Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
verify no extra RS was created when re-creating a deployment
**What this PR does / why we need it**:
This PR verifies no extra RS was created when re-creating a deployment to adopt previously orphaned RS by improving existing `testDeploymentsControllerRef` e2e test. This also verifies that collision avoidance mechanism works as expected.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#59213
**Release note**:
```release-note
NONE
```
/sig apps
Automatic merge from submit-queue (batch tested with PRs 59010, 59212, 59281, 59014, 59297). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Replace nominateNodeName annotation with PodStatus.NominatedNodeName
**What this PR does / why we need it**:
Replaces nominateNodeName annotation with PodStatus.NominatedNodeName in scheudler's logic. We don't expect any logic/behavior changes.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
ref #57471
/sig scheduling
cc: @k82cn @aveshagarwal @resouer
Automatic merge from submit-queue (batch tested with PRs 59010, 59212, 59281, 59014, 59297). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix deployment's collision avoidance mechanism
**What this PR does / why we need it**:
This PR modifies deployment's collision avoidance mechanism to take into account a replicaset's `.Labels` field change. This ensures that the mechanism can be triggered when the user updates only the `.Labels` field of the replicaset without modifying the replicaset's PodTemplateSpec.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
xref #59213
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59010, 59212, 59281, 59014, 59297). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix flaky AdmissionWebhook e2e-crd tests
**What this PR does / why we need it**: Several of the tests("It") in the e2e suite reuse the CRD.
However they each try to setup and tear down the CRD independently.
Since these tests can be running in parallel, causing intermittant
failures.
Changes the test to set up one shared CRD and reuse.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58855
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Patch ingress upgrade test to ignore checking certain GCP resources
**What this PR does / why we need it**:
In certain situations, GCP resources after an upgrade or downgrade will be different because of semantic changes to the glbc. Therefore in the test, we need to account for this difference and make sure the test does not fail because of it.
```release-note
None
```
cc @MrHohn
/assign @bowei
Automatic merge from submit-queue (batch tested with PRs 59276, 51042, 58973, 59377, 59472). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix local PV node affinity tests and only run once
**What this PR does / why we need it**:
* Don't look for specific scheduling error messages for the NodeAffinity tests. Unit/integration will cover that.
* Move PV NodeAffinity tests outside the local volume loop. Mounts are not involved so don't need to be tested per volume type.
* Move mount failure tests outside the local volume loop.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#59369
**Release note**:
```release-note
NONE
```
@kubernetes/sig-storage-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 59276, 51042, 58973, 59377, 59472). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update Container Runtime Interface to use enumerated namespace modes
**What this PR does / why we need it**: This updates the CRI as described in the [Shared PID Namespace](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/pod-pid-namespace.md#container-runtime-interface-changes) proposal. This change to the alpha API is not backwards compatible: implementations of the CRI will need to update to the new API version.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
WIP #1615
**Special notes for your reviewer**:
/assign @yujuhong
**Release note**:
```release-note
[action-required] The Container Runtime Interface (CRI) version has increased from v1alpha1 to v1alpha2. Runtimes implementing the CRI will need to update to the new version, which configures container namespaces using an enumeration rather than booleans.
```
Automatic merge from submit-queue (batch tested with PRs 59276, 51042, 58973, 59377, 59472). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Allow passing request-timeout from NewRequest all the way down
**What this PR does / why we need it**:
Currently if you pass `--request-timeout` it's not passed all the way down to the actual request object. There's a separate field on the `Request` object that allows setting that timeout, but it's not taken from that flag.
@smarterclayton @deads2k ptal, this is coming from https://github.com/openshift/origin/pull/13701
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Do not recycle volumes that are used by pods
**What this PR does / why we need it**:
Recycler should wait until all pods that use a volume are finished.
Consider this scenario:
1. User creates a PVC that's bound to a NFS PV.
2. User creates a pod that uses the PVC
3. User deletes the PVC.
Now the PV gets `Released` (the PVC does not exists) and recycled, however the PV is still mounted to a running pod. PVC protection won't help us, because it puts finalizers on PVC that is under user's control and user can remove it.
This PR checks that there is no pod that uses a PV before it recycles it.
**Release note**:
```release-note
NONE
```
/sig storage
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove a todo which is out of date
**What this PR does / why we need it**:
fix todo: move container.go to e2e/framework
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
This also incorporates the version string into the package name so
that incompatibile versions will fail to connect.
Arbitrary choices:
- The proto3 package name is runtime.v1alpha2. The proto compiler
normally translates this to a go package of "runtime_v1alpha2", but
I renamed it to "v1alpha2" for consistency with existing packages.
- kubelet/apis/cri is used as "internalapi". I left it alone and put the
public "runtimeapi" in kubelet/apis/cri/runtime.
