Automatic merge from submit-queue
Apiserver don't log stacktrace when proxying
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->
**What this PR does / why we need it**:
When we are proxying unexpected status from a service or a pod, we print the stack traces (which is not the wanted behaviour). This is an attempt at fixing the issue #32747,
With the `RequestInfoResolver` struct, it's possible to inspect the request and get the `Verb`. In this case, the `proxy` value is what I was looking for to avoid logging stack traces.
I'm wrapping the `.Log()` call with an `if` statement to remove all stack traces logging when the call is a proxy from a service or a pod
Another approach would have been to add another kind of `StacktracePred` in the `httplog` package. I found this path to be trickier to code as it's currently only accepting int values.
**Which issue this PR fixes** : fixes#32747
**Special notes for your reviewer**: N/A
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
```
Automatic merge from submit-queue
Send recycle events from pod to pv.
This allows users to diagnose what's wrong with recycler. Recycler pods are started automatically with a cryptic name and they are deleted immediately when they finish.
e.g, `kubectl describe pv` could show that NFS cannot be mounted (and how many pods have tried it):
```
FirstSeen LastSeen Count From SubobjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
59m 59m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(5421800e-347b-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
53m 53m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(3c9809e5-347c-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
46m 46m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(250dd2a2-347d-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
40m 40m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(0d84ea33-347e-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
33m 33m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(f5fb63bf-347e-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
27m 27m 1 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Unable to mount volumes for pod "recycler-for-nfs_default(de7128fd-347f-11e6-a79b-3c970e965218)": timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
1h 3m 75 {persistentvolume-controller } Normal RecyclerPod Recycler pod: Successfully assigned recycler-for-nfs to 127.0.0.1
1h 3m 76 {persistentvolume-controller } Normal RecyclerPod Recycler pod: Pod was active on the node longer than specified deadline
1h 1m 12 {persistentvolume-controller } Warning RecyclerPod Recycler pod: Error syncing pod, skipping: timeout expired waiting for volumes to attach/mount for pod "recycler-for-nfs"/"default". list of unattached/unmounted volumes=[vol]
20m 1m 4 {persistentvolume-controller } Warning RecyclerPod (events with common reason combined)
```
These steps were necessary:
- added event watcher to volume.RecycleVolumeByWatchingPodUntilCompletion
- pass all these events through volume plugins to volume controller
- rework volume.RecycleVolumeByWatchingPodUntilCompletion unit tests to a table (too much copy-paste)
- fix all unit tests along the way
The GC needs to build clients based only on Resource or Kind. Hoist the
restmapper out of the controller and the clientpool, support a new
ClientForGroupVersionKind and ClientForGroupVersionResource, and use the
appropriate one in both places.
Automatic merge from submit-queue
Add port forwarding for rkt with kvm stage1
Port forwarding for rkt kvm using `socat`.
cc @yifan-gu @euank @pskrzyns @lukasredynk
Attempt at closing #32747,
With the `RequestInfoResolver` struct, it's possible to inspect the
request and get the `Verb`. In this case, the `proxy` value is what I
was looking for to avoid logging stacktraces.
I'm wrapping the `.Log()` call with an `if` statement to remove all
stacktrace logging when we proxied through the apiserver
Another approach would have been to add another kind of
`StacktracePred` in the `httplog` package. I found this path to be
trickier to code as it's currently only accepting int values.
Automatic merge from submit-queue
Fix FakeNodeHandler Update behaviour
Two problems:
1. Get is always using Existing nodes slice, and you will for sure miss any updated data
2. Each Update adds a duplicate node entry to UpdatedNodes slice
For the 1st, we will try to find a node in UpdatedNodes slice (same as for the List).
2nd - append only if there is no node with same name as updated, if there is we will replace object in UpdatedNodes slice.
Automatic merge from submit-queue
Correct versioned.Event output in Swagger
Fixes#24240
```release-note
The value of the `versioned.Event` object (returned by watch APIs) in the Swagger 1.2 schemas has been updated from `*versioned.Event` which was not expected by many client tools. The new value is consistent with other structs returned by the API.
