Automatic merge from submit-queue
kubeadm: add dmmcquay as a reviewer
**What this PR does / why we need it**: add dmmcquay (myself) as a reviewer to kubeadm.
**Special notes for your reviewer**: /cc @luxas
**Release note**:
```release-note
NONE
```
This change makes kubelet to use the CRI implementation by default,
unless the users opt out explicitly by using --enable-cri=false.
For the rkt integration, the --enable-cri flag will have no effect
since rktnetes does not use CRI.
Also, mark the original --experimental-cri flag hidden and deprecated,
so that we can remove it in the next release.
Automatic merge from submit-queue (batch tested with PRs 41216, 41362, 41275, 41277, 41412)
kubeadm: test-cmd: join{config, discovery}
**What this PR does / why we need it**: Adding test-cmds for kubeadm join {config, discovery}. Will followup with more test-cmds for other flags as soon as validation for the flags works.
Adding tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41216, 41362, 41275, 41277, 41412)
kubeadm: test-cmd: init{config, version, api-port}
**What this PR does / why we need it**: Adding test-cmds for kubeadm init {config, version, api-port}. Will followup with more test-cmds for other flags as soon as validation for the flags works.
Adding tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41216, 41362, 41275, 41277, 41412)
kubeadm: added unit tests for discovery pkg
**What this PR does / why we need it**: added tests to discovery pkg and raised coverage from ~25% to ~71%.
Adding unit tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
kubeadm: test-cmd: token{delete}
**What this PR does / why we need it**: Adding test-cmds for kubeadm ex token delete. Will followup with more test-cmds for other flags as soon as validation for the flags works.
Adding tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41382, 41407, 41409, 41296, 39636)
Update the DNS spec from upstream
**What this PR does / why we need it**:
Updates kubeadm to use the latest DNS spec.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
@bowei @MrHohn @thockin In the future, kubedns changes should be applied to this kubeadm file as well
**Release note**:
```release-note
NONE
```
@pires @errordeveloper @dmmcquay @mikedanese
Automatic merge from submit-queue (batch tested with PRs 41337, 41375, 41363, 41034, 41350)
kubeadm: adding tests for util/tokens.go
**What this PR does / why we need it**: added tests to util pkg and raised coverage from ~48% to ~67%. Will get better coverage once migration to client-go is complete. Included a fix for a logic error in tokens.go found through writing tests
Adding unit tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Remove all aggregator dependencies on k8s.io/kubernetes
This removes the last links to k8s.io/kubernetes for the aggregator.
@sttts last commit.
Automatic merge from submit-queue
Change default attach_detach_controller reconciler sync period to 1 minute
When default reconciler sync period is set to 5 second, we often see
rateLimit issue for a large cluster. This PR is changing the period to 1
minute to mitigate this problem.
Make this period longer means that there might be some period of time
that the cached information in master's attach_detach_controller is out
of date. The node might use this information to mount to the wrong
device. For GCE PD, since device path is uniquely associated with volume
id, so mount operation will just fail because of this outdated
information. For AWS, before kubelet might mount to the wrong volume
because device path could be reused immediately once it is available.
But after PR #38818, device path will only be reused after all device
paths have been explored. That means it is very unlikely that kubelet will
mount to a wrong volume that is using the old device path that had been
assigned to the same node.
**Release note**:
```release-note
We change the default attach_detach_controller sync period to 1 minute to reduce the query frequency through cloud provider to check whether volumes are attached or not.
```
Automatic merge from submit-queue (batch tested with PRs 41342, 41257, 41295, 41367, 41230)
kubeadm: unit tests for apis/kubeadm/validation
**What this PR does / why we need it**: added tests to apis/kubeadm/validation pkg and raised coverage from ~21% to 100%.
Adding unit tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41342, 41257)
kubeadm: fix to avoid panic if token not provided
**What this PR does / why we need it**: Prior to this, kubeadm would panic if no token was provided running `kubeadm ex token delete`. This does a check to verify an arg has been passed and prints out a more reasonable message if it is not provided.
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41115, 41212, 41346, 41340, 41172)
Add informers to client-go
Adds informers and listers to client-go so that you can build a controller on it.
@sttts @caesarxuchao @kubernetes/sig-api-machinery-misc
When default reconciler sync period is set to 5 second, we often see
rateLimit issue for a large cluster. This PR is change the period to 1
minute to mitigate this problem.
Make this period longer means that there might be some period of time
that the cached information in master's attach_detach_controller is out
of date. The node might use this information to mount to the wrong
device. For GCE PD, since device path is uniquely associated with volume
id, so mount operation will just fail because of this outdated
information. For AWS, before kubelet might mount to the wrong volume
because device path could be reused immediately once it is available.
