The zone parameter provided in a Storage Class may erroneously be an empty string or contain only spaces and tab characters. Such situation shall be detected and reported as an error.
That's why the func ValidateZone was added.
An admin shall be able to configure a comma separated list of zones for a StorageClass.
That's why the func ZonesToSet (string) (set.String, error) is added. The func ZonesToSet converts a string containing a comma separated list of zones to a set. In case the list contains an empty zone an error is returned.
Automatic merge from submit-queue (batch tested with PRs 45891, 46147)
Watching ClusterId from within GCE cloud provider
**What this PR does / why we need it**:
Adds the ability for the GCE cloud provider to watch a config map for `clusterId` and `providerId`.
WIP - still needs more testing
cc @MrHohn @csbell @madhusudancs @thockin @bowei @nikhiljindal
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45891, 46147)
fix typo
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 45514, 45635)
refactor certificate controller to break it into two parts
Break pkg/controller/certificates into:
* pkg/controller/certificates/approver: containing the group approver
* pkg/controller/certificates/signer: containing the local signer
* pkg/controller/certificates: containing shared infrastructure
```release-note
Break the 'certificatesigningrequests' controller into a 'csrapprover' controller and 'csrsigner' controller.
```
GenericPLEG's 1s relist() loop races against pod network setup. It
may be called after the infra container has started but before
network setup is done, since PLEG and the runtime's SyncPod() run
in different goroutines.
Track network setup status and don't bother trying to read the pod's
IP address if networking is not yet ready.
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1434950
Mar 22 12:18:17 ip-172-31-43-89 atomic-openshift-node: E0322
12:18:17.651013 25624 docker_manager.go:378] NetworkPlugin
cni failed on the status hook for pod 'pausepods22' - Unexpected
command output Device "eth0" does not exist.
Runtimes should never return "" and nil errors, since network plugin
drivers need to treat netns differently in different cases. So return
errors when we can't get the netns, and fix up the plugins to do the
right thing.
Namely, we don't need a NetNS on pod network teardown. We do need
a netns for pod Status checks and for network setup.
This reverts commit fee4c9a7d9.
This is not the correct fix for the problem; and it causes other problems
like continuous:
docker_sandbox.go:234] NetworkPlugin cni failed on the status hook for pod
"someotherdc-1-deploy_default": Unexpected command output nsenter: cannot
open : No such file or directory with error: exit status 1
Because GetNetNS() is returning an empty network namespace. That is
not helpful nor should really be allowed; that's what the error return
from GetNetNS() is for.
Automatic merge from submit-queue (batch tested with PRs 42042, 46139, 46126, 46258, 46312)
Remove kubectl's dependence on pkg/api/helper
**What this PR does / why we need it**:
Remove kubectl's dependence on pkg/api/helper, as part of
broader effort to isolate kubectl from the rest of k8s.
In this case, the code becomes private to kubectl; nobody else uses it.
**Which issue this PR fixes**
Part of a series of PRs to address kubernetes/community#598
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42042, 46139, 46126, 46258, 46312)
[Federation] Use service accounts instead of the user's credentials when accessing joined clusters' API servers.
Fixes#41267.
Release notes:
```release-note
Modifies kubefed to create and the federation controller manager to use credentials associated with a service account rather than the user's credentials.
```
Automatic merge from submit-queue
Fix some typo of comment in kubelet.go
**What this PR does / why we need it**:
The PR is to fix some typo in kubelet.go
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
N/A
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
remove init blocks from all admission plugins
**What this PR does / why we need it**:
removes init blocks from all admission plugins
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46149, 45897, 46293, 46296, 46194)
GC: update required verbs for deletable resources, allow list of ignored resources to be customized
The garbage collector controller currently needs to list, watch, get,
patch, update, and delete resources. Update the criteria for
deletable resources to reflect this.
Also allow the list of resources the garbage collector controller should
ignore to be customizable, so downstream integrators can add their own
resources to the list, if necessary.
cc @caesarxuchao @deads2k @smarterclayton @mfojtik @liggitt @sttts @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue
Double `StopContainer` request timeout.
Doubled `StopContainer` request timeout to leave some time for `SIGKILL` container.
@yujuhong @feiskyer
Automatic merge from submit-queue (batch tested with PRs 45587, 46286)
fix typo in kubelet
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45587, 46286)
PDB Max Unavailable Field
Completes https://github.com/kubernetes/features/issues/285
```release-note
Adds a MaxUnavailable field to PodDisruptionBudget
```
Individual commits are self-contained; Last commit can be ignored because it is autogenerated code.
cc @kubernetes/sig-apps-api-reviews @kubernetes/sig-apps-pr-reviews
Allow the list of resources the garbage collector controller should
ignore to be customizable, so downstream integrators can add their own
resources to the list, if necessary.
Automatic merge from submit-queue
Add `auto_unmount` mount option for glusterfs fuse mount.
libfuse has an auto_unmount option which, if enabled, ensures that
the file system is unmounted at FUSE server termination by running a
separate monitor process that performs the unmount when that occurs.
(This feature would probably better be called "robust auto-unmount",
as FUSE servers usually do try to unmount their file systems upon
termination, it's just this mechanism is not crash resilient.)
This change implements that option and behavior for glusterfs.
This option will be only supported for clients with version >3.11.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Automatic merge from submit-queue
vSphere storage policy support for dynamic volume provisioning
Till now, vSphere cloud provider provides support to configure persistent volume with VSAN storage capabilities - kubernetes#42974. Right now this only works with VSAN.
