Automatic merge from submit-queue
kubeadm: Upload configuration used at 'kubeadm init' time to ConfigMap for easier upgrades
**What this PR does / why we need it**:
Uploads config used to a ConfigMap so we can upgrade a cluster seamlessly without forcing the user to re-specify all options they specified the first time.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/373
**Special notes for your reviewer**:
This should be a cherrypick-candidate for easier upgrading to v1.8
cc @wojtek-t
**Release note**:
```release-note
kubeadm: Upload configuration used at 'kubeadm init' time to ConfigMap for easier upgrades
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc
Automatic merge from submit-queue (batch tested with PRs 50016, 49583, 49930, 46254, 50337)
Break up node controller into packages
This change does NO actual code changes other than moving constituent
parts into packages.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50016, 49583, 49930, 46254, 50337)
Alpha Dynamic Kubelet Configuration
Feature: https://github.com/kubernetes/features/issues/281
This proposal contains the alpha implementation of the Dynamic Kubelet Configuration feature proposed in ~#29459~ [community/contributors/design-proposals/dynamic-kubelet-configuration.md](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/dynamic-kubelet-configuration.md).
Please note:
- ~The proposal doc is not yet up to date with this implementation, there are some subtle differences and some more significant ones. I will update the proposal doc to match by tomorrow afternoon.~
- ~This obviously needs more tests. I plan to write several O(soon). Since it's alpha and feature-gated, I'm decoupling this review from the review of the tests.~ I've beefed up the unit tests, though there is still plenty of testing to be done.
- ~I'm temporarily holding off on updating the generated docs, api specs, etc, for the sake of my reviewers 😄~ these files now live in a separate commit; the first commit is the one to review.
/cc @dchen1107 @vishh @bgrant0607 @thockin @derekwaynecarr
```release-note
Adds (alpha feature) the ability to dynamically configure Kubelets by enabling the DynamicKubeletConfig feature gate, posting a ConfigMap to the API server, and setting the spec.configSource field on Node objects. See the proposal at https://github.com/kubernetes/community/blob/master/contributors/design-proposals/dynamic-kubelet-configuration.md for details.
```
Improve GC discovery sync performance by only syncing when discovered
resource diffs are detected. Before, the GC worker pool was shut down
and monitors resynced unconditionally every sync period, leading to
significant processing delays causing test flakes where otherwise
reasonable GC timeouts were being exceeded.
Related to https://github.com/kubernetes/kubernetes/issues/49966.
Automatic merge from submit-queue (batch tested with PRs 50173, 50324, 50288, 50263, 50333)
Honor --use-service-account-credentials and warn when missing private key
Fixes#50275 by logging a warning and failing to start rather than continue to run ignoring the user's specified config
Automatic merge from submit-queue
kubeadm: Centralize commonly used paths/constants to the constants pkg
**What this PR does / why we need it**:
Before there were constants defined for the control plane components in three different places:
- images
- phases/controlplane
- phases/selfhosting
Now they are in one centralized place. I also moved funcs for building common paths to that lib.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Dependency for: https://github.com/kubernetes/kubernetes/pull/48899
**Special notes for your reviewer**:
Most of this PR really is autogenerated with a replace tool. I tested this and things work just normally as well.
**Release note**:
```release-note
NONE
```
@timothysc @dmmcquay @pipejakob @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 50254, 50174, 50179)
kubeadm: Add back labels for the Static Pod control plane
**What this PR does / why we need it**:
This Labels section has been removed now for a short period during the v1.8 dev cycle, but I found a good use-case for it; namely filtering Mirror Pods by the `component=kube-*` label when waiting for the self-hosted control plane to come up after an upgrade. It's not _really_ neccessary, but nice to have.
Also noticed the lack of coverage for this func, so added a small unit test.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Dependency for: https://github.com/kubernetes/kubernetes/pull/48899
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @dmmcquay @timothysc @mattmoyer
Automatic merge from submit-queue (batch tested with PRs 50208, 50259, 49702, 50267, 48986)
provide the failing health as part of the controller error
When the controllers fail to start because the master is unhealthy, the healthz message is a useful starting point for debugging. This provides it in the error returned.
Automatic merge from submit-queue (batch tested with PRs 47416, 47408, 49697, 49860, 50162)
kubeadm: Replace *clientset.Clientset with clientset.Interface
**What this PR does / why we need it**:
Needed for https://github.com/kubernetes/kubernetes/pull/48899
We should always use `clientset.Interface` instead of `*clientset.Clientset`, for better testability and all the other benefits of using an interface.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Should be straightforward to merge
**Release note**:
```release-note
NONE
```
@timothysc @dmmcquay @pipejakob
Automatic merge from submit-queue (batch tested with PRs 50119, 48366, 47181, 41611, 49547)
Move remaining cert helper functions from pkg/serviceaccount to client-go/util/cert
**What this PR does / why we need it**:
Unifies all remaining certificate helper functions from pkh/serviceaccount to client-go/util/cert. Private key functions were moved in #40907
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#40807
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 50119, 48366, 47181, 41611, 49547)
Fail on swap enabled and deprecate experimental-fail-swap-on flag
**What this PR does / why we need it**:
* Deprecate the old experimental-fail-swap-on
* Add a new flag fail-swap-on and set it to true
Before this change, we would not fail when swap is on. With this
change we fail for everyone when swap is on, unless they explicitly
set --fail-swap-on to false.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#34726
**Special notes for your reviewer**:
**Release note**:
```release-note
Kubelet will by default fail with swap enabled from now on. The experimental flag "--experimental-fail-swap-on" has been deprecated, please set the new "--fail-swap-on" flag to false if you wish to run with /proc/swaps on.
```
Automatic merge from submit-queue (batch tested with PRs 48237, 50084, 50019, 50069, 50090)
Fix comment of isHTTPSURL
**What this PR does / why we need it**:
fix comment of isHTTPSURL
Automatic merge from submit-queue
Add test for kube-proxy running with "--cleanup-iptables=true"
**What this PR does / why we need it**:
Add test to prevent such kube-proxy panic to happen again.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48177
**Special notes for your reviewer**:
Forgot to add this in last PR #48183. Should we also add this to v1.7 milestone?
/cc @ncdc @dchen1107
**Release note**:
```release-note
NONE
```
- Move public key functions to client-go/util/cert
- Move pki file helper functions to client-go/util/cert
- Standardize on certutil package alias
- Update dependencies to client-go/util/cert
Automatic merge from submit-queue
Add --feature-gate flags to kubeadm
**What this PR does / why we need it**:
Adds `--feature-gates` in similar manner to other `cmd` binaries
**Which issue this PR fixes**
https://github.com/kubernetes/kubeadm/issues/323
**Special notes for your reviewer**:
This results in a lot of probably unnecessary feature flags. I'm guessing a lot of kubeadm users will be confused when they see:
```
Flags:
--feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIResponseCompression=true|false (ALPHA - default=false)
Accelerators=true|false (ALPHA - default=false)
AdvancedAuditing=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllowExtTrafficLocalEndpoints=true|false (default=true)
AppArmor=true|false (BETA - default=true)
DebugContainers=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (ALPHA - default=false)
DynamicVolumeProvisioning=true|false (ALPHA - default=true)
ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
LocalStorageCapacityIsolation=true|false (ALPHA - default=false)
PersistentLocalVolumes=true|false (ALPHA - default=false)
PodPriority=true|false (ALPHA - default=false)
RotateKubeletClientCertificate=true|false (ALPHA - default=false)
RotateKubeletServerCertificate=true|false (ALPHA - default=false)
StreamingProxyRedirects=true|false (BETA - default=true)
TaintBasedEvictions=true|false (ALPHA - default=false)
-h, --help help for kubeadm
```
However the feature flags used in the core pkg is global, so I don't think it can be overriden. So we have a few options:
1. Allow these flags for kubeadm
2. Refactor feature pkg to allow granular features
3. Roll our own feature gating for kubeadm
/cc @luxas
Automatic merge from submit-queue (batch tested with PRs 49237, 49656, 49980, 49841, 49899)
certificate manager: close existing client conns once cert rotates
After the kubelet rotates its client cert, it will keep connections to the API server open indefinitely, causing it to use its old credentials instead of the new certs. Because the API server authenticates client certs at the time of the request, and not the handshake, this could cause the kubelet to start hitting auth failures even if it rotated its certificate to a new, valid one.