But after PR #38818, device path will only be reused after all device
paths have been explored. That means it is very unlikely that kubelet will
mount to a wrong volume that is using the old device path that had been
assigned to the same node.
Automatic merge from submit-queue
copy pkg/util/logs to apiserver
This is a copy, not a move. API servers need to be able to init the logs, but so do clients. It would be weird to have the client-side commands depending on the server side logs utilities.
I updated all the server side references, but left the client-side ones.
@sttts @kubernetes/sig-api-machinery-pr-reviews acceptable?
Automatic merge from submit-queue (batch tested with PRs 41137, 41268)
Allow the CertificateController to use any Signer implementation.
**What this PR does / why we need it**:
This will allow developers to create `CertificateController`s with arbitrary `Signer`s, instead of forcing the use of `CFSSLSigner`. It matches the behavior of allowing an arbitrary `AutoApprover` to be passed in the constructor.
**Release note**:
```release-note
NONE
```
CC @mikedanese
Automatic merge from submit-queue (batch tested with PRs 41259, 41260)
kubeadm: changed manifest files to yaml
**What this PR does / why we need it**: Static Pods are currently stored as .json files in /etc/kubernetes/manifests. This PR instead writes them as YAML, as requested by the SIG.
**Which issue this PR fixes**: fixes #https://github.com/kubernetes/kubeadm/issues/153
**Special notes for your reviewer**: /cc @luxas
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 38252, 41122, 36101, 41017, 41264)
Fix cluster-cidr flag
**What this PR does / why we need it**:
Fixes the kube-proxy daemonset config when using the `pod-network-cidr flag`. The return value of `getClusterCIDR` should be prefixed with a `-`.
**Special notes for your reviewer**:
None
@luxas
Automatic merge from submit-queue (batch tested with PRs 38252, 41122, 36101, 41017, 41264)
Add alternative names for the server binaries to hyperkube
**What this PR does / why we need it**:
Right now one can't swap a server image to the hyperkube image without touching the `command` field in the yaml spec, and that's daunting and leading to extra and unnecessary logic for example in kubeadm.
This makes the hyperkube image directly swappable, so now `/usr/local/bin/kube-*` is a portable first argument (or simply `kube-*` if there's a shell).
**Special notes for your reviewer**:
**Release note**:
```release-note
Align the hyperkube image to support running binaries at /usr/local/bin/ like the other server images
```
@jessfraz @thockin @ixdy
Automatic merge from submit-queue (batch tested with PRs 38252, 41122, 36101, 41017, 41264)
BootstrapSigner and TokenCleaner controllers
This is part of https://github.com/kubernetes/features/issues/130 and is an implementation of https://github.com/kubernetes/community/pull/189.
Work that needs to be done yet in this PR:
* [ ] ~~e2e tests~~ Will come in new PR.
* [x] flag to disable this by default
```release-note
Native support for token based bootstrap flow. This includes signing a well known ConfigMap in the `kube-public` namespace and cleaning out expired tokens.
```
@kubernetes/sig-cluster-lifecycle @dgoodwin @roberthbailey @mikedanese
Automatic merge from submit-queue (batch tested with PRs 41223, 40892, 41220, 41207, 41242)
kubeadm: preflight should only warn about unresolvable hostnames
**What this PR does / why we need it**:
This is quite often the case on AWS, and we really don't care if
the hostname is resolvable or not. It's not an easy requirement
to ask user to fix, and there is no functional penalty at the
Kubernetes level, also it's possible that users fixes their host
resolution eventually, we don't have to make them do so.
**Special notes for your reviewer**: @dmmcquay @luxas PTAL 👍
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 39418, 41175, 40355, 41114, 32325)
TaintController
```release-note
This PR adds a manager to NodeController that is responsible for removing Pods from Nodes tainted with NoExecute Taints. This feature is beta (as the rest of taints) and enabled by default. It's gated by controller-manager enable-taint-manager flag.
```
Automatic merge from submit-queue (batch tested with PRs 39418, 41175, 40355, 41114, 32325)
ResyncPeriod Comment
ResyncPeriod Comment:
// ResyncPeriod returns a function which generates a duration each time it is
// invoked; this is so that multiple controllers don't get into lock-step and all
// hammer the apiserver with list requests simultaneously.
Automatic merge from submit-queue (batch tested with PRs 41112, 41201, 41058, 40650, 40926)
verify: Use macOS compatible copying method
**What this PR does / why we need it**:
Similar to the fix in #34944, this fixes issues in the `make verify` tests, by using a copy method that is compatible with macOS and the bsd version of `cp`.