Also there might be other use cases:
- The user might need a way to configure a policy on other datastores like VMFS, NFS etc.
- Use Storage IO control, VMCrypt policies for a persistent disk.
We can achieve about 2 use cases by using existing storage policies which are already created on vCenter using the Storage Policy Based Management service. The user will specify the SPBM policy ID as part of dynamic provisioning
- resultant persistent volume will have the policy configured with it.
- The persistent volume will be created on the compatible datastore that satisfies the storage policy requirements.
- If there are multiple compatible datastores, the datastore with the max free space would be chosen by default.
- If the user specifies the datastore along with the storage policy ID, the volume will created on this datastore if its compatible. In case if the user specified datastore is incompatible, it would error out the reasons for incompatibility to the user.
- Also, the user will be able to see the associations of persistent volume object with the policy on the vCenter once the volume is attached to the node.
For instance in the below example, the volume will created on a compatible datastore with max free space that satisfies the "Gold" storage policy requirements.
```
kind: StorageClass
apiVersion: storage.k8s.io/v1beta1
metadata:
name: fast
provisioner: kubernetes.io/vsphere-volume
parameters:
diskformat: zeroedthick
storagepolicyName: Gold
```
For instance in the below example, the vSphere CP checks if "VSANDatastore" is compatible with "Gold" storage policy requirements. If yes, volume will be provisioned on "VSANDatastore" else it will error that "VSANDatastore" is not compatible with the exact reason for failure.
```
kind: StorageClass
apiVersion: storage.k8s.io/v1beta1
metadata:
name: fast
provisioner: kubernetes.io/vsphere-volume
parameters:
diskformat: zeroedthick
storagepolicyName: Gold
datastore: VSANDatastore
```
As a part of this change, 4 commits have been added to this PR.
1. Vendor changes for vmware/govmomi
2. Changes to the VsphereVirtualDiskVolumeSource in the Kubernetes API. Added 2 additional fields StoragePolicyName, StoragePolicyID
3. Swagger and Open spec API changes.
4. vSphere Cloud Provider changes to implement the storage policy support.
**Release note**:
```release-note
vSphere cloud provider: vSphere Storage policy Support for dynamic volume provisioning
```
Automatic merge from submit-queue (batch tested with PRs 46201, 45952, 45427, 46247, 46062)
kubectl: fix deprecation warning bug
**What this PR does / why we need it**:
Some kubectl commands were deprecated but would fail to print the
correct warning message when a flag was given before the command name.
# Correctly prints the warning that "resize" is deprecated and
# "scale" is now preferred.
kubectl resize [...]
# Should print the same warning but no warning is printed.
kubectl --v=1 resize [...]
This was due to a fragile check on os.Args[1].
This commit implements a new function deprecatedCmd() that is used to
construct new "passthrough" commands which are marked as deprecated and
hidden.
Note that there is an existing "filters" system that may be preferable
to the system created in this commit. I'm not sure why the "filters"
array was not used for all deprecated commands in the first place.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46201, 45952, 45427, 46247, 46062)
Use shared informers in gc controller if possible
Modify the garbage collector controller to try to use shared informers for resources, if possible, to reduce the number of unique reflectors listing and watching the same thing.
cc @kubernetes/sig-api-machinery-pr-reviews @caesarxuchao @deads2k @liggitt @sttts @smarterclayton @timothysc @soltysh @kargakis @kubernetes/rh-cluster-infra @derekwaynecarr @wojtek-t @gmarek
Automatic merge from submit-queue (batch tested with PRs 46022, 46055, 45308, 46209, 43590)
Eviction does not evict unless the previous pod has been cleaned up
Addresses #43166
This PR makes two main changes:
First, it makes the eviction loop re-trigger immediately if there may still be pressure. This way, if we already waited 10 seconds to delete a pod, we dont need to wait another 10 seconds for the next synchronize call.
Second, it waits for the pod to be cleaned up (including volumes, cgroups, etc), before moving on to the next synchronize call. It has a timeout for this operation currently set to 30 seconds.
Automatic merge from submit-queue (batch tested with PRs 46022, 46055, 45308, 46209, 43590)
Remove Save() from iptables interface
This is what @thockin requested in one of the reviews.
Automatic merge from submit-queue (batch tested with PRs 46022, 46055, 45308, 46209, 43590)
More cli sanity verifications
Adds some more `kubectl` command sanity checks to improve consistency and avoid the need of code reviews for some of our CLI style and standards.
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cli-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 38990, 45781, 46225, 44899, 43663)
Fix command exec -- COMMAND can not contain spaces
Fixes https://github.com/kubernetes/kubernetes/issues/7688
the problem is when you execute command:
`cluster/kubectl.sh exec -p client-blue-8yw37 -c client -i -t -- 'ls -t /usr'`
the args is
[`client-blue-8yw37` , `ls -t /usr`]
**instead of**
[`client-blue-8yw37`, `ls`, `-t`, `/usr`]
@kubernetes/sig-cli-pr-reviews, so I add a warning, wdyt ?
cc @ymqytw @adohe @fabianofranz
Automatic merge from submit-queue (batch tested with PRs 38990, 45781, 46225, 44899, 43663)
Support parallel scaling on StatefulSets
Fixes#41255
```release-note
StatefulSets now include an alpha scaling feature accessible by setting the `spec.podManagementPolicy` field to `Parallel`. The controller will not wait for pods to be ready before adding the other pods, and will replace deleted pods as needed. Since parallel scaling creates pods out of order, you cannot depend on predictable membership changes within your set.
