Automatic merge from submit-queue (batch tested with PRs 58518, 58771, 58101, 56829). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Resource version parsing should all be in one place
This is 100% refactoring that ought to be a no-op at run time. It puts resource version parsing in a single file. Doing this because I want to follow up with a change which will make it obvious to users of the system our rules about resource version. Don't want to mix that with this refactor (on the off chance it gets rolled back).
Part of: #58112
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58518, 58771, 58101, 56829). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Increase KUBE_PARALLEL_BUILD_MEMORY to 40G.
**What this PR does / why we need it**:
Memory requirements for parallel builds has grown significantly. Keep the pace with an increase in `KUBE_PARALLEL_BUILD_MEMORY`.
cc @javier-b-perez
Automatic merge from submit-queue (batch tested with PRs 58518, 58771, 58101, 56829). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix typo
**What this PR does / why we need it**:
Fix a typo (evalutated -> evaluated).
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
I didn't touch pkg/generated/bindata.go and k8s.mo. Should I regenerate them in this PR?
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58713, 58841). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Tag multi-az cluster volume e2e test with sig-storage
Follow-on from #58726 to make it clear that responsibility for the test is shared between @kubernetes/sig-scheduling-pr-reviews and @kubernetes/sig-storage-pr-reviews.
```release-note
NONE
```
cc: @bsalamat @timothysc
Automatic merge from submit-queue (batch tested with PRs 58713, 58841). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Created bootstrap logic for vSphere test
**What this PR does / why we need it**:
Add bootstrapping logic and Context for vSphere tests. This context can be utilized to hold information like node-vsphere mapping, which needs to be initialized only once per test suit run.
sync.Once takes care of executing bootstrapping only once for all the specs. 'waiting' channel takes care of making sure that parallel test spec executions wait for bootstrapping to finish before moving on.
**Which issue(s) this PR fixes**
Fixes https://github.com/vmware/kubernetes/issues/437, partly
**Special notes for your reviewer**:
Successfully ran make.
Tested by added additional log messages to bootstrap process (now removed). Made sure bootstrapping logic is getting invoked just once and bootstrapping is done by the time It-blocks are executed.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57973, 57990). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix RunAsUserId validation
Use validation.IsValidUserID to properly check for valid UserId in RunAsUser field of SecurityContext.
release-note NONE
Automatic merge from submit-queue (batch tested with PRs 57973, 57990). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Set pids limit at pod level
**What this PR does / why we need it**:
Add a new Alpha Feature to set a maximum number of pids per Pod.
This is to allow the use case where cluster administrators wish
to limit the pids consumed per pod (example when running a CI system).
By default, we do not set any maximum limit, If an administrator wants
to enable this, they should enable `SupportPodPidsLimit=true` in the
`--feature-gates=` parameter to kubelet and specify the limit using the
`--pod-max-pids` parameter.
The limit set is the total count of all processes running in all
containers in the pod.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#43783
**Special notes for your reviewer**:
**Release note**:
```release-note
New alpha feature to limit the number of processes running in a pod. Cluster administrators will be able to place limits by using the new kubelet command line parameter --pod-max-pids. Note that since this is a alpha feature they will need to enable the "SupportPodPidsLimit" feature.
```
Automatic merge from submit-queue (batch tested with PRs 53778, 58378, 58830). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add storage-backend configuration option to kubernetes-master charm.
**What this PR does / why we need it**: Add storage-backend configuration option to kubernetes-master charm.
**Release note**:
```release-note
Add storage-backend configuration option to kubernetes-master charm.
```
Automatic merge from submit-queue (batch tested with PRs 53778, 58378, 58830). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add more ipv6 support in userspace proxier
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
**What this PR does / why we need it**:
format `%s:%d/%s"` is not suitable for ipv6 IP, replace with net.JoinHostPort
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 58626, 58791). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
serviceaccount: check token is issued by correct iss before verifying
Right now if a JWT for an unknown issuer, for any subject hits the
serviceaccount token authenticator, we return a errors as if the token
was meant for us but we couldn't find a key to verify it. We should
instead return nil, false, nil.
This change helps us support multiple service account token
authenticators with different issuers.
https://github.com/kubernetes/kubernetes/issues/58790
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58626, 58791). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use correct pv annotation to fetch volume ID.