```
Automatic merge from submit-queue
Move image pull throttling logic to pkg/kubelet/images
This is part of #31458
This allows runtimes in different packages (dockertools, rkt, kuberuntime) to
share the same logic. Before this change, only dockertools support this
feature. Now all three packages support image pull throttling.
/cc @kubernetes/sig-node
Automatic merge from submit-queue
Remove closing audit log file and add error check when writing to audit
This picks the order fix from #33164. Additionally I've removed entirely closing the log file, since it didn't make sense where it was. I've also added error checks when actually writing to audit logs.
@sttts ptal
**1.4 justification:**
Risk: the code only runs if auditing is enabled with an apiserver flag. So the risk is low.
Rollback: nothing should depend on this
Cost: the auditing feature is broken because the impersonation filter is applied before and you might not see the proper user when using `--as` flag. Additionally no errors are logged if writing to audit fails.
Automatic merge from submit-queue
Refactor cert utils into one pkg, add funcs from bootkube for kubeadm to use
**What this PR does / why we need it**:
We have ended-up with rather incomplete and fragmented collection of utils for handling certificates. It may be worse to consider using `cfssl` for doing all of these things, but for now there is some functionality that we need in `kubeadm` that we can borrow from bootkube. It makes sense to move the utils from bookube into core, as discussed in #31221.
**Special notes for your reviewer**: I've taken the opportunity to review names of existing funcs and tried to make some improvements in that area (with help from @peterbourgon).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
move registry packages for all API groups
This continues the pattern of `registry/<group>/resource` for our backing storage. This entire pull is nothing but moves. I'll reswizzle the actual storage next, but these are cargo-culted everywhere, so I want to lay this down early.
@sttts @ncdc
Automatic merge from submit-queue
Allow secure access to apiserver from Admission Controllers
* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, Set the TLSClientConfig to the cert and key files
if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
to talk to the api server
* Add a new authenticator that checks for this specific bearer token
Fixes#13598
Automatic merge from submit-queue
don't mutate original master->kubelet TLS config
fixes https://github.com/kubernetes/kubernetes/issues/33140
```release-note
Resolves x509 verification issue with masters dialing nodes when started with --kubelet-certificate-authority
```
This allows runtimes in different packages (dockertools, rkt, kuberuntime) to
share the same logic. Before this change, only dockertools support this
feature. Now all three packages support image pull throttling.
Resources are currently filtered (in order to prevent printing) at print
time in their HumanReadablePrinter handlers. This design makes it not
possible to filter objects when they are printed using any other
printer, such as YAML, JSON, or the NamePrinter.
This patch removes any filters previously added at the printer level for
pods and adds a way to define resource-specific filters before they are
sent to a printer handler. A woking filter handler for pods has also
been
implemented.
Filters affect resources being printed through the HumanReadablePrinter,
YAML, JSON, and `--template` printers.
Automatic merge from submit-queue
Behave gracefully in kubectl if /version returns 404
Fixes https://github.com/kubernetes/kubernetes/issues/32679.
It's only about caching the swagger spec here. So it's safe to fall back to non-caching mode and continue.
Automatic merge from submit-queue
simplify RC and SVC listers
Make the RC and SVC listers use the common list functions that more closely match client APIs, are consistent with other listers, and avoid unnecessary copies.
Automatic merge from submit-queue
controller: enhance timeout error message for Recreate deployments
Makes the error message from https://github.com/kubernetes/kubernetes/issues/29197 more obvious
@kubernetes/deployment
This commit moves away from using a global variable for default
configuration checking, and instead exposes a method on LoadingRules to
determine whether a particular restclient.Config should be considered
"default". This allows kubectl to provide its own defaults (the same
as before, KUBERNETES_MASTER and the static localhost:8080 values) while
allowing other clients to avoid defining them.
In-cluster config defaulting is now easier to read.
Automatic merge from submit-queue
Move generated openAPI specs out of genericapiserver and make it configurable
A follow up to #31468
Generated OpenAPI Spec does not belong to genericapiserver package. A new package "generated" created in hope of all generated codes goes into it in future. Openapi folder of that package contains generated definitions and generic API server will accept the definition map as a configuration parameter.