Automatic merge from submit-queue (batch tested with PRs 59394, 58769, 59423, 59363, 59245). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kube-scheduler: Use default predicates/prioritizers if they are unspecified in the policy config
**What this PR does / why we need it**:
The scheduler has built-in default sets of predicate/prioritizer that are applied on pod scheduling. It can also take a policy config file where predicate/prioritizer and extender settings can be specified. The current behavior is that if we want to configure an extender using the policy config, we have to also provide the default predicate/prioritizer settings. Otherwise, the empty predicate/prioritizer sets will be used.
This is inconvenient, and it's hard to keep the policy config up to date with the scheduler's defaults. This PR changes the scheduler to use the default predicate/prioritizer sets if they are unspecified in the policy config. But an empty list would bypass non-mandatory predicates/prioritizers.
This will change the behavior of a policy config that does not specify (but not empty list) predicate/prioritizer, but it's unlike someone is using such config in practice.
**Special notes for your reviewer**:
I think it makes sense to have this in 1.9 as well because
- It's safe, given the scope of this change and the fact that it's very unlikely that someone is using a policy config with empty predicates/prioritizers.
- Compared with the risk, asking users to provide the default predicate/prioritizer sets for is error-prone and may cause other issues.
**Release note**:
```release-note
kube-scheduler: Use default predicates/prioritizers if they are unspecified in the policy config
```
/sig scheduling
/assign @bsalamat
/cc @vishh
Several of the tests("It") in the e2e suite reuse the CRD.
However they each try to setup and tear down the CRD independently.
Since these tests can be running in parallel, causing intermittant
failures.
Added a new framework utility for creating CRDs per test.
Then making the relevant tests use the utility to prevent name
collision/race.
Fixed bazel build.
Factored in fixes for @caesarxuchao
Making suggested change for @janetkuo
Automatic merge from submit-queue (batch tested with PRs 52942, 58415). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Improve messaging on volume expansion
- we now provide clear message to user what to do when cloudprovider resizing is finished
and file system resizing is needed.
- add a event when resizing is successful
- Use PATCH both in controller-manager and kubelet for updating PVC status
- Remove code duplication between controller-manager and kubelet for updating PVC status
- Only remove conditions that are managed by resize controller
```release-note
Improve messages user gets during and after volume resizing is done.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Increase RSS limit for runtime from 300MB to 350MB on test creating 100 pods per node.
**What this PR does / why we need it**:
In recent COS image (cos-dev-65), the typical RSS increased a bit. It seems it was already close to the limit and now surpassed it.
I looked at some samples of failures of the test... In [some cases](https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-cosdev-k8sbeta-serial/1270) it seems very close (<1%), a [more representative example](https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-cosdev-k8sbeta-serial/1266) goes up about ~5% but in [some](https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-cosdev-k8sbeta-serial/1269) [cases](https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-cosdev-k8sbeta-serial/1267) it did go up to close or above 340MB.
I did some tests using just "docker" on the machines, creating 100 "pause" containers. I didn't really see much difference in RSS, though after killing the containers RSS was a bit higher on the host running cos-dev.
I looked at some possible reasons that would explain that:
- Transparent huge pages: confirmed they were disabled;
- Version of docker: same on cos-65, cos-64 and cos-63;
- Version of Go: same, 1.9.2 on cos-64 and cos-65, while 1.9.1 on cos-63 but 64 was already using same as current version;
- Version of systemd (maybe due to systemd libraries linked into Docker?): same on the three images.
I don't really know what can explain this increase... So cc @adityakali in case he has something to add here. Also cc @yguo0905 with whom I discussed the testgrid.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
N/A
**Special notes for your reviewer**:
N/A
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59373, 59379, 59252, 58295, 57786). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
GCE: Check nodeports are covered by firewall rule with port ranges
**What this PR does / why we need it**:
When testing firewalls for GCE ingresses, we should assert that particular nodeports are covered by individual ports or port ranges. Currently, port ranges are not acceptable input.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Will fix the currently erroring `ingress-gce-e2e` tests
**Special notes for your reviewer**:
/cc @MrHohn
/assign @bowei
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55986, 59375, 59334, 59348, 58027). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add minimal types for service account TokenRequest API
Adds parts of the types in https://github.com/kubernetes/community/pull/1460. ValidityDuration is omitted because we are still discussing how to surface non-expiring tokens but it should be easy to add in a backwards compatibly.
#58790
@kubernetes/sig-auth-api-reviews
Automatic merge from submit-queue (batch tested with PRs 58184, 59307, 58172). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix todo: migrate to use AddOrUpdateLabelOnNode and RemoveLabelOffNode replace of updateNodeLabels
**What this PR does / why we need it**:
fix todo: migrate to use framework.AddOrUpdateLabelOnNode/framework.RemoveLabelOffNode replace of updateNodeLabels
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
This PR is the first part of redesign of volume reconstruction work. The
changes include
1. Remove dependency on volume spec stored in actual state for volume
cleanup process (UnmountVolume and UnmountDevice)
Modify AttachedVolume struct to add DeviceMountPath so that volume
unmount operation can use this information instead of constructing from
volume spec
2. Modify reconciler's volume reconstruction process (syncState). Currently workflow
is when kubelet restarts, syncState() is only called once before
reconciler starts its loop.
a. If volume plugin supports reconstruction, it will use the
reconstructed volume spec information to update actual state as before.
b. If volume plugin cannot support reconstruction, it will use the
scanned mount path information to clean up the mounts.
