The service account authenticator isn't the only authenticator that
should respect API audience. The authentication config structure should
reflect that.
Order of Volumes and VolumeMounts in the pod objects created by
kubeadm is undefined as they're represended as maps in the
controlPlaneHostPathMounts struct.
This influences 'kubeadm upgrade' logic in a way that even when
manifest of the component is not changed kubeadm tries to upgrade
it because most of the time current and new pods are not equal
due to the different order of Volumes and VolumeMounts.
For example 'kubeadm apply diff' almost always shows difference
in Volumes and VolumeMounts because of this:
volumeMounts:
+ - mountPath: /etc/kubernetes/pki
+ name: k8s-certs
+ readOnly: true
- mountPath: /etc/ssl/certs
name: ca-certs
+ readOnly: true
+ - mountPath: /etc/pki
+ name: etc-pki
+ readOnly: true
+ - mountPath: /usr/share/ca-certificates
+ name: usr-share-ca-certificates
readOnly: true
- mountPath: /etc/ca-certificates
name: etc-ca-certificates
readOnly: true
- - mountPath: /etc/pki
- name: etc-pki
- readOnly: true
- - mountPath: /etc/kubernetes/pki
- name: k8s-certs
- readOnly: true
- - mountPath: /usr/share/ca-certificates
- name: usr-share-ca-certificates
- readOnly: true
Sorting Volumes and VolumeMounts should fix this issue and help
to avoid unnecessary upgrades.
In order to improve the UX of kubeadm, it was decided to introduce the
following subcommands:
- `kubeadm config print` - this is currently only a placeholder for subcommands
that deal printing of some kind of configuration.
- `kubeadm config print init-defaults` - prints the default combination of
InitConfiguration and ClusterConfiguration. Selected component configs can be
printed too if the `--component-configs` command line switch is used.
- `kubeadm config print join-defaults` - prints the default JoinConfiguration.
This command also supports the use of `--component-configs`.
- `kubeadm config print-defaults` is deprecated in favor of
`kubeadm config print init/join-defaults`.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
When doing upgrades kubeadm generates new manifest and
waits until kubelet restarts correspondent pod.
However, kubelet won't restart pod if there are no changes
in the manifest. That makes kubeadm stuck waiting for
restarted pod.
Skipping upgrade if new component manifest is the same as
current manifest should solve this.
Fixes: kubernetes/kubeadm#1054
This change splits out discovery fields from JoinConfiguration by performing
the following changes:
- Introduce a BootstrapTokenDiscovery structure, that houses configuration
options needed for bootstrap token based discovery.
- Introduce a FileDiscovery structure, that houses configuration options
(currently only a single option) needed for KubeConfig based discovery.
- Introduce a Discovery structure, that houses common options (such as
discovery timeout and TLS bootstrap token) as well as pointer to an instance
of either BootstrapTokenDiscovery or FileDiscovery structures.
- Replace the old discovery related JoinConfiguration members with a single
Discovery member.
This change is required in order to cleanup the code of unnecessary logic and
make the serialized JoinConfiguration more structured (and therefore, more
intuitive).
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
It makes more sense to use advertised etcd endpoints instead of using
listened client URLS.
I'm solving this use case: Listen on localhost and public IP but I don't
want to add multiple endpoints to kube-apiservers because it's targeting
same etcd server.
Without this patch SetKubernetesVersion does not set
a version in all locations where it's called, because
the passed config to it always has a default version
stable-1.
This always triggers the != "" check and the function
returns without setting a version.
Validate against DefaultKubernetesVersion and "" instead.
This fixes all cases where fetching a version from the internet
is not needed at all - e.g. "kubeadm token create".
Also make SetKubernetesVersion default to version.Get().String()
and add unit tests for the function.
kubeadm token create --print-join-command --config <path>
fails with Error: can not mix '--config' with arguments [print-join-command]
As print-joint command can't be put into the configuration file it
should be possible to use those 2 options at the same time.