Before fix:
```
Verifying hack/make-rules/../../hack/verify-codegen.sh
cp: illegal option -- T
usage: cp [-R [-H | -L | -P]] [-fi | -n] [-apvX] source_file target_file
cp [-R [-H | -L | -P]] [-fi | -n] [-apvX] source_file ... target_directory
FAILED hack/make-rules/../../hack/verify-codegen.sh 0s
```
After fix:
```
Verifying hack/make-rules/../../hack/verify-codegen.sh
Building client-gen
Building lister-gen
Building informer-gen
diffing cmd/kube-aggregator/hack/../pkg against freshly generated codegen
cmd/kube-aggregator/hack/../pkg up to date.
+++ [0128 10:06:48] Building the toolchain targets:
k8s.io/kubernetes/hack/cmd/teststale
k8s.io/kubernetes/vendor/github.com/jteeuwen/go-bindata/go-bindata
+++ [0128 10:06:48] Generating bindata:
test/e2e/generated/gobindata_util.go
/opt/gopath/src/k8s.io/kubernetes /opt/gopath/src/k8s.io/kubernetes/test/e2e/generated
/opt/gopath/src/k8s.io/kubernetes/test/e2e/generated
+++ [0128 10:06:49] Building go targets for darwin/amd64:
cmd/libs/go2idl/client-gen
cmd/libs/go2idl/lister-gen
cmd/libs/go2idl/informer-gen
Building client-gen
Building lister-gen
Building informer-gen
SUCCESS hack/make-rules/../../hack/verify-codegen.sh 59s
```
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41112, 41201, 41058, 40650, 40926)
Promote TokenReview to v1
Peer to https://github.com/kubernetes/kubernetes/pull/40709
We have multiple features that depend on this API:
- [webhook authentication](https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication)
- [kubelet delegated authentication](https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication)
- add-on API server delegated authentication
The API has been in use since 1.3 in beta status (v1beta1) with negligible changes:
- Added a status field for reporting errors evaluating the token
This PR promotes the existing v1beta1 API to v1 with no changes
Because the API does not persist data (it is a query/response-style API), there are no data migration concerns.
This positions us to promote the features that depend on this API to stable in 1.7
cc @kubernetes/sig-auth-api-reviews @kubernetes/sig-auth-misc
```release-note
The authentication.k8s.io API group was promoted to v1
```
Automatic merge from submit-queue (batch tested with PRs 40796, 40878, 36033, 40838, 41210)
HPA v2 (API Changes)
**Release note**:
```release-note
Introduces an new alpha version of the Horizontal Pod Autoscaler including expanded support for specifying metrics.
```
Implements the API changes for kubernetes/features#117.
This implements #34754, which is the new design for the Horizontal Pod Autoscaler. It includes improved support for custom metrics (and/or arbitrary metrics) as well as expanded support for resource metrics. The new HPA object is introduces in the API group "autoscaling/v1alpha1".
Note that the improved custom metric support currently is limited to per pod metrics from Heapster -- attempting to use the new "object metrics" will simply result in an error. This will change once #34586 is merged and implemented.
Automatic merge from submit-queue (batch tested with PRs 40796, 40878, 36033, 40838, 41210)
kubeadm: added tests for preflight checks
**What this PR does / why we need it**: There hadn't been much care to add more unit tests as more preflight checks were added. I added tests that increased coverage from ~9% to ~71%
Adding unit tests is a WIP from https://github.com/kubernetes/kubernetes/issues/34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 40796, 40878, 36033, 40838, 41210)
Implement TTL controller and use the ttl annotation attached to node in secret manager
For every secret attached to a pod as volume, Kubelet is trying to refresh it every sync period. Currently Kubelet has a ttl-cache of secrets of its pods and the ttl is set to 1 minute. That means that in large clusters we are targetting (5k nodes, 30pods/node), given that each pod has a secret associated with ServiceAccount from its namespaces, and with large enough number of namespaces (where on each node (almost) every pod is from a different namespace), that resource in ~30 GETs to refresh all secrets every minute from one node, which gives ~2500QPS for GET secrets to apiserver.
Apiserver cannot keep up with it very easily.
Desired solution would be to watch for secret changes, but because of security we don't want a node watching for all secrets, and it is not possible for now to watch only for secrets attached to pods from my node.
So as a temporary solution, we are introducing an annotation that would be a suggestion for kubelet for the TTL of secrets in the cache and a very simple controller that would be setting this annotation based on the cluster size (the large cluster is, the bigger ttl is).
That workaround mean that only very local changes are needed in Kubelet, we are creating a well separated very simple controller, and once watching "my secrets" will be possible it will be easy to remove it and switch to that. And it will allow us to reach scalability goals.