In this PR, all the plugins still support reconstruction (except
glusterfs), so reconstruction of some plugins will still have issues.
The next PR will modify those plugins that cannot support reconstruction
well.
This PR addresses issue #52683, #54108 (This PR includes the changes to
update devicePath after local attach finishes)
Automatic merge from submit-queue (batch tested with PRs 59158, 38320, 59059, 55516, 59357). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Promote v1alpha1 meta to v1beta1
No code changes, just renames. We can discuss if there are any field / naming changes here or in a follow-up
Parent #58536Fixes#53224
Prereq to #55637
@kubernetes/sig-api-machinery-pr-reviews @deads2k
```release-note
The `meta.k8s.io/v1alpha1` objects for retrieving tabular responses from the server (`Table`) or fetching just the `ObjectMeta` for an object (as `PartialObjectMetadata`) are now beta as part of `meta.k8s.io/v1beta1`. Clients may request alternate representations of normal Kubernetes objects by passing an `Accept` header like `application/json;as=Table;g=meta.k8s.io;v=v1beta1` or `application/json;as=PartialObjectMetadata;g=meta.k8s.io;v1=v1beta1`. Older servers will ignore this representation or return an error if it is not available. Clients may request fallback to the normal object by adding a non-qualified mime-type to their `Accept` header like `application/json` - the server will then respond with either the alternate representation if it is supported or the fallback mime-type which is the normal object response.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
reopen#58913 Fix TODO move GetPauseImageNameForHostArch func
**What this PR does / why we need it**:
reopen#58913 Fix TODO move GetPauseImageNameForHostArch func,because of I squash to a single commit wrong,so recommit one,and close the #58913
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/assign @liggitt
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58645, 59211). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixing node labels assignment for random order tests execution
**What this PR does / why we need it**:
For some vsphere cloud provider e2e test cases, we are setting node labels to control pod scheduling on specific node.
When these e2e tests are executed in random order from testsuite, they are overwriting node labels, so some tests were failing to schedule pod on desired node. Tests are failing with following error.
```
“FailedScheduling: No nodes are available that match all of the predicates: MatchNodeSelector (5), NodeUnschedulable (1).
```
This PR is fixing the above issue with setting distinct node label key for each test group within test suite.
**Which issue(s) this PR fixes**
Fixes #
**Special notes for your reviewer**:
Executed testsuites containing tests from both files using following script.
```
GINKGO_FOCUS[0]="Volume\sPlacement"
GINKGO_FOCUS[1]="Volume\sDisk\sFormat"
REGEX="--ginkgo.focus="$(IFS='|' ; echo "${GINKGO_FOCUS[*]}")
go run hack/e2e.go --check-version-skew=false --v --test --test_args="${REGEX}"
```
All test passed.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55606, 59185, 58763, 59072, 59251). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Introduce apiserver profile-gathering in our testing framework
This enables automatic collection of CPU/Memory profiles for apiserver - saving us some effort while doing scalability experiments.
/cc @wojtek-t @porridge @kubernetes/sig-scalability-misc
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55439, 58564, 59028, 59169, 59259). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add basic functionality deployment integration tests
**What this PR does / why we need it**:
This PR adds basic deployment integration tests.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
xref #52113
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make predicate errors more human readable
**What this PR does / why we need it**:
Make predicate errors more human readable
Thanks.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref #58546
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Perform resize of mounted volume if necessary
Under certain conditions - we must perform resize of volume even when it is mounted. This enables us to get around problem of resizing volumes used by deployments etc.
```release-note
Allow expanding mounted volumes
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[e2e ingress-gce] Retrieve the correct health check resource
**What this PR does / why we need it**:
Previously the test retrieves a random health check resource and assumes it belongs to the test ingress, which is wrong when multiple ingress tests are running simultaneously.
Example failure: https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/ci-ingress-gce-e2e/533
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
/assign @rramkumar1 @nicksardo
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Ensure that the runtime mounts RO volumes read-only
**What this PR does / why we need it**:
This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them read-only. This change makes things less confusing for a user since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs.
It also adds a feature gate `ReadOnlyAPIDataVolumes` to a provide a way to disable the new behavior in 1.10, but for 1.11, the new behavior will become non-optional.
Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc.