Added print-join-command options to the list of exceptions in
ValidateMixedArguments check to allow its usage with --config option.
Fixes: kubernetes/kubeadm#1166
This change allows mixing InitConfiguration/ClusterConfiguration with
JoinConfiguration in a single YAML file, by performing the following changes:
- Replace the explicit error in `DetectUnsupportedVersion` with a warning.
- Modify `NodeConfigFileAndDefaultsToInternalConfig` to use only
`JoinConfiguration`.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
Individual implementations are not yet being moved.
Fixed all dependencies which call the interface.
Fixed golint exceptions to reflect the move.
Added project info as per @dims and
https://github.com/kubernetes/kubernetes-template-project.
Added dims to the security contacts.
Fixed minor issues.
Added missing template files.
Copied ControllerClientBuilder interface to cp.
This allows us to break the only dependency on K8s/K8s.
Added TODO to ControllerClientBuilder.
Fixed GoDeps.
Factored in feedback from JustinSB.
The default version in kubeadm is now `stable-1`. This will
pull a version from the `stable-1.txt` endpoint which might
end up being newer than the version of the client by a magnitude
of MINOR or even a MAJOR release.
To be able to prevent this scenario add the new helper function:
validateStableVersion()
This function determines if the remote version is newer than the
local client version and if that's the case it returns `stable-X.xx`
that conforms with the version of the client. If not it returns
the remote version.
If 'kubeadm join' is run with --discovery-file option it still
prompts for bootstrap token. This makes it impossible to use
existing client certificates mentioned in the discovery file.
Fixed by checking for empty bootstrap token only if discovery file
is not specified.
Fixes: kubernetes/kubeadm#1142
A previous commit updated 17.xx -> 18.xx without considering
that some systems still use 17.xx.
Add handling for 17.0[3,6,9] as validated versions.
Also re-format the error message because the version is not validated
per maximum basis, but rather based on existing validation.
This will allow for kube-proxy to be run without `privileged` and
with only adding the capability `NET_ADMIN`.
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
As kube-dns transitioned to fat manifests, it's no longer required to use arch
suffixed images. This change makes use of fat manifests for kube-dns and
removes the last few calls to the GetGenericArchImage function, thus removing
GetGenericArchImage too.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
This fixes an issue where SRV records were incorrectly being compressed.
Also updated kubedns version for kubeadm
Upgrade to 1.14.12 with manifest support. Runs dnsmasq version 2.78
Remove the test called TestNewCmdReset in cmd/reset_test.go, since it
can prompt for root password and it then calls an actual reset
and shuts down the kubelet.
Adding blank line between comment tag and package name in doc.go. So
that the comment tags such as '+k8s:deepcopy-gen=package' do not show up
in GoDoc.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
kubeadm: add mandatory phase "annotate-cri"
**What this PR does / why we need it**:
In v1.12, after the changing how kubeadm-config upload/fetch, AnnotateCRISocket is now a necessary step for getting a cluster that can be upgraded using phases. This PR adds a new subcommand for letting users to invoke AnnotateCRISocket as a phase
**Which issue(s) this PR fixes**:
Fixes # https://github.com/kubernetes/kubeadm/issues/925
**Special notes for your reviewer**:
When testing this PR, I found that one of the tests on component config defaulting was broken (didn't have time to investigate why yet). This PR fixes this test as well
**Release note**:
```release-note
kubeadm: added phase command "alpha phase kubelet config annotate-cri"
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
/sig cluster-lifecycle
/area kubeadm
/assign @timothysc @neolit123
/kind bug
Add the:
- mandatory flag "--config" to the preflight phase
and parse the specified config file for either "master" or "node".
- flag "--ignore-preflight-errors" to the preflight phase to
allow skipping errors.
- the function AddIgnorePreflightErrorsFlag()
to "options/generic.go", because the flag is used in multiple commands.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Add a completely populated yaml InitConfig to the v1lapha3 dodoc
**What this PR does / why we need it**:
The existing docs are located in [k/website][website], which means it's difficult to keep them up to date. Having an example next to the code will make it much easier to update the docs in lockstep with spec changes.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#1085
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65250, 68241). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Use informer cache instead of active pod gets in HPA controller.