Reference: #13414
Automatic merge from submit-queue
stop etcd watcher when watch chan is closed
When startWatching() stops due to the watch chan is closed, the watcher could still keeps running in the background. When this case happen, we should stop the watcher entirely and close ResultChan() too.
Prior to this, we would approve eviction as long as the current state of
the pods matched the budget. The new version requires that after the
eviction, the pods would still match the budget.
Also update tests to match.
Automatic merge from submit-queue
Fix backward compatibility issue caused by promoting initcontainers f…
#31026 moves init-container feature from alpha to beta, but only took care the backward compatibility for pod specification, not deal with status. For status, it simply moved from `pods.beta.kubernetes.io/init-container-statuses` to
`pods.beta.kubernetes.io/init-container-statuses` instead of introducing one more pods.beta.kubernetes.io/init-container-statuses. This breaks when the cluster is running with 1.4, but the user is still running with kubectl 1.3.x.
Fixed#32711
Automatic merge from submit-queue
Move HighWaterMark to the top of the struct in order to fix arm
I haven't tested this yet, but let's see how e2e tests react.
It should be no difference at all except for that it will fix arm.
etcd has had to do this some times (and I think there are some fixes like this that are needed for etcd as well)
For reference see: https://golang.org/pkg/sync/atomic/
This should be a cherrypick-candidate for v1.4.1 (as I understand it, v1.4.0 has clearly left the cherrypickable state)
@lavalamp @pwittrock @xiang90 @smarterclayton
Automatic merge from submit-queue
fix a spell mistake
**What this PR does / why we need it**:
this should be "every" not 'ever'
**Which issue this PR fixes**:
**Special notes for your reviewer**:
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
```
Automatic merge from submit-queue
Add storage api group to hack/update-codegen.sh
Add it to the script then run it in the second commit. 1.4 needs the same change, I'll do it in my other PR.
Automatic merge from submit-queue
separate RESTStorage by API group
This demonstrates how we could start separating the description of `RESTStorage` from `pkg/master`. Each API group owns constructing its own RESTStorage. Since `pkg/registry` is where we place all packages that create RESTStorage, it seems reason to split the package by `pkg/registry/<api group>/storage` to create RESTStorage and `pkg/registry/<api group>/<resource>` to support each individual resource.
The interface to construct this RESTStorage is dependent upon some `genericapiserver` types now, but we could (should?) move those items to a different location.
@kubernetes/sig-api-machinery
@lavalamp can you weigh in on how I've split these packages? I think we agree that we need better segregation, but we haven't spoken about how to spell it.
* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, Set the TLSClientConfig to the cert and key files
if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
to talk to the api server
* Add a new authenticator that checks for this specific bearer token
Fixes#13598
Automatic merge from submit-queue
kubenet: SyncHostports for both running and ready to run pods.
This fixes the race that happens in rktnetes when pod B invokes
'kubenet.SetUpPod()' before another pod A becomes actually running.
The second 'kubenet.SetUpPod()' call will not pick up the pod A
and thus overwrite the host port iptable rules that breaks pod A.
This PR fixes the case by listing all 'active pods' (all non-exited
pods) instead of only running pods.
Fix https://github.com/kubernetes/kubernetes/issues/27975
Originally discussed in https://github.com/kubernetes/kubernetes/pull/27914#issuecomment-228140108
cc @euank @freehan @dcbw
Automatic merge from submit-queue
Extend all to more resources
Added more things from the list here:
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cmd.go#L159
Update the devel/kubectl-conventions.md with the rules mentioned by
a few folks on which resources could be added to the special 'all' alias
Automatic merge from submit-queue
Add godoc on using FakeClient with subresources
Add a little godoc on using FakeClient with subresources, hoping to prevent future occurences of #32127.
Automatic merge from submit-queue
make --include-extended-apis deprecated and remove plumbing
Marks a dead CLI parameter as deprecated and removes the plumbing for it.
