Commit Graph

67542 Commits (3155ea2a1832819f18669d3742fabbf5c69e7e77)

Author SHA1 Message Date
Kubernetes Submit Queue 3155ea2a18
Merge pull request #65549 from gnufied/fix-flexvolume-containers
Automatic merge from submit-queue (batch tested with PRs 65456, 65549). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix flexvolume in containerized kubelets

Fixes flex volumes in containerized kubelets.

cc @jsafrane @chakri-nelluri @verult 

Note to reviewers: e2e tests pass in local containerized cluster.

```release-note
Fix flexvolume in containerized kubelets
```
2018-07-09 06:24:06 -07:00
Kubernetes Submit Queue 9cb2ee0992
Merge pull request #65456 from wenlxie/upstream.master.csivolumemode
Automatic merge from submit-queue (batch tested with PRs 65456, 65549). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

add volume mode field to constructed volume spec for CSI plugin

Add volume mode field to constructed Volume Spec for CSI plugin

```release-note
Add volume mode field to constructed volume spec for CSI plugin
```
2018-07-09 06:24:03 -07:00
Kubernetes Submit Queue 40806a2660
Merge pull request #65823 from loburm/fix_truncate
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix truncating and batch backends integration.

Truncating backend was not starting batch thread that is responsible for reading events from the channel.

Fixes https://github.com/kubernetes/kubernetes/pull/65819

```release-note
None
```
2018-07-09 04:28:58 -07:00
Kubernetes Submit Queue 32dc6cc08a
Merge pull request #65945 from luxas/kubeadm_initconfig
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Rename `MasterConfiguration` to `InitConfiguration` in the kubeadm v1alpha3 Config API

**What this PR does / why we need it**:
In v1alpha3, we have made the design decision that `MasterConfiguration` will be renamed `InitConfiguration`. This PR implements that change.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref: kubernetes/kubeadm#911
Depends on:
 - [x] https://github.com/kubernetes/kubernetes/pull/65776
 - [x] https://github.com/kubernetes/kubernetes/pull/65628
 - [x] https://github.com/kubernetes/kubernetes/pull/65629
 - [x] https://github.com/kubernetes/kubernetes/pull/65631
 - [x] https://github.com/kubernetes/kubernetes/pull/65940
 - [x] https://github.com/kubernetes/kubernetes/pull/65787

**Special notes for your reviewer**:
Most of the code is autogenerated, using just find and replace.
Please only review commits:
 - `Automated rename from MasterConfiguration to InitConfiguration`
 - `Rename MasterConfiguration to InitConfiguration in v1alpha3, but support both names for this release of kubeadm`

**Release note**:

```release-note
[action required] The `MasterConfiguration` kind in the kubeadm v1alpha2 API has been renamed `InitConfiguration` in v1alpha3
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
2018-07-09 01:58:52 -07:00
Marian Lobur 20fb0b5eb1 Fix truncating and buffering backends integration. 2018-07-09 10:25:41 +02:00
Kubernetes Submit Queue 4bb3a2a557
Merge pull request #65911 from wongma7/crap
Automatic merge from submit-queue (batch tested with PRs 63194, 65911). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Remove crappy fmt.Println

Remove @gnufied's debug message https://github.com/kubernetes/kubernetes/pull/64527
```release-note
NONE
```
2018-07-09 00:32:59 -07:00
Kubernetes Submit Queue e943d09fa3
Merge pull request #63194 from m1093782566/cni-ts
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Adding traffic shaping support for CNI network driver

**What this PR does / why we need it**:

Adding traffic shaping support for CNI network driver - it's also a sub-task of kubenet deprecation work.

Design document is available here: https://github.com/kubernetes/community/pull/1893

**Which issue(s) this PR fixes**:
Fixes #

**Special notes for your reviewer**:

/cc @freehan @jingax10 @caseydavenport @dcbw 

/sig network
/sig node

**Release note**:

```release-note
Support traffic shaping for CNI network driver
```
2018-07-08 23:54:25 -07:00
Lucas Käldström 23ac814999
autogenerated 2018-07-09 04:56:34 +03:00
Lucas Käldström c48dfa6fe9
Rename MasterConfiguration to InitConfiguration in v1alpha3, but support both names for this release of kubeadm 2018-07-09 04:55:45 +03:00
Lucas Käldström 52f0591ad9
Automated rename from MasterConfiguration to InitConfiguration 2018-07-09 04:55:02 +03:00
liangwei 34d848eb1a add cni bandwidth test 2018-07-09 09:51:33 +08:00
Kubernetes Submit Queue ac99da5e3e
Merge pull request #65787 from luxas/kubeadm_split_componentconfig_from_api
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kubeadm: Use separate YAML docs for the kubelet and kube-proxy ComponentConfigs

**What this PR does / why we need it**:
This PR makes kubeadm load the ComponentConfig for the kubelet and kube-proxy from separate YAML documents in the `kubeadm init` config file. This is backwards-compatible with `v1alpha2`. The ComponentConfigs are stored internally in the internal kubeadm `MasterConfiguration` struct, but when marshalling the componentconfigs are written as separate YAML documents.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref: kubernetes/kubeadm#911
Depends on:
 - [x] https://github.com/kubernetes/kubernetes/pull/65776
 - [x] https://github.com/kubernetes/kubernetes/pull/65628
 - [x] https://github.com/kubernetes/kubernetes/pull/65629
 - [x] https://github.com/kubernetes/kubernetes/pull/65631
 - [x] https://github.com/kubernetes/kubernetes/pull/65940

**Special notes for your reviewer**:
Only review the last five commits please. (The last commit is purely autogenerated, so can be skipped)

**Release note**:

```release-note
kubeadm: Use separate YAML documents for the kubelet and kube-proxy ComponentConfigs
```
@kubernetes/sig-cluster-lifecycle-pr-reviews 
/assign @timothysc
2018-07-08 14:14:04 -07:00
Lucas Käldström 0be8955466
autogenerated 2018-07-08 21:33:56 +03:00
Lucas Käldström 699949fc87
Update the kubeadm config API roundtrip yaml files 2018-07-08 21:33:28 +03:00
Lucas Käldström 17b3b28190
Update unit tests 2018-07-08 21:32:51 +03:00
Lucas Käldström 495ac9883d
Make kubeadm support {un,}marshalling ComponentConfig structs as different YAML documents 2018-07-08 21:32:28 +03:00
Lucas Käldström 5aef95ebe1
Remove the ComponentConfig structs from the external v1alpha3 API. Use the new componentconfigs pkg for validation and conversion 2018-07-08 21:31:35 +03:00
Lucas Käldström f96ada0c04
Add a new package for handling all ComponentConfig-related code 2018-07-08 21:27:53 +03:00
Kubernetes Submit Queue 5028577360
Merge pull request #65940 from luxas/kubeadm_internal_componentconfigs
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kubeadm: Start using internal versions for ComponentConfigs in the internal API

**What this PR does / why we need it**:
This PR changes kubeadm to store the internal API versions of the ComponentConfig APIs, in order to in the future be able to read multiple external versions with conversion. It also moves all the ComponentConfigs to a common struct instead of splitting them out in many. This makes it possible to more easily host more ComponentConfigs in the future. In v1alpha3, the ComponentConfigs will later be removed from the external version of the API (see: https://github.com/kubernetes/kubernetes/pull/65787), but for this PR no changes to the external API are made.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref: kubernetes/kubeadm#911
Depends on:
 - [x] https://github.com/kubernetes/kubernetes/pull/65776
 - [x] https://github.com/kubernetes/kubernetes/pull/65628
 - [x] https://github.com/kubernetes/kubernetes/pull/65629
 - [x] https://github.com/kubernetes/kubernetes/pull/65631

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
2018-07-08 07:45:52 -07:00
m1093782566 8038a0dfa6 add traffic shaping support for CNI network driver 2018-07-08 22:22:25 +08:00
Lucas Käldström 5e6be9de77
autogenerated 2018-07-08 09:55:33 +03:00
Lucas Käldström 71eda34c01
Update the config API roundtrip tests 2018-07-08 09:50:34 +03:00
Lucas Käldström 3594d2ca39
Update unit tests 2018-07-08 09:50:10 +03:00
Lucas Käldström 35673da7c5
Start using the new path in the internal config for the ComponentConfig structs 2018-07-08 09:49:34 +03:00
Lucas Käldström 8004aad307
kubeadm: Embed the internal variants of the componentconfigs in the internal kubeadm API with conversions 2018-07-08 09:42:46 +03:00
Kubernetes Submit Queue 4d98735562
Merge pull request #65929 from yujuhong/add-warning
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add a README in test/e2e/node with a warning

**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2018-07-07 18:56:39 -07:00
Kubernetes Submit Queue fc09e89d1c
Merge pull request #65927 from BenTheElder/fix-visibility
Automatic merge from submit-queue (batch tested with PRs 65882, 65896, 65755, 60549, 65927). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fix visibility of testdata for //test/cmd:legacy-script

**What this PR does / why we need it**: fixes some BUILD visibility, albeit for a relatively unused target

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2018-07-07 18:41:15 -07:00
Kubernetes Submit Queue a936cafb92
Merge pull request #60549 from brahmaroutu/conf_serviceaccount
Automatic merge from submit-queue (batch tested with PRs 65882, 65896, 65755, 60549, 65927). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Adding details to Conformance Tests using RFC 2119 standards.

This PR is part of the conformance documentation. This is to provide more formal specification using RFC 2119 keywords to describe the test so that whoever is running conformance tests does not have to go through the code to understand why and what is tested.
The documentation information added here into each of the tests eventually results in a document which is currently checked in at location https://github.com/cncf/k8s-conformance/blob/master/docs/KubeConformance-1.9.md

I would like to have this PR reviewed for v1.10 as I consider it important to strengthen the conformance documents.
2018-07-07 18:41:12 -07:00
Kubernetes Submit Queue 28e78ec987
Merge pull request #65755 from wojtek-t/optimize_kube_proxy
Automatic merge from submit-queue (batch tested with PRs 65882, 65896, 65755, 60549, 65927). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Avoid printing some service comments in iptables rules

According to some profiles, with large number of endpoints in the system, comments mentioning the service in appropriate iptables rules may be responsible for 40% of all iptables contents.

Given that ~70% of memory usage of kube-proxy seems to be because of generated iptables rules, the overall saving may be at the level of 30% or so.

OTOH, we sacrifice a bit of understandability of iptables, but this PR only changes some of iptables that contribute to the most painful rules.

@thockin @danwinship @dcbw - thoughts?

Ref #65441
2018-07-07 18:41:09 -07:00
Kubernetes Submit Queue bac20f7f93
Merge pull request #65896 from aojea/issue#65784
Automatic merge from submit-queue (batch tested with PRs 65882, 65896, 65755, 60549, 65927). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fail update-godep-licenses if bash version lower than 4

**What this PR does / why we need it**:
trying to update godeps on mac OSX fails without any information, this patch exits the script with a return error code just after printing the cause of the failure in the screen to the user

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #65784 

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2018-07-07 18:41:06 -07:00
Kubernetes Submit Queue 08ed3a81f5
Merge pull request #65882 from cblecker/verify-gen-files
Automatic merge from submit-queue (batch tested with PRs 65882, 65896, 65755, 60549, 65927). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add script to verify generated files

**What this PR does / why we need it**:
This is probably a *really* heavy-handed fix to this, but it will catch issues in presubmit.

Basically, takes a copy of the repo, clears out anything that is ignored from the git tree, runs `make generated_files`, and looks for a git diff. If there is one, error. Anything that is properly gitignored won't cause a diff, but anything that is *supposed* to be checked in, but is different, this will catch.

**Special notes for your reviewer**:
I'm open to more elegant answers, but this will at least stop it from happening for now.

**Release note**:
```release-note
NONE
```
2018-07-07 18:41:03 -07:00
Kubernetes Submit Queue d51bfcd4aa
Merge pull request #65920 from dims/pause-image-should-be-arch-agnostic
Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kubeadm: pause image should be arch agnostic, as it is a manifest list

Signed-off-by: Davanum Srinivas <davanum@gmail.com>



**What this PR does / why we need it**:

`pause` image is backed by a manifest list, so we should not use the arch image when reporting using say `kubeadm config image list`

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubeadm/issues/962

**Special notes for your reviewer**:

**Release note**:

```release-note
kubeadm: Fix pause image to not use architecture, as it is a manifest list
```
2018-07-07 16:25:17 -07:00
Kubernetes Submit Queue 5b052de486
Merge pull request #65906 from liggitt/union-authz-message
Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Improve multi-authorizer errors

Fixes #52279 

Includes an indication from the RBAC authorizer that it attempted to authorize the request. This reduces confusion when combined with a webhook authorizer that returns specific reasons for rejection

/sig auth

```release-note
NONE
```
2018-07-07 16:25:14 -07:00
Kubernetes Submit Queue c899ccf441
Merge pull request #65913 from dougm/vcp-logout-race
Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

vSphere Cloud Provider: avoid read race during logout

**What this PR does / why we need it**:

The `go test -race` will sometimes detect a read race in the vSphere Cloud Provider logout function, causing tests to fail.

**Which issue(s) this PR fixes**:
Fixes #65696

**Special notes for your reviewer**:

The Client nil check was added in 6d1c4a3, but there was not any
go test coverage of that code path until e22f9ca

**Release note**:

```release-note
none
```
2018-07-07 16:25:11 -07:00
Kubernetes Submit Queue 8e2fdb32bc
Merge pull request #65904 from deads2k/api-02-trackscheme
Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

track schemes by name for error reporting

Getting an error message about a type not being in the scheme is hard to fix if you don't know which scheme is failing.  This adds a name to the scheme which can be set during creation or can be set based on the calling stack.  If you use the old constructor a name is generated for you based on the stack.  Something like "k8s.io/client-go/dynamic/scheme.go:28" for instance.

Also moves a typer to its point of use.  This was debt from previous refactors which I noticed going through.

@kubernetes/sig-api-machinery-misc 
@sttts 

```release-note
NONE
```
2018-07-07 16:25:08 -07:00
Kubernetes Submit Queue 60c44af9ce
Merge pull request #65946 from cblecker/fix-godeps-65707
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Remove unneeded deps

**What this PR does / why we need it**:
#65707 removed reliance on `github.com/google/cadvisor/http` (and its dependencies), but we forgot to clean up the dep. This is causing failures in batches and postsubmits.

**Release note**:
```release-note
NONE
```

/cc @BenTheElder @dims @dashpole @luxas @philips @yujuhong
2018-07-07 16:13:14 -07:00
Christoph Blecker f97fdf76dc
Remove unneeded deps 2018-07-07 12:20:46 -07:00
Kubernetes Submit Queue 2d288a7da4
Merge pull request #65802 from xlgao-zju/improve-output
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

[kubeadm] Print required flags when running kubeadm upgrade plan

**What this PR does / why we need it**:
print required flags when running kubeadm upgrade plan

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Close [kubernetes/kubeadm#935](https://github.com/kubernetes/kubeadm/issues/935)

**Special notes for your reviewer**:
/assign @chuckha 
/assign @neolit123 

**Release note**:

```release-note
kubeadm: print required flags when running kubeadm upgrade plan
```
2018-07-07 12:06:43 -07:00
Kubernetes Submit Queue 097f300a4d
Merge pull request #65707 from dims/remove-deprecated-cadvisor-port
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Remove --cadvisor-port - has been deprecated since v1.10

**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #56523

**Special notes for your reviewer**:
- Deprecated in https://github.com/kubernetes/kubernetes/pull/59827 (v1.10)
- Disabled in https://github.com/kubernetes/kubernetes/pull/63881 (v1.11)

**Release note**:

```release-note
[action required] The formerly publicly-available cAdvisor web UI that the kubelet started using `--cadvisor-port` is now entirely removed in 1.12. The recommended way to run cAdvisor if you still need it, is via a DaemonSet.
```
2018-07-07 05:28:13 -07:00
Kubernetes Submit Queue cb9ddd3456
Merge pull request #65495 from sjenning/add-reviewer
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

add sjenning to sig-node-reviewers

Request to be added to sig-node-reviewers

Sponsor @derekwaynecarr 

PR activity (~75 merged PRs):
https://github.com/kubernetes/kubernetes/pulls?q=is%3Apr+author%3Asjenning

QoS-level memory limits:
https://github.com/kubernetes/kubernetes/pull/41149

QoS pod status field:
https://github.com/kubernetes/kubernetes/pull/37968
https://github.com/kubernetes/kubernetes/pull/38989

Memcg threshold notification for eviction:
https://github.com/kubernetes/kubernetes/pull/38989

Areas of focus:
Kubelet sync loop and pod lifecycle
QoS/Pod level cgroup manager
systemd cgroup driver
CRI
dockershim
Volume manager
SELinux
cAdvisor

Member since: Feb 2016
2018-07-07 00:05:04 -07:00
Kubernetes Submit Queue f634f7dae4
Merge pull request #65926 from Random-Liu/fix-run-as-group
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix RunAsGroup.

For https://github.com/kubernetes/features/issues/213
See https://github.com/containerd/cri/issues/836

In https://github.com/containerd/cri/issues/836, people thought that this is a containerd issue. However, it turns out that this feature doesn't work at all. @krmayankk

Without the fix:
```
• Failure [10.125 seconds]
[k8s.io] [sig-node] Security Context [Feature:SecurityContext]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679
  should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup] [It]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112

  Expected error:
      <*errors.errorString | 0xc42185bcd0>: {
          s: "expected \"gid=2002\" in container output: Expected\n    <string>: uid=1002 gid=1002\n    \nto contain substring\n    <string>: gid=2002",
      }
      expected "gid=2002" in container output: Expected
          <string>: uid=1002 gid=1002
          
      to contain substring
          <string>: gid=2002
  not to have occurred

/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/util.go:2325
```

With the fix:
```
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
------------------------------
[k8s.io] [sig-node] Security Context [Feature:SecurityContext] 
  should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
[BeforeEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:141
STEP: Creating a kubernetes client
Jul  6 15:38:43.994: INFO: >>> kubeConfig: /var/run/kubernetes/admin.kubeconfig
STEP: Building a namespace api object, basename security-context
Jul  6 15:38:44.024: INFO: No PodSecurityPolicies found; assuming PodSecurityPolicy is disabled.
STEP: Waiting for a default service account to be provisioned in namespace
[It] should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
STEP: Creating a pod to test pod.Spec.SecurityContext.RunAsUser
Jul  6 15:38:44.027: INFO: Waiting up to 5m0s for pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064" in namespace "e2e-tests-security-context-hwm7l" to be "success or failure"
Jul  6 15:38:44.029: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 1.17106ms
Jul  6 15:38:46.031: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 2.003308423s
Jul  6 15:38:48.033: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Succeeded", Reason="", readiness=false. Elapsed: 4.005287901s
STEP: Saw pod success
Jul  6 15:38:48.033: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064" satisfied condition "success or failure"
Jul  6 15:38:48.034: INFO: Trying to get logs from node 127.0.0.1 pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 container test-container: <nil>
STEP: delete the pod
Jul  6 15:38:48.047: INFO: Waiting for pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 to disappear
Jul  6 15:38:48.049: INFO: Pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 no longer exists
[AfterEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:142
Jul  6 15:38:48.049: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready
STEP: Destroying namespace "e2e-tests-security-context-hwm7l" for this suite.
Jul  6 15:38:54.057: INFO: Waiting up to 30s for server preferred namespaced resources to be successfully discovered
Jul  6 15:38:54.084: INFO: namespace: e2e-tests-security-context-hwm7l, resource: bindings, ignored listing per whitelist
Jul  6 15:38:54.107: INFO: namespace e2e-tests-security-context-hwm7l deletion completed in 6.056285097s