**What this PR does / why we need it**:
Use informer cache instead of active pod gets in HPA controller.
**Which issue(s) this PR fixes**:
Fixes#68217
**Release note**:
```release-note
kube-controller-manager: use informer cache instead of active pod gets in HPA controller
```
Automatic merge from submit-queue (batch tested with PRs 68341, 68385). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Fix kubeadm token list
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #https://github.com/kubernetes/kubeadm/issues/1094
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 67950, 68195). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Consolidate componentconfig code standards
**What this PR does / why we need it**:
This PR fixes a bunch of very small misalignments in ComponentConfig packages:
- Add sane comments to all functions/variables in componentconfig `register.go` files
- Make the `register.go` files of componentconfig pkgs follow the same pattern and not differ from each other like they do today.
- Register the `openapi-gen` tag in all `doc.go` files where the pkg contains _external_ types.
- Add the `groupName` tag where missing
- Fix cases where `addKnownTypes` was registered twice in the `SchemeBuilder`
- Add `Readme` and `OWNERS` files to `Godeps` directories if missing.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @sttts @thockin
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Update default etcd server to 3.2.24 for kubernetes 1.12
**What this PR does / why we need it**:
Update default etcd server to 3.2.24 for kubernetes 1.12
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
xref #68147
**Special notes for your reviewer**:
NONE
**Release note**:
```
Update default etcd server to 3.2.24 for kubernetes 1.12
```
/assign @wojtek-t @jpbetz @dims
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews @gyuho
Automatic merge from submit-queue (batch tested with PRs 68087, 68256, 64621, 68299, 68296). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Fixes using externally managed certs for kubeadm
**What this PR does / why we need it**:
The certificates overhaul caused a regression when using external certificates. This fixes that issue so external CAs no longer require a key if all certificates exist.
Walk the certificate tree, at each step checking for a CACert.
If the CACert is found, try to use it to generate certificates.
Otherwise, generate a new CA cert.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#918
**Special notes for your reviewer**:
**Release note**:
```release-note
External CAs can now be used for kubeadm with only a certificate, as long as all required certificates already exist.
```
This changes the custom metrics client logic over to support multiple versions
of the custom metrics API by checking discovery to find the appropriate versions.
Fixes#68011
Co-authored-by: Solly Ross <sross@redhat.com>
Walk the certificate tree, at each step checking for a CACert.
If the CACert is found, try to use it to generate certificates.
Otherwise, generate a new CA cert.
Technically we don't need this. the instruction below:
```
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/controller/apis/config/v1alpha1
```
registers the apiserver/apimachinery packages in the "package universe"
of the conversion-gen program per comment from lucas in PR 68233
However it looks like some files that use both packages run into trouble
and causes failures in CI harness. Attempting here to see if we fix the
order by specifying them explicitly helps.
Change-Id: I20e9c9256f0b7ffdf4e2101d0ca1fe5090e51344
Automatic merge from submit-queue (batch tested with PRs 68171, 67945, 68233). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Move the CloudControllerManagerConfiguration to an API group in `cmd/`
**What this PR does / why we need it**:
This PR is the last piece of https://github.com/kubernetes/kubernetes/issues/67233.
It moves the `CloudControllerManagerConfiguration` to its own `cloudcontrollermanager.config.k8s.io` config API group, but unlike the other components this API group is "private" (only available in `k8s.io/kubernetes`, which limits consumer base), as it's located entirely in `cmd/` vs a staging repo.
This decision was made for now as we're not sure what the story for the ccm loading ComponentConfig files is, and probably a "real" file-loading ccm will never exist in core, only helper libraries. Eventually the ccm will only be a library in any case, and implementors will/can use the base types the ccm library API group provides. It's probably good to note that there is no practical implication of this change as the ccm **cannot** read ComponentConfig files. Hencec the code move isn't user-facing.