@dchen1107 @thockin @liggitt
This is quite often the case on AWS, and we really don't care if
the hostname is resolvable or not. It's not an easy problem
to ask user to fix, and there is no functional penalty at the
Kubernetes level, also it's possible that users fixes their host
resolution eventually, we don't have to make them do so.
Automatic merge from submit-queue (batch tested with PRs 40917, 41181, 41123, 36592, 41183)
fix ca cert in kubeadm
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
Automatic merge from submit-queue (batch tested with PRs 41074, 41147, 40854, 41167, 40045)
kubeadm: adding integration tests for init
**What this PR does / why we need it**: integration tests for kubeadm init focused on valid and invalid discovery tokens
**Special notes for your reviewer**: /cc @luxas @pires
This was taken from Pires's work in https://github.com/kubernetes/kubernetes/pull/40008 . This is just the testing aspect of it
As it stands, these tests will never complete. The reason being is once it passes with a valid discovery token, it will wait until `[apiclient] Created API client, waiting for the control plane to become ready ` which is an infinite poll (https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/master/apiclient.go#L71).
This is a WIP
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41037, 40118, 40959, 41084, 41092)
Switch CSR controller to use shared informer
Switch the CSR controller to use a shared informer. Originally part of #40097 but I'm splitting that up into multiple PRs.
I have added a test to try to ensure we don't mutate the cache. It could use some fleshing out for additional coverage but it gets the initial job done, I think.
cc @mikedanese @deads2k @liggitt @sttts @kubernetes/sig-scalability-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 41121, 40048, 40502, 41136, 40759)
add k8s.io/sample-apiserver to demonstrate how to build an aggregated API server
builds on https://github.com/kubernetes/kubernetes/pull/41093
This creates a sample API server is a separate staging repo to guarantee no cheating with `k8s.io/kubernetes` dependencies. The sample is run during integration tests (simple tests on it so far) to ensure that it continues to run.
@sttts @kubernetes/sig-api-machinery-misc ptal
@pwittrock @pmorie @kris-nova an aggregated API server example that will stay up to date.
Automatic merge from submit-queue (batch tested with PRs 41121, 40048, 40502, 41136, 40759)
Remove deprecated kubelet flags that look safe to remove
Removes:
```
--config
--auth-path
--resource-container
--system-container
```
which have all been marked deprecated since at least 1.4 and look safe to remove.
```release-note
The deprecated flags --config, --auth-path, --resource-container, and --system-container were removed.
```
Automatic merge from submit-queue (batch tested with PRs 40175, 41107, 41111, 40893, 40919)
kubeadm: skip integration tests if kubeadm-cmd-skip flag passed
Will skip integration tests for token generation if it can't find a file by the given --kubeadm-path or default value.
**What this PR does / why we need it**: Tests would fail if just running `go test` in the dir because it expects to have more values. This won't change the behavior of `make test-cmd` which gets run here:
https://github.com/kubernetes/kubernetes/blob/master/Makefile#L258
**Which issue this PR fixes**: fixes#40155
**Special notes for your reviewer**: /cc @pires @pipejakob @liggitt
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 38796, 40823, 40756, 41083, 41105)
Add more options to the RecommendedOptions struct.
Builds on https://github.com/kubernetes/kubernetes/pull/41028
Adds `AuditOptions` to the `RecommendedOptions`
@sttts @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 41061, 40888, 40664, 41020, 41085)
move --runtime-config to kubeapiserver
`--runtime-config` is only useful if you have a lot of API groups in one server. If you have a single API group in your server (the vast majority of aggregated API servers), then the flag is unneeded and relatively complex. This moves it to closer to point of use.
@sttts
Automatic merge from submit-queue (batch tested with PRs 41061, 40888, 40664, 41020, 41085)
kubeadm: Small cleanup and fixes, validate the service subnet
**What this PR does / why we need it**:
- Validate the minimum subnet cidr so there are always 10 available addresses
- Remove an old proxy arg function, add clustercidr to the proxy manifest and automatically calculate the dns ip
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@errordeveloper @pires @mikedanese @dmmcquay @dgoodwin
Automatic merge from submit-queue (batch tested with PRs 41061, 40888, 40664, 41020, 41085)
kubeadm: added tests cert/pkiutil pkg
raised coverage from ~37% to ~77%
**What this PR does / why we need it**: added tests to cert/pkiutil pkg and raised coverage from ~37% to ~77%
Adding unit tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41103, 41042, 41097, 40946, 40770)
Use Clientset interface in KubeletDeps
**What this PR does / why we need it**:
This replaces the Clientset struct with the equivalent interface for the KubeClient injected via KubeletDeps. This is useful for testing and for accessing the Node and Pod status event stream without an API server.
