Automatic merge from submit-queue
Copy objects in federation test helper
Push clean copies of passed objects in test helper in federation controllers tests.
Fixes: #33667
cc: @gmarek @quinton-hoole @kubernetes/sig-cluster-federation
Automatic merge from submit-queue
formatting json printer for runtime.Unknown
Formatting JSONPrinter.
It prints everything in one single line before.
Now it prints in well-formatted way.
Automatic merge from submit-queue
Fake docker portfoward for in-process docker CRI integration
This is necessary to pass e2e tests for in-process docker CRI integration.
This is part of #31459.
cc/ @Random-Liu @kubernetes/sig-node
Automatic merge from submit-queue
Bump up addon kube-dns to v20 for graceful termination
Below images are built and pushed:
- gcr.io/google_containers/kubedns-amd64:1.8
- gcr.io/google_containers/kubedns-arm:1.8
- gcr.io/google_containers/kubedns-arm64:1.8
- gcr.io/google_containers/kubedns-ppc64le:1.8
Both kubedns and dnsmasq are bumped up in the manifest files.
@thockin @bprashanth
Automatic merge from submit-queue
cluster/gci: Minor spacing tweak
Two shall be the number thou shalt indent, and the level of the indent
shall be two. Three shalt thou not indent, neither indent thou once,
excepting that thou then proceed to two. Five is right out.
/cc @andyzheng0831 @jlowdermilk
Automatic merge from submit-queue
PetSet replica count status test
**What this PR does / why we need it**: It adds a test for PetSet status replica count. It should fail now, but will pass when https://github.com/kubernetes/kubernetes/pull/32117 is merged.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#31965
**Special notes for your reviewer**: It will need to be rebased after #32117 is merged in, don't need detailed review before that.
**Release note**:
```release-note
NONE
```
Added fakeKubeClient and other fake types needed to test what is sent to
API when replica count is updated. These fakes can be extended for
other tests.
Automatic merge from submit-queue
CRI: Fix mount issue in dockershim.
For https://github.com/kubernetes/kubernetes/issues/33189.
The test `Container Runtime Conformance Test container runtime conformance blackbox test when starting a container that exits should report termination message if TerminationMessagePath is set` flakes a lot. (see https://k8s-testgrid.appspot.com/google-node#kubelet-cri-gce-e2e&width=5)
After some investigation, I found the problem is that we are using pointer of iterator.
This fixes the flake.
@yujuhong @feiskyer
Automatic merge from submit-queue
Disallow headless Services with LB type
**What this PR does / why we need it**: It adds new validation rule for Services, to ensure that creating LoadBalancer type service with cluster IP set to "None" fails.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#33036
**Release note**:
```release-note
Creating LoadBalancer Service with "None" ClusterIP is no longer possible
```
Automatic merge from submit-queue
Add OpenAPI specs to source tree
Similar to swagger spec, adding openapi specs in a separate folder api/openapi-spec
To make sure we generate a consistent spec, parameters need to be sorted first.
Automatic merge from submit-queue
Increase timeout for federated ingress test.
Right now federated ingress e2e takes more than 1 minute, as we need to wait for the first clusters ingress to have an IP address allocated to it before creating the others. Sometimes this takes a while due to GCE loadbalancer backend delays.
Automatic merge from submit-queue
Add periodic reconciliation of federated ingress
This ensures that even in the face of some fairly unlikely errors, if we miss watch triggers for any reason, the ingresses still stay in sync.
Automatic merge from submit-queue
gce/coreos: Fix dnsmasq image name
This bug was inadvertently introduced in #32406.
The longer term plan (shouldn't be too much longer) is to remove this
file entirely and rely on the `gci-trusty` version of it, but to stop
some bleeding and allow our jenkins using kube-up + coreos to work, we
should merge this fix until we have the more complete solution.
cc @MrHohn @yifan-gu @thockin
Two shall be the number thou shalt indent, and the level of the indent
shall be two. Three shalt thou not indent, neither indent thou once,
excepting that thou then proceed to two. Five is right out.
Automatic merge from submit-queue
[Federation] Sleep for 2m (arbitrarily chosen) to let the underlying clusters to clean up all the resources they are holding.
cc @kubernetes/sig-cluster-federation @colhom @nikhiljindal
Ref: Issue #33388, Issue #28615, Issue #31624.
This bug was inadvertently introduced in #32406.
The longer term plan (shouldn't be too much longer) is to remove this
file entirely and rely on the `gci-trusty` version of it, but to stop
some bleeding and allow our jenkins using kube-up + coreos to work, we
should merge this fix until we have the more complete solution.
Automatic merge from submit-queue
move core storage out of master.go
Moves the core resource creation out of master.go and makes it more congruent to the other storages.
WIP because I haven't run tests yet, but I figured I'd see what breaks in the morning.
Automatic merge from submit-queue
add anytoken authenticator
Adds `--insecure-allow-any-token` as a flag to the API server to create an authenticator that will accept any bearer token and transform it into a user by parsing it out as `username/group1,group2,...`.
This gives an easy way to identify as a user and check permissions:
```bash
ALLOW_ANY_TOKEN=true hack/local-up-cluster.sh
kubectl config set-cluster local-kube --server=https://localhost:6443 --insecure-skip-tls-verify=true
kubectl config set-credentials david --token=david/group1
kubectl config set-context local --cluster=local-kube --user=david
kubectl config use-context local
```
@kubernetes/sig-auth
Automatic merge from submit-queue
Fixing local cluster up
hack: fix local-cluster-up advertise_address default value
Fixes: 9fc1d61
Signed-off-by: André Martins <aanm90@gmail.com>
ping @dims
Automatic merge from submit-queue
Allow anonymous API server access, decorate authenticated users with system:authenticated group
When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users
It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials.
This PR:
* Adds an option to allow anonymous requests to the secured API port. If enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of `system:anonymous` and a group of `system:unauthenticated`. Note: this should only be used with an `--authorization-mode` other than `AlwaysAllow`
* Decorates user.Info returned from configured authenticators with the group `system:authenticated`.
This is related to defining a default set of roles and bindings for RBAC (https://github.com/kubernetes/features/issues/2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs.
```release-note
kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'.
Authenticated users are decorated with a 'system:authenticated' group.
NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or or set '--anonymous-auth=false'.
```
c.f. https://github.com/kubernetes/kubernetes/issues/29177#issuecomment-244191596
Automatic merge from submit-queue
Remove glog added by mistake, start converting phase1+ TODOs to issues
**What this PR does / why we need it**:
Minor cleanup in `cmd/kubeadm/app/node/csr.go`.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
use len(params["port"]) > 0 to replace port > 0
**What this PR does / why we need it**:
port also needs to be passed to server when port is negative or zero.
this is an omission of pr https://github.com/kubernetes/kubernetes/pull/29605
**Which issue this PR fixes**:
**Special notes for your reviewer**:
**Release note**:
<!-- Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access)
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`.
-->
```release-note
```
Automatic merge from submit-queue
Fixes in HPA: consider only running pods; proper denominator in avg.
Fixes in HPA: consider only running pods; proper denominator in avg request calculations.
Kubernetes Submit Queue