When the kubelet rotates its cert, close down existing connections to force a new TLS handshake.
Ref https://github.com/kubernetes/features/issues/266
Updates https://github.com/kubernetes-incubator/bootkube/pull/663
```release-note
After a kubelet rotates its client cert, it now closes its connections to the API server to force a handshake using the new cert. Previously, the kubelet could keep its existing connection open, even if the cert used for that connection was expired and rejected by the API server.
```
/cc @kubernetes/sig-auth-bugs
/assign @jcbsmpsn @mikedanese
Automatic merge from submit-queue (batch tested with PRs 49989, 49806, 49649, 49412, 49512)
This adds an etcd health check endpoint to kube-apiserver
addressing https://github.com/kubernetes/kubernetes/issues/48215.
**What this PR does / why we need it**:
This ensures kube-apiserver `/healthz` endpoint fails whenever connectivity cannot be established to etcd, also ensures the etcd preflight checks works with unix sockets
**Which issue this PR fixes**: fixes#48215
**Special notes for your reviewer**:
This PR does not use the etcd client directly as the client object is wrapped behind the storage interface and not exposed directly for use, so I decided to reuse what's being done in the preflight. So this will only check fail for connectivity and not etcd auth related problems. I did not write tests for the endpoint because I couldn't find examples that I could follow for writing tests for healthz related endpoints, I'll be willing to write those tests if someone can point me at a relevant one.
**Release note**:
```release-note
Add etcd connectivity endpoint to healthz
```
@deads2k please help review, thanks!
* Deprecate the old experimental-fail-swap-on
* Add a new flag fail-swap-on and set it to true
Before this change, we would not fail when swap is on. With this
change we fail for everyone when swap is on, unless they explicitly
set --fail-swap-on to false.
Automatic merge from submit-queue (batch tested with PRs 50029, 48517, 49739, 49866, 49782)
Update generated deepcopy code
**What this PR does / why we need it**:
In generated deepcopy code, the method names in comments do not match the real method names.
**Which issue this PR fixes**: fixes#49755
**Special notes for your reviewer**:
/assign @sttts @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49992, 48861, 49267, 49356, 49886)
Emit event and retry when fail to start healthz server on kube-proxy
**What this PR does / why we need it**: Enhance kube-proxy's logic when fail to start healthz server.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: From #49263.
**Special notes for your reviewer**:
/assign @thockin @nicksardo @bowei
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49992, 48861, 49267, 49356, 49886)
Reintegrate aggregation support for OpenAPI
Reintegrating changes of #46734
Changes summary:
- Extracted all OpenAPI specs to new repo `kube-openapi`
- Make OpenAPI spec aggregator to copy and rename any non-requal model (even with documentation change only).
- Load specs when adding APIServices and retry on failure until successful spec retrieval or a 404.
- Assumes all Specs except aggregator's Spec are static
- A re-register of any APIService will result in updating the spec for that service (Suggestion for TPR: they should be registered to aggregator API Server, Open for discussion if any more changes needed for another PR.)
fixes#48548
Automatic merge from submit-queue (batch tested with PRs 49871, 49422, 49092, 49858, 48999)
adding kube-apiserver starting option tests
**What this PR does / why we need it**:
There is only one test for `--enable-swagger-ui` option in `cmd/kube-apiserver/app/options/options_test.go`, I have expanded this test with more kube-apiserver starting options.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Automatic merge from submit-queue (batch tested with PRs 49870, 49416, 49872, 49892, 49908)
Make "kubeadm version" json format output more readable.
**What this PR does / why we need it**:
Add indent to json format output.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
ref: #43750#46598
**Special notes for your reviewer**:
output example:
```
#kubeadm version -o json
{
"clientVersion": {
"major": "1",
"minor": "8+",
"gitVersion": "v1.8.0-alpha.2.1026+d8205661b700c6-dirty",
"gitCommit": "d8205661b700c6f99c33ea0ac1e5ed3e49c202b2",
"gitTreeState": "dirty",
"buildDate": "2017-07-31T12:14:28Z",
"goVersion": "go1.8.3",
"compiler": "gc",
"platform": "linux/amd64"
}
}
```
**Release note**:
```release-note
NONE
```
After the kubelet rotates its client cert, it will keep connections
to the API server open indefinitely, causing it to use its old
credentials instead of the new certs
When the kubelet rotates its cert, close down existing connections
to force a new TLS handshake.
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Lowercases hostname for kubeadm cert slice
**What this PR does / why we need it**:
Previously, unit tests on master were failing due to this error:
```
--- FAIL: TestSubCmdApiServerFlags (0.99s)
certs_test.go:149: APIserverCert.DNSNames[0] is danehans-m-c1kp instead of DANEHANS-M-C1KP
```
The PR fixes the TestSubCmdApiServerFlags test, which uses the OS hostname to compare the apiserver serving cert and fails if the OS hostname is in caps.
**Which issue this PR fixes**: fixes # https://github.com/kubernetes/kubeadm/issues/361
**Special notes for your reviewer**:
**Release note**:
```NONE
```
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Enable garbage collection of custom resources
Enhance the garbage collector to periodically refresh the resources it monitors (via discovery) to enable custom resource definition GC (addressing #44507 and reverting #47432).
This is a replacement for #46000.
/cc @lavalamp @deads2k @sttts @caesarxuchao
/ref https://github.com/kubernetes/kubernetes/pull/48065
```release-note
The garbage collector now supports custom APIs added via CustomeResourceDefinition or aggregated apiservers. Note that the garbage collector controller refreshes periodically, so there is a latency between when the API is added and when the garbage collector starts to manage it.
```
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Use the core client with version
**What this PR does / why we need it**:
Replace the **deprecated** `clientSet.Core()` with `clientSet.CoreV1()`.
**Which issue this PR fixes**: fixes#49535
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45813, 49594, 49443, 49167, 47539)
Deprecate keep-terminated-pod-volumes
It was discussed and agreed by sig-storage that
this flag causes unnecessary confusion and is hard to keep
synchornized with controller's attach/detach functionality.
Fixes https://github.com/kubernetes/kubernetes/issues/45615
```release-note
keep-terminated-pod-volumes flag on kubelet is deprecated.
```
Enhance the garbage collector to periodically refresh the resources it
monitors (via discovery) to enable custom resource definition GC.
This implementation caches Unstructured structs for any kinds not
covered by a shared informer. The existing meta-only codec only supports
compiled types; an improved codec which supports arbitrary types could
be introduced to optimize caching to store only metadata for all
non-informer types.
Automatic merge from submit-queue (batch tested with PRs 49238, 49595, 43494, 47897, 48905)
Should not set struct pointer directly to interface which may cause potential panic
fix https://github.com/kubernetes/kubernetes/issues/43127 to avoid potential kubelet panic.
In our old implemention, interface `kubeDeps.EventClient ` (interface) will never equals to `nil` even if `eventClient `(struct pointer )was set to `nil`. `kubeDeps.ExternalKubeClient` and `kubeDeps.KubeClient` also have same potential risk.