```
Automatic merge from submit-queue (batch tested with PRs 38990, 45781, 46225, 44899, 43663)
kubectl: fixes issues #45736 and #45737
**What this PR does / why we need it**:
This PR improves the help displayed by the `kubectl proxy` command.
**Which issue this PR fixes**:
fixes#45736, fixes#45737
**Special notes for your reviewer**:
NONE
**Release note**:
NONE
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 38990, 45781, 46225, 44899, 43663)
migrate set generation to go_genrule
Depends on https://github.com/kubernetes/release/pull/238
Automatic merge from submit-queue
Fix kubelet event recording
**What this PR does / why we need it**:
There are numerous areas where the kubelet was not properly recording events due to an incorrect type.
To keep this small, I updated all references to `RefManager` that result in throwing an event to ensure it does a conversion.
**Which issue this PR fixes**
Fixes https://github.com/kubernetes/kubernetes/issues/46241Fixes#44348Fixes#44652
**Special notes for your reviewer**:
I updated all references I could find to the existing RefManager in kubelet.
**Release note**:
```release-note
fix kubelet event recording for selected events.
```
Automatic merge from submit-queue
LocalStorage api
**What this PR does / why we need it**:
API changes to support persistent local volumes, as described [here](https://github.com/kubernetes/community/pull/306)
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Part of #43640
**Special notes for your reviewer**:
There were a few items I was concerned about. Will add review comments in those places.
**Release note**:
NONE
Note will be added in subsequent PR with the volume plugin changes
Automatic merge from submit-queue
Moved qos to api.helpers.
**What this PR does / why we need it**:
The `GetPodQoS` is also used by other components, e.g. kube-scheduler and it's not bound to kubelet; moved it to api helpers so client-go.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #N/A
**Release note**:
```release-note-none
```
Created OWNERS_ALIASES called sig-apps-reviewers from the union of reviewers in:
pkg/controller/{cronjob,deployment,daemon,job,replicaset,statefulset}/OWNERS
except removed inactive user bprashanth
Created OWNERS_ALIASES called sig-apps-api-reviewers as the intersection
of sig-apps-reviewers and the approvers from pkg/api/OWNERS.
Used those OWNERS_ALIASES as the reviewers/approvers for the disruption controller,
and API.
libfuse has an auto_unmount option which, if enabled, ensures that
the file system is unmounted at FUSE server termination by running a
separate monitor process that performs the unmount when that occurs.
(This feature would probably better be called "robust auto-unmount",
as FUSE servers usually do try to unmount their file systems upon
termination, it's just this mechanism is not crash resilient.)
This change implements that option and behavior for glusterfs.
This option will be only supported for clients with version >3.11.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Automatic merge from submit-queue (batch tested with PRs 46164, 45471, 46037)
NS controller: don't stop deleting GVRs on error
**What this PR does / why we need it**:
If the namespace controller encounters an error trying to delete a
single GroupVersionResource, add the error to an aggregated list of
errors and continue attempting to delete all the GroupVersionResources
instead of stopping at the first error. Return the aggregated error list
(if any) when done. This allows us to delete as much of the content in
the namespace as we can in each pass.
**Special notes for your reviewer**:
This may help with some of the namespace deletions taking too long in our e2e tests.
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 46164, 45471, 46037)
validate oidc flags
This change validate oidc flags for kube-apiserver.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```NONE
```
authorization-rbac-super-user is deprecated now. So we can remove
the vaiable. Further more the comment about this variable is wrong.
Remove them also.
Automatic merge from submit-queue
Use TabWriter to keep output of "kubectl get xx -w" aligned.
Use TabWriter to keep output of "kubectl get xx -w" aligned.
fixed#43126
Remove kubectl's dependence on pkg/api/helper, as part of
broader effort to isolate kubectl from the rest of k8s.
In this case, the code becomes private to kubectl; nobody else uses it.
**Which issue this PR fixes**
Part of a series of PRs to address kubernetes/community#598
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Includes:
- A new volume type, LocalVolumeSource. This only supports
file-based local volumes for now.
- New alpha annotation in PV: NodeAffinity
- Validation + tests for specifying LocalVolumeSource and PV
NodeAffinity
- Alpha feature gate
Automatic merge from submit-queue
fix pleg relist time
This PR fix pleg reslist time. According to current implementation, we have a `Healthy` method periodically check the relist time. If current timestamp subtracts latest relist time is longer than `relistThreshold`(default is 3 minutes), we should return an error to indicate the error of runtime.
`relist` method is also called periodically. If runtime(docker) hung, the relist method should return immediately without updating the latest relist time. If we update latest relist time no matter runtime(docker) hung(default timeout is 2 minutes), the `Healthy` method will never return an error.
```release-note
Kubelet PLEG updates the relist timestamp only after successfully relisting.
```
/cc @yujuhong @Random-Liu @dchen1107
Automatic merge from submit-queue
Adapt loadbalancer deleting/updating when using cloudprovider openstack in openstack/liberty
**What this PR does / why we need it**:
Make an extra verification on the returned listeners and pools because gophercloud query doesn't filter the results by loadbalancerID / listenerID respectively when using **openstack/librerty**.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
#33759
**Special notes for your reviewer**:
#33759 it's supposed to have a pull request which fixes this problem but in the release 1.5 loadbalancers doesn't use that patched code.
**Release note**:
NONE
```release-note
```
Automatic merge from submit-queue
Move the remaining controllers to shared informers
Completes work done in 1.6 to move the last two hold outs to shared informers - tokens controller and scheduler. Adds a few more tools to allow informer reuse (like filtering the informer, or maintaining a mutation cache).
