Automatic merge from submit-queue (batch tested with PRs 45200, 45203)
Allow certificate manager to be initialized with no certs.
Adds support to the certificate manager so it can be initialized with no
certs and only a connection to the certificate request signing API. This
specifically covers the scenario for the kubelet server certificate,
where there is a request signing client but on first boot there is no
bootstrapping or local certs.
Automatic merge from submit-queue (batch tested with PRs 45508, 44258, 44126, 45441, 45320)
Print a newline after ginkgo tests so the test infra doesn't think th…
Fixes#45279
Print a newline after ginkgo tests so the test infra doesn't think that they fail
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45508, 44258, 44126, 45441, 45320)
Use existing global var criSupportedLogDrivers
**What this PR does / why we need it**:
Use existing global var `criSupportedLogDrivers` defined in docker_service.go. If CRI supports other log drivers in the future, we will only need to modify that global var.
cc @Random-Liu
Automatic merge from submit-queue (batch tested with PRs 45508, 44258, 44126, 45441, 45320)
cloud initialize node in external cloud controller
@thockin This PR adds support in the `cloud-controller-manager` to initialize nodes (instead of kubelet, which did it previously)
This also adds support in the kubelet to skip node cloud initialization when `--cloud-provider=external`
Specifically,
Kubelet
1. The kubelet has a new flag called `--provider-id` which uniquely identifies a node in an external DB
2. The kubelet sets a node taint - called "ExternalCloudProvider=true:NoSchedule" if cloudprovider == "external"
Cloud-Controller-Manager
1. The cloud-controller-manager listens on "AddNode" events, and then processes nodes that starts with that above taint. It performs the cloud node initialization steps that were previously being done by the kubelet.
2. On addition of node, it figures out the zone, region, instance-type, removes the above taint and updates the node.
3. Then periodically queries the cloudprovider for node addresses (which was previously done by the kubelet) and updates the node if there are new addresses
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41903, 45311, 45474, 45472, 45501)
Adds a helper to convert componentconfig into a configmap
**What this PR does / why we need it**:
Adds a utility function that will be used by self-hosted components such as `kubeadm` but is also a step towards https://github.com/kubernetes/kubernetes/issues/44857
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews @bsalamat
Automatic merge from submit-queue (batch tested with PRs 41903, 45311, 45474, 45472, 45501)
Display <none> when port is empty.
**What this PR does / why we need it**:
If container ports are not specified, `kubectl describe` displays `<none>` instead of empty.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41903, 45311, 45474, 45472, 45501)
Fetch VM UUID from - /sys/class/dmi/id/product_serial
**What this PR does / why we need it**:
Current code fetch VM uuid using uuid reported at `'/sys/devices/virtual/dmi/id/product_uuid'.` This doesn't work with all the distros like Ubuntu 16.04 and Fedora.
updating code to fetch VM uuid from `/sys/class/dmi/id/product_serial`
**Which issue this PR fixes**
fixes #
**Special notes for your reviewer**:
Verified UUID is matching with VM UUID on ubuntu 16.04, Cent OS 7.3 , and Photon OS
@BaluDontu @tusharnt
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44727, 45409, 44968, 45122, 45493)
Separate healthz server from metrics server in kube-proxy
From #14661, proposal is on kubernetes/community#552.
Couple bullet points as in commit:
- /healthz will be served on 0.0.0.0:10256 by default.
- /metrics and /proxyMode will be served on port 10249 as before.
- Healthz handler will verify timestamp in iptables mode.
/assign @nicksardo @bowei @thockin
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
adds log when gpuManager.start() failed
If gpuManager.start() returns error, there is no log.
We confused with scheduler do not schedule any pod(with gpu) to one node.
kubectl describe node xxx shows there is no gpu on that node, because the gpu driver do not work on that node, gpuManager.start() failed, but we can not see anything in log.
Automatic merge from submit-queue
Remove unnecessary constants and add type to secret
**What this PR does / why we need it**:
Adds the type field to the secret for the `persistent-volume-provisioning` example of Quobyte. Also remove unnecessary constants in Quobyte Code base.
FYI
@rootfs @saad-ali @quolix
Automatic merge from submit-queue
refactor names for the apiserver handling chain
The names and structure around the handling chain got a bit confused. This simplifies it back out into a single struct with three parts: overall handler, gorestful handler, pathrecording mux and makes the delegate wiring simpler
Automatic merge from submit-queue
Clean up petset
**What this PR does / why we need it**:
Rename legacy petset to statefulset.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
util/iptables: grab iptables locks if iptables-restore doesn't support --wait
When iptables-restore doesn't support --wait (which < 1.6.2 don't), it may
conflict with other iptables users on the system, like docker, because it
doesn't acquire the iptables lock before changing iptables rules. This causes
sporadic docker failures when starting containers.
To ensure those don't happen, essentially duplicate the iptables locking
logic inside util/iptables when we know iptables-restore doesn't support
the --wait option.
Unfortunately iptables uses two different locking mechanisms, one until
1.4.x (abstract socket based) and another from 1.6.x (/run/xtables.lock
flock() based). We have to grab both locks, because we don't know what
version of iptables-restore exists since iptables-restore doesn't have
a --version option before 1.6.2. Plus, distros (like RHEL) backport the
/run/xtables.lock patch to 1.4.x versions.
