Automatic merge from submit-queue (batch tested with PRs 62676, 62612). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix WaitForAttach failure issue for azure disk
**What this PR does / why we need it**:
From v1.10, `devicePath` will be updated due to following code change:
568afb4ecc/pkg/volume/util/operationexecutor/operation_generator.go (L517-L518)
So in v1.10.0, MountVolume.WaitForAttach will fail in the azure disk remount, error logs would be like following:
```
MountVolume.WaitForAttach failed for volume "pvc-f1562ecb-3e5f-11e8-ab6b-000d3af9f967" : azureDisk - Wait for attach expect device path as a lun number, instead got: /dev/disk/azure/scsi1/lun1 (strconv.Atoi: parsing "/dev/disk/azure/scsi1/lun1": invalid syntax)
Warning FailedMount 1m (x10 over 21m) kubelet, k8s-agentpool-66825246-0 Unable to mount volumes for pod
```
This PR does not use `devicePath` anymore since it could be changed, instead, it use `diskController.GetDiskLun(diskName, volumeSource.DataDiskURI, nodeName)` to get disk LUN, this ARM api call would cost about 0.12s
The GCE disk won't have this issue since `devicePath` is not used in [WaitForAttach func](https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/gce_pd/attacher.go#L133), while aws disk is also using `devicePath` in [WaitForAttach func](https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/aws_ebs/attacher.go#L145), I think there is potentical issue for aws_ebs
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62540
**Special notes for your reviewer**:
should cherry-pick to v1.10
**Release note**:
```
fix WaitForAttach failure issue for azure disk
```
/assign @feiskyer
/sig azure
FYI @khenidak
Automatic merge from submit-queue (batch tested with PRs 62676, 62612). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update kube-dns to Version 1.14.10
**What this PR does / why we need it**:
kube-dns version bump for kubeadm will be on a speparate PR.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
/assign @rramkumar1 @bowei
cc @grayluck
**Release note**:
```release-note
Update kube-dns to Version 1.14.10. Major changes:
- Fix a bug in DNS resolution for externalName services
and PTR records that need to query from upstream nameserver.
```
Automatic merge from submit-queue (batch tested with PRs 57224, 61911). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update Istio addon to 0.6.0 and mirror images in gcr
**What this PR does / why we need it:**
PR addresses two issues:
1. Update Istio addon version to latest stable 0.6.0 (required for e2e test integration).
2. Mirror images in gcr.io for security scanning, since this is an addon.
Fixes#61910
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add phase command for dynamic kubelet configuration in kubeadm.
**What this PR does / why we need it**:
As the title says.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
partially fixes this: https://github.com/kubernetes/kubeadm/issues/571
**Special notes for your reviewer**:
/cc @luxas @fabriziopandini
@kubernetes/sig-cluster-lifecycle-pr-reviews
**Release note**:
```release-note
Phase `kubeadm alpha phase kubelet` is added to support dynamic kubelet configuration in kubeadm.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix kubelet flags.
pflag now sets golang flag `Parsed` before parsing flags 1ce0cc6db4. With that, all kubelet flags setting will be skipped.
We initially added `flag.Parsed` check to work around a issue that flags are parsed twice, thus kubelet flags are appended twice.
However, it doesn't seem to be the case now. I removed the `Parsed` check, and kubelet flags are only appended once.
```
/tmp/node-e2e-20180416T200912/kubelet --kubeconfig /tmp/node-e2e-20180416T200912/kubeconfig --root-dir /var/lib/kubelet --v 4 --logtostderr --allow-privileged true --network-plugin=kubenet --cni-bin-dir /tmp/node-e2e-20180416T200912/cni/bin --cni-conf-dir /tmp/node-e2e-20180416T200912/cni/net.d --hostname-override test-cos-beta-66-10452-53-0 --container-runtime docker --container-runtime-endpoint unix:///var/run/dockershim.sock --config /tmp/node-e2e-20180416T200912/kubelet-config --experimental-mounter-path=/tmp/node-e2e-20180416T200912/mounter --experimental-kernel-memcg-notification=true --runtime-cgroups=/system.slice/docker.service
```
This PR removes the unnecessary `Parsed` check to fix the test. @mtaufen
/cc @kubernetes/sig-node-pr-reviews
Signed-off-by: Lantao Liu <lantaol@google.com>
**Release note**:
```release-note
none
```
Automatic merge from submit-queue (batch tested with PRs 56040, 62627). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Support groups (organizations) to be specified in client cert.