The mutation cache is identical to #45838 and will be removed when that merges
@ncdc @deads2k extracted from openshift/origin#14086
The alpha field podManagementPolicy defines how pods are created,
deleted, and replaced. The new `Parallel` policy will replace pods
as fast as possible, not waiting for the pod to be `Ready` or providing
an order. This allows for advanced clustered software to take advantage
of rapid changes in scale.
Tokens controller previously needed a bit of extra help in order to be
safe for concurrent use. The new MutationCache allows it to keep a local
cache and still use a shared informer. The filtering event handler lets
it only see changes to secrets it cares about.
Automatic merge from submit-queue (batch tested with PRs 46033, 46122, 46053, 46018, 45981)
Command tree and exported env in kubectl plugins
This is part of `kubectl` plugins V1:
- Adds support to several env vars passing context information to the plugin. Plugins can make use of them to connect to the REST API, access global flags, get the path of the plugin caller (so that `kubectl` can be invoked) and so on. Exported env vars include
- `KUBECTL_PLUGINS_DESCRIPTOR_*`: the plugin descriptor fields
- `KUBECTL_PLUGINS_GLOBAL_FLAG_*`: one for each global flag, useful to access namespace, context, etc
- ~`KUBECTL_PLUGINS_REST_CLIENT_CONFIG_*`: one for most fields in `rest.Config` so that a REST client can be built.~
- `KUBECTL_PLUGINS_CALLER`: path to `kubectl`
- `KUBECTL_PLUGINS_CURRENT_NAMESPACE`: namespace in use
- Adds support for plugins as child of other plugins so that a tree of commands can be built (e.g. `kubectl myplugin list`, `kubectl myplugin add`, etc)
**Release note**:
```release-note
Added support to a hierarchy of kubectl plugins (a tree of plugins as children of other plugins).
Added exported env vars to kubectl plugins so that plugin developers have access to global flags, namespace, the plugin descriptor and the full path to the caller binary.
```
@kubernetes/sig-cli-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 45346, 45903, 45958, 46042, 45975)
ResourceQuota admission control injects registry
**What this PR does / why we need it**:
The `ResourceQuota` admission controller works with a registry that maps a GroupKind to an Evaluator. The registry used in the existing plug-in is not injectable, which makes usage of the ResourceQuota plug-in in other API server contexts difficult. This PR updates the code to support late injection of the registry via a plug-in initializer.
Automatic merge from submit-queue (batch tested with PRs 45346, 45903, 45958, 46042, 45975)
Azure disk api
This is to update the AzureDiskApi and split it from the implementation which is caught in rebase hell...
Once this is merged, we'll get the implementation in.
@smarterclayton suggested this as a way to break the rebase hell logjam. request for a quick review.
Thanks!
Automatic merge from submit-queue
Don't try to attach volumes which are already attached to other nodes
This PR is a replacement for https://github.com/kubernetes/kubernetes/pull/40148. I was not able to push fixes and rebases to the original branch as I don't have access to the Github organization anymore.
CC @saad-ali You probably have to update the PR link in [Q2 2017 (v1.7)](https://docs.google.com/spreadsheets/d/1t4z5DYKjX2ZDlkTpCnp18icRAQqOE85C1T1r2gqJVck/edit#gid=14624465)
I assume the PR will need a new "ok to test"
**ORIGINAL PR DESCRIPTION**
This PR fixes an issue with the attach/detach volume controller. There are cases where the `desiredStateOfWorld` contains the same volume for multiple nodes, resulting in the attach/detach controller attaching this volume to multiple nodes. This of course fails for volumes like AWS EBS, Azure Disks, ...
I observed this situation on Azure when using Azure Disks and replication controllers which start to reschedule PODs. When you delete a POD that belongs to a RC, the RC will immediately schedule a new POD on another node. This results in a short time (max a few seconds) where you have 2 PODs which try to attach/mount the same volume on different nodes. As the old POD is still alive, the attach/detach controller does not try to detach the volume and starts to attach the volume to the new POD immediately.
This behavior was probably not noticed before on other clouds as the bogus attempt to attach probably fails pretty fast and thus is unnoticed. As the situation with the 2 PODs disappears after a few seconds, a detach for the old POD is initiated and thus the new POD can attach successfully.
On Azure however, attaching and detaching takes quite long, resulting in the first bogus attach attempt to already eat up much time.
When attaching fails on Azure and reports that it is already attached somewhere else, the cloud provider immediately does a detach call for the same volume+node it tried to attach to. This is done to make sure the failed attach request is aborted immediately. You can find this here: https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/azure/azure_storage.go#L74
The complete flow of attach->fail->abort eats up valuable time and the attach/detach controller can not proceed with other work while this is happening. This means, if the old POD disappears in the meantime, the controller can't even start the detach for the volume which delays the whole process of rescheduling and reattaching.
Also, I and other people have observed very strange behavior where disks ended up being "attached" to multiple VMs at the same time as reported by Azure Portal. This results in the controller to fail reattaching forever. It's hard to figure out why and when this happens and there is no reproducer known yet. I can imagine however that the described behavior correlates with what I described above.
I was not sure if there are actually cases where it is perfectly fine to have a volume mounted to multiple PODs/nodes. At least technically, this should be possible with network based volumes, e.g. nfs. Can someone with more knowledge about volumes help me here? I may need to add a check before skipping attaching in `reconcile`.
CC @colemickens @rootfs
-->
```release-note
Don't try to attach volume to new node if it is already attached to another node and the volume does not support multi-attach.
