A cert from GCE shows:
- IP Address:23.236.49.122
- IP Address:10.0.0.1
- DNS:kubernetes
- DNS:kubernetes.default
- DNS:kubernetes.default.svc
- DNS:kubernetes.default.svc.cluster.local
- DNS:e2e-test-zml-master
A similarly configured self-signed cert shows:
- IP Address:23.236.49.122
- IP Address:10.0.0.1
- DNS:kubernetes
- DNS:kubernetes.default
- DNS:kubernetes.default.svc
So we are missing the fqdn kubernetes.default.svc.cluster.local. The
apiserver does not even know the fqdn! It's defined entirely by the
kubelet! We also do not have the cluster name certificate. This may be
the --cluster-name= argument to the apiserver but will take a bit more
research.
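An added example (not code from the Kubernetes project or from this commit) that checks an apiserver certificate against the names in-cluster clients actually use. It assumes the cluster domain is cluster.local, as in the GCE cert above, and builds a constructed self-signed certificate carrying the same SANs the self-signed cert above had, so the missing FQDN shows up in the result.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Names in-cluster clients use for the apiserver; "cluster.local" is assumed.
var WantDNS = []string{"kubernetes", "kubernetes.default",
	"kubernetes.default.svc", "kubernetes.default.svc.cluster.local"}

// MissingSANs lists the expected names and IPs the cert does not cover, using
// the same hostname matching a TLS client applies (VerifyHostname).
func MissingSANs(cert *x509.Certificate, dns []string, ips []net.IP) []string {
	var missing []string
	for _, name := range dns {
		if cert.VerifyHostname(name) != nil {
			missing = append(missing, "DNS:"+name)
		}
	}
	for _, ip := range ips {
		if cert.VerifyHostname(ip.String()) != nil {
			missing = append(missing, "IP Address:"+ip.String())
		}
	}
	return missing
}

// SelfSignedCert builds a throwaway cert carrying the given SANs (constructed data).
func SelfSignedCert(dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dns, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running MissingSANs over a cert built from WantDNS[:3] and 10.0.0.1 reports only DNS:kubernetes.default.svc.cluster.local, which is the gap the message above describes.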
A lot of the changes in apiserver could have been represented more
cleanly - this returns the signatures to their older behavior (and
unbreaks OpenShift).
pkg/service:
There were a couple of references here just as a reminder to change the
behavior of findPort. As of v1beta3, TargetPort was always defaulted, so
we could remove findDefaultPort and related tests.
pkg/apiserver:
The tests were using versioned API codecs for some of their encoding
tests. Necessary API types had to be written and registered with the
fake versioned codecs.
pkg/kubectl:
Some tests were converted to current versions where it made sense.
These are "Bootstrap Controllers" as distinct from
the controllers in the controller-manager binary - they
are necessary for the cluster to start running.
* Add an allocator which saves state in etcd
* Perform PortalIP allocation check on startup and periodically afterwards
Also expose methods in master for downstream components to handle IP allocation
/ master registration themselves.
Makes it possible to access the following subresources:
/namespaces/<ns>/pods/<pod-name>[:port]/proxy
/namespaces/<ns>/pods/<pod-name>/exec?container=<container>&command=<cmd>
/namespaces/<ns>/pods/<pod-name>/portforward
Adds a Log subresource to Pod storage. The Log subresource implements
rest.GetterWithOptions and produces a ResourceStreamer resource that
will stream the log output from the pod's host node.
Convert the return value of pods rest.NewStorage to a struct.
This will allow returning more storage objects for a pod (sub resources)
without awkwardly adding more return values.
Dependency chain is now api -> api/rest -> apiserver. Makes the
interfaces much cleaner to read, and cleans up some inconsistencies
that crept in along the way.
In order to support graceful deletion, the resource object will
need access to the TTL value in etcd. Also, in the future we
may want to get the creation index (distinct from modifiedindex)
and expose it to clients. Change EtcdResourceVersioner to be
more type specific (objects vs lists) and provide a default
implementation that relies on the internal API convention.
Also, rename etcd_tools.go to etcd_helper.go and split a few
things up.
Allows POST to create a binding as a child. Also refactors internal
and v1beta3 Binding to be more generic (so that other resources can
support Bindings).
PUT /api/v1beta3/namespaces/default/pods/foo/status
{
"metadata": {...}, // allowed for valid values
"spec": {}, // ignored
"status": {...}, // allowed, except for Host
}
Exposes the simplest possible change. Needs a slight refactoring
to RESTUpdateStrategy to split merging which can be done in a
follow up.
They will still show up in etcd. They never were available
through the API.
Subsequent PR(s) will rip out all BoundPods code.
Working in small increments.
This PR will cause users on lagging cloud providers
to not get env vars in their pods if they update to this code.
They have already been warned via email.
Removed unit tests of BasicBoundPodFactory.
There is adequate coverage in pkg/kubelet/kubelet_test.go.
* Rename a field to make it more obvious.
* Fix some comments and other minor artifacts.
Verified by hitting the service on 443, and by hitting the master on 8080,
6443, and 7080.
Allow the master to have pod/node cache timeouts controlled via a config
flag for integration tests.
Move integration test to '127.0.0.1' so that it correctly returns a health
check, and enable health check testing on the integration test.
Make pod status update every 5 seconds instead of every 30 to mask the issue #3952. I suspect (but haven't confirmed) that #3927 doesn't completely address the issue since it will still happily cache a Pending status for up to 30 seconds even though the pod may have transitioned to Running already.
The list of valid paths is computed from http.ServeMux and
restful.WebService.
Adding a mux helper - wrapper over mux, that keeps track of the paths
handled by mux.
Reduces some chatter in test suites where we are confident this code
already works. Also removed any logging which is obvious from swagger.
Finally, rolls up InstallREST related errors all the way back to master,
which will glog.Fatalf (coding errors).
- Separating out index, version and api handlers into independent web
services. Moved the index handler to /welcome, version handler to
/version and the api handler to /api.
This exposes the proper v1beta3 API endpoint when the user specifies
the --runtime_config=api/v1beta3 argument to the apiserver. v1beta3
is still considered experimental and subject to change.
--runtime_config is a map of string keys and values, that can be
specified by providing
--runtime_config=a=b,b=c,d,e
Only the key must be specified, the value can be omitted.
Enables v1beta3 in hack/local-up-cluster.sh and hack/test-cmd.sh
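An added example (not the project's own flag code) of parsing a --runtime_config value of the form described above, a=b,b=c,d,e, and deciding whether an experimental API version such as api/v1beta3 is switched on. The rejection of empty and duplicate keys, and treating an explicit "false" as off, are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseRuntimeConfig turns "a=b,b=c,d,e" into {"a":"b","b":"c","d":"","e":""}.
// Entries are comma-separated; an entry without "=value" keeps an empty value.
// Empty and duplicate keys are rejected so a typo cannot silently enable more
// API surface than intended (this strictness is an assumption of the example).
func ParseRuntimeConfig(flag string) (map[string]string, error) {
	cfg := map[string]string{}
	if strings.TrimSpace(flag) == "" {
		return cfg, nil
	}
	for _, entry := range strings.Split(flag, ",") {
		parts := strings.SplitN(strings.TrimSpace(entry), "=", 2)
		key := parts[0]
		if key == "" {
			return nil, fmt.Errorf("runtime_config: empty key in entry %q", entry)
		}
		if _, dup := cfg[key]; dup {
			return nil, fmt.Errorf("runtime_config: duplicate key %q", key)
		}
		value := ""
		if len(parts) == 2 {
			value = parts[1]
		}
		cfg[key] = value
	}
	return cfg, nil
}

// APIEnabled reports whether an experimental version like "api/v1beta3" is on:
// the key must be present and not explicitly set to "false".
func APIEnabled(cfg map[string]string, key string) bool {
	v, ok := cfg[key]
	return ok && v != "false"
}
```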
OpenShift would like to also enable swagger, but we need to register our
services as swagger services prior to the SwaggerAPI being started. I've
added a bool (default false) to master.Config to enable swagger, and split
the method in master out so that a downstream consumer can call it.
Replaces the client public interface but leaves old references to "minions"
for a later refactor. Selects the path "nodes" for v1beta3 and "minions"
for older versions.
Without this, tests which create a master
will panic with a nil pointer when the periodic
podCache update runs.
Deleted unused FakePodInfoGetter.
Added FakeKubeletClient.
Passed to master.New.
Required a KubeletClient in master.New.
Added basic interface for authorizer implementations.
Added default "authorize everything" and "authorize nothing"
implementations.
Added authorization check immediately after authentication check.
Added an integration test of authorization at the HTTP level of
abstraction.
Callsites no longer allocate a mux.
Master now exposes method to install handlers
which use the master's auth code. Not used
but forks (openshift) are expected to use these
methods. These methods will later be a point
for additional plug-in functionality.
Integration tests now use the master-provided
handler which has auth, rather than using the mux,
which didn't. Fix TestWhoAmI now that /_whoami
sits behind auth.
Added new endpoint /_whoami for debugging authentication.
Added integration test which checks that a user is authenticated
using token authentication.
Rearranged initialization of authenticator to support preceding.
Create a new MetadataAccessor interface that combines both
and use it where previously latest.ResourceVersioner and SelfLinker
were being used.
Adds Namespace to the get/set interface. Adds TODO about future
fast path for metadata (as per thockin's comment)
Moved code from cmd/apiserver to pkg/master.
test/integration/client_test made to use a master object,
instead of an apiserver.Handle.
Subsequent PRs will move more handler-installation into
pkg/master, with the goal that every http.Handler of a
standalone apiserver process can also be tested
in a "testing"-style go test.
In particular, a subsequent PR will test
authorization.
Allows us to define different watch versioning regimes in the future
as well as to encode information with the resource version.
This changes /watch/resources?resourceVersion=3 to start the watch at
4 instead of 3, which means clients can read a resource version and
then send it back to the server. Clients should no longer do math on
resource versions.
* Defaults to v1beta1
* apiserver takes -storage_version which controls etcd storage version
and the version of the client used to connect to other apiservers
* Changed signature of client.New to add version parameter
* All controller code and component code prefers the oldest (most common)
server version
* Make Codec separate from Scheme
* Move EncodeOrDie off Scheme to take a Codec
* Make Copy work without a Codec
* Create a "latest" package that imports all versions and
sets global defaults for "most recent encoding"
* v1beta1 is the current "latest", v1beta2 exists
* Kill DefaultCodec, replace it with "latest.Codec"
* This updates the client and etcd to store the latest known version
* EmbeddedObject is per schema and per package now
* Move runtime.DefaultScheme to api.Scheme
* Split out WatchEvent since it's not an API object today, treat it
like a special object in api
* Kill DefaultResourceVersioner, instead place it on "latest" (as the
package that understands all packages)
* Move objDiff to runtime.ObjectDiff
This is some cleanup that has been needed for a while.
There's still one more step that could usefully be done, which is to
split up our api package into the part that provides the helper
functions and the part that provides the internal types. That can come
later.
The v1beta1 package is now a good example of what an api plugin should
do to version its types.
Prepare for running multiple API versions on the same HTTP server
by decoupling some of the mechanics of apiserver. Define a new
APIGroup object which represents a version of the API.
Currently all registry implementations live in a single package,
which makes it a bit harder to maintain. The different registry
implementations do not follow the same coding style and naming
conventions, which makes the code harder to read.
Breakup the registry package into smaller packages based on
the registry implementation. Refactor the registry packages
to follow a similar coding style and naming convention.
This patch does not introduce any changes in behavior.
This commit adds a Binding object. The idea is that schedulers can write
these to cause pods to be assigned to hosts. I'll provide an implementation
along with a rudimentary scheduler plugin.
This continues k8s' tradition of phrasing all APIs as RESTful handlers.
The apiserver on initialization must be provided with a codec
for encoding and decoding all handled objects including api.Status
and api.ServerOp. In addition, the RESTStorage Extract() method
has been changed to New(), which returns a pointer object that the
codec must decode into (the internal object). Switched registry
methods to use pointers for Create/Update instead of values.
Setting up a new master.Master instance requires passing
around too many arguments.
Add a master.Config type and group related master configs.
Refactor all commands to instantiate new masters using a
master.Config struct.