With this change, we're able to remove `pkg/apis/componentconfig`, as this was the last consumer. That is hence done in this PR as well (so the move is easily visible in git, vs first one "big add" then a "big remove"). The only piece of code that was used was the flag helper structs, so I moved them to `pkg/util/flag` that I think makes sense for now.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref: kubernetes/community#2354
**Special notes for your reviewer**:
This PR builds on top of (first two commits, marked as `Co-authored by: @stewart-yu`) https://github.com/kubernetes/kubernetes/pull/67689
**Release note**:
```release-note
NONE
```
/assign @liggitt @sttts @thockin @stewart-yu
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Add yue9944882 as subproject reviewer (core admission/apiserver)
extend reviewer bandwidth 😃am a super careful reviewer
i had contributed series of refactors for core admission controllers and apiserver launch flow.
/assign @deads2k
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 67709, 67556). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Fix volume scheduling issue with pod affinity and anti-affinity
**What this PR does / why we need it**:
The previous design of the volume scheduler had volume assume + bind done before pod assume + bind. This causes issues when trying to evaluate future pods with pod affinity/anti-affinity because the pod has not been assumed while the volumes have been decided.
This PR changes the design so that volume and pod are assumed first, followed by volume and pod binding. Volume binding waits (asynchronously) for the operations to complete or error. This eliminates the subsequent passes through the scheduler to wait for volume binding to complete (although pod events or resyncs may still cause the pod to run through scheduling while binding is still in progress). This design also aligns better with the scheduler framework design, so will make it easier to migrate in the future.
Many changes had to be made in the volume scheduler to handle this new design, mostly around:
* How we cache pending binding operations. Now, any delayed binding PVC that is not fully bound must have a cached binding operation. This also means bind API updates may be repeated.
* Waiting for the bind operation to fully complete, and detecting failure conditions to abort the bind and retry scheduling.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#65131
**Special notes for your reviewer**:
**Release note**:
```release-note
Fixes issue where pod scheduling may fail when using local PVs and pod affinity and anti-affinity without the default StatefulSet OrderedReady pod management policy
```
Automatic merge from submit-queue (batch tested with PRs 63011, 68089, 67944, 68132). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Kubeadm upload and fetch of kubeam config v1alpha3
**What this PR does / why we need it**:
This PR implements upload and fetch of kubeam config v1alpha3 from cluster.
More in detail:
In upload, `kubeadm-config` gets
- `ClusterConfiguration` (without components config which are already stored in separated ConfigMaps)
- `ClusterStatus`(initialised or updated with the API endpoint of the current node)
During fetch `InitConfiguration` is composed with:
- `ClusterConfiguration` from `kubeadm-config`
- The `APIEndpoint` of the current node from `ClusterStatus` in `kubeadm-config`
- Component configs from corresponding ConfigMaps
**Which issue(s) this PR fixes** :
refs https://github.com/kubernetes/kubeadm/issues/911, refs https://github.com/kubernetes/kubeadm/issues/963
**Special notes for your reviewer**:
In order to implement this it was necessary to extend current component config management with a new GetFromConfigMap operation. This is implemented in a separated commit "
implement component configs GetFromConfigMap".
The real change build on this (commi "upload and fetch kubeadm v1alpha3")
**Release note**:
```release-note
NONE
```
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
/sig cluster-lifecycle
/area kubeadm
/kind enhancement
/assign @luxas
/assign @timothysc
/cc @chuckha @rosti @neolit123 @liztio
Automatic merge from submit-queue (batch tested with PRs 63011, 68089, 67944, 68132). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Mark HPA REST Clients Flag as Deprecated
This marks the option to switch to Heapster for the HPA as deprecated.
It'll be removed next release when Heapster is retired.
**Release note**:
```release-note
Using the Horizontal Pod Autoscaler with metrics from Heapster is now deprecated.
```
k8s-ci-robot