Automatic merge from submit-queue (batch tested with PRs 49238, 49595, 43494, 47897, 48905)
Add apps/v1beta2.ReplicaSet
~Depends on #48746~ (merged)
~Depends on #49357~ (merged)
xref: #49135
```release-note
Add a new API object apps/v1beta2.ReplicaSet
```
Automatic merge from submit-queue (batch tested with PRs 49665, 49689, 49495, 49146, 48934)
make it possible to allow discovery errors for controllers
Update the discovery client to return partial discovery information *and* an error. Since we can aggregate API servers, discovery of some resources can fail independently. Callers of this function who want to tolerate the errors can, existing callers will still get an error and fail in normal blocks.
@kubernetes/sig-api-machinery-misc @sttts
Automatic merge from submit-queue (batch tested with PRs 48976, 49474, 40050, 49426, 49430)
Use presence of kubeconfig file to toggle standalone mode
Fixes#40049
```release-note
The deprecated --api-servers flag has been removed. Use --kubeconfig to provide API server connection information instead. The --require-kubeconfig flag is now deprecated. The default kubeconfig path is also deprecated. Both --require-kubeconfig and the default kubeconfig path will be removed in Kubernetes v1.10.0.
```
/cc @kubernetes/sig-cluster-lifecycle-misc @kubernetes/sig-node-misc
Automatic merge from submit-queue (batch tested with PRs 48976, 49474, 40050, 49426, 49430)
Remove duplicated import and wrong alias name of api package
**What this PR does / why we need it**:
**Which issue this PR fixes**: fixes#48975
**Special notes for your reviewer**:
/assign @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48224, 45431, 45946, 48775, 49396)
add reflector metrics
This adds metrics (optionally prometheus) to reflectors so that you can see when one reflector is behaving poorly and just how poorly its doing.
@eparis
```release-note
Adds metrics for checking reflector health.
```
Automatic merge from submit-queue (batch tested with PRs 49286, 49550)
use demorgans to make startRouteController implementation more readable
Signed-off-by: allencloud <allen.sun@daocloud.io>
**What this PR does / why we need it**:
When I was learning controller manager, I found that there is a `TODO` which is to use demorgans to make code more readable. So I try to make it work.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
NONE
**Special notes for your reviewer**:
NONE
**Release note**:
```release-note
NONE
```
ping @deads2k
Automatic merge from submit-queue (batch tested with PRs 49498, 49192)
kubeadm: Make sure --config can be mixed with --skip-* flags
**What this PR does / why we need it**:
fixes: https://github.com/kubernetes/kubeadm/issues/352
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Should be a cherrypick candidate
**Release note**:
```release-note
kubeadm: Fixes a small bug where `--config` and `--skip-*` flags couldn't be passed at the same time in validation.
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @ericchiang @wojtek-t
Automatic merge from submit-queue
Remove flags low-diskspace-threshold-mb and outofdisk-transition-frequency
issue: #48843
This removes two flags replaced by the eviction manager. These have been depreciated for two releases, which I believe correctly follows the kubernetes depreciation guidelines.
```release-note
Remove depreciated flags: --low-diskspace-threshold-mb and --outofdisk-transition-frequency, which are replaced by --eviction-hard
```
cc @mtaufen since I am changing kubelet flags
cc @vishh @derekwaynecarr
/sig node
Automatic merge from submit-queue (batch tested with PRs 48636, 49088, 49251, 49417, 49494)
Fix issues for local storage allocatable feature
This PR fixes the following issues:
1. Use ResourceStorageScratch instead of ResourceStorage API to represent
local storage capacity
2. In eviction manager, use container manager instead of node provider
(kubelet) to retrieve the node capacity and reserved resources. Node
provider (kubelet) has a feature gate so that storagescratch information
may not be exposed if feature gate is not set. On the other hand,
container manager has all the capacity and allocatable resource
information.
This PR fixes issue #47809
Replaces use of --api-servers with --kubeconfig in Kubelet args across
the turnup scripts. In many cases this involves generating a kubeconfig
file for the Kubelet and placing it in the correct location on the node.
Automatic merge from submit-queue (batch tested with PRs 49326, 49394, 49346, 49379, 49399)
Make client-go authoritative
client-go now is authoritative except for `client-go/pkg/version`, which I think we can leave as is for a while.
Automatic merge from submit-queue (batch tested with PRs 46210, 48607, 46874, 46598, 49240)
kubeadm: Make the hostPath volume mount code more secure
**What this PR does / why we need it**:
- Refactors the hostpath volume mounting code for the Static Pods
- Splits out the functionality that was in a big function to something testable
- Unit test a lot
- Adds support for mounting external etcd CA/cert/key files in an other path than `/etc/ssl/certs`. Before this you **had** to have your files in there or the apiserver would crashloop
- Significantly improves comment coverage
- Now only mounts the bare essentials instead of nearly everything. For example, don't mount full `/etc/kubernetes` when the only thing you need is `/etc/kubernetes/scheduler.conf`
- Make everything but the etcd datadir read-only for components.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/341
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
cc @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue
Add a new API version apps/v1beta2
xref: #49135
This PR adds a new API version `apps/v1beta2` which contains a copy (of types, conversions, and defaults) of `apps/v1beta1` StatefulSet, Deployment, and their subresources. Note that `apps/v1beta2` is still WIP and we will make breaking changes to it before releasing 1.8.
Moving core controllers (StatefulSet, Deployment, ReplicaSet, DaemonSet) to `apps/v1beta2` is the first step of moving them to `apps/v1` (GA).
This PR is a starting point for DaemonSet and ReplicaSet to move from `/extensions` to `/apps` and for Deployment and StatefulSet to make some breaking changes (e.g. new defaults and/or remove deprecated fields).
```release-note
Add a new API version apps/v1beta2
```
Automatic merge from submit-queue (batch tested with PRs 49328, 49285, 49307, 49127, 49163)
kubeadm: don't customize etcd selinux label
The original change that added the unconfined label included a comment
indicating it won't be needed in the future.
See: https://github.com/kubernetes/kubernetes/pull/33555#issuecomment-251126908
That time is now. https://github.com/kubernetes/kubernetes/pull/33663
has landed and means we no longer have to go out of our way to make that
work.
Removing the label also increases security since there wasn't really a
good reason for etcd to be run with such broad selinux privileges.
This also will allow kubeadm to avoid errors on distros without an spc_t
type, such as Gentoo and Container Linux (at the time of writing at
least).
Fixes https://github.com/kubernetes/kubeadm/issues/269
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49107, 47177, 49234, 49224, 49227)
tighten quota controller interface
While debugging a quota performance problem, I had to chase some references deeper than necessary because the interfaces were overly broad. This tightens them.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49114, 48810)
Unify fuzzers and roundtrip tests
- reorganize apimachinery/pkg/api/testing package to avoid circular imports
- make fuzzers modular per apigroup
- add roundtrip test for meta types
- add roundtrip test for a couple of staging apigroups
Follow-up:
- split `pkg/api` tests by apigroup
Automatic merge from submit-queue (batch tested with PRs 48377, 48940, 49144, 49062, 49148)
support fc volume attach and detach
**What this PR does / why we need it**:
Support FC volume attach and detach to enforce RWO access
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48953
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Add PriorityClass API object under new "scheduling" API group
**What this PR does / why we need it**: This PR is a part of a series of PRs to add pod priority to Kubernetes. This PR adds a new API group called "scheduling" with a new API object called "PriorityClass". PriorityClass maps the string value of priority to its integer value.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**: Given the size of this PR, I will add the admission controller for the PriorityClass in a separate PR.
