Automatic merge from submit-queue
Kubelet CRI: move seccomp from annotations to security context
**What this PR does / why we need it**:
This is the final step for #39130, which moves seccomp from annotations to linux container security context. And it also fixes#36997 by set the full seccomp profile path for node-installed profiles.
Note it doesn't include spec the seccomp profile format, which should be addressed at #39128. And a following PR is required for implementing in kuberuntime and dockershim.
**Which issue this PR fixes**
Fixes#39130Fixes#36997
**Special notes for your reviewer**:
**Release note**:
```release-note
Kubelet CRI: move seccomp from annotations to security context.
```
Automatic merge from submit-queue (batch tested with PRs 48494, 48733)
Never prevent deletion of resources as part of namespace lifecycle
Namespace lifecycle should not prevent deletion of resources... its purpose is to prevent creation of resources in a terminating namespace, or create/update of resources in a non-existent namespace.
Fixes#49027
Automatic merge from submit-queue (batch tested with PRs 48494, 48733)
Move test-webserver from contrib/for-demos to kubernetes/test/images
**What this PR does / why we need it**:
This PR is for
- Moving the https://github.com/kubernetes/contrib/tree/master/for-demos/test-webserver to kubernetes/test/images - Refer https://github.com/kubernetes/contrib/pull/2544 for more information
- Multi architecture support for test-webserver image
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 48991, 48908)
Group every two services into one in load test
Ref https://github.com/kubernetes/kubernetes/issues/48938
Following from discussion with @bowei and @freehan .
This reduces #services to 8200 while keeping no. of backends same.
/cc @wojtek-t @gmarek
Automatic merge from submit-queue
Remove old, core/v1 specific constructs from RESTClient
Now that metav1 is abstracted from the APIs, RESTClient should also be agnostic to the core API.
* Remove `LabelSelectorParam` and `FieldSelectorParam` - use `VersionedParams` with `ListOptions`
* Remove `UintParam`
* Remove all legacy field selector logic from `VersionedParams` - ParameterCodec now handles that
* Remove special parameters (like `timeout`) which is no longer set by most clients
Automatic merge from submit-queue (batch tested with PRs 48262, 48805)
[Scheduler] Use const value maxPriority instead of immediate value 10
Signed-off-by: sakeven <jc5930@sina.cn>
**What this PR does / why we need it**:
Use const value maxPriority instead of immediate value 10.
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48262, 48805)
Fix condition in autoscaler e2e
Fix off-by-one in cluster-autoscaler that made the test trivially
pass (without actually requiring scale-up to happen).
Automatic merge from submit-queue
forget pod first after binding failed
Signed-off-by: sakeven <jc5930@sina.cn>
**What this PR does / why we need it**:
In the implementation of scheduler cache, `FinishBinding` marks Pod expired, and then pod would be cleaned in ttl seconds. While `ForgetPod` checks Pod whether assumed, if not, it reports an error.
So if binding failed and ttl(now 30s) is too short, the error will occur when `ForgetPod`, thus we won't record `BindingRejected` event.
Although it's rare, we shouldn't depend on the value of ttl.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue
Changes to fix the node eviction flake
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#39975
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Log error when failed to renew lease.
**What this PR does / why we need it**:
Log detailed error when leaderelection can not renew release.
It would add a little bit help to find direct reason of failing renew lease
```
E0626 15:23:06.269198 46443 leaderelection.go:263] Failed to update lock: etcdserver: request timed out
E0626 15:23:07.528206 46443 leaderelection.go:263] Failed to update lock: Operation cannot be fulfilled on endpoints "kube-scheduler": the object has been modified; please apply yo
ur changes to the latest version and try again
E0626 15:23:07.528260 46443 event.go:259] Could not construct reference to: '&v1.Endpoints{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"", GenerateN
ame:"", Namespace:"", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*
v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]str
ing(nil), ClusterName:""}, Subsets:[]v1.EndpointSubset(nil)}' due to: 'selfLink was empty, can't make reference'. Will not report event: 'Normal' 'LeaderElection' 'gd6-k8s-noah-prod0
01-master-s0004 stopped leading'
I0626 15:23:07.528391 46443 leaderelection.go:208] failed to renew lease kube-system/kube-scheduler
F0626 15:23:07.528422 46443 server.go:134] lost master
```
Automatic merge from submit-queue (batch tested with PRs 47309, 47187)
Add IPv6 test cases to kube-proxy server test.
**What this PR does / why we need it**: This change adds some IPv6 test cases for the kube-proxy server. Also adds some test cases for negative conditions for better test coverage.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47313
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 48381, 48274)
Fix completions for --namespace to override kubectl flags
**What this PR does / why we need it**:
This PR fixes completions for --namespace to override kubectl flags. Due to not using __kubectl_parse_get, __kubectl_get_namespaces doesn't support to override kubectl flags.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Support completion for kubectl config delete-cluster
**What this PR does / why we need it**:
This PR supports completion for kubectl config delete-cluster.
```
$ kubectl config delete-cluster <tab>
cluster01 minikube
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Support completion for kubectl config delete-cluster
```
Automatic merge from submit-queue (batch tested with PRs 46091, 48280)
allow output patch string in edit command
**What this PR does / why we need it**:
allow user to get the patch from edit command if user is not familiar with the patch format.
```
# ./cluster/kubectl.sh create role a --verb=get,list --resource=no
role "a" created
# ./cluster/kubectl.sh edit role a --output-patch=true
Patch: {"rules":[{"apiGroups":[""],"resources":["nodes"],"verbs":["get","list","delete"]}]}
role "a" edited
# ./cluster/kubectl.sh create role b --verb=get,list --resource=no
role "b" created
# ./cluster/kubectl.sh patch role b -p '{"rules":[{"apiGroups":[""],"resources":["nodes"],"verbs":["get","list","delete"]}]}'
role "b" patched
```
**Which issue this PR fixes**: fixes#47173
**Special notes for your reviewer**:
**Release note**:
```release-note
Could get the patch from kubectl edit command
```
Automatic merge from submit-queue (batch tested with PRs 47417, 47638, 46930)
Added scheduler integration test owners.