**What this PR does / why we need it**:
Provide a flag `--org` for `kubeadm alpha phase kubeconfig user` to support groups (organizations) to be specified in client cert.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubeadm/issues/753
**Special notes for your reviewer**:
cc @TomRK1089
**Release note**:
```release-note
`kubeadm alpha phase kubeconfig user` supports groups (organizations) to be specified in client cert.
```
Automatic merge from submit-queue (batch tested with PRs 56040, 62627). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Node-level Checkpointing manager: Migrate dockershim and device plugin manager checkpointing
**What this PR does / why we need it**:
This PR abstracts checkpoint manager at kubelet level. Currently, `dockershim`, `deviceplugin` have their own native checkpointing primitives. And most recently `cpumanager` also added package native checkpointing primitives. This adds to the redundancy at implementation level. Also degrades code readability and consistency.
To help this:
1. Checkpointing interface is being abstracted at kubelet level as `checkpointmanager` package.
2. `dockershim` and `deviceplugin` packages are modified to use `checkpointmanager` instead native checkpointing.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
```release-note
None
```
cc @jeremyeder @vishh @derekwaynecarr @sjenning @yujuhong @dchen1107 @RenaudWasTaken @ConnorDoyle @RenaudWasTaken @jiayingz @mindprince @timstclair
/sig node
Automatic merge from submit-queue (batch tested with PRs 62650, 62303, 62545, 62375). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix user visible files creation for windows
**What this PR does / why we need it**:
Fix user visible files creation for windows. Without this, [createUserVisibleFiles](https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/util/atomic_writer.go#L415:24) will get linkname with subpath included, and then symlink will fail. This is because "/" is used in pod spec (e.g. `"new/path/data-1"`) while "\" is used on Windows to get linkname.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62338
**Special notes for your reviewer**:
Should also be cherry-picked to old releases.
**Release note**:
```release-note
Fix user visible files creation for windows
```
Automatic merge from submit-queue (batch tested with PRs 62650, 62303, 62545, 62375). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Move podsecuritypolicy registry to policy package
**What this PR does / why we need it:**
This is a part of the PSP migration from extensions to policy API group. This PR moves registry to policy package and changes preferred storage format to policy/v1beta1
**Which issue(s) this PR fixes:**
Addressed to https://github.com/kubernetes/features/issues/5
Automatic merge from submit-queue (batch tested with PRs 62650, 62303, 62545, 62375). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Refactor subpath reconstruction tests to use util test
**What this PR does / why we need it**:
Use common util method for reconstruction tests so that test updates will be reflected in all e2es. Also increase termination grace period to allow more time for volume manager to cleanup before the tests check for leftover mounts
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62293
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58784, 62057, 62621, 62652, 62656). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[GCE] Remove parallel
**What this PR does / why we need it**:
Removes the parallel from the Loadbalancer tests. Looks like one mock method modifies a singleton variable, hence the tests currently cannot be run in parallel.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62601
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58784, 62057, 62621, 62652, 62656). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Set kubemark default verbosity to 4
To match with our default for tests.
This shouldn't break large kubemark jobs (as https://github.com/kubernetes/test-infra/pull/7705 is merged which explicitly sets it to v2 for those), but will make more logs available for smaller-scale ones.
```release-note
NONE
```
/cc @wojtek-t
Automatic merge from submit-queue (batch tested with PRs 58784, 62057, 62621, 62652, 62656). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Show deprecated kube-apiserver flags
**What this PR does / why we need it**:
This PR unhides deprecated kube-apiserver flags, so that the deprecation notice is clearly visible in --help.
