation in multi-zone mode: added -q flag to gcloud.
Automatic merge from submit-queue
Fix typo for federation/*
**What this PR does / why we need it**:
Increase code readability for this new member in v1.5
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
**Special notes for your reviewer**:
Could we develop a typo-fix bot along with a k8s terminology dictionary?
**Release note**:
```release-note
```
Automatic merge from submit-queue
Validate numberReady in DaemonSet status
In #32781 numberReady was introduced but it wasn't validated.
@kargakis @mikedanese it's a very small change. Please take a look.