```
Automatic merge from submit-queue (batch tested with PRs 45996, 46121, 45707, 46011, 45564)
add "admission" API group
This commit is an initial pass at providing an admission API group.
The API group is required by the webhook admission controller being
developed as part of https://github.com/kubernetes/community/pull/132
and could be used more as that proposal comes to fruition.
**Note:** This PR was created by following the [Adding an API Group](https://github.com/kubernetes/community/blob/master/contributors/devel/adding-an-APIGroup.md) documentation.
cc @smarterclayton
Automatic merge from submit-queue (batch tested with PRs 45996, 46121, 45707, 46011, 45564)
Fix kuberuntime GetPods.
The `ImageID` is not populated from `GetPods` in kuberuntime.
Image garbage collector is using this field, https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/images/image_gc_manager.go#L204.
Without this fix, image garbage collector will try to garbage collect all images every time. Because docker will not allow that, it should be fine. However, I'm not sure whether the unnecessary remove will cause any problem, e.g. overload docker image management system and make docker hang.
@dchen1107 @yujuhong @feiskyer Do you think we should cherry-pick this?
Two new behaviors are tested:
1. The output message that deprecatedAlias gives when it is called must
include the word "deprecatated" and the name of the new function
that the user should use instead.
2. The correct function must be called by the alias (alias should "fall
back" to the functionality of the original.
Automatic merge from submit-queue
Correct spelling in comment
**What this PR does / why we need it**:
Corrects two misspelled names in a comment.
**Which issue this PR fixes**:
N/A
**Special notes for your reviewer**:
NONE
**Release note**:
NONE
This PR provides support for tagging AWS ELBs using information in an
annotation and provided as a list of comma separated key-value pairs.
Closes https://github.com/kubernetes/community/pull/404
Automatic merge from submit-queue (batch tested with PRs 44606, 46038)
Fix serialization of EnforceNodeAllocatable
EnforceNodeAllocatable being `nil` and `[]` are treated in different
ways by kubelet. Namely, `nil` is replaced with `[]string{"pods"}` by
the defaulting mechanism.
E.g. if you run kubelet in Docker-in-Docker environment
you may need to run it with the following options:
`--cgroups-per-qos=false --enforce-node-allocatable=`
(this corresponds to EnforceNodeAllocatable being empty array and not
null) If you then grab kubelet configuration via /configz and try to
reuse it for dynamic kubelet config, kubelet will think that
EnforceNodeAllocatable is null, failing to run in the
Docker-in-Docker environment.
Encountered this while updating Virtlet for Kubernetes 1.6
(the dev environment is based on kubeadm-dind-cluster)
Automatic merge from submit-queue (batch tested with PRs 45908, 44898)
While calculating pod's cpu limits, need to count in init-container.
Need to count in init-container when calculating a pod's cpu limits.
Otherwise, may cause pod start failure due to "invalid argument"
error while trying to write "cpu.cfs_quota_us" file.
Fixed#44697
Release note:
```
NONE
```
This commit is an initial pass at providing an admission API group.
The API group is required by the webhook admission controller being
developed as part of https://github.com/kubernetes/community/pull/132
and could be used more as that proposal comes to fruition.
Automatic merge from submit-queue
IPv6 support for hexCIDR()
Includes these changes:
- Modified so that IPv6 CIDRs can be converted correctly.
- Added test cases for IPv6 addresses.
- Split UTs for hexCIDR() and asciiCIDR() so that masking can be tested.
- Add UTs for failure cases.
Note: Some code that calls hexCIDR() builds a CIDR from the pod IP string
and the concatenation of "/32". These should, in the future, use "128",
if/when the pod IP is IPv6. Not addressed as part of this commit.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#45906
**Special notes for your reviewer**:
**Release note**:
```release-noteNONE
```
Need to count in init-container when calculating a pod's cpu limits.
Otherwise, may cause pod start failure due to "invalid argument"
error while trying to write "cpu.cfs_quota_us" file.
Automatic merge from submit-queue
Initialize cloud providers with a K8s clientBuilder
**What this PR does / why we need it**:
This PR provides each cloud provider the ability to generate kubernetes clients. Either the full access or service account client builder is passed from the controller manager. Cloud providers could need to retrieve information from the cluster that isn't provided through defined interfaces, and this seems more preferable to adding parameters.
Please leave your thoughts/comments.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41535, 45985, 45929, 45948, 46056)
NodeRestriction admission plugin
Adds an optional `NodeRestriction` admission plugin that limits identifiable kubelets to mutating their own Node object, and Pod objects bound to their node.
This is the admission portion of https://github.com/kubernetes/community/blob/master/contributors/design-proposals/kubelet-authorizer.md and kubernetes/features#279
```release-note
The `NodeRestriction` admission plugin limits the `Node` and `Pod` objects a kubelet can modify. In order to be limited by this admission plugin, kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`. Such kubelets will only be allowed to modify their own `Node` API object, and only modify `Pod` API objects that are bound to their node.
```
Automatic merge from submit-queue (batch tested with PRs 41535, 45985, 45929, 45948, 46056)
kubelet/envvars: Adding brackets to IPv6 addresses
Signed-off-by: André Martins <aanm90@gmail.com>
**What this PR does / why we need it**: This adds IPv6 brackets on environments variables pods
**Special notes for your reviewer**:
Since the IP is a string I think the fastest way to detect if it's an IPv6 was to check for the presence of `:` in it. Let me know what you think.
Some kubectl commands were deprecated but would fail to print the
correct warning message when a flag was given before the command name.