**Which issue(s) this PR fixes**
Fixes#58719
**Release note**:
```release-note
Containers now mount secret, configMap, downwardAPI and projected volumes read-only. Previously,
container modifications to files in these types of volumes were temporary and reverted by the kubelet
during volume sync. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will
preserve the old behavior.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[GCE Ingress e2e] Add test for pre-shared certificate
**What this PR does / why we need it**:
Add an e2e test for the pre-shared certificate feature (`ingress.gcp.kubernetes.io/pre-shared-cert`). Also made some changes to ingress_util.go mostly for certificate generation and polling on ingress.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
/assign @rramkumar1 @nicksardo
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Postpone PV deletion with finalizer when it is being used
Postpone PV deletion if it is bound to a PVC
xref: https://github.com/kubernetes/community/pull/1608
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#33355
**Special notes for your reviewer**:
**Release note**:
```release-note
Postpone PV deletion when it is being bound to a PVC
```
WIP, assign to myself first
/assign @NickrenREN
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add V1beta1 VolumeAttachment API
**What this PR does / why we need it**:
Add V1beta1 VolumeAttachment API, co-existing with Alpha API object
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58461
**Special notes for your reviewer**:
**Release note**:
```release-note
Add V1beta1 VolumeAttachment API, co-existing with Alpha API object
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix flaky AdmissionWebhook e2e tests.
**What this PR does / why we need it**: Several of the tests("It") in the e2e suite reuse the config name.
Since these tests can be running in parallel, causing intermittant
failures.
Changes the test so each test uses a different name.
Restructured the tests to make it easier to make sure the name in a
test is being used consistently.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58855
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Add a feature gate ReadOnlyAPIDataVolumes to a provide a way to
disable the new behavior in 1.10, but for 1.11, the new
behavior will become non-optional.
Also, update E2E tests for downwardAPI and projected volumes
to mount the volumes somewhere other than /etc.
Automatic merge from submit-queue (batch tested with PRs 57683, 59116, 58728, 59140, 58976). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use node-e2e framework for testing cadvisor
**What this PR does / why we need it**:
With cadvisor checked out in your gopath, we can now run cadvisor integration tests: `make test-e2e-node TEST_SUITE=cadvisor`.
This has a number of advantages:
* we can use the same images to test both, configured the same way.
* we will now get cadvisor logs from the integration test.
* we can now use the familiar node-e2e arguments to specify images to test with cadvisor
* no more managing snowflake VMs for cadvisor.
**Special notes for your reviewer**:
cadvisor doesnt currently produce junit* files, so I removed that as a requirement.
This wont actually work until https://github.com/google/cadvisor/pull/1868 is merged as well.
Related issue:
https://github.com/kubernetes/test-infra/issues/190
**Release note**:
```release-note
NONE
```
/assign @Random-Liu
/sig node
/priority important-soon
/kind cleanup
Automatic merge from submit-queue (batch tested with PRs 59106, 58985, 59068, 59120, 59126). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Integration tests for envelop encryption/decryption of secrets.
**What this PR does / why we need it**:
Provides integration tests between KubeAPI Server and etcd (in the context of encrypting secrets at rest). Concretely, tests assert that:
1. Secrets are stored encrypted in ectcd
2. Secrets are decrypted on reads
when --experimental-encryption-provider-config flag is passed to KubeAPI server.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
This PR does not address any specific issues, but rather provides integration testing coverage for the [encrypt/encryption](https://github.com/kubernetes/kubernetes/blob/release-1.9/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go) feature.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
PVC Protection E2E Tests for Failed Scheduling
**What this PR does / why we need it**:
Change in scheduler that causes that scheduling of a pod that uses PVC that is being deleted fails was introduced in:
- https://github.com/kubernetes/kubernetes/pull/55957
This PR adds an E2E test for the above merged PR.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
N/A
**Special notes for your reviewer**:
N/A
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix PodPidsLimit and ConfigTrialDuration on internal KubeletConfig type
They should both follow the convention of not being a pointer on the internal type.
This required adding a conversion function between `int64` and `*int64`. A side effect is this removes a warning in the generated code for the apps API group.
@dims
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add gce-ingress e2e test for sync failure case
**What this PR does / why we need it**:
Add a test that verifies sync failures on some inrgesses would not stop gce ingress controller from syncing others.
Basically:
- Create two ingresses each has something wrong (TLS missing, backend missing etc.).
- Create a normal ingress and test it works.
- Update this ingress and test it takes effect.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
Ref https://docs.google.com/document/d/1E2ufxZGujFCYKYOsvBjb4VMNjBy8CM-MMycoT_UVwIs/edit#heading=h.wxzdzliw64t8.