**Special notes for your reviewer**:
Follow up to #4907
**Release note**:
`NONE`
Automatic merge from submit-queue (batch tested with PRs 41064, 41090, 41068, 41073, 40882)
kubeadm: updated tests in app/util pkg
**What this PR does / why we need it**: Tests did not follow the standard of being table driven. Updated to make future changes (Adding/deleting tests) easier as well as more readable
Adding unit tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
After today's SIG meeting, it was discussed how to proceed with these
types of test-cmd tests. They will live in kubeamd/test/cmd and will
provide a flag that will allow you to skip them (--kubeadm-cmd-skip) and
by default will fail if kubeadm binary is not present
Automatic merge from submit-queue (batch tested with PRs 40345, 38183, 40236, 40861, 40900)
refactor approver and signer interfaces to be consisten w.r.t. apiserver interaction
This makes it so that only the controller loop talks to the
API server directly. The signatures for Sign and Approve also
become more consistent, while allowing the Signer to report
conditions (which it wasn't able to do before).
Automatic merge from submit-queue (batch tested with PRs 41023, 41031, 40947)
apiserver command line options lead to config
Logically command line options lead to config, not the other way around. We're clean enough now we can actually do the inversion.
WIP because I have some test cycles to fix, but this is all the meat.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 41023, 41031, 40947)
scrub aggregator names to eliminate discovery
Cleanup old uses of `discovery`. Also removes the legacy functionality.
@kubernetes/sig-api-machinery-misc @sttts
Automatic merge from submit-queue (batch tested with PRs 40971, 41027, 40709, 40903, 39369)
Promote SubjectAccessReview to v1
We have multiple features that depend on this API:
SubjectAccessReview
- [webhook authorization](https://kubernetes.io/docs/admin/authorization/#webhook-mode)
- [kubelet delegated authorization](https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authorization)
- add-on API server delegated authorization
The API has been in use since 1.3 in beta status (v1beta1) with negligible changes:
- Added a status field for reporting errors evaluating access
- A typo was discovered in the SubjectAccessReviewSpec Groups field name
This PR promotes the existing v1beta1 API to v1, with the only change being the typo fix to the groups field. (fixes https://github.com/kubernetes/kubernetes/issues/32709)
Because the API does not persist data (it is a query/response-style API), there are no data migration concerns.
This positions us to promote the features that depend on this API to stable in 1.7
cc @kubernetes/sig-auth-api-reviews @kubernetes/sig-auth-misc
```release-note
The authorization.k8s.io API group was promoted to v1
```
Automatic merge from submit-queue (batch tested with PRs 40385, 40786, 40999, 41026, 40996)
kubeadm: change os.Remove to os.RemoveAll
**What this PR does / why we need it**: This would not correctly clean out the tmp dir, since os.Remove doesn't recursively remove dirs, which could exist in the tmp dir.
Unit tests are a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Replace hand-written informers with generated ones
Replace existing uses of hand-written informers with generated ones.
Follow-up commits will switch the use of one-off informers to shared
informers.
This is a precursor to #40097. That PR will switch one-off informers to shared informers for the majority of the code base (but not quite all of it...).
NOTE: this does create a second set of shared informers in the kube-controller-manager. This will be resolved back down to a single factory once #40097 is reviewed and merged.
There are a couple of places where I expanded the # of caches we wait for in the calls to `WaitForCacheSync` - please pay attention to those. I also added in a commented-out wait in the attach/detach controller. If @kubernetes/sig-storage-pr-reviews is ok with enabling the waiting, I'll do it (I'll just need to tweak an integration test slightly).
@deads2k @sttts @smarterclayton @liggitt @soltysh @timothysc @lavalamp @wojtek-t @gmarek @sjenning @derekwaynecarr @kubernetes/sig-scalability-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 39681, 39321, 41018, 40883)
kubeadm: app/util/template.go has unit tests
**What this PR does / why we need it**: There was a TODO tag about adding unit tests, but unit tests have been added and the coverage for that file is ~90%. Tag should be removed.
Adding unit tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Kubeadm discovery remove error passing
**What this PR does / why we need it**: In the app/discovery there is some confusion about the passing of error values created in the discovery/token, discovery/https/ and discovery/file pkgs. Since they always return `nil` , it was very confusing in discovery/flags.go why to propagate them up as if there was a chance for them to return a value other than `nil`. This change makes it much more clear what is being passed.
I noticed this as I was making a sweep through trying to add more unit tests and it was very confusing to read the code.