# Correctly prints the warning that "resize" is deprecated and
# "scale" is now preferred.
kubectl scale [...]
# Should print the same warning but no warning is printed.
kubectl --v=1 scale [...]
This was due to a fragile check on os.Args[1].
This commit implements a new function deprecatedCmd() that is used to
construct new "passthrough" commands which are marked as deprecated and
hidden.
Note that there is an existing "filters" system that may be preferable
to the system created in this commit. I'm not sure why the "filters"
array was not used for all deprecated commands in the first place.
Automatic merge from submit-queue
Advanced audit logging API
This is an initial implementation of the API proposed in https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auditing.md
This deviates from the exact API specified in the proposal in a number of ways. Here's a list of some of the changes I made, and why:
- General API conformance (`metav1.{Type,List}Meta`, +optional, etc.)
- Dropped fields that won't be part of the initial implementation (storage objects & filters), to be added later
- {Request,Response}Body -> {Request,Response}Object - This is actually what the proposal originally had, and will be much better for adding Filters later, and provides a less protocol-dependent API. Note that there is currently no way to include Response body for non-resource requests.
- Drop HttpMethod - redundant with verb
- Response{StatusCode,ErrorMessage} collapsed into `ResponseStatus *metav1.Status` - This is the standard response type for resourec errors, but can hold genereric error responses too. Note that this is part of the `Metadata` Level.
/cc @kubernetes/sig-auth-api-reviews @kubernetes/api-reviewers
Automatic merge from submit-queue
Same internal and external ip for vSphere Cloud Provider
Currently, vSphere Cloud Provider reports internal ip as container ip addresses. This PR modifies vSphere Cloud Provider to report same ip address as both internal and external that is provided by vmware infrastructure.
cc @pdhamdhere @tusharnt @BaluDontu @divyenpatel @luomiao
Automatic merge from submit-queue
Pass pod metadata to flex plugin
Normal volume plugins get the pod spec to pull information from when setting up their volume, but flex plugins do not.
If a flex volume wants to set up things unique to the pod, or limited in permission based on the service account, the pod namespace, name, uid, and service account name are needed.
This PR adds pod uid, name, namespace, and service account name to the options passed to the plugin available during mounting
```release-note
The options passed to a flexvolume plugin's mount command now contains the pod name (`kubernetes.io/pod.name`), namespace (`kubernetes.io/pod.namespace`), uid (`kubernetes.io/pod.uid`), and service account name (`kubernetes.io/serviceAccount.name`).
```
Automatic merge from submit-queue
Add approvers to vsphere cloudprovider
This PR adds approvers for vSphere Cloud provider.
cc @pdhamdhere @tusharnt @BaluDontu @divyenpatel @luomiao
Automatic merge from submit-queue
Use beta GCP API instead of alpha in CloudCIDR controller
The feature we are using has been promoted to beta.
```release-note
NONE
```
If the namespace controller encounters an error trying to delete a
single GroupVersionResource, add the error to an aggregated list of
errors and continue attempting to delete all the GroupVersionResources
instead of stopping at the first error. Return the aggregated error list
(if any) when done. This allows us to delete as much of the content in
the namespace as we can in each pass.
Automatic merge from submit-queue
Make real proxier in hollow-proxy optional (default=true)
Ref https://github.com/kubernetes/kubernetes/pull/45622
This allows using real proxier for hollow proxy, but we use the fake one by default.
cc @kubernetes/sig-scalability-misc @wojtek-t @gmarek
Automatic merge from submit-queue
avoid concrete examples for missingResourceError
missingResourceError uses pod and services as an example in error message. However some sub-commands doesn't support pod/service, this change use `<resource> <name>` instead of concrete examples.
Before this change:
```console
$ kubectl set subject
error: You must provide one or more resources by argument or filename.
Example resource specifications include:
'-f rsrc.yaml'
'--filename=rsrc.json'
'pods my-pod'
'services'
```
After this change:
```console
$ kubectl set subject
error: You must provide one or more resources by argument or filename.
Example resource specifications include:
'-f rsrc.yaml'
'--filename=rsrc.json'
'<resource> <name>'
'<resource>'
```
**Release note**:
```release-note
avoid concrete examples for missingResourceError
```
Automatic merge from submit-queue
Fix the issue in Windows kube-proxy when processing unqualified name. This is for DNS client such as ping or iwr that validate name in response and original question.
**What this PR does / why we need it**:
This PR is an additional fix to #41618 and [the corresponding commit](b9dfb69dd7). The DNS client such as nslookup does not validate name matching in response and original question. That works fine when we append DNS suffix to unqualified name in DNS query in Windows kube-proxy. However, for DNS client such as ping or Invoke-WebRequest that validates name in response and original question, the issue arises and the DNS query fails although the received DNS response has no error.
This PR fixes the additional issue by restoring the original question name in DNS response. Further, this PR refactors DNS message routines by using miekg's DNS library.
This PR affects the Windows kube-proxy only.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#42605
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix DNS suffix search list support in Windows kube-proxy.
```
Automatic merge from submit-queue
Move defaulting logic for ExternalTrafficPolicy into defaults.go
Link #45812.
Per [#45812/comment](https://github.com/kubernetes/kubernetes/issues/45812#issuecomment-301632807), move defaulting logic to defaults.go so that federation will get the same code.
This PR does not have any functional change :)
/assign @freehan @thockin
/cc @madhusudancs @nikhiljindal @shashidharatd
Also /cc @caesarxuchao per the client-go changes.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45990, 45544, 45745, 45742, 45678)
Refactor reconciler volume log and error messages
**What this PR does / why we need it**:
Utilizes volume-specific error and log messages introduced in #44969, inside files that also log volume information.