**Release note**:
```release-note
Add PriorityClass API object under new "scheduling" API group
```
ref/ #47604
ref/ #48646
Automatic merge from submit-queue (batch tested with PRs 48981, 47316, 49180)
Added golint check for pkg/kubelet.
**What this PR does / why we need it**:
Added golint check for pkg/kubelet, and make golint happy.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47315
**Release note**:
```release-note-none
```
Automatic merge from submit-queue (batch tested with PRs 49058, 49072, 49137, 49182, 49045)
check for nil value in interface for proxier health
golang allows for a non-nil interface to have a nil value (not type). This results in an NPE at runtime.
@sttts remember that bit about go? Trivia becomes real :(
Automatic merge from submit-queue (batch tested with PRs 48043, 48200, 49139, 36238, 49130)
expose RegisterAllAdmissionPlugins so that admission chains can be reused
Exposes the admission plugin registration functions so that sets of plugins can be re-used.
@sttts @p0lyn0mial
Automatic merge from submit-queue (batch tested with PRs 48043, 48200, 49139, 36238, 49130)
expose method to allow externally setting defaults on an external type
The options are an exposed type. This allows you to set the defaults on them.
@derekwaynecarr who normally owns this bit?
Automatic merge from submit-queue (batch tested with PRs 49055, 49128, 49132, 49134, 49110)
OpenAPI bug: Array/Map Ptr Elements' handing was incorrect
If you have an array of map of pointers, OpenAPI spec generation would fail.
fixes: #49074
Automatic merge from submit-queue (batch tested with PRs 48481, 48256)
Refactor: pkg/util into sub-pkgs
**What this PR does / why we need it**:
- move code in pkg/util into sub-pkgs
- delete some unused funcs
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#15634
**Special notes for your reviewer**:
This is the final work of #15634. It will close that issue.
/cc @thockin
**Release note**:
```release-note
NONE
```
Add PriorityClass to pkg/registry
Add PriorityClass to pkg/master/master.go
Add PriorityClass to import_know_versions.go
Update linted packages
minor fix
Automatic merge from submit-queue (batch tested with PRs 46094, 48544, 48807, 49102, 44174)
add InstanceID to fake cadvisor (used in Kubemark)
This change is for setting Node.Spec.ProviderID field in Kubemark hollow nodes. It shouldn't affect other tests using cadvisor.Fake as field is nil by default.
cc @gmarek
Automatic merge from submit-queue (batch tested with PRs 46094, 48544, 48807, 49102, 44174)
Static deepcopy – phase 1
This PR is the follow-up of https://github.com/kubernetes/kubernetes/pull/36412, replacing the
dynamic reflection based deepcopy with static DeepCopy+DeepCopyInto methods on API types.
This PR **does not yet** include the code dropping the cloner from the scheme and all the
porting of the calls to scheme.Copy. This will be part of a follow-up "Phase 2" PR.
A couple of the commits will go in first:
- [x] audit: fix deepcopy registration https://github.com/kubernetes/kubernetes/pull/48599
- [x] apimachinery+apiserver: separate test types in their own packages #48601
- [x] client-go: remove TPR example #48604
- [x] apimachinery: remove unneeded GetObjectKind() impls #48608
- [x] sanity check against origin, that OpenShift's types are fine for static deepcopy https://github.com/deads2k/origin/pull/34
TODO **after** review here:
- [x] merge https://github.com/kubernetes/gengo/pull/32 and update vendoring commit
Automatic merge from submit-queue (batch tested with PRs 48333, 48806, 49046)
kubeadm: Split out markmaster to its own phase
**What this PR does / why we need it**:
Splits out related and atomic code into its own phase that can be invokable easily from the CLI.
Makes the code much easier to read by not using recursion and `wait.InfinitePoll` _inside_ of a recursing function, etc.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/53
Part of this more long-term goal: https://github.com/kubernetes/kubeadm/issues/148
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 49019, 48919, 49040, 49018, 48874)
kubeadm: Remove the old KubernetesDir envparam
**What this PR does / why we need it**:
The last piece of https://github.com/kubernetes/kubernetes/issues/48053 for moving the env params into the API, and the KubernetesDir into a constant.
After this pretty mechanical change, we might offer short-hand functions in constants like `GetStaticPodManifestDir()` etc easily in order to centralize the `filepath.Join` logic into one place.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes https://github.com/kubernetes/kubeadm/issues/326
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
cc @kubernetes/sig-cluster-lifecycle-pr-reviews @fabriziopandini
Automatic merge from submit-queue
kubeadm: Remove some old comments
**What this PR does / why we need it**:
Removes old and outdated comments.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@dmmcquay
Automatic merge from submit-queue (batch tested with PRs 48231, 47377, 48797, 49020, 49033)
Migrate kubelet and linked code from clientset_generated to client-go
Ran a script in the kubernetes repo to migrate kubelet and linked code from clientset_generated package imports to client-go imports.
**NOTE:** There are also some manual changes that were made in order to accommodate some
differences between clientset_generated and client-go. The manual changes are isolated into a
single commit titled "Manual changes."
```sh
#! /bin/bash
for file in $(find . \( -name "clientset_generated" -o -name "informers_generated" \) -prune -o -type f -name "*.go"); do
if [[ -d $file ]]; then
continue
fi
if [[ $file == "./cmd/libs/go2idl/informer-gen/main.go" ]]; then
continue
fi
sed -i '
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"|clientset "k8s.io/client-go/kubernetes"|;
# Correct a couple of unique cases.
s|clientset clientset "k8s.io/client-go/kubernetes"|clientset "k8s.io/client-go/kubernetes"|;
s|cs clientset "k8s.io/client-go/kubernetes"|clientset "k8s.io/client-go/kubernetes"|;
s|VersionedClientSetPackage: clientset "k8s.io/client-go/kubernetes"|VersionedClientSetPackage: "k8s.io/client-go/kubernetes"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/certificates/v1beta1"|"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/core/v1"|"k8s.io/client-go/kubernetes/typed/core/v1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/extensions/v1beta1"|"k8s.io/client-go/kubernetes/typed/extensions/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/autoscaling/v1"|"k8s.io/client-go/kubernetes/typed/autoscaling/v1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/authentication/v1"|"k8s.io/client-go/kubernetes/typed/authentication/v1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/authorization/v1beta1"|"k8s.io/client-go/kubernetes/typed/authorization/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/apps/v1beta1"|"k8s.io/client-go/kubernetes/typed/apps/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/rbac/v1beta1"|"k8s.io/client-go/kubernetes/typed/rbac/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/fake"|"k8s.io/client-go/kubernetes/fake"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/core/v1/fake"|"k8s.io/client-go/kubernetes/typed/core/v1/fake"|;
s|k8s.io/kubernetes/pkg/client/clientset_generated/clientset|k8s.io/client-go/kubernetes|;
s|informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions"|"k8s.io/client-go/informers"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/core/v1"|"k8s.io/client-go/informers/core/v1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/apps/v1beta1"|"k8s.io/client-go/informers/apps/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/extensions/v1beta1"|"k8s.io/client-go/informers/extensions/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/batch/v1"|"k8s.io/client-go/informers/batch/v1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/autoscaling/v1"|"k8s.io/client-go/informers/autoscaling/v1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/policy/v1beta1"|"k8s.io/client-go/informers/policy/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/certificates/v1beta1"|"k8s.io/client-go/informers/certificates/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/storage/v1"|"k8s.io/client-go/informers/storage/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/core/v1"|"k8s.io/client-go/listers/core/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/apps/v1beta1"|"k8s.io/client-go/listers/apps/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/listers/extensions/v1beta1"|"k8s.io/client-go/listers/extensions/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/listers/autoscaling/v1"|"k8s.io/client-go/listers/autoscaling/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/batch/v1"|"k8s.io/client-go/listers/batch/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/certificates/v1beta1"|"k8s.io/client-go/listers/certificates/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/listers/storage/v1"|"k8s.io/client-go/listers/storage/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/policy/v1beta1"|"k8s.io/client-go/listers/policy/v1beta1"|;
' $file
done
hack/update-bazel.sh
hack/update-gofmt.sh
```
Automatic merge from submit-queue (batch tested with PRs 49017, 45440, 48384, 45894, 48808)
Make sure that image tags contain only allowed characters.
