Commit Graph

60372 Commits (9710da8be5b113b64d45110ba9129fd15ca5792c)

Author SHA1 Message Date
Bowei Du 9710da8be5 Fix reference to Items in internal load balancer 2018-01-18 17:44:30 -08:00
Bowei Du 5ac26ac46f Update bazel builds 2018-01-18 17:25:14 -08:00
Bowei Du 67c34edbb3 Update TargetProxy to use generated code 2018-01-18 17:22:34 -08:00
Bowei Du b682e1bc1e Update e2e test utils with the new interfaces 2018-01-18 17:21:55 -08:00
Bowei Du 2556e01142 Update InstanceGroup to use generated code 2018-01-18 17:21:55 -08:00
Bowei Du 271935d7d9 Update Certs to use generated code 2018-01-18 17:21:55 -08:00
Bowei Du f83c5379dc Update Healthcheck to use generated code 2018-01-18 17:21:55 -08:00
Bowei Du 48ad2eed8e Update BackendService to use generated code 2018-01-18 17:21:55 -08:00
Bowei Du fa3e0af5ac Update UrlMap to use generated code 2018-01-18 17:21:55 -08:00
Kubernetes Submit Queue dc9dd59a45
Merge pull request #58475 from Cynerva/gkk/fix-lint-2
Automatic merge from submit-queue (batch tested with PRs 58422, 58229, 58421, 58435, 58475). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Fix flake8 lint error in kubernetes-master charm

**What this PR does / why we need it**:

This trivial whitespace change fixes a lint error from flake8 on the kubernetes-master charm:

```
reactive/kubernetes_master.py:140:1: E302 expected 2 blank lines, found 1
```

**Release note**:

```release-note
NONE
```
2018-01-18 16:36:43 -08:00
Kubernetes Submit Queue fa094e6672
Merge pull request #58435 from bowei/cp-gen-method-pages
Automatic merge from submit-queue (batch tested with PRs 58422, 58229, 58421, 58435, 58475). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Add handling for methods that use Pages() to retrieve results

- Add handling for methods that use Pages() to retrieve results
- Make functions take in *Key rather than value type.

```release-note
NONE
```
2018-01-18 16:36:41 -08:00
Kubernetes Submit Queue df76ee2248
Merge pull request #58421 from freehan/neg-e2e-fix
Automatic merge from submit-queue (batch tested with PRs 58422, 58229, 58421, 58435, 58475). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

inject 60 second interval in deployment rollout

```release-note
NONE
```
2018-01-18 16:36:39 -08:00
Kubernetes Submit Queue 5d9f1f82a6
Merge pull request #58229 from sjenning/exempt-sandbox-image
Automatic merge from submit-queue (batch tested with PRs 58422, 58229, 58421, 58435, 58475). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

kubelet: imagegc: exempt sandbox image

The image GC logic currently does not consider the sandbox image to be in-use by pods, since it isn't explicitly listed in the pod spec.  However, it is trivially in-use if there are any pods running on the node.

This change adds logic to exempt the sandbox image from GC by always considering it as in-use.

**Reviewer Note**
I am changing `(m *kubeGenericRuntimeManager) GetImageRef` to return the ID always rather than the first tag if it exists.  Seemed ok to me.  Makes some error messages a little less readable in that the ID will be printed and not the tag.  Just wanted to see what reviewers think about this.

@derekwaynecarr @dashpole
2018-01-18 16:36:36 -08:00
Kubernetes Submit Queue 10334c9575
Merge pull request #58422 from MrHohn/gce-call-ext-lb
Automatic merge from submit-queue (batch tested with PRs 58422, 58229, 58421, 58435, 58475). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Update gce call to use wrapper in gce_loadbalancer_external

**What this PR does / why we need it**:
Ack https://github.com/kubernetes/kubernetes/pull/58368#discussion_r162139441, replacing some direct compute API calls to use the wrapper.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE

**Special notes for your reviewer**:
/assign @nicksardo 

**Release note**:

```release-note
NONE
```
2018-01-18 16:36:32 -08:00
Bowei Du d3a1b4b255 Update code for GCE cloud provider 2018-01-18 13:33:34 -08:00
Bowei Du 447823b4a1 Add handling for methods that use Pages() to retrieve results
Make functions take in *Key rather than value type.
2018-01-18 13:33:34 -08:00
Kubernetes Submit Queue 7dadeee5e8
Merge pull request #54544 from YuxiJin-tobeyjin/fatal2fatalf
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Use Fatalf instead of Fatal when formatting of the output is needed

**What this PR does / why we need it**:
Should use Fatalf instead of Fatal when formatting of the output is needed

**Release note**:

```release-note
NONE
```
2018-01-18 13:12:47 -08:00
Kubernetes Submit Queue c7526fbb67
Merge pull request #58439 from liggitt/admission-scheme
Automatic merge from submit-queue (batch tested with PRs 57868, 58284, 56370, 58400, 58439). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Fix decoding of admission config file

Fixes #58426

1a552bbe14 (diff-eb9532eb476083e1ab31da9dd6f83eceR41) attempted to use a locally constructed scheme, but the name `scheme` was shadowed by a function arg.

Attempts to run the apiserver with a structured plugin config file would fail to decode (since the passed scheme didn't know about the AdmissionConfiguration type), then fall back to treating the file as a legacy config, and silently continue without the correct config.

```release-note
kube-apiserver: fixes loading of `--admission-control-config-file` containing AdmissionConfiguration apiserver.k8s.io/v1alpha1 config object
```
2018-01-18 13:11:39 -08:00
Kubernetes Submit Queue 2d8c07730c
Merge pull request #58400 from xuzhenglun/master
Automatic merge from submit-queue (batch tested with PRs 57868, 58284, 56370, 58400, 58439). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

fix a little typo in BalancedResourceAllocation

Signed-off-by: Reficul <xuzhenglun@gmail.com>



**What this PR does / why we need it**:
fix a little typo in `BalancedResourceAllocation` of scheduler algorithm

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2018-01-18 13:11:36 -08:00
Kubernetes Submit Queue 408a316b1d
Merge pull request #56370 from oracle/for/upstream/master/55528
Automatic merge from submit-queue (batch tested with PRs 57868, 58284, 56370, 58400, 58439). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Refactor service controller to common controller pattern

**What this PR does / why we need it**:

The service controller currently uses a non-standard controller pattern that adds unneeded complexity. This PR moves the service controller to use common tools like the rate limited queue with exponential backoff versus tracking retry backoff in the cachedService object. 

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #55528

**Special notes for your reviewer**:

This does change the retry backoff from a linear backoff to an exponential backoff. The min and max retry delay stays the same. 

There was only one case where we didn't want to retry, which was when we updated the service status since that handled retries itself. In that case I moved to the common pattern of using `runtime.HandleError`.

**Release note**:

```release-note
NONE
```

/cc @luxas @wlan0 @andrewsykim @thockin 
@prydie 

/sig cluster-lifecycle
/sig networking
/kind cleanup
2018-01-18 13:11:34 -08:00
Kubernetes Submit Queue 6369a10004
Merge pull request #58284 from mfojtik/findmnt-out
Automatic merge from submit-queue (batch tested with PRs 57868, 58284, 56370, 58400, 58439). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Show findmnt command output in case of error

**What this PR does / why we need it**:

We don't print the error output from the `findmnt` command, which makes it pretty hard to debug. 

The current implementation just prints:

```
I0115 11:59:36.078285   18230 nsenter_mount.go:168] Failed findmnt command for path /var/lib/origin/openshift.local.volumes/pods/8d723ec8-f9e9-11e7-bc52-025000000001/volumes/kubernetes.io~secret/pvinstaller-token-bxh42: exit status 1
```

With this patch, we can actually see the error:

```
I0115 12:04:30.908164   23301 nsenter_mount.go:168] Failed findmnt command for path /var/lib/origin/openshift.local.volumes/pods/8ff8bb98-f9e9-11e7-bc52-025000000001/volumes/kubernetes.io~secret/deployer-token-g4sg9: nsenter: failed to execute /findmnt: No such file or directory
 exit status 1
```