Fix , Issue #58627
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 58302, 58782, 58555, 58741). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
use containing API group when resolving shortname from discovery
**What this PR does / why we need it**:
kubectl does not use containing API group when resolving shortname from discovery
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58695
**Special notes for your reviewer**:
/assign @liggitt
/cc @nikhita @zjj2wry
**Release note**:
```release-note
use containing API group when resolving shortname from discovery
```
Automatic merge from submit-queue (batch tested with PRs 58302, 58782, 58555, 58741). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Change equivalence class hashing function
**What this PR does / why we need it**:
This updates the Pod equivalence class hashing function to hash pod fields which are read by scheduler predicates. Until now, we used a pod's OwnerReference as a shorthand for equivalence, but not all controllers will create homogeneous sets of pods.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
/ref #58222
**Performance impact**:
Hashing is not expensive enough to impact scheduling performance.
|Test|Result|
|---|---|
| Before | `BenchmarkEquivalenceHash-40 200000 7722 ns/op` |
| After | `BenchmarkEquivalenceHash-40 10000 114184 ns/op` |
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig scheduling
Automatic merge from submit-queue (batch tested with PRs 58302, 58782, 58555, 58741). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make it possible to override the driver installer daemonset url from test-infra.
This will enable things like kubernetes/test-infra#6430
/kind enhancement
/sig testing
/sig scheduling
**Release note**:
```release-note
NONE
```
/assign @jiayingz @vishh
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
uniquify resource lock identities
Resource lock identities on the same host were not unique. This keeps the hostname (that's valuable), but also adds a UUID so that you can start a process twice on the same host and not end up with two processes trying to lead.
@kubernetes/sig-api-machinery-bugs @liggitt @smarterclayton
This ensures the `ipcs` command from util-linux will be used, which
succeeds when Docker is running with SELinux enabled (while the one from
busybox fails.)
Tested: On a host with Docker running with SELinux enabled:
$ make test-e2e-node REMOTE=true FOCUS="host IPC"
• [SLOW TEST:17.272 seconds] (passed)
[k8s.io] Security Context
when creating a pod in the host IPC namespace
should show the shared memory ID in the host IPC containers
• [SLOW TEST:20.419 seconds] (passed)
[k8s.io] Security Context
when creating a pod in the host IPC namespace
should not show the shared memory ID in the non-hostIPC containers
Ran 2 of 257 Specs in 43.934 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 255 Skipped
This container will be used to exercise the HostIPC functionality in
e2e-node tests.
The version of `ipcs` shipped in busybox performs operations that get
blocked by SELinux on hosts where it is enabled. The version of `ipcs`
in util-linux does not perform those operations, rather it checks
whether the /proc files it needs are available and proceeds to reading
from them directly.
Using `ipcs` from util-linux makes these tests pass, even when running
under SELinux enabled, so let's use them here.
Tested: On a host where Docker with SELinux enabled:
- Checked that `ipcs` from busybox does not work:
$ docker run busybox ipcs -m
kernel not configured for shared memory
- Checked that the one from this container does work:
$ docker run gcr.io/kubernetes-e2e-test-images/ipc-utils-amd64:1.0 ipcs -m
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
Having the field set in modifyCommonNamespaceOptions is misleading,
since for the actual container it is later unconditionally overwritten
to point to the sandbox container.
So let's move its setting to modifyHostOptionsForSandbox (renamed from
modifyHostNetworkOptionForSandbox as it's not about network only), since
that reflects what actually happens in practice.
This commit is purely a refactor, it doesn't change any behavior.
Expand the use of "1M" to the corresponding number of bytes, since
support for size suffix was only added to `ipcmk` in util-linux 2.27
which is not yet available in some Linux distributions.
Tested by running `make test-e2e-node` against distributions with ipcmk
that supports and doesn't support the suffix syntax, all of them passed.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Move multizone e2e to e2e/scheduling from e2e/multicluster
afaik these tests should be the responsibility of @kubernetes/sig-scheduling-pr-reviews instead of @kubernetes/sig-multicluster-pr-reviews.
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix kubectl explain for cronjobs
**What this PR does / why we need it**:
`kubectl explain cronjob` was failing with `error: Couldn't find resource for "batch/v1, Kind=CronJob"` the reason for that is that even though we were getting the group and version from the mapper, we always rewrote it with the default value for a specific group, unless user specified the output version.
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix kubectl explain for resources not existing in default version of API group
```
for review:
/assign @juanvallejo
for approval:
/assign @deads2k
A bug in the SELinux policy prevented NoNewPrivileges from working on
Docker with SELinux support enabled.