/assign @rramkumar1 @nicksardo
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[e2e util] Remove static IP functions based on gcloud
**What this PR does / why we need it**:
Use GCE library for static IP instead of calling gcloud in e2e test.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Do not use ifupdown commands
**What this PR does / why we need it**:
The ifupdown commands (ifup and ifdown) are not useful on many modern
distributions. Instead, the "ip link set" set of commands are standard
linux utilities and should be available everywhere (see
http://baturin.org/docs/iproute2/).
ipupdown utilities have the added quirk that they return 0 on failure,
which makes the changed line fail silently in case ifdown didn't bring
the network down.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
The ifupdown commands (ifup and ifdown) are not useful on many modern
distributions. Instead, the "ip link set" set of commands are standard
linux utilities and should be available everywhere (see
http://baturin.org/docs/iproute2/).
ipupdown utilities have the added quirk that they return 0 on failure,
which makes the changed line fail silently in case ifdown didn't bring
the network down.
After the interface was brought back up, renew DHCP requests to ensure
the network is actually useable.
Signed-off-by: Chris Glass <chris.glass@canonical.com>
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixes ci-ingress-gce-upgrade-e2e
**What this PR does / why we need it**:
This PR fixes the broken ci-ingress-gce-upgrade-e2e job. The issue was that the ingress was being deleted by the test framework before the upgraded ingress could properly sync. Therefore, the resources were never cleaned up, which caused test failure.
```release-note
None
```
cc @MrHohn
/assign @bowei
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixes for HostIPC tests to work when Docker has SELinux support enabled.
**What this PR does / why we need it**:
Fixes for HostIPC tests to work when Docker has SELinux support enabled.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
N/A
**Special notes for your reviewer**:
The core of the matter is to use `ipcs` from util-linux rather than the one from busybox. The typical SELinux policy has enough to allow Docker containers (running under svirt_lxc_net_t SELinux type) to access IPC information by reading the contents of the files under /proc/sysvipc/, but not by using the shmctl etc. syscalls.
The `ipcs` implementation in busybox will use `shmctl(0, SHM_INFO, ...)` to detect whether it can read IPC info (see source code [here](https://git.busybox.net/busybox/tree/util-linux/ipcs.c?h=1_28_0#n138)), while the one in util-linux will prefer to read from the /proc files directly if they are available (see source code [here](https://github.com/karelzak/util-linux/blob/v2.27.1/sys-utils/ipcutils.c#L108)).
It turns out the SELinux policy doesn't allow the shmctl syscalls in an unprivileged container, while access to it through the /proc interface is fine. (One could argue this is a bug in the SELinux policy, but getting it fixed on stable OSs is hard, and it's not that hard for us to test it with an util-linux `ipcs`, so I propose we do so.)
This PR also contains a refactor of the code setting IpcMode, since setting it in the "common options" function is misleading, as on containers other than the sandbox, it ends up always getting overwritten, so let's only set it to "host" in the Sandbox.
It also has a minor fix for the `ipcmk` call, since support for size suffix was only introduced in recent versions of it.
**Release note**:
```release-note
NONE
```
They should both follow the convention of not being a pointer on the
internal type. This required adding a conversion function between
`int64` and `*int64`.
A side effect is this removes a warning in the generated code for the
apps API group.
DeferredDiscoveryRESTMapper won't automatically `Reset` itself before its
initial use, since actually trying to construct the delegate will error
out before it gets a chance to `Reset` itself. Ergo, we have to
manually call `Reset` before use.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
code cleanup in integration test framework
**What this PR does / why we need it**:
code cleanup
**Special notes for your reviewer**:
/kind cleanup
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Build using go1.9.3
**What this PR does / why we need it**: more minor bugfixes, which I guess we probably want. https://github.com/golang/go/issues?q=milestone%3AGo1.9.3
**Special notes for your reviewer**: I haven't built/pushed the crossbuild image yet, but will do so if we think this is a good idea. I don't have plans to rebuild the test images.
**Release note**:
```release-note
Build using go1.9.3.
```
Who are good people to review this?
/assign @cblecker @luxas
(for lack of better ideas)
Automatic merge from submit-queue (batch tested with PRs 57322, 57723, 58706, 59004, 58857). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Skip rescheduler test.
Skip the rescheduler test per discussion https://github.com/kubernetes/kubernetes/issues/59002.
The test `[sig-scheduling] Rescheduler [Serial] should ensure that critical pod is scheduled in case there is no resources available` has failing for a long time. And the serial suite is never green because of it. https://k8s-testgrid.appspot.com/google-gce#gci-gce-serial
@kubernetes/sig-scheduling-misc
Signed-off-by: Lantao Liu <lantaol@google.com>
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
none
```
Automatic merge from submit-queue (batch tested with PRs 57322, 57723, 58706, 59004, 58857). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adding downgrade test for ingress-gce
**What this PR does / why we need it**:
This PR improves the existing downgrade e2e test for ingress-gce. Specifically, we add a test which downgrades ingress from an image built from HEAD to the latest release image.
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 57467, 58996). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Set generate-kubelet-config-file to true by default.