**Which issue this PR fixes** : fixes #https://github.com/kubernetes/kubeadm/issues/141
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
kubeadm: Remove the kubernetes.io/cluster-service label from the Deployment templates
**What this PR does / why we need it**:
As discussed on Slack, these labels have no function when not using the addon-manager, so it's best to remove them to avoid confusion.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@thockin @mikedanese @pires @MrHohn @bowei @dmmcquay @deads2k @philips
This makes it so that only the controller loop talks to the
API server directly. The signatures for Sign and Approve also
become more consistent, while allowing the Signer to report
conditions (which it wasn't able to do before).
Automatic merge from submit-queue (batch tested with PRs 35782, 35831, 39279, 40853, 40867)
remove unnecessarily duplication since types collapsed
We collapsed duplicate types into client-go, so we get to clean this up.
@sttts as promised.
Automatic merge from submit-queue (batch tested with PRs 35782, 35831, 39279, 40853, 40867)
genericapiserver: cut off more dependencies – episode 7
Follow-up of https://github.com/kubernetes/kubernetes/pull/40822
approved based on #40363
Automatic merge from submit-queue
Removed HPA objects from extensions api group
fix#29778
``` release-note
HorizontalPodAutoscaler is no longer supported in extensions/v1beta1 version. Use autoscaling/v1 instead.
```
cc @kubernetes/autoscaling
Automatic merge from submit-queue
kubeadm: fix reset error logging.
**What this PR does / why we need it**: while investigating https://github.com/kubernetes/kubeadm/issues/142 I realized error logging was misleading. This PR is meant to fix it.
**Special notes for your reviewer**: /cc @luxas
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Move post processing/backward compatibility of openapi out of generic package
Post processing step was put into generic package and was the same for both k8s api server and federation api server. They have different backward compatibility list of types. This PR move that step out of generic package and put it in each server's file.
Automatic merge from submit-queue
kubeadm: Refactoring the apiconfig and addons phases
**What this PR does / why we need it**:
First commit: Fix the defaulting for AuthorizationMode - **Ready for review**
Second commit: Refactoring the apiconfig and addons phases in kubeadm - **work in progress, broken at the moment**
**Special notes for your reviewer**:
Please take a look at the first commit now. You can also see the direction I'm going with the addons and apiconfig phases.
For example, I'm using Go templates instead of creating native Go structs for kube-dns and kube-proxy now. The question is if I should do it for the RBAC rules as well, it might make sense there as well.
Converting the dns addon to a yaml spec makes it 100x easier to maintain when changes are made to the "upstream" DNS spec, and also more swappable. We could for instance have a configuration param for it for those who want a custom file, etc.
**Release note**:
```release-note
NONE
```
@mikedanese @pires @lukemarsden @errordeveloper @dgoodwin @liggitt @andrewrynhard
Automatic merge from submit-queue (batch tested with PRs 40574, 40806, 40308, 40771, 39440)
kubeadm: kube-proxy needs to know the pod subnet CIDR
**What this PR does / why we need it**: `kube-proxy` 1.5 has a new flag `cluster-cidr` that isn't specified by `kubeadm`, thus resulting in bug https://github.com/kubernetes/kubeadm/issues/102.
**Which issue this PR fixes**: fixes https://github.com/kubernetes/kubeadm/issues/102
**Special notes for your reviewer**:
/cc @luxas @dmmcquay
Automatic merge from submit-queue (batch tested with PRs 40574, 40806, 40308, 40771, 39440)
kubeadm: preflight check for incorrect FQDN
**What this PR does / why we need it**: There are a variety of system configuration errors (such as cloud-init bugs when deploying on AWS) which can cause hostname and uname -n to be wrong for a given host. This will cause kubeadm setup to fail in interesting and hard-to-figure-out ways (it doesn't fail until you start trying to set up DNS on the master, for example).
This PR adds a preflight check to test whether or not the server can reach itself using that name. This does not catch the case that the FQDN belongs to a different but valid server, but it would catch some of the cases.
**Which issue this PR fixes** : fixes https://github.com/kubernetes/kubeadm/issues/135
**Special notes for your reviewer**: /cc @luxas
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 40574, 40806, 40308, 40771, 39440)
move api server no kube dep packages
Simple moves, see commit titles. I did not move the source of the generated swagger, I simply change the destination of the script. I'm ok building a little debt to complete the move.
@sttts
Depending on an exact cluster setup multiple dns may make sense.
Comma-seperated lists of DNS server are quite common as DNS servers
are always plain IPs.
Automatic merge from submit-queue
kubeadm: Move some code from apiclient.go to the dedicated apiconfig phase
**What this PR does / why we need it**:
Add constants and somewhat refactor the RBAC code as well + some cleanup.
I'm planning to rewrite the code in `setupmaster.go` later, but this PR has only the move of the code for easier reviewing.