Related: https://github.com/kubernetes/kubernetes/pull/43575
See also: https://github.com/openshift/origin/pull/13845
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1417234
@kubernetes/rh-networking @kubernetes/sig-network-misc @eparis @knobunc @danwinship @thockin @freehan
Automatic merge from submit-queue
fix the typos of e.g.
fix the typos of e.g.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 43006, 45305, 45390, 45412, 45392)
[GCE] Collect latency metric on get/list calls
**What this PR does / why we need it**:
Collects latency & count measurements on GET and LIST operations to GCE cloud.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 43006, 45305, 45390, 45412, 45392)
Update go-restful dependency
This is required by #44787. But because both this and the changes in 44787 need constant rebase, I am trying to get this one in separately to make less rebases.
The change is only a dependency update.
Automatic merge from submit-queue
Fix crash on Pods().Get() failure
**What this PR does / why we need it**:
Fixes a potential crash in syncPod when Pods().Get() returns an error other than NotFound. This is unlikely to occur with the standard client, but easily shows up with a stub kube client that returns Unimplemented to everything. Updates the unit test as well.
**Release note**:
`NONE`
- /healthz will be served on 0.0.0.0:10256 by default.
- /metrics and /proxyMode will be served on port 10249
as before.
- Healthz handler will verify timestamp in iptables mode.
Automatic merge from submit-queue (batch tested with PRs 44590, 44969, 45325, 45208, 44714)
Use dedicated UnixUserID and UnixGroupID types
**What this PR does / why we need it**:
DRYs up type definitions by using the dedicated types in apimachinery
**Which issue this PR fixes**
#38120
**Release note**:
```release-note
UIDs and GIDs now use apimachinery types
```
Automatic merge from submit-queue (batch tested with PRs 44590, 44969, 45325, 45208, 44714)
Fix onlylocal endpoint's healthcheck nodeport logic
I was in the middle of rebasing #41162, surprisingly found the healthcheck nodeport logic in kube-proxy is still buggy. Separate this fix out as it isn't GA related.
/assign @freehan @thockin
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44590, 44969, 45325, 45208, 44714)
Refactor volume operation log and error messages
What this PR does / why we need it:
Adds wrappers for volume-specific error and log messages. Each message has a simple version that can be displayed to the user and a detailed version that can be used in logs. The messages that are used for events was also cleaned up. @msau42
Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes#40905
Special notes for your reviewer:
pkg/kubelet/volumemanager/reconciler/reconciler.go can be refactored. I can do that refactoring after this one.
Release note:
NONE
Automatic merge from submit-queue
Kubectl taint node based on label selector
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #44522
**Release note**:
```
Taints the node based on label selector
```
Automatic merge from submit-queue (batch tested with PRs 45322, 44770, 45411)
Fix and make TaintManager harder to break before we move it out of NC
Fix#45342
cc @gyliu513
Automatic merge from submit-queue
add set rolebinding/clusterrolebinding command
add command to set user/group/serviceaccount in rolebinding/clusterrolebinding /cc @liggitt @deads2k
Automatic merge from submit-queue
OWNERS: add directxman12 to pkg/apis/autoscaling
Added directxman12 (current SIG lead of SIG-autoscaling) as a reviewer for pkg/apis/autoscaling.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 43732, 45413)
Extend timeouts in timed_workers_test
Fix#45375
If it won't be enough I'll rewrite it to allow injectable timers.
Automatic merge from submit-queue (batch tested with PRs 43732, 45413)
Handle maxUnavailable larger than spec.replicas
**What this PR does / why we need it**:
Handle maxUnavailable larger than spec.replicas
**Which issue this PR fixes**
fixes#42479
**Special notes for your reviewer**:
None
**Release note**:
```
NONE
```
Automatic merge from submit-queue
Edge based userspace proxy
Second last PR from my changes to kube-proxy to make it event-based.
This is switching userspace proxy to be even-based similarly to what we already did with iptables.
Automatic merge from submit-queue (batch tested with PRs 45362, 45159, 45321, 45238)
Remove redundent GetObjectKind() defined on types
Embedding TypeMeta is enough.
Automatic merge from submit-queue
remove useless code in kubelet
**What this PR does / why we need it**:
This code has logical error as the etc-hosts file will be recreated even it already exists. In addition, if do not recreate etc-hosts file when it exists, the pod ip in it will be out of date when pod ips change. So remove this code as it is not needed.
**Which issue this PR fixes**:
**Special notes for your reviewer**:
xrefer: #44481, #44473
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
use our own serve mux that directs how we want
alternative to https://github.com/kubernetes/kubernetes/pull/44405
I really wanted to avoid writing my own, but the gorilla mux works via redirect, which would be a change. This does exact pattern matches only unless someone explicitly requests a prefix match.
@liggitt happier?
Automatic merge from submit-queue (batch tested with PRs 45316, 45341)
Pass NoOpLegacyHost to dockershim in --experimental-dockershim mode
This allows dockershim to use network plugins, if needed.
/cc @Random-Liu
Automatic merge from submit-queue
use of --local should completely eliminate communication with API server
This PR is a bug fix for #45223
It allows --local flag to completely avoid communication with api server.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes#45223
This is a simple change, to set the value of boolean flag "local" on o.Local variable
Automatic merge from submit-queue
Use Docker API Version instead of docker version
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#42492
**Special notes for your reviewer**:
**Release note**:
`Update cadvisor to latest head to use docker APIversion exposed by cadvisor`
Automatic merge from submit-queue (batch tested with PRs 45056, 44904, 45312)
CRI: clarify the behavior of PodSandboxStatus and ContainerStatus
**What this PR does / why we need it**:
Currently, we define that ImageStatus should return `nil, nil` when requested image doesn't exist, and kubelet is relying on this behavior now.
However, we haven't clearly defined the behavior of PodSandboxStatus and ContainerStatus. Currently, they return error when requested sandbox/container doesn't exist, and kubelet is also relying on this behavior.