**Release note**:
```release-note
NONE
```
2018-01-18 13:11:30 -08:00
Kubernetes Submit Queue 684f85e61f
Merge pull request #57868 from Lion-Wei/ipvs-5
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

fix ipvs proxy mode kubeadm usage

**What this PR does / why we need it**:
Fix ipvs proxy mode usage of kubeadm in ipvs README file.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # 

**Release note**:
```release-note
NONE
```
2018-01-18 12:28:11 -08:00
George Kraft f56463bf32 Fix flake8 lint error in kubernetes-master charm 2018-01-18 13:53:13 -06:00
Mehdy Bohlool ed04e55f6e Update CHANGELOG-1.9.md for v1.9.2. 2018-01-18 13:46:38 -06:00
Kubernetes Submit Queue 7f6dae7235
Merge pull request #58405 from deads2k/kubelet-01-start
Automatic merge from submit-queue (batch tested with PRs 58209, 57561, 58405). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

make the kubelet cobra command complete

This pull attempts a move from the cmd/kubelet to the cobra command where it can be re-used.

/assign @mtaufen 
/assign @liggitt 
@ncdc fyi

xref: https://github.com/kubernetes/kubernetes/issues/34732

```release-note
NONE
```
2018-01-18 10:27:39 -08:00
Kubernetes Submit Queue afd01c0fcc
Merge pull request #57561 from dims/enable-privileged-container-for-apiserver-and-controller
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Enable privileged containers for apiserver and controller

**What this PR does / why we need it**:

In OpenStack environment, when there is no metadata service, we
look at the config drive to figure out the metadata. Since we need
to run commands like blkid, we need to ensure that api server and
kube controller are running in the privileged mode.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #47392
Fixes https://github.com/kubernetes/kubeadm/issues/588

**Special notes for your reviewer**:

**Release note**:

```release-note
Fix issue when using OpenStack config drive for node metadata
```
2018-01-18 10:27:01 -08:00
Kubernetes Submit Queue 8cc5ccfb49
Merge pull request #58209 from NickrenREN/csi-fstype
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Add FSType for CSI volume source

**What this PR does / why we need it**:
Add FSType for CSI volume source to specify filesystems (alpha defaults to `ext4`)

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #58183

**Special notes for your reviewer**:

**Release note**:
```release-note
Add FSType for CSI volume source to specify filesystems
```

/assign @saad-ali 
cc @vladimirvivien
2018-01-18 09:35:58 -08:00
Kubernetes Submit Queue abdff8a0e6
Merge pull request #58398 from deads2k/controller-09-validcmd
Automatic merge from submit-queue (batch tested with PRs 56258, 58398). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

make the controller manager create and use a valid cobra command

The controller manager was returning an invalid cobra command that couldn't be executed and then side-stepped it by adding flags separately.  This brings it into line.
2018-01-18 07:37:31 -08:00
Davanum Srinivas 658a27cebf Update generated code 2018-01-18 10:37:28 -05:00
Davanum Srinivas 8e49774f90 Enable privileged containers for apiserver and controller
In OpenStack environment, when there is no metadata service, we
look at the config drive to figure out the metadata. Since we need
to run commands like blkid, we need to ensure that api server and
kube controller are running in the privileged mode.

So add a new field in MasterConfiguration for specifying that the
api server and controller manager (s) need extra privileges. Added
a TODO to remove this code when we fully yank out cloud provider
specific calls from these processes.
2018-01-18 10:37:16 -05:00
David Eads d113f0fe05 make the kubelet cobra command complete 2018-01-18 10:14:34 -05:00
Kubernetes Submit Queue 40b0c5516a
Merge pull request #56258 from databus23/patch-1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

openstack: remove orphaned routes from terminated instances

**What this PR does / why we need it**:
At the moment the openstack cloudprovider only returns routes where the `NextHop` address points to an existing openstack instance. This is a problem when an instance is terminated before the corresponding node is removed from k8s. The existing route is not returned by the cloudprovider anymore and therefore never considered for deletion by the route controller. When the route's `DestinationCIDR` is reassigned to a new node the router ends up with two routes pointing to a different `NextHop` leading to broken networking.