• [SLOW TEST:10.113 seconds]
[k8s.io] [sig-node] Security Context [Feature:SecurityContext]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679
  should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
------------------------------
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
------------------------------
[k8s.io] [sig-node] Security Context [Feature:SecurityContext] 
  should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84
[BeforeEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:141
STEP: Creating a kubernetes client
Jul  6 15:38:54.108: INFO: >>> kubeConfig: /var/run/kubernetes/admin.kubeconfig
STEP: Building a namespace api object, basename security-context
STEP: Waiting for a default service account to be provisioned in namespace
[It] should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84
STEP: Creating a pod to test pod.Spec.SecurityContext.RunAsUser
Jul  6 15:38:54.137: INFO: Waiting up to 5m0s for pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064" in namespace "e2e-tests-security-context-hs2vr" to be "success or failure"
Jul  6 15:38:54.138: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 1.374422ms
Jul  6 15:38:56.140: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 2.003249942s
Jul  6 15:38:58.142: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Succeeded", Reason="", readiness=false. Elapsed: 4.005110799s
STEP: Saw pod success
Jul  6 15:38:58.142: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064" satisfied condition "success or failure"
Jul  6 15:38:58.143: INFO: Trying to get logs from node 127.0.0.1 pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 container test-container: <nil>
STEP: delete the pod
Jul  6 15:38:58.149: INFO: Waiting for pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 to disappear
Jul  6 15:38:58.152: INFO: Pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 no longer exists
[AfterEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:142
Jul  6 15:38:58.152: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready
STEP: Destroying namespace "e2e-tests-security-context-hs2vr" for this suite.
Jul  6 15:39:04.157: INFO: Waiting up to 30s for server preferred namespaced resources to be successfully discovered
Jul  6 15:39:04.175: INFO: namespace: e2e-tests-security-context-hs2vr, resource: bindings, ignored listing per whitelist
Jul  6 15:39:04.193: INFO: namespace e2e-tests-security-context-hs2vr deletion completed in 6.039953722s

• [SLOW TEST:10.085 seconds]
[k8s.io] [sig-node] Security Context [Feature:SecurityContext]
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679
  should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup]
  /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84
------------------------------
SSSSJul  6 15:39:04.193: INFO: Running AfterSuite actions on all node
Jul  6 15:39:04.193: INFO: Running AfterSuite actions on node 1

Ran 2 of 1007 Specs in 50.246 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 1005 Skipped PASS

Ginkgo ran 1 suite in 50.482926642s
Test Suite Passed
2018/07/06 15:39:04 process.go:155: Step './hack/ginkgo-e2e.sh -host=https://localhost:6443 --ginkgo.focus=RunAsGroup' finished in 50.523613088s
2018/07/06 15:39:04 e2e.go:83: Done
```

We should cherry-pick this to 1.10 and 1.11. /cc @kubernetes/sig-node-bugs 

```release-note
Fix `RunAsGroup` which doesn't work since 1.10.
```
2018-07-06 22:45:12 -07:00
Kubernetes Submit Queue 3e5b902cd9
Merge pull request #65252 from jingax10/script_cleanup_branch
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Remove echo cmd when overwriting a file from an Env var.

**What this PR does / why we need it**:

Clean up the shell script.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
"NONE"
```
2018-07-06 21:26:02 -07:00
Yu-Ju Hong e5bd6b1e8e Add a README in test/e2e/node with a warning 2018-07-06 16:48:35 -07:00
Benjamin Elder 2583c12268 delete copied comment 2018-07-06 16:26:56 -07:00
Benjamin Elder 0b43710604 switch to glob 2018-07-06 16:25:28 -07:00
Benjamin Elder ca79547e92 fix visibility of testdata for //test/cmd:legacy-script 2018-07-06 16:08:20 -07:00
Lantao Liu 3193a4a469 Fix RunAsGroup. 2018-07-06 15:42:26 -07:00
Kubernetes Submit Queue 5114d4e0b0
Merge pull request #65815 from wojtek-t/kube_proxy_less_allocations
Automatic merge from submit-queue (batch tested with PRs 65897, 65909, 65856, 65815). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Reduce number of memory allocations when parsing iptables
2018-07-06 12:25:13 -07:00
Kubernetes Submit Queue d1608c2ea1
Merge pull request #65856 from deads2k/controller-01-ignored
Automatic merge from submit-queue (batch tested with PRs 65897, 65909, 65856, 65815). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