**Which issue this PR fixes**
Fixes#44885.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
bump(golang.org/x/oauth2): a6bd8cefa1811bd24b86f8902872e4e8225f74c4
As I tackle https://github.com/kubernetes/kubernetes/issues/42654 kubectl's OpenID Connect plugin will start using golang.org/x/oauth2 for refreshing, instead of go-oidc's own hand rolled oauth2 implementation. In preparation, update golang.org/x/oauth2 to include 7374b3f1ec which fixes refreshing with Okta.
We also somehow removed the dependency on `google.golang.org/appengine`. Maybe 8cf58155e4?
cc @kubernetes/sig-auth-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 45314, 45250, 41733)
CRI: add ImageFsInfo API
**What this PR does / why we need it**:
kubelet currently relies on cadvisor to get the ImageFS info for supported runtimes, i.e., docker and rkt. This PR adds ImageFsInfo API to CRI so kubelet could get the ImageFS correctly for all runtimes.
**Which issue this PR fixes**
First step for #33048 ~~also reverts temporary ImageStats in #33870~~.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
The test was originally in docker_manager_test.go (now removed). I
copied and adapated the logic for the new test.
Also move the original test fixtures needed for the test.
Automatic merge from submit-queue (batch tested with PRs 45283, 45289, 45248, 44295)
Azure disk: dealing with missing disk probe
**What this PR does / why we need it**:
While Azure disks are expected to attach to SCSI host 3 and above on general purpose instances, on certain Azure instances disks are under SCSI host 2.
This fix searches all LUNs but excludes those used by Azure sys disks, based on udev rules [here](https://raw.githubusercontent.com/Azure/WALinuxAgent/master/config/66-azure-storage.rules)
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Remove imports of k8s.io/client-go/pkg/api
k8s.io/client-go/pkg/api will be eliminated by #44784, so we need to remove all imports of it.
This PR is large, but mostly simple changes, like:
* using constants defined in the v1 package instead of those in the internal package
* using k8s.io/client-go/kubernetes/scheme.Codecs/Schemes instead of those in k8s.io/client-go/pkg/api
* using `v1.SchemeGroupVersion` instead of `api.Registry.GroupOrDie(api.GroupName).GroupVersion` in tests
* importing `k8s.io/kubernetes/pkg/api` instead of `k8s.io/client-go/pkg/api` if possible
With this PR https://github.com/kubernetes/kubernetes/pull/45159, the only remaining imports of `k8s.io/client-go/pkg/api` are from k8s.io/metrics.
``` bash
$ git grep "\"k8s.io/client-go/pkg/api\"" | grep -v "staging/src/k8s.io/client-go/pkg/api"
staging/src/k8s.io/metrics/pkg/apis/custom_metrics/install/install.go:25: "k8s.io/client-go/pkg/api"
Binary file staging/src/k8s.io/metrics/pkg/apis/custom_metrics/types.generated.go matches
staging/src/k8s.io/metrics/pkg/apis/custom_metrics/types.go:22: "k8s.io/client-go/pkg/api"
staging/src/k8s.io/metrics/pkg/apis/metrics/install/install.go:26: "k8s.io/client-go/pkg/api"
staging/src/k8s.io/metrics/pkg/apis/metrics/types.go:21: "k8s.io/client-go/pkg/api"
Binary file staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/zz_generated.conversion.go matches
Binary file staging/src/k8s.io/metrics/pkg/apis/metrics/zz_generated.deepcopy.go matches
staging/src/k8s.io/metrics/pkg/client/clientset_generated/clientset/fake/clientset_generated.go:24: "k8s.io/client-go/pkg/api"
staging/src/k8s.io/metrics/pkg/client/custom_metrics/client.go:26: "k8s.io/client-go/pkg/api"
staging/src/k8s.io/metrics/pkg/client/custom_metrics/fake/fake_client.go:24: "k8s.io/client-go/pkg/api"
```
Automatic merge from submit-queue
Fix flake in sandbox garbage collection
**What this PR does / why we need it**:
Sorry for introducing a flakiness in #43053: the creation time is not set in `makeGCSandbox`, which caused the garbage collection removes sandboxes randomly if there are more than one dead sandboxes belonging to same pod.
This PR fixes the flakiness in sandbox garbage collection.
**Which issue this PR fixes**
Fixes#45281#45274.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
cc/ @Random-Liu @shashidharatd @kubernetes/sig-node-bugs
Automatic merge from submit-queue
allow kubectl proxy to handle specified reject methods and default to…
What this PR does / why we need it:
"kubect proxy" command had a bug and was not supporting feature to reject http methods
--reject-methods='POST,PUT,PATCH'
this was due to missing filter for RejectMethods in kubectl/cmd/proxy.go
This PR adds the desired flag, however to retain the current behaviour of "kubectl proxy" the Default Rejected methods are changed from 'POST,PUT,PATCH' to '^$' i.e. none.
Issue not created and no existing issue found
Automatic merge from submit-queue (batch tested with PRs 45272, 45115)
apimachinery: make explicit that meta.KindToResource is only a guess
All non-test code using `KindToResource` is suspicious and should be fixed with a real RESTMapper.
Automatic merge from submit-queue (batch tested with PRs 45005, 43053)
kubelet: fix sandbox garbage collection
**What this PR does / why we need it**:
Currently, kuberuntime garbage collection can't distinguish just-created sandboxes from failed sandboxes. Especially when the time from sandbox creation to ready is longer than GC's minAge. In such cases, those sandboxes may be garbage collected early before they are ready.