This should fix the flaky suite.
https://k8s-testgrid.appspot.com/sig-node-kubelet#kubelet-flaky-gce-e2e
@mtaufen /cc @kubernetes/sig-node-bugs
Signed-off-by: Lantao Liu <lantaol@google.com>
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
none
```
Automatic merge from submit-queue (batch tested with PRs 57467, 58996). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove flaky label from Eviction tests
**What this PR does / why we need it**:
All eviction tests in the flaky suite are no longer flaky. Remove the flaky label to move them from the flaky suite to the serial suite.
I removed the QoS-based memory eviction test since it does not reflect the current eviction strategy.
**Release note**:
```release-note
NONE
```
/assign @mtaufen @Random-Liu
/sig node
/priority important-soon
/kind cleanup
Several of the tests("It") in the e2e suite reuse the config name.
Since these tests can be running in parallel, causing intermittant
failures.
Changes the test so each test uses a different name.
Restructured the tests to make it easier to make sure the name in a
test is being used consistently.
Fix feedback from @caesarxuchao
Fixed format.
Automatic merge from submit-queue (batch tested with PRs 58777, 58978, 58977, 58775). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Skip NoNewPrivileges test when SELinux is enabled
**What this PR does / why we need it**:
A bug in the SELinux policy prevented NoNewPrivileges from working on Docker with SELinux support enabled.
The problem has been fixed upstream (see projectatomic/container-selinux#45)
But hasn't been backported yet (a fix might come in RHEL 7.5)
For now, let's skip the NoNewPrivileges test when SELinux support is enabled in Docker.
Tested:
- Before this commit, the test fails:
```
$ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
(on a host with SELinux enabled)
• [SLOW TEST:22.798 seconds] (passed)
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when true
• Failure [16.539 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should not allow privilege escalation when false [It]
wait for pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" to success
Expected success, but got an error:
<*errors.errorString | 0xc4204e26d0>: {
s: "pod \"alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009\" failed with reason: \"\", message: \"\"",
}
pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" failed with reason: "", message: ""
• [SLOW TEST:26.572 seconds] (passed)
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when not explicitly set and uid != 0
Ran 3 of 257 Specs in 45.364 seconds
FAIL! -- 2 Passed | 1 Failed | 0 Pending | 254 Skipped
Ginkgo ran 1 suite in 49.389123442s
Test Suite Failed
```
- After this commit, the test is skipped:
```
$ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
(on a host with SELinux enabled)
S [SKIPPING] in Spec Setup (BeforeEach) [12.452 seconds]
S [SKIPPING] in Spec Setup (BeforeEach) [16.298 seconds]
S [SKIPPING] in Spec Setup (BeforeEach) [18.183 seconds]
Ran 0 of 257 Specs in 39.174 seconds
SUCCESS! -- 0 Passed | 0 Failed | 0 Pending | 257 Skipped
Ginkgo ran 1 suite in 43.570630357s
Test Suite Passed
```
- No changes when SELinux is disabled:
```
$ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
(on a host with SELinux disabled)
• [SLOW TEST:15.013 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should not allow privilege escalation when false
• [SLOW TEST:19.155 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when true
• [SLOW TEST:21.087 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when not explicitly set and uid != 0
Ran 3 of 259 Specs in 38.560 seconds
SUCCESS! -- 3 Passed | 0 Failed | 0 Pending | 256 Skipped
Ginkgo ran 1 suite in 41.937918928s
Test Suite Passed
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
N/A
**Special notes for your reviewer**:
N/A
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58955, 58968, 58971, 58963, 58298). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
removes the remainder from ScalerFor method
**What this PR does / why we need it**:
this PR removes existing scalers from `ScalerFor` method
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 56995, 58498, 57426, 58902, 58863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
cleanup enable/disable api resources code
**What this PR does / why we need it**:
After #57228, `runtime-config` flag has stop support enable/disable resources of a specific groupVersion,
so this pr does some clean work about this.
Mainly delete unused code in `k8s.io/apiserver/pkg/server/storage/resource_config.go`
**Special notes for your reviewer**:
/assign @deads2k @sttts
**Release note**:
```release-note
NONE
```
/kind cleanup
Automatic merge from submit-queue (batch tested with PRs 56995, 58498, 57426, 58902, 58863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubelet: remove the rktshim directory
This package contains only placeholders without actual implementation.
Since it is not currently under active development, remove it to avoid
unnecessary change needed whenever the interface is changed.
- we now provide clear message to user what to do when cloudprovider resizing is finished
and file system resizing is needed.
- add a event when resizing is successful.
- Use Patch for updating PVCs in both kubelet and controller-manager
- Extract updating pvc util function in one place.
- Only update resize conditions on progress
all remaining scalers were replaced by GenericScaler exept JobScaler.
It is not clear whether JobScaler could use generic scaler or not.
For more details see the pull request.
Automatic merge from submit-queue (batch tested with PRs 58889, 58890). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add e2e tests for GPU monitoring.