**What this PR does / why we need it**:
Version strings can contain symbols that are not allowed
as part of image tags. Replace those with underscores.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Part of work related to usage of CI images which has versions like "v1.8.0-alpha.1.910+5ca03d674e1495" but image tags in registry are "v1.8.0-alpha.1.910_5ca03d674e1495"
Attn @luxas
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47309, 47187)
Add IPv6 test cases to kube-proxy server test.
**What this PR does / why we need it**: This change adds some IPv6 test cases for the kube-proxy server. Also adds some test cases for negative conditions for better test coverage.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47313
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 44129, 48030, 48906)
Add default=false to usage of kube-apiserver allow-privileged flag
**What this PR does / why we need it**:
Users will be clear about default value of `allow-privileged` flag.
Automatic merge from submit-queue
remove some people from OWNERS so they don't get reviews anymore
These are googlers who don't work on the project anymore but are still
getting reviews assigned to them:
- @bprashanth
- @rjnagal
- @vmarmol
Automatic merge from submit-queue (batch tested with PRs 48572, 48838, 48931, 48783, 47090)
kubeadm: change the default bootstrap token TTL to 24 hours
**What this PR does / why we need it**:
This PR changes the TTL for the default bootstrap token generated by `kubeadm init` (without the `--token-ttl` parameter) and `kubeadm token create` (without the `--ttl` flag). Previously, the default TTL was infinite. After this change it is 24 hours.
~~The reasoning for 2 hours as a default is that it's 1) long enough that someone manually using kubeadm (copy-pasting) shouldn't have any issues and 2) short enough that if something is going to break, it should break while the user/admin is still paying attention to the cluster. I'm open to bikeshedding about the exact value, 2 hours is a bit of a strawman.~~
**Edit: updated this to 24 hours instead of 2 hours.**
This is a breaking change if you rely on infinite TTL tokens (e.g., if you had an ASG group of worker nodes). The old behavior is easily restored by passing `--token-ttl 0` to `kubeadm init` or the `--ttl 0` flag to `kubeadm token create`.
**Which issue this PR fixes**: fixes https://github.com/kubernetes/kubeadm/issues/343
**Special notes for your reviewer**:
This was discussed earlier today in SIG-cluster-lifecycle
**Release note**:
```release-note
Change the default kubeadm bootstrap token TTL from infinite to 24 hours. This is a breaking change. If you require the old behavior, use `kubeadm init --token-ttl 0` / `kubeadm token create --ttl 0`.
```
cc @jbeda
Automatic merge from submit-queue (batch tested with PRs 48572, 48838, 48931, 48783, 47090)
kubeadm: add a warning about the default token TTL changing in 1.8
**What this PR does / why we need it**:
This adds a warning to `kubeadm init` and `kubeadm token create` if they are run without the `--token-ttl` / `--ttl` flags. In 1.7 and before, the tokens generated by these commands defaulted to an infinite TTL (no expiration) in 1.8, they will generate a token with a 24 hour TTL.
The actual default change is in https://github.com/kubernetes/kubernetes/pull/48783. This change is separate so we can cherry pick the warning into the `release-1.7` branch.
**Which issue this PR fixes**: ref https://github.com/kubernetes/kubeadm/issues/343
**Special notes for your reviewer**:
This change is blocked on https://github.com/kubernetes/kubeadm/issues/343. These warnings should probably be removed in the 1.9 cycle.
**Release note**:
```release-note
Add a runtime warning about the kubeadm default token TTL changes in 1.8.
```
/assign @luxas
This adds a warning to `kubeadm init` and `kubeadm token create` if they are run without the `--token-ttl` / `--ttl` flags. In 1.7 and before, the tokens generated by these commands defaulted to an infinite TTL (no expiration) in 1.8, they will generate a token with a 24 hour TTL.
The actual default change is in https://github.com/kubernetes/kubernetes/pull/48783. This change is separate so we can cherry pick the warning into the release-1.7 branch.
This code was changed in ea196490a0 to validate that `--config` wasn't passed along with other flags. Unfortunately, the implementation was checking `PersistentFlags()`, which was not parsed at the point it was being validated. The result was that `--config` was _always_ rejected, not just when it was specified alongside other flags.
The fix is to use `Flags()` instead, which contains the expected data.
This PR fixes the following issues:
1. Use ResourceStorageScratch instead of ResourceStorage API to represent
local storage capacity
2. In eviction manager, use container manager instead of node provider
(kubelet) to retrieve the node capacity and reserved resources. Node
provider (kubelet) has a feature gate so that storagescratch information
may not be exposed if feature gate is not set. On the other hand,
container manager has all the capacity and allocatable resource
information.
Automatic merge from submit-queue (batch tested with PRs 48781, 48817, 48830, 48829, 48053)
kubeadm: Start to remove old envparams
**What this PR does / why we need it**:
Historically, the envparams feature was used as a way to easily debug `kubeadm` while developing it in the v1.3-v1.4 timeframe. Since then some parameters have been hanging around and not being moved into the API as they should have.
Note: This is a temporary step; moving things into the API. Still, the API is gonna change, this is not the end state. But this is better than keeping the envparams.
I'm gonna deal with `KubernetesDir` in the next PR.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: kubernetes/kubeadm#326
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@timothysc @pipejakob
Automatic merge from submit-queue
Add node-name flag to `init` phase
**What this PR does / why we need it**: Allow to specify a node-name instead of relaying in `os.Hostname()`
This is useful where kubelet use the name given by the cloud-provider to
register the node.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: Partially fix: kubernetes/kubeadm#64
**Release note**:
```release-note
Added new flag to `kubeadm init`: --node-name, that lets you specify the name of the Node object that will be created
```
Automatic merge from submit-queue
kubeadm: begin polling for bootstrap cluster info immediately
**What this PR does / why we need it**:
This PR changes the behavior of the `kubeadm` loop that polls the API server waiting for discovery information (`cluster-info`). The previous (inadvertent?) behavior was to sleep for `constants.DiscoveryRetryInterval` (5 seconds) before the first request ([`PollInfinite`](https://godoc.org/k8s.io/apimachinery/pkg/util/wait#PollInfinite) vs. [`PollImmediateInfinite`](https://godoc.org/k8s.io/apimachinery/pkg/util/wait#PollImmediateInfinite)).
After this change, `kubeadm` begins does the first check immediately before it moves into the slower polling mode. This takes around 5 seconds off the average time for a new node to join.
#### Before (~5.5s)
```
root@worker:~# time kubeadm join --token abc.123 192.168.42.10:6443
[...]
real 0m5.523s
user 0m0.112s
sys 0m0.124s
```
#### After (~0.5s)
```
root@worker:~# time kubeadm join --token abc.123 192.168.42.10:6443
[...]
real 0m0.587s
user 0m0.092s
sys 0m0.132s
```
**Which issue this PR fixes**:
**Special notes for your reviewer**:
This is my first Kubernetes PR, so please let me know if it's formatted correctly.
**Release note**:
```release-note
NONE
```
Allow to specify a node-name instead of relaying in `os.Hostname()`
This is useful where kubelet use the name given by the cloud-provider to
register the node.