This PR removes `sandboxMinGCAge` and only garbage collect sandboxes when
* they are containing no containers at all
* and not the latest sandbox if it is belonging to an existing pod.
**Which issue this PR fixes**
Fixes#42856.
**Release note**:
```release-note
NONE
```
cc @yujuhong @Random-Liu
Automatic merge from submit-queue (batch tested with PRs 45013, 45166)
CRI: remove PodSandboxStatus.Linux.Namespaces.Network
**What this PR does / why we need it**:
PodSandboxStatus.Linux.Namespaces.Network is not used, so this PR removes it from CRI.
**Which issue this PR fixes**
Closes: #44972
**Special notes for your reviewer**:
**Release note**:
```release-note
Remove PodSandboxStatus.Linux.Namespaces.Network from CRI.
```
/assign @Random-Liu @yujuhong
Automatic merge from submit-queue (batch tested with PRs 40544, 44338, 45225)
Use ObjectGetter Interface instead of clientset.Interface for leaderelection pkg
**What this PR does / why we need it**:
We plan to reuse leaderelection pkg to add leader election function to federation controller manager, but the current implementation uses kubernetes clientset.Interface and federation clientset does not satisfy all the interface methods. It would be better if the leaderelection package use rest.Interface which is also supported by federation clientset.
This pr is to refactor leaderelection pkg to use rest.Interface instead of clientset.Interface
**Special notes for your reviewer**:
This is a sub-task of bigger work to add leader election to federation controller manager as documented in #44283
**Release note**:
```
NONE
```
Automatic merge from submit-queue
Fixes broken link in PodSpec
The PodSpec reference to NodeSelector misses
the `.md` extension in the file.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 45227, 43003, 45231)
separate discovery from the apiserver
This decouples the API discovery handlers from the core API server code. It separates the code into a new package and clarifies interfaces with existing TPR code.
@kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 45077, 45180, 34727, 45079, 45177)
Refactor kube-proxy configuration
This is a proof of concept refactoring of the configuration and startup of kube-proxy. Most flags have been removed and replaced by a single config file, specified by `--config`. This is in regards to the component configuration improvement suggestions listed in #32215.
Also during this effort, I discovered that Hyperkube is roughly reimplementing portions of cobra, and that the current cobra command definitions are solely used to generated docs and man pages. I would like to move the individual commands as well as Hyperkube to using cobra, but that is a separate issue and discussion.
cc @mikedanese @liggitt @deads2k @eparis @sttts @smarterclayton @dgoodwin @timothysc
Automatic merge from submit-queue (batch tested with PRs 45077, 45180, 34727, 45079, 45177)
Move k8s.io/metrics to staging/
This is to break the cyclic dependency in our code base: kubernetes depends on k8s.io/metrics, which depends on kubernetes/staging/client-go.
@DirectXMan12 i actually moved it to staging because we will need the flexibility to update metrics code directly to do many planned refactors, so the copy of metrics in kubernetes has to be the source of truth.
client-gen is not enabled for the code yet, we can enable it after you port your changes to client-gen.
`make generated_files` is enabled for metrics.
Adds support to the certificate manager so it can be initialized with no
certs and only a connection to the certificate request signing API. This
specifically covers the scenario for the kubelet server certificate,
where there is a request signing client but on first boot there is no
bootstrapping or local certs.
Previously we exported many constants and functions in dockertools to
share with the dockershim package. This change moves such
constants/functions to dockershim and unexport them.
This change involves only mechnical changes and should not have any
functional impact.
Automatic merge from submit-queue
Restructure unit tests for more cert/keys.
Just changing the unit tests so there is multiple cert/key pairs to be used.
No functional change, no new tests. Follow on PRs will make more use
of the multiple cert/key pairs.
This commit deletes code in dockertools that is only used by
DockerManager. A follow-up change will rename and clean up the rest of
the files in this package.
The commit also sets EnableCRI to true if the container runtime is not
rkt. A follow-up change will remove the flag/field and all references to
it.
Automatic merge from submit-queue
Fix nil pointer issue when making mounts for container
When rebooting one of the nodes in my colleague's cluster, two panics were discovered:
```
E1216 04:07:00.193058 2394 runtime.go:52] Recovered from panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/util/runtime/runtime.go:58
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/util/runtime/runtime.go:51
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/util/runtime/runtime.go:41
/usr/local/go/src/runtime/asm_amd64.s:472
/usr/local/go/src/runtime/panic.go:443
/usr/local/go/src/runtime/panic.go:62
/usr/local/go/src/runtime/sigpanic_unix.go:24
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/kubelet.go:1313
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/kubelet.go:1473
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/dockertools/docker_manager.go:1495
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/dockertools/docker_manager.go:2125
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/dockertools/docker_manager.go:2093
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/kubelet.go:1971
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/kubelet.go:530
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/pod_workers.go:171
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/pod_workers.go:154
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/pod_workers.go:215
/usr/local/go/src/runtime/asm_amd64.s:1998
E1216 04:07:00.275030 2394 runtime.go:52] Recovered from panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/util/runtime/runtime.go:58
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/util/runtime/runtime.go:51
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/util/runtime/runtime.go:41
/usr/local/go/src/runtime/asm_amd64.s:472
/usr/local/go/src/runtime/panic.go:443
/usr/local/go/src/runtime/panic.go:62
/usr/local/go/src/runtime/sigpanic_unix.go:24
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/server/stats/volume_stat_caculator.go:98
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/kubelet/server/stats/volume_stat_caculator.go:63
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/util/wait/wait.go:86
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/pkg/util/wait/wait.go:87
/usr/local/go/src/runtime/asm_amd64.s:1998
```
kubectl version
```
Client Version: version.Info{Major:"1", Minor:"3", GitVersion:"v1.3.8", GitCommit:"693ef591120267007be359f97191a6253e0e4fb5", GitTreeState:"clean", BuildDate:"2016-09-28T03:03:21Z", GoVersion:"go1.6.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"3", GitVersion:"v1.3.8", GitCommit:"693ef591120267007be359f97191a6253e0e4fb5", GitTreeState:"clean", BuildDate:"2016-09-28T02:52:25Z", GoVersion:"go1.6.2", Compiler:"gc", Platform:"linux/amd64"}
```
The second panic had already been fixed by #33616 and #34251. Not sure what caused the first nil pointer issue and whether it has been fixed yet in the master branch. Just fix it by ignoring the nil pointer when making mounts.