Specifically:
- pkg/kubelet/volumemanager/reconciler/reconciler.go,
- pkg/controller/volume/attachdetach/reconciler/reconciler.go, and
- pkg/kubelet/volumemanager/populator/desired_state_of_world_populator.go
**Which issue this PR fixes** : fixes#40905
**Special notes for your reviewer**:
**Release note**:
```release-note
```
NONE
Automatic merge from submit-queue
[Bug Fix] Return quantity freed even when an error exists
bug was added by #44986. If we get an error from deleteImages, we try and use the bytes freed in a calculation.
That PR changed the behavior from evicting a pod upon error, to panicking because of the nil pointer.
This should fix inode eviction tests
/assign @dchen1107
Automatic merge from submit-queue (batch tested with PRs 45977, 45890)
add test to cover more in kubectl create service
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 45977, 45890)
kuberuntime: report StartedAt regardless of container states
This fixes#45943
**Release note**:
```release-note
Fix the bug where StartedAt time is not reported for exited containers.
```
Automatic merge from submit-queue (batch tested with PRs 45953, 45889)
Add /metrics and profiling handlers to kube-proxy
Also expose "syncProxyRules latency" as a prometheus metrics.
Fix https://github.com/kubernetes/kubernetes/issues/45876
Includes these changes:
- Modified so that IPv6 CIDRs can be converted correctly.
- Added test cases for IPv6 addresses.
- Split UTs for hexCIDR() and asciiCIDR() so that masking can be tested.
- Add UTs for failure cases.
Note: Some code that calls hexCIDR() builds a CIDR from the pod IP string
and the concatenation of "/32". These should, in the future, use "128",
if/when the pod IP is IPv6. Not addressed as part of this commit.
Automatic merge from submit-queue (batch tested with PRs 45852, 45965, 45941)
Update k8s.io/gengo dependency
**What this PR does / why we need it**:
Brings in changes to improve type checker and deep copy
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Remove the deprecated --babysit-daemons kubelet flag
```release-note
Removes the deprecated kubelet flag --babysit-daemons
```
This flag has been deprecated for over a year (git blame says marked deprecated on March 1, 2016).
Relatively easy removal - nothing in the Kubelet relies on it anymore.
There was still some stuff in the provisioning scripts. It was easy to rip out, but in general we probably need to be more disciplined about updating the provisioning scripts at the same time that we initially mark things deprecated.
Automatic merge from submit-queue
Move all API related annotations into annotation_key_constants.go
Separate from #45869. See https://github.com/kubernetes/kubernetes/pull/45869#discussion_r116839411 for details.
This PR does nothing but move constants around :)
/assign @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45709, 41939)
delete err when return _
Signed-off-by: yupengzte <yu.peng36@zte.com.cn>
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 44520, 45253, 45838, 44685, 45901)
API for server side tabular output
These are the APIs necessary to implement propsoal kubernetes/community#363
They consist of a new meta group (v1alpha1) that indicates these are alpha apis for the server as a whole, a new kind `TableList` which is a simple row + header arranged table capable of returning both object and columnar data, a `TableListOptions` for altering the behavior of the return, and `PartialObjectMetadata` which is an "interface" style API object which allows a client to ask any object for their metadata (without having to know how to parse the object or perform gymnastics).
Extracted from #40848
A few minor tweaks still required.
Automatic merge from submit-queue (batch tested with PRs 45247, 45810, 45034, 45898, 45899)
kubectl plugin: Expand environment variables in the command of plugin.yaml
**What this PR does / why we need it**:
This commit improves kubectl plugins to expand environment variables in the command of plugin.yaml.
I'd like to use environment variables in the command of plugin.yaml as follows:
```yaml
name: hello
shortDesc: "The hello plugin"
longDesc: >
The hello plugin is a new
plugin used by test-cmd
to test multiple plugin locations.
command: $HOME/path/to/plugins/hello.sh
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45247, 45810, 45034, 45898, 45899)
Apiregistration v1alpha1→v1beta1
Promoting apiregistration api from v1alpha1 to v1beta1.
API Registration is responsible for registering an API `Group`/`Version` with
another kubernetes like API server. The `APIService` holds information
about the other API server in `APIServiceSpec` type as well as general
`TypeMeta` and `ObjectMeta`. The `APIServiceSpec` type have the main
configuration needed to do the aggregation. Any request coming for
specified `Group`/`Version` will be directed to the service defined by
`ServiceReference` (on port 443) after validating the target using provided
`CABundle` or skipping validation if development flag `InsecureSkipTLSVerify`
is set. `Priority` is controlling the order of this API group in the overall
discovery document.
The return status is a set of conditions for this aggregation. Currently
there is only one condition named "Available", if true, it means the
api/server requests will be redirected to specified API server.
```release-note
API Registration is now in beta.
```
Automatic merge from submit-queue (batch tested with PRs 45374, 44537, 45739, 44474, 45888)
Update 'More info' links on API types and fields
> **Please just review the first commit, the rest is generated files.**
Recent docs website shuffling during 1.6 caused majority of links in the API
types and fields to break. Since we do not have server-side 301 redirects, user
has to click an extra link, and the #target fragment in the URL will be lost. (This is
because GitHub’s redirect_from feature is not ideal.)