The problem has been fixed upstream:
https://github.com/projectatomic/container-selinux/issues/45
But hasn't been backported yet (a fix might come in RHEL 7.5)
For now, let's skip the NoNewPrivileges test when SELinux support is
enabled in Docker.
Tested:
- Before this commit, the test fails:
$ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
(on a host with SELinux enabled)
• [SLOW TEST:22.798 seconds] (passed)
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when true
• Failure [16.539 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should not allow privilege escalation when false [It]
wait for pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" to success
Expected success, but got an error:
<*errors.errorString | 0xc4204e26d0>: {
s: "pod \"alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009\" failed with reason: \"\", message: \"\"",
}
pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" failed with reason: "", message: ""
• [SLOW TEST:26.572 seconds] (passed)
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when not explicitly set and uid != 0
Ran 3 of 257 Specs in 45.364 seconds
FAIL! -- 2 Passed | 1 Failed | 0 Pending | 254 Skipped
Ginkgo ran 1 suite in 49.389123442s
Test Suite Failed
- After this commit, the test is skipped:
$ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
(on a host with SELinux enabled)
S [SKIPPING] in Spec Setup (BeforeEach) [12.452 seconds]
S [SKIPPING] in Spec Setup (BeforeEach) [16.298 seconds]
S [SKIPPING] in Spec Setup (BeforeEach) [18.183 seconds]
Ran 0 of 257 Specs in 39.174 seconds
SUCCESS! -- 0 Passed | 0 Failed | 0 Pending | 257 Skipped
Ginkgo ran 1 suite in 43.570630357s
Test Suite Passed
- No changes when SELinux is disabled:
$ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
(on a host with SELinux disabled)
• [SLOW TEST:15.013 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should not allow privilege escalation when false
• [SLOW TEST:19.155 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when true
• [SLOW TEST:21.087 seconds]
[k8s.io] Security Context
when creating containers with AllowPrivilegeEscalation
should allow privilege escalation when not explicitly set and uid != 0
Ran 3 of 259 Specs in 38.560 seconds
SUCCESS! -- 3 Passed | 0 Failed | 0 Pending | 256 Skipped
Ginkgo ran 1 suite in 41.937918928s
Test Suite Passed
Current code adds FileContentCheck only for the first API
Server mentioned in the command line. The test is never added
as net.ParseIP always fails because <address>:<port> is passed
to it instead of <address>.
Fixed both issues by introducing a loop over all API Servers
and splitting <address>:<port> before passing <address> to the
net.ParseIP API.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add list of pods that use a volume to multiattach events
So users knows what pods are blocking a volume and can realize their error.
**Release note**:
```release-note
NONE
```
UX:
* User can get one of following events, depending what other pod(s) are already using a volume and in which namespace they are:
```
Multi-Attach error for volume"volume-name" Volume is already exclusively attached to one node and can't be attached to another
Multi-Attach error for volume "volume-name" Volume is already used by pod(s) pod3 and 1 pod(s) in different namespaces
```
* controller-manager gets always full logs:
* When the node where is the volume attached is known:
```
Multi-Attach error for volume "volume-name" (UniqueName: "fake-plugin/volume-name") from node "node1" Volume is already used by pods ns2/pod2, ns1/pod3 on node node2, node3
```
* When the node where is the volume attached is not known:
```
Multi-Attach error for volume "volume-name" (UniqueName: "fake-plugin/volume-name") from node "node1" Volume is already exclusively attached to node node2 and can't be attached to another
```
/kind bug
/sig storage
/assign @gnufied
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix equivalence cache invalidation of Node condition.
Equivalence cache for CheckNodeConditionPred becomes invalid when
Node.Spec.Unschedulable changes. This can happen even if
Node.Status.Conditions does not change, so move the logic around.
This logic is covered by integration test
"test/integration/scheduler".TestUnschedulableNodes but equivalence
cache is currently skipped when test pods have no OwnerReference.
The test failure is exposed by #58555
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
/ref #58222
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig scheduling
@kubernetes/sig-scheduling-pr-reviews
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Rename package deviceplugin => devicemanager.
**What this PR does / why we need it**:
Fixes#58795
/kind cleanup
Rename package `deviceplugin` to `devicemanager` for consistency.
We already have components named Container manager and CPU manager. The device plugin package similarly contains an interface called `Manager`. The fact that the manager has plugins is somewhat incidental to the purpose of the package itself.
Note that this rename only affects internal API. The external gRPC interface still exports a package called deviceplugin.
**Release note**:
```release-note
NONE
```
Kubernetes Submit Queue