cc @jingxu97 @yujuhong
Automatic merge from submit-queue (batch tested with PRs 45110, 45148)
write HostAliases to hosts file
**What this PR does / why we need it**: using the PodSpec's `HostAliases`, we write entries into the Kubernetes-managed hosts file.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#43632
**Special notes for your reviewer**:
Previous PRs in this series:
- https://github.com/kubernetes/kubernetes/pull/44572 isolates the logic of creating the file and writing the file
- https://github.com/kubernetes/kubernetes/pull/44641 introduces the `HostAliases` field in PodSpec along with validations
**Release note**:
```release-note
PodSpec's `HostAliases` now write entries into the Kubernetes-managed hosts file.
```
@thockin @yujuhong
Thanks for reviewing!
Automatic merge from submit-queue (batch tested with PRs 45110, 45148)
Make timeouts in the Kubelet slightly offset to aid debugging
Several of these loops overlap, and when they are the reason a failure
is happening it is difficult to sort them out. Slighly misalign these
loops to make their impact obvious.
We are seeing exactly 2 minute pod worker timeouts in a wide range of test flake scenarios, and I want to be confident we know exactly which one is the culprit.
Automatic merge from submit-queue
Add HostAliases to PodSpec to support adding entires to a Pod's hosts file
**What this PR does / why we need it**:
Adds a new field to PodSpec `HostAliases ` to support adding entries to a Pod's hosts file. A PR to incorporate this logic into [`ensureHostsFile`](2899f47bc8/pkg/kubelet/kubelet_pods.go (L208-L227)) in kubelet will be next in order to isolate the discussion on the API.
**Which issue this PR fixes**:
A step into fixing #43632
**Special notes for your reviewer**:
- The API was suggested in https://github.com/kubernetes/kubernetes/issues/43632#issuecomment-293471293
- Concerns with compatible with `hostNetwork: true` Pods are addressed with an validation. https://github.com/kubernetes/kubernetes/issues/43632#issuecomment-293750410
**Release note**:
```release-note
A new field `hostAliases` has been added to `pod.spec` to support adding entries to a Pod's /etc/hosts file.
```
**Testing done**:
- Unit tests pass for validations
- Ran all automated updates, and compared against another PR which added a field in PodSpec to make sure the PR contains all the updated generated code
Automatic merge from submit-queue
stateful_pod_control.go: format the code
**What this PR does / why we need it**:
1.Improve the quality of the code.
2.Reduce reduandant parameters
3.add one comma
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Delete "hard-coded" default value in flags usage.
**What this PR does / why we need it**:
Some flags of kubernetes components have "hard-coded" default values in their usage info. In fact, [pflag pkg](https://github.com/kubernetes/kubernetes/blob/master/vendor/github.com/spf13/pflag/flag.go#L602-L608) has already added a string `(default value)` automatically in the usage info if the flag is initialized. Then we don't need to hard-code the default value in usage info. After this PR, if we want to update the default value of a flag, we only need to update the flag where it is initialized. `pflag` will update the usage info for us. This will avoid inconsistency.
For example:
Before
```
kubelet -h
...
--node-status-update-frequency duration Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Default: 10s (default 10s)
...
```
After
```
kubelet -h
...
--node-status-update-frequency duration Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. (default 10s)
...
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
This PR doesn't delete some "hard-coded" default values because they are not explicitly initialized. We still need to hard-code them to give users friendly info.
```
--allow-privileged If true, allow containers to request privileged mode. [default=false]
```
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 41583, 45117, 45123)
Implement shared PID namespace in the dockershim
**What this PR does / why we need it**: Defaults the Docker CRI to using a shared PID namespace for pods. Implements proposal in https://github.com/kubernetes/community/pull/207 tracked by #1615.
//cc @dchen1107 @vishh @timstclair
**Special notes for your reviewer**: none
**Release note**:
```release-note
Some container runtimes share a process (PID) namespace for all containers in a pod. This will become the default for Docker in a future release of Kubernetes. You can preview this functionality if running with the CRI and Docker 1.13.1 by enabling the --experimental-docker-enable-shared-pid kubelet flag.
```
Automatic merge from submit-queue (batch tested with PRs 44044, 44766, 44930, 45109, 43301)
add APIService conditions
Adds conditions to the APIServiceStatus struct and fixes up generators that appear to have slipped.
The first condition is "ServiceAvailable" which will provide the status currently derived in the discovery handler that decides about whether to expose the version in discovery.
@kubernetes/sig-api-machinery-pr-reviews @liggitt @ncdc
Automatic merge from submit-queue (batch tested with PRs 44044, 44766, 44930, 45109, 43301)
Fixes get -oname for unstructured objects
Fixes https://github.com/kubernetes/kubernetes/issues/44832
Make sure we display kind in `kubectl get -o name` for unknown resource types.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Log warning when invalid dir passed to kubectl proxy --www
**Release note**:
```
Log warning when invalid directory is passed to `kubectl proxy --www`
```
Automatic merge from submit-queue (batch tested with PRs 45033, 44961, 45021, 45097, 44938)
Cleanup orphan logging that goes on in the sync loop.