**Special notes for your reviewer**:
This is broken out from: https://github.com/kubernetes/kubernetes/pull/40556
**Release note**:
```release-note
NONE
```
@mikedanese @pires @dmmcquay @dgoodwin
Automatic merge from submit-queue
Use full package path for definition name in OpenAPI spec
We were using short package name (last part of package name) plus type name for OpenAPI spec definition name. That can result in duplicate names and make the spec invalid. To be sure we will always have unique names, we are going to use full package name as definition name. Also "x-kubernetes-tag" custom field is added to definitions to list Group/Version/Kind for the definitions that has it. This will help clients to discover definitions easier.
Lastly, we've added a reference from old definition names to the new ones to keep backward compatibilities. The list of old definitions will not be updated.
**Release note**:
- Rename OpenAPI definition names to type's full package names to prevent duplicates
- Create OpenAPI extension "x-kubernetes-group-version-kind" for definitions to store Group/Version/Kind
- Deprecate old definition names and create a reference to the new definitions. Old definitions will be removed in the next release.
Automatic merge from submit-queue
error strings should not end with punctuation
**What this PR does / why we need it**:
Delete the end punctuation of error strings
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
https://github.com/golang/go/wiki/CodeReviewComments#error-strings
**Release note**:
```release-note
```
Signed-off-by: yupeng <yu.peng36@zte.com.cn>
Automatic merge from submit-queue
remove unneeded storage options
Cleanup of some storage serialization options that only kube and federation api server (and maybe not even that one) need.
You may have called it a snip, but this moves the options out of generic entirely.
Automatic merge from submit-queue (batch tested with PRs 40638, 40742, 40710, 40718, 40763)
move client/record
An attempt at moving client/record to client-go. It's proving very stubborn and needs a lot manual intervention and near as I can tell, no one actually gets any benefit from the sink and source complexity it adds.
@sttts @caesarchaoxu
Automatic merge from submit-queue
add deads2k to some cmd packages
Selectively adding myself to cmd packages for commands that I've authored or significantly touched.
Automatic merge from submit-queue (batch tested with PRs 40707, 40698)
kubeadm: Default to control plane v1.6.0-alpha.1 and using RBAC
Also use constants for authz modes
**What this PR does / why we need it**:
Defaults to v1.6.0-alpha.1 (will be cut later today) because the certificates API group has been upgraded to beta, so `kubeadm join` at HEAD doesn't work on a `v1.5` cluster anyway.
By defaulting to v1.6.0-alpha.1, we can focus totally on v1.6 for kubeadm at HEAD, we don't support other versions in the upcoming v1.6 kubeadm release because of the alpha -> beta upgrades.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@mikedanese @pires
Automatic merge from submit-queue (batch tested with PRs 40392, 39242, 40579, 40628, 40713)
fixed bug #36988 -- kubeadm join crashes when using multiple API endpoints
**What this PR does / why we need it**:
Simple bug fix for #36988 (kubeadm crashes when trying to join nodes to a master with multiple API endpoints) -- stopChan was getting closed multiple times, once per endpoint. Moved the close into the once.Do(...)
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
fixes#36988
**Special notes for your reviewer**:
this is my first kubernetes commit, just getting familiar with the process, so any/all feedback is appreciated
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 38443, 40145, 40701, 40682)
Move kubeadm etcd SELinux options from container to pod.
**What this PR does / why we need it**:
Works around a bug that surfaces in Docker 1.12+ related to the pause
container's namespace and selinux labels being transferred to the etcd
container when it runs.
At present it appears that applying selinux options to a container may
be broken, or perhaps shouldn't be supported at all. Moving these to the
pod causes all containers (including pause) to run with the correct
labels.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Related to and partial fix for https://github.com/kubernetes/kubeadm/issues/107
This is one of several selinux related fixes in flight for upcoming releases, and newer versions of Docker. To successfully run kubeadm with selinux enforcing right now would like require a recent container-selinux build as uncovered in https://github.com/kubernetes/kubeadm/issues/107, a bugfix for the format labels in #40179, and finally this fix.
**Release note**:
```release-note
Fixed an SELinux issue in kubeadm on Docker 1.12+ by moving etcd SELinux options from container to pod.
```
Automatic merge from submit-queue (batch tested with PRs 40691, 40551, 40683, 40700, 40702)
Clean up generated comment for lister/informers
The generated comment including the command line means the addition of a new group/version touches all listers/informers, not just the ones for the new group/version
@ncdc PTAL
Automatic merge from submit-queue (batch tested with PRs 40691, 40551, 40683, 40700, 40702)
Enable protobufs as storage format by default
**Release note**:
```release-note
Change default storage format to protobufs. With this PR apiserver will be writing objects serialized as protobufs to etcd. If the apiserver was upgraded in the existing clusters, until an object will be written, it will still be stored as JSON. Apiserver can deal with some data being in json and some in protobuf format as of 1.4 release.
