Automatic merge from submit-queue
Fix typo in local-up-cluster
Use curly braces instead of round ones for bash variable expansion. The
script complains about unknown ROOT_CA_FILE when running with
KUBE_ENABLE_CLUSTER_DNS=true.
Use curly braces instead of round ones for bash variable expansion. The
script complains about unknown ROOT_CA_FILE when running with
KUBE_ENABLE_CLUSTER_DNS=true.
Automatic merge from submit-queue
SELinux Overhaul
Overhauls handling of SELinux in Kubernetes. TLDR: Kubelet dir no longer has to be labeled `svirt_sandbox_file_t`.
Fixes#33351 and #33510. Implements #33951.
Generate a kubeconfig for use with controller-manager, kubelet,
scheduler etc. This kubeconfig should use the secure https
port of the api server with appropriate ca cert for the components
to talk to api server.
With this change, one can set API_PORT=0 to completely switch off
insecure access for testing admission controllers etc.
Fixes#33375
Automatic merge from submit-queue
add optional mutation checks for shared informer cache
We need to make sure that no one is mutating caches if they're using a shared informer. It is important that whatever is tracking those changes gets the object *before* anyone else possibly could.
This adds the ability to track the original objects in the cache and their current values. Go doesn't have an exit hook or a way to say "wait for non-daemon go-funcs to complete before exit", so this runs a gofunc on a loop that can panic the entire process. It's gated behind an env var.
@derekwaynecarr did I get the right spots to make sure that e2e runs with this flag?
@smarterclayton @kubernetes/rh-cluster-infra
Automatic merge from submit-queue
Speed up dockerized builds
This PR speeds up dockerized builds. First, we make sure that we are as incremental as possible. The bigger change is that now we use rsync to move sources into the container and get data back out.
To do yet:
* [x] Add a random password to rsync. This is 128bit MD4, but it is better than nothing.
* [x] Lock down rsync to only come from the host.
* [x] Deal with remote docker engines -- this should be necessary for docker-machine on the mac.
* [x] Allow users to specify the port for the rsync daemon. Perhaps randomize this or let docker pick an ephemeral port and detect the port?
* [x] Copy back generated files so that users can check them in. This is done for `zz_generated.*` files generated by `make generated_files`
* [x] This should include generated proto files so that we can remove the hack-o-rama that is `hack/hack/update-*-dockerized.sh`
* [x] Start "versioning" the build container and the data container so that the CI system doesn't have to be manually kicked.
* [x] Get some benchmarks to qualify how much faster.
This replaces #28518 and is related to #30600.
cc @thockin @spxtr @david-mcmahon @MHBauer
Benchmarks by running `make clean ; sync ; time bash -xc 'time build/make-build-image.sh ; time sync ; time build/run.sh make ; time sync; time build/run.sh make'` on a GCE n1-standard-8 with PD-SSD.
| setup | build image | sync | first build | sync | second build | total |
|-------|-------------|----- |----------|------|--------------|------|
| baseline | 0m11.420s | 0m0.812s | 7m2.353s | 0m42.380s | 7m8.381s | 15m5.348s |
| this pr | 0m10.977s | 0m15.168s | 7m31.096s | 1m55.692s | 0m16.514s | 10m9.449s |
Automatic merge from submit-queue
add anytoken authenticator
Adds `--insecure-allow-any-token` as a flag to the API server to create an authenticator that will accept any bearer token and transform it into a user by parsing it out as `username/group1,group2,...`.
This gives an easy way to identify as a user and check permissions:
```bash
ALLOW_ANY_TOKEN=true hack/local-up-cluster.sh
kubectl config set-cluster local-kube --server=https://localhost:6443 --insecure-skip-tls-verify=true
kubectl config set-credentials david --token=david/group1
kubectl config set-context local --cluster=local-kube --user=david
kubectl config use-context local
```
@kubernetes/sig-auth
Automatic merge from submit-queue
local-up-cluster.sh: add SERVICE_CLUSTER_IP_RANGE as option
Allows the user the use an environment variable to specify the SERVICE_CLUSTER_IP_RANGE without modifying the `hack/local-up-cluster.sh` script.
Signed-off-by: André Martins <aanm90@gmail.com>
Automatic merge from submit-queue
Make it possible to run local kubelet independently of cluster
Makes it possible to start a cluster and kubelet independently (was necessary when debugging issues related to restarting kubelet for existing node).
The admission controller adds a default class to PVCs that do not require any
specific class. This way, users (=PVC authors) do not need to care about
storage classes, administrator can configure a default one and all these PVCs
that do not care about class will get the default one.
Automatic merge from submit-queue
Silence curl output
Removes the following from script output:
curl: (7) Failed to connect to 127.0.0.1 port 8080: Connection refused
This allows us to start building real dependencies into Makefile.
Leave old hack/* scripts in place but advise to use 'make'. There are a few
rules that call things like 'go run' or 'build/*' that I left as-is for now.
Automatic merge from submit-queue
invalid arg during applying SELinux label
Tested with Ubuntu 16.04 with SELINUX support. Actually, after `chcon `with long label got: `chcon: failed to set type security context component to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Invalid argument`
Automatic merge from submit-queue
Make local-up-cluster.sh IPv6 friendly
Added a new environment variable `API_HOST_IP`. `API_HOST_IP` allows the
user to specify an IPv6 address that is parsable by Golang. `API_HOST` on
the other hand allows the user to specify the IPv6 address to be used in
a URL's format as described in RFC2732.
Example:
```bash
API_HOST_IP="FEDC:BA98:7654:3210:FEDC:BA98:7654:3210"
API_HOST="[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]
```
or
```bash
API_HOST_IP="FEDC:BA98:7654:3210:FEDC:BA98:7654:3210"
API_HOST="[${API_HOST_IP}]"
```
Signed-off-by: André Martins <aanm90@gmail.com>
Added a new environment variable API_HOST_IP. API_HOST_IP allows the
user to specify an IPv6 address that is parsable by Golang. API_HOST on
the other hand allows the user to specify the IPv6 address to be used in
a URL's format as described in RFC2732.
Example:
API_HOST_IP="FEDC:BA98:7654:3210:FEDC:BA98:7654:3210"
API_HOST="[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]
or
API_HOST_IP="FEDC:BA98:7654:3210:FEDC:BA98:7654:3210"
API_HOST="[${API_HOST_IP}]"
Signed-off-by: André Martins <aanm90@gmail.com>
Automatic merge from submit-queue
Adds --network-plugin-dir argument to hack/local-up-cluster.sh
CNI Network Plugin developers who want to use hack/local-up-cluster.sh need to specify the --network-plugin-dir option to kubelet.
Jordan Liggitt