Related to kubernetes/features#369.
This is mostly the same code as the default stackdriver test. This would need to be a separate suite because it needs to run with GPUs etc.
**Release note**:
```release-note
NONE
```
/sig instrumentation
/sig testing
/kind enhancement
/assign @vishh @kawych @piosz @jiayingz
This package contains only placeholders without actual implementation.
Since it is not currently under active development, remove it to avoid
unnecessary change needed whenever the interface is changed.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Removal of KubeletConfigFile feature gate: Step 1
This feature gate was redundant with the `--config` flag, which already
enables/disables loading Kubelet config from a file.
Since the gate guarded an alpha feature, removing it is not a violation
of our API guidelines.
Some stuff in `kubernetes/test-infra` currently sets the gate,
so removing will be a 3 step process:
1. This PR, which makes the gate a no-op.
2. Stop setting the gate in `kubernetes/test-infra`.
3. Completely remove the gate (this PR will get the release note).
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55792, 58342). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Promote Statefulset controller and its e2e tests to use apps/v1
**What this PR does / why we need it**:
Promotes the statefulset controller to use to use the latest apps group [apps/v1](https://github.com/kubernetes/kubernetes/pull/53679)
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # https://github.com/kubernetes/kubernetes/issues/55714
**Special notes for your reviewer**:
* Listerexpansion for v1 `k8s.io/client-go/listers/apps/v1` (was recently done for v1beta2)
* `v1beta2` && `v1` had `ObservedGeneration` as `int64` where as `v1beta1` and rest of the code (including conversion) is expecting `ObservedGeneration` to be `*int64`
```
type StatefulSetStatus struct {
// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
// StatefulSet's generation, which is updated on mutation by the API Server.
// +optional
ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
```
* for kubectl's `rollback` and `history` commands a couple functions have been duplicated to allow us to use `v1` version instead of `v1beta1` for statefulsets, while the older functions are still used by other controllers.
We should be able to remove these duplicates once all the controllers are moved.
If this aligns with the plan then i could move other controllers too.
cc: @kow3ns
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add binary configmap
Reviving code from https://github.com/kubernetes/kubernetes/pull/33549 submitted by @zreigz
**What this PR does / why we need it**:
Add support for binary files in ConfigMap
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#32432
**Special notes for your reviewer**:
**Release note**:
```release-note
ConfigMap objects now support binary data via a new `binaryData` field. When using `kubectl create configmap --from-file`, files containing non-UTF8 data will be placed in this new field in order to preserve the non-UTF8 data. Use of this feature requires 1.10+ apiserver and kubelets.
```
Automatic merge from submit-queue (batch tested with PRs 58713, 58841). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Tag multi-az cluster volume e2e test with sig-storage
Follow-on from #58726 to make it clear that responsibility for the test is shared between @kubernetes/sig-scheduling-pr-reviews and @kubernetes/sig-storage-pr-reviews.
```release-note
NONE
```
cc: @bsalamat @timothysc
Automatic merge from submit-queue (batch tested with PRs 58713, 58841). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Created bootstrap logic for vSphere test
**What this PR does / why we need it**:
Add bootstrapping logic and Context for vSphere tests. This context can be utilized to hold information like node-vsphere mapping, which needs to be initialized only once per test suit run.
sync.Once takes care of executing bootstrapping only once for all the specs. 'waiting' channel takes care of making sure that parallel test spec executions wait for bootstrapping to finish before moving on.
**Which issue(s) this PR fixes**
Fixes https://github.com/vmware/kubernetes/issues/437, partly
**Special notes for your reviewer**:
Successfully ran make.
Tested by added additional log messages to bootstrap process (now removed). Made sure bootstrapping logic is getting invoked just once and bootstrapping is done by the time It-blocks are executed.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58626, 58791). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
serviceaccount: check token is issued by correct iss before verifying
Right now if a JWT for an unknown issuer, for any subject hits the
serviceaccount token authenticator, we return a errors as if the token
was meant for us but we couldn't find a key to verify it. We should
instead return nil, false, nil.
This change helps us support multiple service account token
authenticators with different issuers.
https://github.com/kubernetes/kubernetes/issues/58790
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58302, 58782, 58555, 58741). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make it possible to override the driver installer daemonset url from test-infra.
This will enable things like kubernetes/test-infra#6430
/kind enhancement
/sig testing
/sig scheduling
**Release note**:
```release-note
NONE
```
/assign @jiayingz @vishh
This ensures the `ipcs` command from util-linux will be used, which
succeeds when Docker is running with SELinux enabled (while the one from
busybox fails.)