```
@kubernetes/sig-api-machinery-misc @kubernetes/sig-api-machinery-pr-reviews
Works around a bug that surfaces in Docker 1.12+ related to the pause
container's namespace and selinux labels being transferred to the etcd
container when it runs.
At present it appears that applying selinux options to a container may
be broken, or perhaps shouldn't be supported at all. Moving these to the
pod causes all containers (including pause) to run with the correct
labels.
Automatic merge from submit-queue
Remove proxy-mode annotation from kube-proxy
**What this PR does / why we need it**:
This removes the net.experimental.kubernetes.io/proxy-mode and net.beta.kubernetes.io/proxy-mode annotations from kube-proxy.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#40582
**Special notes for your reviewer**:
**Release note**:
```release-note
Remove outdated net.experimental.kubernetes.io/proxy-mode and net.beta.kubernetes.io/proxy-mode annotations from kube-proxy.
```
Automatic merge from submit-queue (batch tested with PRs 40132, 39302, 40194, 40619, 40601)
fix error message in TestGetAddonImage
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
**What this PR does / why we need it**:
1. fix incorrect error message in TestGetAddonImage
2. rename some variables to make them more reasonable
Automatic merge from submit-queue (batch tested with PRs 40132, 39302, 40194, 40619, 40601)
fix nil check and typos
**What this PR does / why we need it**:
1. nil error should be checked before defer statement.
2. fix some typos.
Signed-off-by: bruceauyeung ouyang.qinhua@zte.com.cn
Automatic merge from submit-queue
add test tokens for TestValidateToken
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
**What this PR does / why we need it**:
1. add invalid tokens which token ID and token secret contain special characters such as `*`
2. add valid tokens which token ID and token secret contain mixed lowercase characters and numeric numbers
Automatic merge from submit-queue
fix incorrect parameter passing
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
**What this PR does / why we need it**:
1. fix incorrect parameter passing when creating error
2. fix ineffectual assignment to err variable.
Automatic merge from submit-queue (batch tested with PRs 40543, 39999)
remove pkg/feature dependency from genericapiserver.
@sttts I think you just forgot this when you were snipping the rest of the link. If I understood the previous pull correctly, this ought to ensure proper registration of the bits we need, right?
Automatic merge from submit-queue (batch tested with PRs 40239, 40397, 40449, 40448, 40360)
move the discovery and dynamic clients
Moved the dynamic client, discovery client, testing/core, and testing/cache to `client-go`. Dependencies on api groups we don't have generated clients for have dropped out, so federation, kubeadm, and imagepolicy.
@caesarxuchao @sttts
approved based on https://github.com/kubernetes/kubernetes/issues/40363
Automatic merge from submit-queue (batch tested with PRs 39538, 40188, 40357, 38214, 40195)
genericapiserver: cut off more dependencies – episode 2
Compare commit subjects.
approved based on #40363
Automatic merge from submit-queue
Wait for the self-hosted control plane during kubeadm init.
**What this PR does / why we need it**:
Currently we are completing kubeadm init while the scheduler and
controller manager are likely still not yet up. In some cases if they
will fail, they won't ever come up.
Instead wait until each pod enters running state before exiting kubeadm.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 40428, 40176)
Cleaup Affinity post conversion from annotations to fields
**What this PR does / why we need it**:
Cleans up leftover work from the conversion of affinity from annotations to fields.
fixes#40016
related #25319
**Special notes for your reviewer**:
There are some TODO items left for @luxas or @errordeveloper b/c they were trying to use affinity in a way that is not possible.
**Release note**:
```release-note
NONE
```
/cc @kubernetes/sig-scheduling-misc @rrati
Automatic merge from submit-queue
update kubectl approvers
All the other owners files have names (not groups). Updated for individual users for approvers so `/approve` works.
@kubernetes/sig-cli-api-reviews
Automatic merge from submit-queue
move client/cache and client/discovery to client-go
mechanical changes to move those packages. Had to create a `k8s.io/kubernetes/pkg/client/tests` package for tests that were blacklisted from client-go. We can rewrite these tests later and move them, but for now they'll still run at least.
@caesarxuchao @sttts
Currently we are completing kubeadm init while the scheduler and
controller manager are likely still not yet up. In some cases if they
will fail, they won't ever come up.
Instead wait until each pod enters running state before exiting kubeadm.
Kubernetes Submit Queue