Automatic merge from submit-queue
controller: a couple of fixes for csr
Fixes:
* delete resource handler wasn't taking into account tombstones
* csr would requeue twice on update failure
@deads2k @mikedanese ptal
Automatic merge from submit-queue
add GenericAPIServer posthooks for initialization
Adds the concept of a `PostStartHook` to the `GenericAPIServer` to allow post-server start hooks. This gives a standard location to perform post-start bootstrapping tasks. The common case usage we have downstream are security related bootstrapping tasks that are performed on the "empty etcd" initialization cases. The RBAC authorizer is a good example of this in kube. It needs a location to create default policies to start a server which is capable of being accessed.
Kube is also likely to hit this for things like PSP and breaking the monolithic controller user into separate, scoped service accounts.
@kubernetes/sig-api-machinery for the `GenericAPIServer` bits
@kubernetes/sig-auth for the particular clusterrole bootstrapping. I've only done one to start, but I suspect we'll start making more and probably introduce a binding so that the RBAC super-user doesn't remain a special case forever.
Automatic merge from submit-queue
CRI: Add missing sandbox in runningPod.
Add a container that represents pod sandbox when converting the
pod status to runningPod.
Without the change, `kubeGenericRuntimeManager.killPodWithSyncResult()` will not kill any sandboxes.
cc @feiskyer @Random-Liu @yujuhong
The new flag, if specified, and if --container-runtime=docker, switches
kubelet to use the new CRI implementation for testing. This is hidden flag
since the feature is still under heavy development and the flag may be changed
in the near future.
Automatic merge from submit-queue
etcd watcher: centralize error handling
We should centralize error handling in watcher in run(). Otherwise this could silently return.
Also we don't need the grpc code checking anymore. It's fixed.
Automatic merge from submit-queue
fix a spell mistake
**What this PR does / why we need it**:
fixed a spell mistake
**Which issue this PR fixes** :
**Special notes for your reviewer**:
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
```
Automatic merge from submit-queue
Check init containers in PodContainerRunning
Sometimes when an init container runs and terminates quickly, PodContainerRunning can go into a
state where the pod indicates it's still running, but the container is already terminated. Handle
that condition by returning ErrContainerTerminated when it happens.
See also #29952
@smarterclayton @fabianofranz
Automatic merge from submit-queue
Support Quobyte as StorageClass
This PR allows Users to use Quobyte as StorageClass for dynamic volume provisioning and implements the Provisioner/Deleter Interface.
@quolix @kubernetes/sig-storage @rootfs
Automatic merge from submit-queue
Support for storage class for vSphere volume plugin. Custom disk format for dynamic provisioning.
This PR does following,
1. Add support for storage class for vSphere volume plugin.
2. Add option for user to provision disk with different disk formats. Format choices are
"thin" (default), "zeroedthick", "eagerzeroedthick".
Sample storageclass (yaml):
```
kind: StorageClass
apiVersion: storage.k8s.io/v1beta1
metadata:
name: slow
provisioner: kubernetes.io/vsphere-volume
parameters:
diskformat: thin
```
Automatic merge from submit-queue
api: types: document NodeSpec ID fields
Document MachineID as the preferred field from the discussion here:
https://groups.google.com/d/msg/kubernetes-sig-node/_3mXXB1ohZs/EuYtCzHvBgAJ
I couldn't get the generated things to update. I ran:
```
hack/update-generated-runtime.sh
hack/update-codegen.sh
hack/update-generated-swagger-docs.sh
hack/update-generated-protobuf.sh
hack/update-codecgen.sh
```
What did I miss?!
cc @dchen1107 @thockin
Automatic merge from submit-queue
[Controller Manager] Fix endpoint controller hot loop and use utilruntime.HandleError to replace glog.Errorf
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->
**Why**:
Fix endpoint controller hot loop and use `utilruntime.HandleError` to replace `glog.Errorf`
**What**
1. Fix endpoint controller hot loop in `pkg/controller/endpoint`
2. Fix endpoint controller hot loop in `contrib/mesos/pkg/service`
3. Sweep cases of `glog.Errorf` and use `utilruntime.HandleError` instead.
**Which issue this PR fixes**
Fixes#32843
Related issue is #30629
**Special notes for your reviewer**:
@deads2k @derekwaynecarr
The changes on `pkg/controller/endpoints_controller.go` and `contrib/mesos/pkg/service/endpoints_controller.go` are almost the same except `contrib/mesos/pkg/service/endpoints_controller.go` does not pass `podInformer` as the parameter of `NewEndpointController()`.