Tested: On a host with Docker running with SELinux enabled:
$ make test-e2e-node REMOTE=true FOCUS="host IPC"
• [SLOW TEST:17.272 seconds] (passed)
[k8s.io] Security Context
when creating a pod in the host IPC namespace
should show the shared memory ID in the host IPC containers
• [SLOW TEST:20.419 seconds] (passed)
[k8s.io] Security Context
when creating a pod in the host IPC namespace
should not show the shared memory ID in the non-hostIPC containers
Ran 2 of 257 Specs in 43.934 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 255 Skipped
This container will be used to exercise the HostIPC functionality in
e2e-node tests.
The version of `ipcs` shipped in busybox performs operations that get
blocked by SELinux on hosts where it is enabled. The version of `ipcs`
in util-linux does not perform those operations, rather it checks
whether the /proc files it needs are available and proceeds to reading
from them directly.
Using `ipcs` from util-linux makes these tests pass, even when running
under SELinux enabled, so let's use them here.
Tested: On a host where Docker with SELinux enabled:
- Checked that `ipcs` from busybox does not work:
$ docker run busybox ipcs -m
kernel not configured for shared memory
- Checked that the one from this container does work:
$ docker run gcr.io/kubernetes-e2e-test-images/ipc-utils-amd64:1.0 ipcs -m
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
Expand the use of "1M" to the corresponding number of bytes, since
support for size suffix was only added to `ipcmk` in util-linux 2.27
which is not yet available in some Linux distributions.
Tested by running `make test-e2e-node` against distributions with ipcmk
that supports and doesn't support the suffix syntax, all of them passed.
A bug in the SELinux policy prevented NoNewPrivileges from working on
Docker with SELinux support enabled.
The problem has been fixed upstream:
https://github.com/projectatomic/container-selinux/issues/45
But hasn't been backported yet (a fix might come in RHEL 7.5)
For now, let's skip the NoNewPrivileges test when SELinux support is
enabled in Docker.
Tested:
- Before this commit, the test fails:
$ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
(on a host with SELinux enabled)
• [SLOW TEST:22.798 seconds] (passed)
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when true
• Failure [16.539 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should not allow privilege escalation when false [It]
wait for pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" to success
Expected success, but got an error:
<*errors.errorString | 0xc4204e26d0>: {
s: "pod \"alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009\" failed with reason: \"\", message: \"\"",
}
pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" failed with reason: "", message: ""
• [SLOW TEST:26.572 seconds] (passed)
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when not explicitly set and uid != 0
Ran 3 of 257 Specs in 45.364 seconds
FAIL! -- 2 Passed | 1 Failed | 0 Pending | 254 Skipped
Ginkgo ran 1 suite in 49.389123442s
Test Suite Failed
- After this commit, the test is skipped:
$ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
(on a host with SELinux enabled)
S [SKIPPING] in Spec Setup (BeforeEach) [12.452 seconds]
S [SKIPPING] in Spec Setup (BeforeEach) [16.298 seconds]
S [SKIPPING] in Spec Setup (BeforeEach) [18.183 seconds]
Ran 0 of 257 Specs in 39.174 seconds
SUCCESS! -- 0 Passed | 0 Failed | 0 Pending | 257 Skipped
Ginkgo ran 1 suite in 43.570630357s
Test Suite Passed
- No changes when SELinux is disabled:
$ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
(on a host with SELinux disabled)
• [SLOW TEST:15.013 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should not allow privilege escalation when false
• [SLOW TEST:19.155 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when true
• [SLOW TEST:21.087 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when not explicitly set and uid != 0
Ran 3 of 259 Specs in 38.560 seconds
SUCCESS! -- 3 Passed | 0 Failed | 0 Pending | 256 Skipped
Ginkgo ran 1 suite in 41.937918928s
Test Suite Passed
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Rename package deviceplugin => devicemanager.
**What this PR does / why we need it**:
Fixes#58795
/kind cleanup
Rename package `deviceplugin` to `devicemanager` for consistency.
We already have components named Container manager and CPU manager. The device plugin package similarly contains an interface called `Manager`. The fact that the manager has plugins is somewhat incidental to the purpose of the package itself.
Note that this rename only affects internal API. The external gRPC interface still exports a package called deviceplugin.
**Release note**:
```release-note
NONE
```
Right now if a JWT for an unknown issuer, for any subject hits the
serviceaccount token authenticator, we return a errors as if the token
was meant for us but we couldn't find a key to verify it. We should
instead return nil, false, nil.
This change helps us support multiple service account token
authenticators with different issuers.
This feature gate was redundant with the `--config` flag, which already
enables/disables loading Kubelet config from a file.
Since the gate guarded an alpha feature, removing it is not a violation
of our API guidelines.
Some stuff in `kubernetes/test-infra` currently sets the gate,
so removing will be a 3 step process:
1. This PR, which makes the gate a no-op.
2. Stop setting the gate in `kubernetes/test-infra`.
3. Completely remove the gate.
Automatic merge from submit-queue (batch tested with PRs 58412, 56132, 58506, 58542, 58394). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update Instances to use generated code
```release-note
NONE
```
Hemant Kumar