**What this PR does / why we need it**:
Fixes#44937
**Before this PR** The older logs were like this:
```
E0426 00:06:33.763347 21247 kubelet_volumes.go:114] Orphaned pod "35c4a858-2a12-11e7-910c-42010af00003" found, but volume paths are still present on disk.
E0426 00:06:33.763400 21247 kubelet_volumes.go:114] Orphaned pod "e7676365-1580-11e7-8c27-42010af00003" found, but volume paths are still present on disk.
```
The problem being that, all the volumes were spammed w/ no summary info.
**After this PR** the logs look like this:
```
E0426 01:32:27.295568 22261 kubelet_volumes.go:129] Orphaned pod "408b060e-2a1d-11e7-90e8-42010af00003" found, but volume paths are still present on disk. : There were a total of 2 errors similar to this. Turn up verbosity to see them.
E0426 01:32:29.295515 22261 kubelet_volumes.go:129] Orphaned pod "408b060e-2a1d-11e7-90e8-42010af00003" found, but volume paths are still present on disk. : There were a total of 2 errors similar to this. Turn up verbosity to see them.
E0426 01:32:31.293180 22261 kubelet_volumes.go:129] Orphaned pod "408b060e-2a1d-11e7-90e8-42010af00003" found, but volume paths are still present on disk. : There were a total of 2 errors similar to this. Turn up verbosity to see them.
```
And with logging turned up, the extra info logs are shown with details:
```
E0426 01:34:21.933983 26010 kubelet_volumes.go:129] Orphaned pod "1c565800-2a20-11e7-bbc2-42010af00003" found, but volume paths are still present on disk. : There were a total of 3 errors similar to this. Turn up verbosity to see them.
I0426 01:34:21.934010 26010 kubelet_volumes.go:131] Orphan pod: Orphaned pod "1c565800-2a20-11e7-bbc2-42010af00003" found, but volume paths are still present on disk.
I0426 01:34:21.934015 26010 kubelet_volumes.go:131] Orphan pod: Orphaned pod "408b060e-2a1d-11e7-90e8-42010af00003" found, but volume paths are still present on disk.
I0426 01:34:21.934019 26010 kubelet_volumes.go:131] Orphan pod: Orphaned pod "e7676365-1580-11e7-8c27-42010af00003" found, but volume paths are still present on disk.
```
**Release note**
```release-note
Roll up volume error messages in the kubelet sync loop.
```
Automatic merge from submit-queue
kubectl binary plugins
**What this PR does / why we need it**:
Introduces the ability to extend `kubectl` by adding third-party plugins that will be exposed through `kubectl`.
Plugins are executable commands written in any language. To be included as a plugin, a binary or script file has to
1. be located under one of the supported plugin path locations:
1.1 `~/.kubectl/plugins` dir
1.2. one or more directory set in the `KUBECTL_PLUGINS_PATH` env var
1.3. the `kubectl/plugins` dir under one or more directory set in the `XDG_DATA_DIRS` env var, which defaults to `/usr/local/share:/usr/share`
2. in any of the plugin path above, have a subfolder with the plugin file(s)
3. in the subfolder, contain at least a `plugin.yaml` file that describes the plugin
Example:
```
$ cat ~/.kube/plugins/myplugin/plugin.yaml
name: "myplugin"
shortDesc: "My plugin's short description"
command: "echo Hello plugins!"
$ kubectl myplugin
Hello plugins!
```
~~In case the plugin declares `tunnel: true`, the plugin engine will pass the `KUBECTL_PLUGIN_API_HOST` env var when calling the plugin binary. Plugins can then access the Kube REST API in "http://$KUBECTL_PLUGIN_API_HOST/api" using the same context currently in use by `kubectl`.~~
Test plugins are provided in `pkg/kubectl/plugins/examples`. Just copy (or symlink) the files to `~/.kube/plugins` to test.
**Which issue this PR fixes**:
Related to the discussions in the proposal document: https://github.com/kubernetes/kubernetes/pull/30086 and https://github.com/kubernetes/community/pull/122.
**Release note**:
```release-note
Introduces the ability to extend kubectl by adding third-party plugins. Developer preview, please refer to the documentation for instructions about how to use it.
```
Automatic merge from submit-queue
rename variables to make sure that they conform to golang variable name conventions
rename variables to make sure that they conform to golang variable name conventions
**What this PR does / why we need it**:
there are lots of package level unexported variables in package `cmd` not conforming golang variable name conventions, such as `version_example`, in this PR i rename all of them to make sure that they conform to golang variable name conventions
Several of these loops overlap, and when they are the reason a failure
is happening it is difficult to sort them out. Slighly misalign these
loops to make their impact obvious.
Automatic merge from submit-queue
Start recording cloud provider metrics for AWS
**What this PR does / why we need it**:
This PR implements support for emitting metrics from AWS about storage operations.
**Which issue this PR fixes**
Fixes https://github.com/kubernetes/features/issues/182
**Release note**:
```
Add support for emitting metrics from AWS cloudprovider about storage operations.
```
Automatic merge from submit-queue
Log node name when error attaching volume
Helps with debugging to know immediately which node the volume failed to atach to. Went through all plugins, added this to 3. @gnufied
```release-note
NONE
```
Automatic merge from submit-queue
don't HandleError on container start failure
Failing to start containers is a common error case if there is something wrong with the container image or environment like missing mounts/configs/permissions/etc. Not only is it common; it is reoccurring as backoff happens and new attempts to start the container are made. `HandleError` it too verbose for this very common situation.