So, I didn't wait `podStoreSynced` before `syncService()`(Just leave it as it was). Will it lead to a problem?
Automatic merge from submit-queue
[kubelet] Fix oom-score-adj policy in kubelet
Fixes#32238
We have been having this regression since v1.3. It is critical for GKE/GCE deployments of k8s because docker daemon has a high likelihood of being OOM killed which will end up nuking all containers.
The reason for moving from mnt to pid is that docker daemon moves itself into a new mnt namespace with systemd based deployments.
Automatic merge from submit-queue
Improve error message when kubectl rolling-update fail due to version skew
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->
**What this PR does / why we need it**: follow up #32751, we should print the real error message first, the workaround later
**Before:**
```console
$ kubectl rolling-update nginx --image=redis
Created nginx-6ee4372891ec51a97dfbf83ed0846886
Scaling up nginx-6ee4372891ec51a97dfbf83ed0846886 from 0 to 1, scaling down nginx from 1 to 0 (keep 1 pods available, don't exceed 2 pods)
Scaling nginx-6ee4372891ec51a97dfbf83ed0846886 up to 1
Scaling nginx down to 0
Update succeeded. Deleting old controller: nginx
Renaming nginx-6ee4372891ec51a97dfbf83ed0846886 to nginx
Error from server: Note: if you are using "kubectl rolling-update" and your kubectl version is older than v1.4.0, your rolling-update has probably failed, though the pods are correctly updated. Please see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG.md#kubectl-rolling-update for a workaround. : object is being deleted: replicationcontrollers "nginx" already exists
```
**After:** (see the error message)
```console
$ kubectl rolling-update nginx --image=redis
Created nginx-12b5782bcdff627fca46537e9e1045f8
Scaling up nginx-12b5782bcdff627fca46537e9e1045f8 from 0 to 1, scaling down nginx from 1 to 0 (keep 1 pods available, don't exceed 2 pods)
Scaling nginx-12b5782bcdff627fca46537e9e1045f8 up to 1
Scaling nginx down to 0
Update succeeded. Deleting old controller: nginx
Renaming nginx-12b5782bcdff627fca46537e9e1045f8 to nginx
Error from server: object is being deleted: replicationcontrollers "nginx" already exists: if you're using "kubectl rolling-update" with kubectl version older than v1.4.0, your rolling update has failed, though the pods are correctly updated. Please see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG.md#kubectl-rolling-update for a workaround
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
NONE
```
Print the real error message first, the workaround later
@lavalamp @gmarek
Automatic merge from submit-queue
Allow kubectl describe ns to pass if server does not support resource quotas and limit ranges
Fixes https://github.com/kubernetes/kubernetes/issues/32629
Context: federation-apiserver does not support limit ranges and resource quotas. Hence `kubectl describe ns` fails right now.
Fixing it so that `kubectl describe ns` does not error out and atleast prints information about the namespace.
cc @kubernetes/sig-cluster-federation @kubernetes/kubectl
Automatic merge from submit-queue
delete a unused function in the 'pkg/kubectl/cmd/util/helpers.go'
Delete the function `getFlag` in the `pkg/kubectl/cmd/util/helpers.go`, because it is not used anywhere in the project.
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
Automatic merge from submit-queue
make rbac authorizer use rule comparison, not covers
Updates the rbac authorizer to use rule comparisons and not a covers check to perform authorization.
Automatic merge from submit-queue
change factorization of listers to make them easier to add
`Listers` have a tremendous amount of duplicate code. This factors that out.
@smarterclayton ptal.
Automatic merge from submit-queue
Fixes#30562: Refactor kubectl command options to use common struct for common file params
Fixes#30562 : Refactor common go struct options in pkg/kubectl/cmd/*.go.
@pwittrock
This fixes the race that happens in rktnetes when pod B invokes
'kubenet.SetUpPod()' before another pod A becomes actually running.