Partially fix: kubernetes/kubeadm#64
Automatic merge from submit-queue
kube-apiserver: tests for aggregation and CRDs via delegation
In our integration tests we do not use the real kube-apiserver setup code, but mock our own. Here I use the actual `cmd/kube-apiserver/app.Run()` func with an testing etcd server. This can test the whole delegation chain of aggregator, apiextensions and kube-apiserver.
Automatic merge from submit-queue (batch tested with PRs 47232, 48625, 48613, 48567, 39173)
Include leaderelection in client-go;
Fix#39117
Fix https://github.com/kubernetes/client-go/issues/28
This PR:
* includes the leaderelection to the staging client-go
* to avoid conflict with golang's testing package, renames package /testing to /testutil, and renames cache/testing to cache/testframework
```release-note
client-go now includes the leaderelection package
```
Automatic merge from submit-queue (batch tested with PRs 47232, 48625, 48613, 48567, 39173)
Make kube-proxy's MetricsBindAddress configurable via flag
**What this PR does / why we need it**: From #48600, `MetricsBindAddress` used to be configurable through flag (coupled with `HealthzBindAddress`). But this functionality went away after #44968 separated healthz server from metrics server. This PR adds that functionality back.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
**Special notes for your reviewer**:
/assign @ncdc
cc @bowei @r0bj
**Release note**:
```release-note
none
```
Automatic merge from submit-queue
Removed mesos as cloud provider from Kubernetes.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47205
**Special notes for your reviewer**:
**Release note**:
```release-note
Move Mesos Cloud Provider out of Kubernetes Repo
```
Automatic merge from submit-queue (batch tested with PRs 48196, 42783, 48507, 47719, 46138)
kubeadm: Allows to use versions like 1.6.4 instead v1.6.4
**What this PR does / why we need it**:
As part of issue kubernetes/kubeadm#292 discussion, it
turned out that for users it is not always obvious that
version specification parameter must be in form "vX.Y.Z".
This patch allows to specify it in form "X.Y.Z" and
converts it internally to normal semantic version which
expected in the rest of the code.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
- kubeadm now can accept versions like "1.6.4" where previously it strictly required "v1.6.4"
```
Automatic merge from submit-queue (batch tested with PRs 48196, 42783, 48507, 47719, 46138)
add extra args validate
`ExtraArgsCheck` return warnings not errors. because kubeadm may create the newer version control plane, there are new arguments that kubeadm doesn't know.
Automatic merge from submit-queue
kubeadm: Implementing the certificates phase fully
**What this PR does / why we need it:**
This contains implementation of certs phases in kubeadm, which is part of the wider effort of implementing phases in kubeadm, previously in alpha stage.
The original proposal for this activity can be found [here](https://github.com/kubernetes/kubeadm/pull/156/files) and related comments.
Kubeadm phase implementation checklist is defined [here](https://github.com/kubernetes/kubeadm/issues/267)
Common implementation guidelines and principles for all phases are defined [here](https://docs.google.com/document/d/1VQMyFIVMfRGQPP3oCUpfjiWtOr3pLxp4g7cP-hXQFXc/edit?usp=sharing)
This PR implements:
- [x] kubeadm phase certs
- [x] kubeadm phase certs all
- [x] kubeadm phase certs ca
- [x] kubeadm phase certs apiserver
- [x] kubeadm phase certs apiserver-kubelet-client
- [x] kubeadm phase certs sa
- [x] kubeadm phase certs front-proxy-ca
- [x] kubeadm phase certs front-proxy-client
**Which issue this PR fixes:**
none
**Special notes for your reviewer:**
This PR resubmits the work of #45617, and already includes @luxas reviews.
Please note that:
- the API - phase\certs.go - is now totally free by any UX concerns, and implements only the core logic for cert generation.
- the UX - cmd\phase\certs.go - now takes charge of UX commands and kubeadm own's rules for placing certs in the certificate dir (e.g. create only if exists)
Automatic merge from submit-queue
controller-manager: fix horizontal-pod-autoscaler-use-rest-clients fl…
…ag help info
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48497, 48604, 48599, 48560, 48546)
remove dead code
This removes the dead code cruft since we stopped serving TPRs.
ref #48152
Automatic merge from submit-queue (batch tested with PRs 48374, 48524, 48519, 42548, 48615)
Kubelet run() should accept partial KubeletDeps
This is used by integrators that want to perform partial overrides of
key interfaces. Refactors the run() method to fit the existing style and
preserve the existing behavior, but allow (for instance) client
bootstrap and cert refresh even when some dependencies are injected.
@derekwaynecarr hit while reviewing client bootstrap code
Automatic merge from submit-queue (batch tested with PRs 48518, 48525, 48269)
Move the kubelet certificate management code into a single package
Code is very similar and belongs together. Will allow future cert callers to potentially make this more generic, as well as to make it easier reuse code elsewhere.
Automatic merge from submit-queue (batch tested with PRs 47435, 46044)
kubeadm: Make self-hosting work and split it out to a phase
**What this PR does / why we need it**:
- Removes the old self-hosting code
- Puts the new self-hosting code in `phases/selfhosting`
- The new code reads manifests from disk (static pods)...
- ...mutates the PodSpec as necessary...
- ...and posts the DaemonSet to the API Server...
- ...and waits for it to come up
- Uses DaemonSets for all control plane components
- Creates a `kubeadm alpha phase selfhosting` command that can be invoked against any kubeadm-cluster after install.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/127
(large part of at least)
**Special notes for your reviewer**:
Please only review the fourth commit, based on https://github.com/kubernetes/kubernetes/pull/47345
**Release note**:
```release-note
kubeadm: Make self-hosting work by using DaemonSets and split it out to a phase that can be invoked via the CLI
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @jbeda
This is used by integrators that want to perform partial overrides of
key interfaces. Refactors the run() method to fit the existing style and
preserve the existing behavior, but allow (for instance) client
bootstrap and cert refresh even when some dependencies are injected.
Automatic merge from submit-queue
Add node-name flag to `join` phase
**What this PR does / why we need it**: Allow to specify a node-name instead of relaying in `os.Hostname()`
This is useful where kubelet use the name given by the cloud-provider to
register the node.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: partially fixeskubernetes/kubeadm#64
**Special notes for your reviewer**:
**Release note**:
```release-note
Added new flag to `kubeadm join`: --node-name, that lets you specify the name of the Node object that's gonna be created
```
Allow to specify a node-name instead of relaying in `os.Hostname()`
This is useful where kubelet use the name given by the cloud-provider to
register the node.
Partially fix: kubernetes/kubeadm#64
As part of issue kubernetes/kubeadm#292 discussion, it
turned out that for users it is not always obvious that
version specification parameter must be in form "vX.Y.Z".
This patch allows to specify it in form "X.Y.Z" and
converts it internally to normal semantic version which
expected in the rest of the code.
Automatic merge from submit-queue (batch tested with PRs 48480, 48353)
remove tpr api access
xref https://github.com/kubernetes/kubernetes/issues/48152
TPR tentacles go pretty deep. This gets us started by removing API access and we'll move down from there.
@kubernetes/sig-api-machinery-misc
@ironcladlou this should free up the GC implementation since TPRs will no longer be present and failing.
```release-note
Removing TPR api access per https://github.com/kubernetes/kubernetes/issues/48152
```
Automatic merge from submit-queue (batch tested with PRs 48473, 48341)
remove redundant alias
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
remove redundant alias
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46928, 47345)
kubeadm: Move directory ./master to ./phases/controlplane
**What this PR does / why we need it**:
- Moves app/master into phases/controlplane. It should be in the phases directory, was just overlooked earlier
- Harmonizes the import names in phases/controlplane with the similar import names in cmd/kubeadm
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Please review only second and third commit, based on https://github.com/kubernetes/kubernetes/pull/47339
Targets v1.8
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc @pipejakob
Automatic merge from submit-queue
Add timothysc to kubeadm reviewers
**What this PR does / why we need it**:
Adds timothysc to kubeadm reviewers b/c I'm working on it this cycle.