This PR removes skipping routes pointing to unknown next hops when listing routes. This should cause [this conditional](93dc3763b0/pkg/controller/route/route_controller.go (L208)) in the route controller to succeed and have the route removed if the route controller [feels responsible](93dc3763b0/pkg/controller/route/route_controller.go (L206)).

```release-note
OpenStack cloudprovider: Ensure orphaned routes are removed.
```
2018-01-18 06:53:15 -08:00
Kubernetes Submit Queue de694a8aa6
Merge pull request #58391 from kawych/ms_reduction
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Reduce Metrics Server memory requirement

**What this PR does / why we need it**:
Reduces memory requirements of Metrics Server.

This was tested on GCE. On a 16-node cluster with 30 user pods per node, Metrics Server consumes ~60MB of memory. For larger clusters, the base value matters even less, and the memory utilization will be lower, therefore this change is safe.

**Release note**:
```release-note
Reduce Metrics Server memory requirement
```
2018-01-18 06:06:41 -08:00
Kubernetes Submit Queue 0770ef0600
Merge pull request #58419 from coffeepac/apps-api-stable
Automatic merge from submit-queue (batch tested with PRs 58263, 58425, 58419). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

apps api is now stable, use it

**What this PR does / why we need it**: as of Kubernetes 1.9, the apps API is stable. We should use v1 instead of v1beta2

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # none

**Special notes for your reviewer**:

**Release note**:

```
NONE
```
2018-01-18 05:07:30 -08:00
Kubernetes Submit Queue efdf0d9e78
Merge pull request #58425 from dims/better-external-cloud-provider-support-in-local-up-cluster
Automatic merge from submit-queue (batch tested with PRs 58263, 58425, 58419). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Enable --external-cloud-volume-plugin/--provider-id for local-up-cluster

See the following commit for more information about the
--external-cloud-volume-plugin flag:
070a7b5823

We need this flag for the EXTERNAL_CLOUD_PROVIDER flag to work properly with
volume plugins

Also add --provider-id defaulting to hostname as we seem to pick
up the IP address otherwise, causing problems with looking up the
node in the cloud provider



**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2018-01-18 05:07:28 -08:00
David Eads d7db324c38 make the controller manager create and use a valid cobra command 2018-01-18 07:54:36 -05:00
Kubernetes Submit Queue 58560ab422
Merge pull request #58263 from lcfang/test0115
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

fix some bad URLs

**What this PR does / why we need it**:
fix some bad URLs
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note

```
2018-01-18 04:46:10 -08:00
Kubernetes Submit Queue 3c99777d38
Merge pull request #57422 from joelsmith/nested_data_vol
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Rework method of updating atomic-updated data volumes

**What this PR does / why we need it**:

This change affects the way that secret, configmap, downwardAPI and projected volumes (which all use the same underlying code) implement their data update functionality.

* Instead of creating a subdirectory hierarchy that will contain symlinks to each actual data file, create only symlinks to items in the root of the volume, whether they be files or directories.
* Rather than comparing the user-visible data directory to see if an update is needed, compare with the current version of the data directory.
* Fix data dir timestamp format year
* Create `..data` symlink even when a data volume has no data so consumers can have simplified update watch logic.

**Which issue(s) this PR fixes**:
Fixes #57421

**Release note**:
```release-note
Correct issues that arise when volumes are mounted beneath another secret, configmap, downwardAPI or projected volume
```
2018-01-18 03:20:19 -08:00
Kubernetes Submit Queue 44d0ba29d3
Merge pull request #56960 from islinwb/remove_unused_code_ut_pkg
Automatic merge from submit-queue (batch tested with PRs 53631, 56960). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Remove unused code in UT files in pkg/

**What this PR does / why we need it**:
Remove unused code in UT files in pkg/.

**Release note**:

```release-note
NONE
```
2018-01-18 02:41:29 -08:00
Kubernetes Submit Queue 048757b8a5
Merge pull request #53631 from dixudx/enforce_cobra_required_flags
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

update vendor spf13/cobra to enforce required flags

**What this PR does / why we need it**:

spf13/cobra#502 has enforced checking of flags that are marked as required; an error will be raised if any is unset.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #54855
xref #48400
fixes kubernetes/kubectl#121 

**Special notes for your reviewer**:
/assign @liggitt @eparis 

**Release note**:

```release-note
kubectl now enforces required flags at a more fundamental level
```
2018-01-18 02:00:27 -08:00
Kubernetes Submit Queue ace0e7a695
Merge pull request #58428 from dixudx/kubeadm_remove_initializers
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

kubeadm: remove Initializers (still in alpha) from admission control

**What this PR does / why we need it**:
Currently `Initializers` is still in alpha version, which should not be enabled by default, until promoted to beta.

Kubeadm users who still want to use `Initializers` can use `apiServerExtraArgs` in the kubeadm config file to enable it when booting up the cluster.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes kubernetes/kubeadm#629

**Special notes for your reviewer**:
/assign @luxas 
/area kubeadm
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
/cc @liggitt @jamiehannaford @timothysc 

**Release note**:

```release-note
Remove alpha Initializers from kubeadm admission control
```
2018-01-17 23:50:40 -08:00
Jordan Liggitt 34328ea87d
Fix loading structured admission plugin config 2018-01-18 02:32:28 -05:00
Jordan Liggitt ed53e8a25c
Surface error loading admission plugin config 2018-01-18 02:32:09 -05:00
Reficul e3c5747750
fix a little typo in BalancedResourceAllocation
Signed-off-by: Reficul <xuzhenglun@gmail.com>
2018-01-18 12:50:20 +08:00
Di Xu f154164f1a kubeadm: remove Initializers (still in alpha) from admission control 2018-01-18 11:21:00 +08:00
Davanum Srinivas f2093f1da3 Enable --external-cloud-volume-plugin/--provider-id for local-up-cluster
See the following commit for more information about the
--external-cloud-volume-plugin flag:
070a7b5823

We need this flag for the EXTERNAL_CLOUD_PROVIDER flag to work properly with
volume plugins

Also add --provider-id defaulting to hostname as we seem to pick
up the IP address otherwise, causing problems with looking up the
node in the cloud provider
2018-01-17 22:10:54 -05:00
Zihong Zheng 5b97e1b375 Update gce call to use wrapper in gce_loadbalancer_external 2018-01-17 18:22:09 -08:00
Minhan Xia 2e29c5347d inject 60 second interval in deployment rollout 2018-01-17 18:03:03 -08:00
Kubernetes Submit Queue b7100f1ee7
Merge pull request #48859 from victorgp/master
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Support for custom tls cipher suites in api server and kubelet

**What this PR does / why we need it**:
This pull request aims to solve the problem of users not able to set custom cipher suites in the api server.
Several users have requested this given that some default ciphers are vulnerable.
There is a discussion in #41038 of how to implement this. The options are:
- Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
- Letting the user set them by parameter; this requires adding a new parameter that could be pretty long with the list of all the ciphers.

I implemented the second option; if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).

**Which issue this PR fixes** 
fixes #41038 

**Special notes for your reviewer**:
The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the `type CipherSuitesFlag` to support that conversion/mapping, because I couldn't find any way to do this type of reflection in Go.
If you think there is another way to implement this, let me know.

If you want to test it out, this is a cipher combination I tested without the weak ones:

```
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
```

If this is merged I will implement the same for the Kubelet.

**Release note**:
```release-note
kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
```
2018-01-17 17:46:40 -08:00
Kubernetes Submit Queue df27ac09e7
Merge pull request #58255 from dixudx/kubeadm_add_newWebhooks
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Enable ValidatingAdmissionWebhook and MutatingAdmissionWebhook in kubeadm from v1.9

**What this PR does / why we need it**:
Since 1.9, `ValidatingAdmissionWebhook` and `MutatingAdmissionWebhook` are beta. Kubeadm should enable them by default. 

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes kubernetes/kubeadm#642

**Special notes for your reviewer**:
/assign @luxas 
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews 

**Release note**:

```release-note
Enable ValidatingAdmissionWebhook and MutatingAdmissionWebhook in kubeadm from v1.9
```
2018-01-17 17:01:48 -08:00