The second 'kubenet.SetUpPod()' call will not pick up the pod A
and thus overwrite the host port iptable rules that breaks pod A.
This PR fixes the case by listing all 'active pods' (all non-exited
pods) instead of only running pods.
Automatic merge from submit-queue
Disambiguate unsupported metrics from metrics errors
**What this PR does / why we need it**:
Stop logging "metrics are not supported for MetricsNil Volumes" as it spams the log.
**Which issue this PR fixes**
fixes#20676, fixes#27373
**Special notes for your reviewer**:
None
**Release note**:
```release-note
Don't log "metrics are not supported for MetricsNil Volumes"
```
Automatic merge from submit-queue
convert daemonset controller to shared informers
Convert the daemonset controller completely to `SharedInformers` for its list/watch resources.
@kubernetes/rh-cluster-infra @ncdc
Automatic merge from submit-queue
Cleanup non-rest apiserver handlers
- rename MuxHelper -> PathRecorderMux
- move non-rest handlers into routes packages within genericapiserver and `pkg/routes` (those from master)
- move ui and logs handlers out of genericapiserver (they are
not generic)
- make version handler configurable (`config.EnableVersion`)
Automatic merge from submit-queue
Switch ScheduledJob controller to use clientset
**What this PR does / why we need it**:
This is part of #25442. I've applied here the same fix I've applied in the manual client in #29187, see the 1st commit for that (@caesarxuchao we've talked about it in #29856).
@deads2k as promised
@janetkuo ptal
Automatic merge from submit-queue
Add the uid in a delete event to the absentOwnerCache
This is a small optimization to further reduce the traffic sent by the GC.
In #31167, GC caches the non-existent owners when it processes the dirtyQueue. As discovered in #32571, there is still small inefficiency, because there are multiple goroutines processing the dirtyQueue, many of them might send a GET to the apiserver before the cache gets populated.
This PR populates the cache when GC observes an object gets deleted, which happens before the processing of the dirtyQueue, so it avoids the simultaneous GET sent by the GC workers.
cc @lavalamp
Automatic merge from submit-queue
Kubelet: add SyncPod for new runtime API
This PR adds implements of `SyncPod` for new runtime API. Note that init containers is not included, it will in another following PR.
**DO-NOT-MERGE**. Based on #31322 and #31395, only last commit is for review.
CC @yujuhong @Random-Liu and @kubernetes/sig-node @kubernetes/sig-rktnetes
Automatic merge from submit-queue
Specific error message on failed rolling update issued by older kubectl against 1.4 master
Fix#32706
`kubernetes-e2e-gke-1.4-1.3-kubectl-skew` (1.3 kubectl and 1.4 master) test suite failed with:
```
k8s.io] Kubectl client [k8s.io] Kubectl rolling-update should support rolling-update to same image [Conformance]
...
Error from server: object is being deleted: replicationcontrollers "e2e-test-nginx-rc" already exists error: exit status 1 not to have occurred
```
It's because the old RC had an orphanFinalizer, so it is not deleted from the key-value store immediately. In turn, the creation of the new RC of the same name failed.
In this failure, the RC and pods are updated, it's just that the RC is of different name, i.e., original name + a hash generated based on podTemplate. The error is confusing to user, but not that bad. So this PR just prints a warning message to instruct users how to work around.
1.4 kubectl rolling-update uses different logic so it's working.
@lavalamp @gmarek @janetkuo @pwittrock
cc @liggitt for the ctx changes.
Automatic merge from submit-queue
Handle Stream() errors consistently in restclient
We should be following the same rules for Stream() as the normal body
request flow.
Also add slightly more output on a server error - in the future we may
want to clean this up but it's potentially hiding bad responses.
Related to #32009 but isn't the fix (so far)
Automatic merge from submit-queue
Check kubeClient nil in Kubelet and bugfix
1. check kubeClient nil first before using as it maybe nil
2. configMaps and secrets map do not be used properly and should use it as cache
Automatic merge from submit-queue
Change the default volume type of GlusterFS provisioner.
At present provisioner creates 'Distribute' Volume and this patch change the default
volume type 'Distribute Replica:(3)' volume.