Replace `HandleError` with `glog.V(3).Infof`
xref https://github.com/openshift/origin/issues/13889
@smarterclayton @derekwaynecarr @eparis
Automatic merge from submit-queue
Prepare for move zz_generated_deepcopy.go to k8s.io/api
This is in preparation to move deep copies to with the types to the types repo (see https://github.com/kubernetes/gengo/pull/47#issuecomment-296855818). The init() function is referring the `SchemeBuilder` defined in the register.go in the same packge, so we need to revert the dependency.
This PR depends on https://github.com/kubernetes/gengo/pull/49, otherwise verification will fail.
Automatic merge from submit-queue (batch tested with PRs 45052, 44983, 41254)
Non-controversial part of #44523
For easier review of #44523, i extracted the non-controversial part out to this PR.
Automatic merge from submit-queue (batch tested with PRs 44124, 44510)
Add metrics to all major gce operations (latency, errors)
```release-note
Add metrics to all major gce operations {latency, errors}
The new metrics are:
cloudprovider_gce_api_request_duration_seconds{request, region, zone}
cloudprovider_gce_api_request_errors{request, region, zone}
`request` is the specific function that is used.
`region` is the target region (Will be "<n/a>" if not applicable)
`zone` is the target zone (Will be "<n/a>" if not applicable)
Note: this fixes some issues with the previous implementation of
metrics for disks:
- Time duration tracked was of the initial API call, not the entire
operation.
- Metrics label tuple would have resulted in many independent
histograms stored, one for each disk. (Did not aggregate well).
```
Automatic merge from submit-queue (batch tested with PRs 44124, 44510)
Optimize the time taken to create Persistent volumes with VSAN storage capabilities at scale and handle VPXD crashes
Currently creating persistent volumes with VSAN storage capabilities at scale is taking very large amount of time. We have tested at the scale of 500-600 PVC's and its more time for all the PVC requests to go from Pending state to Bound state.
- In our current design we use a single systemVM - "kubernetes-helper-vm" as a means to create a persistent volume with the VSAN policy configured.
- Since all the operations are on a single system VM, all requests on scale get queued and executed serially on this system VM. Because of this creating a high number of PVC's is taking very large time.
- Since its a single system VM, all parallel PVC requests most of the time tend to take the same SCSI adapter on the system VM and also same unit number on the SCSI adapter. Therefore the error rate is high.
Inorder to overcome these issues and to optimize the time taken to create persistent volumes with VSAN storage capabilities at scale we have slightly modified the design which is described below:
- In this model, we create a VM on the fly for every persistent volume that is being created. Since all the reconfigure operations to create a disk with the VSAN policy configured are on their individual VM's, all of these PVC's request execute in parallel independent one other.
- With this new design, there will no error rate at all.
Also, we have overcome the problem of vpxd crashes and any other intermediate problems by checking type of the errors.
Fixes https://github.com/vmware/kubernetes/issues/122, https://github.com/vmware/kubernetes/issues/124
@kerneltime @tusharnt @divyenpatel @pdhamdhere
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 42740, 44980, 45039, 41627, 45044)
Improved code coverage for /pkg/kubelet/types
**What this PR does / why we need it**:
The test coverage for /pkg/kubelet/types was increased from 50% to 87.5%
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
The new metrics is:
cloudprovider_gce_api_request_duration_seconds{request, region, zone}
cloudprovider_gce_api_request_errors{request, region, zone}
`request` is the specific function that is used.
`region` is the target region (Will be "<n/a>" if not applicable)
`zone` is the target zone (Will be "<n/a>" if not applicable)
Note: this fixes some issues with the previous implementation of
metrics for disks:
- Time duration tracked was of the initial API call, not the entire
operation.
- Metrics label tuple would have resulted in many independent
histograms stored, one for each disk. (Did not aggregate well).
Automatic merge from submit-queue (batch tested with PRs 41106, 44346, 44929, 44979, 45027)
Add PATCH to supported list of proxy subresource verbs
Follow up to #41421 for the proxy subresources
```release-note
The proxy subresource APIs for nodes, services, and pods now support the HTTP PATCH method.
```
Automatic merge from submit-queue
Don't check in zz_generated.openapi.go.
`zz_generated.openapi.go` is the file that causes the most merge conflicts of all. In #33440, @thockin updated the makefile to support generating these files on demand, but that didn't play well with bazel/gazel.
In this PR, I add a new build macro that will generate this file with a `go_genrule`. I added support for keeping the BUILD file up to date in mikedanese/gazel#34.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Update token controller test to test async retry
Fixes#44819https://github.com/kubernetes/kubernetes/pull/44625 changed the token controller to queue a retry if the live service account's resourceVersion did not match our cache.
This updates the unit test that was testing that condition to test async queue behavior (which this condition now drives)
Automatic merge from submit-queue (batch tested with PRs 44970, 43618)
CRI: Fix StopContainer timeout
Fixes https://github.com/kubernetes/kubernetes/issues/44956.
I verified this PR with the example provided in https://github.com/kubernetes/kubernetes/issues/44956, and now pod deletion will respect grace period timeout:
```
NAME READY STATUS RESTARTS AGE
gracefully-terminating-pod 1/1 Terminating 0 6m
```
@dchen1107 @yujuhong @feiskyer /cc @kubernetes/sig-node-bugs
Automatic merge from submit-queue
Allow Partial Success for ImageGC
Fixes#44951. When the eviction manager is under disk pressure, it first attempts to reclaim disk space by deleting images. However, if there are any errors during the image deletion process, the eviction manager treats that as a failed attempt delete images--even if some were successfully deleted.