**What this PR does / why we need it**:
Add OWNER file into scheduler integration test.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # N/A
**Release note**:
```release-note-none
```
Automatic merge from submit-queue (batch tested with PRs 47417, 47638, 46930)
update the err of hostPorts in psp
**What this PR does / why we need it**:
change `Allowed ports: [{8000 8080}]` to `Allowed ports: [8000-8080]`
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47417, 47638, 46930)
print non-existent key in configmap
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#41573
**Special notes for your reviewer**:
carry from #41574
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47360, 48930)
Sig-instrumentation e2e tests refactoring
Consolidate all sig-intrumentation-owned tests to one directory with clean owners.
/cc @piosz
Automatic merge from submit-queue
GCP Fluentd Logging of node-problem-detector
**What this PR does / why we need it**:
This PR adds `node-problem-detector` logging to the gcp fluentd configmap.
Adding this logging GCE can now capture events and alert on process `OOMKilling` conditions when applying memory limits to containers.
**Which issue this PR fixes**:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Renamed nodeutil to v1node.
**What this PR does / why we need it**:
Renamed `nodeutil` to `v1node` as there's already another similar package named `utilnode`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #N/A
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46973, 48556)
Improve error reporting when flex driver has failed to initialize
**What this PR does / why we need it**:
This PR improves error reporting for the case when flex driver is failing to initialize. There are 2 improvements:
1) show only the plugin name instead of a full struct. This makes a message shorter and removes useless and internal information.
Before:
>E0605 16:44:59.330215 26786 plugins.go:359] Failed to load volume plugin &{k8s/nfs /usr/libexec/kubernetes/kubelet-plugins/volume/exec/k8s~nfs %!s(*kubelet.kubeletVolumeHost=&{0xc431ea5800 {{1 0} map[kubernetes.io/downward-api:0xc431ee3f20 kubernetes.io/aws-ebs:0xc431ee3eb0 kubernetes.io/git-repo:0xc431ee3ef0 kubernetes.io/host-path:0xc430e985f0 kubernetes.io/rbd:0xc42bfab840 kubernetes.io/quobyte:0xc431ee3f00 kubernetes.io/fc:0xc42bfab980 kubernetes.io/empty-dir:0xc431ee3ed0 kubernetes.io/nfs:0xc430e98640 kubernetes.io/iscsi:0xc42bfab720 kubernetes.io/glusterfs:0xc430faaba0 kubernetes.io/cinder:0xc42bfab8c0 kubernetes.io/gce-pd:0xc431ee3ee0 kubernetes.io/secret:0xc42bfab6a0 kubernetes.io/flocker:0xc431ee3f30 kubernetes.io/cephfs:0xc431ee3f10]} 0xc42698cf40}) %!s(*exec.executor=&{}) {%!s(int32=0) %!s(uint32=0)} []}, error: unexpected end of JSON input
After:
>E0605 16:59:45.520185 29041 plugins.go:359] Failed to load volume plugin k8s/nfs, error: unexpected end of JSON input
2) quote script output. In case the output was empty, messages look a bit better:
Before:
> E0605 16:44:59.330077 26786 driver-call.go:212] Failed to unmarshal output for command: init, **output: **, error: unexpected end of JSON input
> W0605 16:44:59.330170 26786 driver-call.go:140] FlexVolume: driver call failed: executable: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/k8s\~nfs/nfs, args: [init], error: fork/exec /usr/libexec/kubernetes/kubelet-plugins/volume/exec/k8s\~nfs/nfs: permission denied, **output: **
After:
>E0605 16:59:45.519906 29041 driver-call.go:212] Failed to unmarshal output for command: init, **output: ""**, error: unexpected end of JSON input
>W0605 16:59:45.520109 29041 driver-call.go:140] FlexVolume: driver call failed: executable: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/k8s\~nfs/nfs, args: [init], error: fork/exec /usr/libexec/kubernetes/kubelet-plugins/volume/exec/k8s\~nfs/nfs: permission denied, **output: ""**
Automatic merge from submit-queue (batch tested with PRs 44129, 48030, 48906)
Add default=false to usage of kube-apiserver allow-privileged flag
**What this PR does / why we need it**:
Users will be clear about default value of `allow-privileged` flag.
Automatic merge from submit-queue
Fix comments and typo in the error message
**What this PR does / why we need it**:
This PR fixes outdated comments and typo in the error message.
**Release note**:
```release-note
NONE
```
CC @simo5
Automatic merge from submit-queue (batch tested with PRs 46318, 48978)
Mark sig-scheduling tests with [sig-scheduling] so they can be selected for the testdash dashboard
**What this PR does / why we need it**:
Mark sig-scheduling tests with [sig-scheduling] so they can be selected for the testdash dashboard
(see kubernetes/test-infra#3529 for sig-scheduling dashboard definition).
cc/ @bsalamat @kubernetes/sig-scheduling-pr-reviews
Automatic merge from submit-queue
Allow setting service account with kubectl run
As more containers need to make use of the API, and more clusters are RBAC-enabled, which service account is used to run a particular container becomes more important.
This adds support to existing generators for setting the service account name in the pod spec.
```release-note
`kubectl run` learned how to set a service account name in the generated pod spec with the `--serviceaccount` flag.
```
related to #45147
Automatic merge from submit-queue
Improved code coverage for equivalence cache.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
none
```
Yang Guo