Automatic merge from submit-queue
Centralize install code
Trying to figure out a way to do this that makes the changes as painless to roll out as possible. This is going to be a multi-step process...
Automatic merge from submit-queue
use discovery restmapper for kubectl
Updates the `kubectl` factory to use a discovery rest mapper for locating resources. This allows generic gets.
@kargakis @sttts @fabianofranz I'll let you guys fight over it. :)
At present, provisioner creates Distribute Volume and this patch
change the default volume type to Distribute-Replica(3) volume.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Automatic merge from submit-queue
restrict discoverable versions to those that have resources
Prevents versions with no resources from appearing in discovery.
@soltysh ptal. I think you have some issues for this, mind wiring them up?
```
kubectl api-versions
apps/v1alpha1
authentication.k8s.io/v1beta1
authorization.k8s.io/v1beta1
autoscaling/v1
batch/v1
certificates.k8s.io/v1alpha1
extensions/v1beta1
policy/v1alpha1
rbac.authorization.k8s.io/v1alpha1
storage.k8s.io/v1beta1
v1
```
Fixes #29998.
- rename MuxHelper -> PathRecorderMux
- move non-rest handlers into routes packages within genericapiserver and
`pkg/routes` (those from master)
- move ui and logs handlers out of genericapiserver (they are
not generic)
- make version handler configurable (`config.EnableVersion`)
Automatic merge from submit-queue
Kubelet: add garbage collection for new runtime API
This PR adds garbage collection for new runtime API.
Note that this PR also adds `CreatedAt` and `PodSandboxId` to `ListContainers()` result.
CC @yujuhong @Random-Liu @kubernetes/sig-node @kubernetes/sig-rktnetes
Automatic merge from submit-queue
Fix audit_test regex for iso8601 timestamps
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->
**What this PR does / why we need it**: The audit_test unit test fails as some iso8601 timestamps are of the form 2016-09-13T10:32:50.823081217Z and the current regex doesn't allow T's or Z's.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:NONE
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
```
Signed-off-by: Johnny Bieren <jbieren@redhat.com>
Automatic merge from submit-queue
Do not report warning event when an unknown deleter is requested
When Kubernetes does not have a plugin to delete a PV it should wait for
either external deleter or storage admin to delete the volume instead of
throwing an error.
This is the same approach as in #32077
@kubernetes/sig-storage
Automatic merge from submit-queue
Etcd3 v3client + grpc client leak fix
This re-enables the client and plumbs through the destroyFunc to cleanup clients.
Fix for https://github.com/kubernetes/kubernetes/issues/31262
When we are mounting a lot of volumes, we frequently hit rate limits.
Reduce the frequency with which we poll the status; introduces a bit of
latency but probably matches common attach times pretty closely, and
avoids causing rate limit problems everywhere.
Also, we now poll for longer, as when we timeout, the volume is in an
indeterminate state: it may be about to complete. The volume controller
can tolerate a slow attach/detach, but it is harder to tolerate the
indeterminism.
Finally, we ignore a sequence of errors in DescribeVolumes (up to 5 in a
row currently). So we will eventually return an error, but a one
off-failure (e.g. due to rate limits) does not cause us to spuriously
fail.
Automatic merge from submit-queue
Fix clientcmd for a non-host cluster client running in a pod.
This is based on @errordeveloper's PR #32438. It fixes a case where default config is invalid and original config, i.e. `mergedConfig` is empty. It also adds a test for the case where default config is invalid and original config is neither invalid nor empty.
cc @errordeveloper @kubernetes/sig-cluster-federation @pwittrock @colhom
Automatic merge from submit-queue
Docker digest validation is too strict
Docker 1.10 does not guarantee that the pulled digest matches the digest
on disk when dealing with v1 schemas stored in a Docker registry. This
is the case for images like
centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf
which as a result of #30366 cannot be pulled by Kube from a Docker 1.10
system.
This partially reverts commit 875fd16e1e.
Automatic merge from submit-queue
Fix printing container usage in kubectl top
**What this PR does / why we need it**:
Fix a bug in kubectl top, which showed the same value of usage for all containers in a pod.