For the time being, I have manually gone through all of them to bring them up to date
and add HTTPS to those missing it. This is a docs-only change and impacts generated
code, generated swaggers, API reference docs etc.
cc: @steveperry-53 @devin-donnelly @chenopis fyi, docs links changes (even small title changes) easily breaks links in API reference, Swagger, kubectl explain, and many other places.
Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
Automatic merge from submit-queue (batch tested with PRs 45374, 44537, 45739, 44474, 45888)
Allow kcm and scheduler to lock on ConfigMaps.
**What this PR does / why we need it**:
Plumbs through the ability to lock on ConfigMaps through the kcm and scheduler.
**Which issue this PR fixes**
Fixes: #44857
Addresses issues with: #45415
**Special notes for your reviewer**:
**Release note**:
```
Add leader-election-resource-lock support to kcm and scheduler to allow for locking on ConfigMaps as well as Endpoints(default)
```
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews @jamiehannaford @bsalamat @mikedanese
Automatic merge from submit-queue (batch tested with PRs 45374, 44537, 45739, 44474, 45888)
Fix attach volume to instance repeatedly
1.When volume's status is 'attaching', controllermanager will attach
it again and return err. So it is necessary to check volume's
status before attach/detach volume.
2. When volume's status is 'attaching', its attachments will be None,
controllermanager can't get device path and make some failed event.
But it is normal, so don't return err when attachments is None
Fix bug: #44536
Automatic merge from submit-queue (batch tested with PRs 45860, 45119, 44525, 45625, 44403)
Make a log line more clear in kuberuntime_manager.go.
Make a log in `podSandboxChanged` more clear.
@yujuhong @feiskyer
EnforceNodeAllocatable being `nil` and `[]` are treated in different
ways by kubelet. Namely, `nil` is replaced with `[]string{"pods"}` by
the defaulting mechanism.
E.g. if you run kubelet in Docker-in-Docker environment
you may need to run it with the following options:
`--cgroups-per-qos=false --enforce-node-allocatable=`
(this corresponds to EnforceNodeAllocatable being empty array and not
null) If you then grab kubelet configuration via /configz and try to
reuse it for dynamic kubelet config, kubelet will think that
EnforceNodeAllocatable is null, failing to run in the
Docker-in-Docker environment.
Encountered this while updating Virtlet for Kubernetes 1.6
(the dev environment is based on kubeadm-dind-cluster)
Automatic merge from submit-queue
kubelet: use the base filename to check if the filename starts with a dot
**What this PR does / why we need it**:
Fixes a bug in https://github.com/kubernetes/kubernetes/pull/39196. The goal was to ignore files that start with a dot but the value used is the full absolute filename including path.
**Which issue this PR fixes**: fixes#44450
@yujuhong
**Release note**:
```release-note
kubelet config should actually ignore files starting with dots
```
Automatic merge from submit-queue (batch tested with PRs 44326, 45768)
[CRI] Forcibly remove container
Forcibly remove the running containers in `RemoveContainer`. Since we should forcibly remove the running containers in `RemovePodSandbox`. See [here](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/api/v1alpha1/runtime/api.proto#L35).
cc @feiskyer @Random-Liu
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
Automatic merge from submit-queue (batch tested with PRs 45408, 45355, 45528)
Make createEndpointService() and deleteEndpointService() plugin interface methods.
Why this change?
In some setups, after creation of dynamic PVs and before mounting/using these PVs in a pod, the endpoint/service got mistakenly deleted by the user/developer. By making these methods 'plugin' specific, we can call it from mounter if there are scenarios where the endpoint and service got wiped in between accidentally.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Automatic merge from submit-queue (batch tested with PRs 45408, 45355, 45528)
Admission options spits out admission control
**What this PR does / why we need it**:
This PR adds ApplyTo method to AdmissionOptions struct. The method creates and initialises admission control to the server configuration.
**Release note**:
```
NONE
```
Automatic merge from submit-queue
fix typo in docker_container.go
Signed-off-by: Carlory <fanbaofa@gmail.com>
**What this PR does / why we need it**:
fix typo in docker_container.go
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
NONE
**Special notes for your reviewer**:
NONE
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
describe pod: add unit test for Node
**What this PR does / why we need it**:
Add unit test for "describe pod" in order to get node info.
**Release note**:
```release-note
NONE
```
In some setups, after creation of dynamic PVs and before mounting/using
these PVs in a pod, the endpoint/service got mistakenly deleted by the
user/developer. By making these methods 'plugin' specific, we can call
it from mounter if there are scenarios where the endpoint and service
got wiped in between accidentally.
Signed-off-by: Humble Chirammal hchiramm@redhat.com
Automatic merge from submit-queue
Make fake iptables' Save operation more realistic
Ref https://github.com/kubernetes/kubernetes/pull/45622#issuecomment-301624384 (2nd point)
This would make fake IPtables actually return the iptable contents it stores.
cc @kubernetes/sig-scalability-misc @wojtek-t
Automatic merge from submit-queue
Fix kube-apiserver crash when patching TPR data
**What this PR does / why we need it**: While trying to do a strategic merge patch, kube-apiserver crashes with a nil pointer dereference because `UnsafeConvertor` is `nil` for TPR data resources here: https://github.com/kubernetes/kubernetes/blob/master/pkg/master/thirdparty/thirdparty.go#L314-L337.
This PR does not make strategic merge patch work on TPR data but makes sure that the kube-api server does not crash while trying to do so.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#44587
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue
Assign label to pod when exec 'kubectl run' command with flags "--expose=true" and "--restart=Never"
**What this PR does / why we need it**:
As the title says and issue #40503 mentioned.
cc @tanapoln
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#40503
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
pospispa