**Release note**:
```
NONE
```
Automatic merge from submit-queue
Remove old node role label that is not used by kubeadm
**What this PR does / why we need it**:
This label hasn't been used by kubeadm since v1.5.
v1.5 support was dropped when v1.6 arrived due to a potential security flaw and the earlier alpha status.
So this label hasn't been used for around three months.
It makes sense to remove it in time for v1.8, could already have been done for v1.7
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 48264, 48324, 48125, 47944, 47489)
remove unneeded variable
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
**What this PR does / why we need it**:
small fix, remove unneeded variable
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
kubeadm: If `--config` is set, don't allow any other option as it won't have effect
If use config in kubeadm init, cann't get other values from other arguments.
`kubeadm init --config=../kubeadm.config --token 447ad3.96cda76e3206fca0 --apiserver-bind-port 6445`
So I think we need to allow get values from command and is prior than cofig file.
Automatic merge from submit-queue (batch tested with PRs 48295, 48298, 47339, 44910, 48037)
kubeadm: Remove v1.6 version gates, cleanup unused code, etc.
**What this PR does / why we need it**:
- Removes v1.6 version gates and requires a control plane version of v1.7.0 and above
- Removes unused/unnecessary functions that got freed up as a consequence of that
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: kubernetes/kubeadm#327
**Special notes for your reviewer**:
This PR targets v1.8, can be merged first when the code freeze is lifted
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc @mikedanese @pipejakob
Automatic merge from submit-queue
Fix kube-proxy panic when running with "--cleanup-iptables=true"
**What this PR does / why we need it**:
Save the `--cleanup-iptables` config for new ProxyServer when it's true.
Also check if Broadcaster and EventClient are nil to avoid other potential panic.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48177
**Special notes for your reviewer**:
/cc @ncdc @irake99
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
kubeadm: Start using Tolerations in yaml code again and unit-test
**What this PR does / why we need it**:
- Earlier there was a problem with decoding Tolerations from yaml. Seems to be fixed now.
- Added an unit test to catch such a failure if that regression ever happens again
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Targets v1.8
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc
Automatic merge from submit-queue
kubeadm: Expose only the cluster-info ConfigMap in the kube-public ns
**What this PR does / why we need it**:
Noticed a bug; we should only expose the `cluster-info` ConfigMap.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/320
**Special notes for your reviewer**:
Cherrypick-candidate for v1.8 cc @dchen1107
Not blocking the release though...
**Release note**:
```release-note
NONE
```
@jbeda @pipejakob @timothysc @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue
Use endpoints informer for the endpoint controller
This substantially reduces the number of API calls made by the endpoint
controller. Currently the controller makes an API call per endpoint for
each service that is synced. When the 30s resync is triggered, this
results in an API call for every single endpoint in the cluster. This
quickly exceeds the default qps/burst limit of 20/30 even in small
clusters, leading to delays in endpoint updates.
This change modifies the controller to use the endpoint informer cache
for all endpoint GETs. This means we only make API calls for changes in
endpoints. As a result, qps only depends on the pod activity in the
cluster, rather than the number of services.
**What this PR does / why we need it**:
Address endpoint update delays as described in https://github.com/kubernetes/kubernetes/issues/47597.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
https://github.com/kubernetes/kubernetes/issues/47597
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
kubeadm: Make kube-proxy RollingUpgradeable
**What this PR does / why we need it**:
Sets the right updateStrategy for kube-proxy.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/319
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@pipejakob @timothysc @kubernetes/sig-cluster-lifecycle-pr-reviews
This substantially reduces the number of API calls made by the endpoint
controller. Currently the controller makes an API call per endpoint for
each service that is synced. When the 30s resync is triggered, this
results in an API call for every single endpoint in the cluster. This
quickly exceeds the default qps/burst limit of 20/30 even in small
clusters, leading to delays in endpoint updates.
This change modifies the controller to use the endpoint informer cache
for all endpoint GETs. This means we only make API calls for changes in
endpoints. As a result, qps only depends on the pod activity in the
cluster, rather than the number of services.
Automatic merge from submit-queue (batch tested with PRs 48012, 47443, 47702, 47178)
incluster config will be used when creating external shared informers.
**What this PR does / why we need it**:
Previously the loopback configuration was used to talk to the server.
As a consequence a custom API server was unable to talk to the root API server.
This PR changes the above by using incluster configuration to create shared informers.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48074, 47971, 48044, 47514, 47647)
Move LoadPodFromFile to volume utils
SavePodToFile is not used anywhere and LoadPodFromFile is used only by PV
recycler.
Fix#16970
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47961, 46276)
Remove duplicate error message output in hyperkube.
**What this PR does / why we need it**:
Currently hyperkube binary will always print duplicate messages if fatal error occurs:
```
$ ./kubelet # run without permission
I0523 08:38:02.642638 25701 feature_gate.go:144] feature gates: map[]
W0523 08:38:02.642827 25701 server.go:472] No API client: no api servers specified
Error: failed to run Kubelet: error reading /var/run/kubernetes/kubelet.key, certificate and key must be supplied as a pair
Error: failed to run Kubelet: error reading /var/run/kubernetes/kubelet.key, certificate and key must be supplied as a pair
```
This is due to RunToExit will print out the error which Run has just printed. https://github.com/kubernetes/kubernetes/blob/8bee44b/cmd/hyperkube/hyperkube.go#L178-L189
This was introduced in following commit for adding GOMAXPROCS calls.
1e679f0069
The following commit removes GOMAXPROCS calls, but did not remove the corresponding error output line.
88ea80b572
**Which issue this PR fixes**
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue
kubeadm: Remove the validate phase as it's not needed
**What this PR does / why we need it**:
This validation code was added in v1.4 as a way to remove flakiness between deploying the control plane in Static Pods and deploying kube-discovery as a Deployment.
That isn't the case anymore and we're not experiencing such flakiness, as we're using other methods like checking `/healthz` to determine a healthy control plane before proceeding.
https://github.com/kubernetes/kubernetes/pull/43881 removed this logic from `kubeadm init` to having it as a phase. But that phase isn't needed or used in any way, so now I'm removing it here.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Targets v1.8
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc @mikedanese
Automatic merge from submit-queue (batch tested with PRs 47694, 47772, 47783, 47803, 47673)
Add "alpha phase preflight" command
**What this PR does / why we need it:**
Adds "alpha phase preflight" command to kubeadm in order to run pre-flight checks independently of init phase.
**Which issue this PR fixes:** fixeskubernetes/kubeadm#314
/cc @luxas
Automatic merge from submit-queue (batch tested with PRs 47694, 47772, 47783, 47803, 47673)
Make different container runtimes constant
Make different container runtimes constant to avoid hardcode
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47915, 47856, 44086, 47575, 47475)
kubelet should resume csr bootstrap
Right now the kubelet creates a new csr object with the same key every
time it restarts during the bootstrap process. It should resume with the
old csr object if it exists. To do this the name of the csr object must
be stable.
Issue https://github.com/kubernetes/kubernetes/issues/47855
Automatic merge from submit-queue (batch tested with PRs 47922, 47195, 47241, 47095, 47401)
Run cAdvisor on the same interface as kubelet
**What this PR does / why we need it**:
cAdvisor currently binds to all interfaces. Currently the only
solution is to use iptables to block access to the port. We
are better off making cAdvisor to bind to the interface that
kubelet uses for better security.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#11710
**Special notes for your reviewer**:
**Release note**:
```release-note
cAdvisor binds only to the interface that kubelet is running on instead of all interfaces.