**Release note**:
```release-note
NONE
```
Previusly github.com/robfig/cron library did not allow passing cron spec without
seconds. Previous commit updates the library, which has additional
method ParseStandard which follows the standard cron spec, iow. minute,
hour, day of month, month, day of week.
Docker 1.10 does not guarantee that the pulled digest matches the digest
on disk when dealing with v1 schemas stored in a Docker registry. This
is the case for images like
centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf
which as a result of #30366 cannot be pulled by Kube from a Docker 1.10
system.
Instead, use RepoDigests field as the primary match, validating the
digest, and then fall back to ID (also validating the match). Adds more
restrictive matching.
Automatic merge from submit-queue
Create a flag for route reconciliation and deprecate unused node-sync-…
cc @pwittrock to decide if it can go in 1.4. It's a zero risk cleanup, that will reduce confusion about cluster configuration.
Automatic merge from submit-queue
Recombine the condition for the "shouldScale" function
The PR recombine the condition for the "shouldScale" function, abstract the common condition(hpa.Status.LastScaleTime == nil).
Two problems:
1. Get is always using Existing nodes slice, and you will for sure miss any
updated data
2. Each Update duplicates node entry in UpdatedNodes slice
For the 1st, try to find a node in UpdatedNodes slice (same as for the List).
2nd - append only if there is no node with same name as updated, if there is
just replace object.
Change-Id: I9ef1cca2788ba946eee37fa1b037c124ad76074c
Automatic merge from submit-queue
add local subject access review API
Adds a local subject access review endpoint to allow a project-admin (someone with full rights within a namespace) the power to inspect whether a person can perform an action in his namespace. This is a separate resource be factoring like this ensures that it is impossible for him to look outside his namespace and makes it possible to create authorization rules that can restrict this power to a project-admin in his own namespace. Other factorings require introspection of objects.
@kubernetes/sig-auth
Automatic merge from submit-queue
make --runtime-config=api/all=true|false work
`Passing --runtime-config=api/all=true|false to apiserver will enable/disable all registered api groups`
Previously, only api/all=false was recognized, and it only disabled groups with resources.
Bump version of golang.org/x/oauth2
Vendor google.golang.org/cloud/
Vendor google.golang.org/api/
Vendor cloud.google.com/go/compute/
Replace google.golang.org/cloud with cloud.google.com/go/
Fixes#30069
Automatic merge from submit-queue
Kubelet: remove name filter from CRI
Since #30753 and #30463, `name` is not used to identify the container/sandbox, so remove it from CRI.
cc @yujuhong @kubernetes/sig-node @kubernetes/sig-rktnetes
Automatic merge from submit-queue
Add flag to set CNI bin dir, and use it on gci nodes
**What this PR does / why we need it**:
When using `kube-up` on GCE, following #31023 which moved the workers from debian to gci, CNI just isn't working. The root cause is basically as discussed in #28563: one flag (`--network-plugin-dir`) means two different things, and the `configure-helper` script uses it for the wrong purpose.
This PR adds a new flag `--cni-bin-dir`, then uses it to configure CNI as desired.
As discussed at #28563, I have also added a flag `--cni-conf-dir` so users can be explicit
**Which issue this PR fixes** : fixes#28563
**Special notes for your reviewer**:
I left the old flag largely alone for backwards-compatibility, with the exception that I stop setting the default when CNI is in use. The value of `"/usr/libexec/kubernetes/kubelet-plugins/net/exec/"` is unlikely to be what is wanted there.
**Release note**:
```release-note
Added new kubelet flags `--cni-bin-dir` and `--cni-conf-dir` to specify where CNI files are located.
Fixed CNI configuration on GCI platform when using CNI.
```
Automatic merge from submit-queue
dockershim: add unit tests for sandbox/container status
Also add a fake clock in the FakeDockerClient to allow testing container
CreatedAt, StartedAt, FinishedAt timestamps.
Currently, only api/all=false does something (disables
all groups that have resources). Make api/all=false disable all groups
(not just those with resources), and make api/all=true enable
all groups
Daniel Smith