This change essentially makes the eviction manager ignore errors during image garbage collection, and instead rely solely on the quantity of resources reclaimed. If image deletion completely fails, for example, then this should still work as it would return 0 bytes freed. This allows for partial success, because any resources freed are counted, regardless of if some images fail to be deleted, for example.
This does not require any changes to the image manager, as the current behavior is already to return the disk space freed along with any errors.
```release-note
Fixes a bug where pods were evicted even after images are successfully deleted.
```
cc @dchen1107 @vishh @kubernetes/kubernetes-release-managers
note to reviewers: this is mostly whitespace changes, so it will make more sense in reviewable
Automatic merge from submit-queue (batch tested with PRs 44940, 44974, 44935)
Remove import of internal api package in generated external-versioned listers
Follow up of https://github.com/kubernetes/kubernetes/pull/44523
One line change in cmd/libs/go2idl/lister-gen/generators/lister.go, and simple changes in pkg/apis/autoscaling/v2alpha1/register.go, other changes are generated.
The internal api package will be eliminated from client-go, so these imports should be removed. Also, it's more correct to report the versioned resource in the error.
Automatic merge from submit-queue
OpenAPI support for kubectl
Support for openapi spec in kubectl.
Includes:
- downloading and caching openapi spec to a local file
- parsing openapi spec into binary serializable datastructures (10x faster load times 600ms -> 40ms)
- caching parsed openapi spec in memory for each command
```release-note
NONE
```
Automatic merge from submit-queue
Add redirect support to SpdyRoundTripper
Add support for following redirects to the SpdyRoundTripper. This is
necessary for clients using it directly (e.g. the apiserver talking
directly to the kubelet) because the CRI streaming server issues a
redirect for streaming requests.
We need this in OpenShift because we have code that executes inside our apiserver that talks directly to the node to perform an attach request, and we need to be able to follow that redirect.
This code was adapted from the upgrade-aware proxy handler.
cc @smarterclayton @sttts @liggitt @timstclair @kubernetes/sig-api-machinery-pr-reviews
Add support for following redirects to the SpdyRoundTripper. This is
necessary for clients using it directly (e.g. the apiserver talking
directly to the kubelet) because the CRI streaming server issues a
redirect for streaming requests.
Also extract common logic for following redirects.
Automatic merge from submit-queue (batch tested with PRs 44931, 44808)
Update to use Semantic.DeepEqual in regsitry
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes https://github.com/kubernetes/kubernetes/issues/43402
**Release note**:
```
NONE
```
/assign @janetkuo
Automatic merge from submit-queue (batch tested with PRs 41287, 41636, 44881, 44826)
Bump to go1.8 and remove the edge GOROOT
**What this PR does / why we need it**:
Bumps to go1.8; we get:
- performance improvements
- build time improvements
- the possibility to remove the hacky edge-GOROOT for arm and ppc64le that must use go1.8
- all other awesome features that are included in go1.8: https://golang.org/doc/go1.8
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes https://github.com/kubernetes/kubernetes/issues/38228
**Special notes for your reviewer**:
@ixdy Please push the image ASAP so we can see if this passes all tests
**Release note**:
```release-note
Upgrade go version to v1.8
```
cc @ixdy @bradfitz @jessfraz @wojtek-t @timothysc @spxtr @thockin @smarterclayton @bprashanth @gmarek
Automatic merge from submit-queue (batch tested with PRs 44607, 44472, 44482)
Used Pods interface for binding.
Used Pods interface for binding in scheduler.
Automatic merge from submit-queue (batch tested with PRs 44607, 44472, 44482)
update kubectl apply doc for required resource name
**What this PR does / why we need it**:
Update kubectl apply doc to illustrate that the resource name is required.
**Which issue this PR fixes** : fixes#44501
**Special notes for your reviewer**:
@liggitt @adohe @jayunit100
**Release note**:
```release-note
```
Automatic merge from submit-queue
bump bazel build to go1.8.1 and remove invalid unit tests
part of https://github.com/kubernetes/kubernetes/issues/38228
I firmly believe that unit tests that check error strings are incorrect unit tests. If we care about what type of error is returned, we need to use public error types. Anywhere we are using generic errors, we don't care other then that we saw an error.
Automatic merge from submit-queue (batch tested with PRs 44601, 44842, 44893, 44491, 44588)
Define const annotation variable once
We do not need to define the const annotation var twice in pkg/volume and pkg/volume/validation
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44601, 44842, 44893, 44491, 44588)
secret.go: add initial symbol and format err
secret.go: add initial symbol and format err
line 198: add initialization symbol
other lines: format err.
When iptables-restore doesn't support --wait (which < 1.6.2 don't), it may
conflict with other iptables users on the system, like docker, because it
doesn't acquire the iptables lock before changing iptables rules. This causes
sporadic docker failures when starting containers.
To ensure those don't happen, essentially duplicate the iptables locking
logic inside util/iptables when we know iptables-restore doesn't support
the --wait option.
Unfortunately iptables uses two different locking mechanisms, one until
1.4.x (abstract socket based) and another from 1.6.x (/run/xtables.lock
flock() based). We have to grab both locks, because we don't know what
version of iptables-restore exists since iptables-restore doesn't have
a --version option before 1.6.2. Plus, distros (like RHEL) backport the
/run/xtables.lock patch to 1.4.x versions.
Related: https://github.com/kubernetes/kubernetes/pull/43575
See also: https://github.com/openshift/origin/pull/13845
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1417234
Cole Mickens