```
Right now the kubelet creates a new csr object with the same key every
time it restarts during the bootstrap process. It should resume with the
old csr object if it exists. To do this the name of the csr object must
be stable. Also using a list watch here eliminates a race condition
where a watch event is missed and the kubelet stalls.
Automatic merge from submit-queue
Update addons with upstream CVE fixes
**What this PR does / why we need it**: refreshes the kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for the following vulnerabilities:
* CVE-2016-4448
* CVE-2016-9841
* CVE-2016-9843
* CVE-2017-1000366
* CVE-2017-2616
* CVE-2017-9526
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47386 (yay!)
**Special notes for your reviewer**:
**Release note**:
```release-note
Update kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for CVE-2016-4448, CVE-2016-9841, CVE-2016-9843, CVE-2017-1000366, CVE-2017-2616, and CVE-2017-9526.
```
/assign @bowei @MrHohn @Q-Lee @crassirostris @dnardo
/cc @dchen1107 @timstclair
Automatic merge from submit-queue (batch tested with PRs 47878, 47503, 47857)
restore working aggregator and avoid duplicate informers
Fixes https://github.com/kubernetes/kubernetes/issues/47866
This runs the informer all the way through and makes sure its started.
@lavalamp ptal
@kubernetes/sig-api-machinery-bugs
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
bump the gke-cert-controller wokers to match it's qps
This increases Issuance per second from 2.5 csrs to 5 csrs which is the theoretical limit with the current client side rate limiting.
Issue https://github.com/kubernetes/kubernetes/issues/47855
Automatic merge from submit-queue
Separate serviceaccount and secret storage config
Fixes#47815, and is required in order to enable the secret encryption feature with a recommended configuration
This passes distinct storage options for serviceaccounts and secrets, since secrets can now have an encrypting transformer associated with them
Automatic merge from submit-queue
kubeadm: Use the v1.7 branch by default
**What this PR does / why we need it**:
Makes kubeadm use the v1.7 branch instead of v1.6
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
This should be merged right before the rc.0 is cut I guess
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 47726, 47693, 46909, 46812)
Plumb service resolver into webhook AC
This is the last piece of plumbing needed for https://github.com/kubernetes/features/issues/209
Automatic merge from submit-queue (batch tested with PRs 47669, 40284, 47356, 47458, 47701)
Serialized protobuf should have stable map order
Leverage `stable_marshaller_all` tag in gogo-protobuf to ensure all of our maps have stable ordering when serialized to protobuf. This preserves the behavior from JSON that we rely on to avoid writing to etcd except when the content has changed.
Will slightly increase allocations (1 slice per non-empty map in an object) during Encode, which has a minor impact on CPU. However, avoiding writes when a client issues a blind put results in significantly less CPU across the whole cluster (avoiding a new etcd version for an Endpoints object might save ~1 core/sec on large clusters).
Fixes#47678
```release-note
The protobuf serialization of API objects has been updated to store maps in a predictable order to ensure that the representation of that object does not change when saved into etcd. This prevents the same object from being seen as being modified, even when no values have changed.
```
Automatic merge from submit-queue (batch tested with PRs 47669, 40284, 47356, 47458, 47701)
Mark Static pods on the Master as critical
fixes#47277.
A known issue with static pods is that they do not interact well with evictions. If a static pod is evicted or oom killed, then it will never be recreated. To mitigate this, we do not evict static pods that are critical. In addition, non-critical pods are candidates for preemption if a critical pod is scheduled to the node. If there are not enough allocatable resources on the node, this causes the static pod to be preempted.
This PR marks all static pods in the kube-system namspace as critical.
cc @vishh @dchen1107
Automatic merge from submit-queue (batch tested with PRs 46327, 47166)
Fixed typo in comments.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # N/A
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46327, 47166)
mark --network-plugin-dir deprecated for kubelet
**What this PR does / why we need it**:
**Which issue this PR fixes** : fixes#43967
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
The default marshalers from gogo-protobuf do not order keys, which means
successive serializations of the same data would result in same bytes.
Kubernetes leverages stable serialization to avoid excessive writes to
etcd when body content has not changed, which reduces the amount of
watch traffic generated by successive callers.
This will have a small memory impact on objects which have maps -
allocating a new string array for each map key. All maps must be keys
because we serialize those to JSON, so non-string types are not
relevant.
Automatic merge from submit-queue (batch tested with PRs 38751, 44282, 46382, 47603, 47606)
Add files specified in the kube config as a potential source of cert/…
Fixes#47208
Add files specified in the kube config as a potential source of cert/key data.
Without this change, the kubelet won't use certificates that are specified using file paths in the kubeconfig file. This specifically affects GCE clusters started with kube-up.sh with the RotateKubelet*Certificate feature gate flags enabled, but may affect other configurations.
This change only affects feature gated alpha code.
Internal attach/detach controller timers should be configurable and tests
should use much shorter values.
reconcilerSyncDuration is deliberately left out of TimerConfig because it's
the only one that's not a constant one, it's configurable by user.
Automatic merge from submit-queue (batch tested with PRs 47451, 47410, 47598, 47616, 47473)
kubeadm: Fix kube-proxy regression caused by #46372
**What this PR does / why we need it**:
Fixes: https://github.com/kubernetes/kubeadm/issues/306
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Required for kubeadm v1.7 to work
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @cmluciano
Automatic merge from submit-queue (batch tested with PRs 47523, 47438, 47550, 47450, 47612)
kubeadm: Fix subtle versioning ordering issue with v1.8.0-alpha.0
**What this PR does / why we need it**:
`--kubernetes-version latest` is broken since it evals to `v1.8.0-alpha.0` which actually is `v1.7.0-beta.0`, so kubeadm enables features that don't exist
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
separate group and version priority
Fixes https://github.com/kubernetes/kubernetes/issues/46322
This just modifies the API and does the minimal plumbing. I can extend this pull or do another to fix the priority problem.
It was discussed and agreed by sig-storage that
this flag causes unnecessary confusion and is hard to keep
synchornized with controller's attach/detach functionality.
Automatic merge from submit-queue (batch tested with PRs 47084, 46016, 46372)
Enable iptables -w in kubeadm selfhosted
Currently containerized kube-proxy cannot support iptables -w
unless the xtables.lock is mounted.
Related: #46103
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
**Special notes for your reviewer**:
- I need to figure out how to do some pre-setup to touch the file if it does not exist.
**Release note**:
```
support iptables -w in kubeadm containerized kube-proxy
```
Currently containerized kube-proxy cannot support iptables -w
unless the xtables.lock is mounted.
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
Automatic merge from submit-queue
fix#46039: iptables proxier need use '--bind-address' if set
**What this PR does / why we need it**:
iptables proxier need use '--bind-address' if set
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#46039
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
bazel: stamp multiple packages by using x_defs instead of linkstamp in go_binary rules
**What this PR does / why we need it**: Fixes regression introduced sometime in the last few months that prevented bazel-built clusters from identifying version properly.
It does so by updating the bazelbuild/rules_go and kubernetes/repo-infra dependencies to support using stamp values in `go_binary` `x_defs`, and then changing our `go_binary` rules to use `x_defs` instead of `linkstamp`.
This whole charade is necessary because we need to stamp version information in multiple packages.
This pretty much only affects the bazel build, so it should be low risk.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#45298
**Special notes for your reviewer**: depends on https://github.com/kubernetes/repo-infra/pull/18; should not be merged before it.
**Release note**:
```release-note
NONE
```
/assign @spxtr @mikedanese
Jordan Liggitt