only need to ignore resources that match discovery conditions

GC and quota controllers ignore resources that are too expensive to manage.  In kube this is only events.  The incompatible resources should now be excluded on the basis of discovery.  We should actually reflect that in the RESTStorage (done for GC for events) and discovery too.

@liggitt 
@kubernetes/sig-api-machinery-bugs 

```release-note
NONE
```
2018-07-06 12:25:09 -07:00
Kubernetes Submit Queue 5b9cc7fb79
Merge pull request #65909 from liggitt/rbac-escalation-msg
Automatic merge from submit-queue (batch tested with PRs 65897, 65909, 65856, 65815). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

make RBAC escalation error message more useful

Fixes #65804

Tested by granting a namespaced admin role to a user, then attempting to grant a broader role as that user:

```
kubectl create rolebinding user1-admin --clusterrole=admin --user=user1
kubectl create rolebinding user2-volume --as=user1 --clusterrole=system:volume-scheduler --user=user2
```

before:
> Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "user2-volume" is forbidden: attempt to grant extra privileges: [{[get] [] [persistentvolumes] [] []} {[list] [] [persistentvolumes] [] []} {[patch] [] [persistentvolumes] [] []} {[update] [] [persistentvolumes] [] []} {[watch] [] [persistentvolumes] [] []} {[get] [storage.k8s.io] [storageclasses] [] []} {[list] [storage.k8s.io] [storageclasses] [] []} {[watch] [storage.k8s.io] [storageclasses] [] []}] user=&{user1  [system:authenticated] map[]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]} {[create delete deletecollection get list patch update watch] [] [pods pods/attach pods/exec pods/portforward pods/proxy] [] []} {[create delete deletecollection get list patch update watch] [] [configmaps endpoints persistentvolumeclaims replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy] [] []} {[get list watch] [] [bindings events limitranges namespaces/status pods/log pods/status replicationcontrollers/status resourcequotas resourcequotas/status] [] []} {[get list watch] [] [namespaces] [] []} {[impersonate] [] [serviceaccounts] [] []} {[create delete deletecollection get list patch update watch] [apps] [daemonsets deployments deployments/rollback deployments/scale replicasets replicasets/scale statefulsets statefulsets/scale] [] []} {[create delete deletecollection get list patch update watch] [autoscaling] [horizontalpodautoscalers] [] []} {[create delete deletecollection get list patch update watch] [batch] [cronjobs jobs] [] []} {[create delete deletecollection get list patch update watch] [extensions] [daemonsets deployments deployments/rollback deployments/scale ingresses networkpolicies replicasets replicasets/scale 
replicationcontrollers/scale] [] []} {[create delete deletecollection get list patch update watch] [policy] [poddisruptionbudgets] [] []} {[create delete deletecollection get list patch update watch] [networking.k8s.io] [networkpolicies] [] []} {[create] [authorization.k8s.io] [localsubjectaccessreviews] [] []} {[create delete deletecollection get list patch update watch] [rbac.authorization.k8s.io] [rolebindings roles] [] []}] ruleResolutionErrors=[]

after:
> Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "user2-volume" is forbidden: user "user1" (groups=["system:authenticated"]) is attempting to grant RBAC permissions not currently held:
> {APIGroups:[""], Resources:["persistentvolumes"], Verbs:["get" "list" "patch" "update" "watch"]}
> {APIGroups:["storage.k8s.io"], Resources:["storageclasses"], Verbs:["get" "list" "watch"]}
2018-07-06 12:25:05 -07:00