Fixes#62617
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58784, 62057, 62621, 62652, 62656). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update docker run flags for containized kubelet in hack/local-up-cluster.sh
**What this PR does / why we need it**:
I'm working on https://github.com/kubernetes/kubernetes/issues/61741, and found `docker run` flags in `hack/local-up-cluster.sh` for kubelet container is too old.
- /var/lib/docker should be mount read-write, because kubelet needs to
update /etc/resolv.conf file in container, see #29378
- /var/lib/kubelet should be mount shared, because mountpoints under
this directory must be propagated to other containers
- `--pid=host` is needed to run `nsenter --mount=/rootfs/proc/1/ns/mnt -- /usr/bin/systemd-run --scope` correctly (don't know exact reason, but with `--pid=host`, it works)
- configure cluster dns for kubelet running in a container
- should propagate sub-mounts of / to kubelet for local volume
With this fix, we can start a local cluster with containerized kubelet.
```
# pull or build a hyperkube image first
docker tag k8s.gcr.io/hyperkube-amd64:<tag> k8s.gcr.io/kubelet:latest
export DOCKERIZE_KUBELET=y
./hack/local-up-cluster.sh
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
refer to: https://github.com/kubernetes/kubernetes-anywhere/blob/master/phase2/ignition/vanilla/kubelet.service.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58784, 62057, 62621, 62652, 62656). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove deprecated initresource admission plugin
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
xref https://github.com/kubernetes/kubernetes/pull/55375#issuecomment-360329586
**Special notes for your reviewer**:
/assign @piosz @deads2k
**Release note**:
```release-note
remove deprecated initresource admission plugin
```
Automatic merge from submit-queue (batch tested with PRs 62407, 62602, 62539, 62639, 62647). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix kubemark image-registry name assignment
Allows to create kubemark instance without explicitly specifying the project name.
start-kubemark.sh used to not run properly when using project name acquired from the cloud provider.
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
hack/test-update-storage-objects.sh: don't build a binary that the script doesn't use
**What this PR does / why we need it**:
This PR removes unused code that was building a binary that script doesn't use.
**Special notes for your reviewer**:
`hack/test-update-storage-objects.sh` used `attachlease` and `migrate-if-needed.sh` for performing etcd2 -> etcd3 migration. In the commit 39e5a56691 we stopped migrating data, but still built unused `attachlease` binary.
Later, in the dc4d92e154 commit, `migrate-if-needed.sh` was reimplemented in go and unused `attachlease` was replaced by `migrate` that also wasn't needed.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add andyzhangx as windows related code Reviewer of pkg/util/mount
**What this PR does / why we need it**:
I just found recently there is some feature not working on windows storage, e.g. local, hostpath volume etc. So I woul like to be a reviewer for windows related code of volume storage. The windows code under https://github.com/kubernetes/kubernetes/tree/master/pkg/util/mount are mostly implemented by me, I am quite familiar with this component. Just let me know if it's ok, thanks.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```
none
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm/phases: small grammar improvements
**What this PR does / why we need it**:
small grammar fixes and cleanup in `kubeadm/phases`.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
none
**Release note**:
```release-note
NONE
```
Lubomir (VMware)
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix machineID getting for vmss nodes when using instance metadata
**What this PR does / why we need it**:
When instancemetadata is for Kubelet on master nodes , kubelet is not able to register itself with errors:
```sh
Unable to construct v1.Node object for kubelet: failed to get external ID from cloud provider: not a vmss instance
```
This PR fixes this issue by composing standard instance ID for such nodes.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62610
**Special notes for your reviewer**:
Need cherry pick to 1.10.
**Release note**:
```release-note
Fix machineID getting for vmss nodes when using instance metadata
```
/assign @andyzhangx
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix volume node affinity to OR node selector terms
**What this PR does / why we need it**:
Fixes node selector terms to be ORed, to be consistent with documentation and Pod.NodeAffinity. Also handles the "node selector term nil or empty matches nothing" behavior.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62551
**Special notes for your reviewer**:
**Release note**:
```release-note
Fixes issue where PersistentVolume.NodeAffinity.NodeSelectorTerms were ANDed instead of ORed.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Prevent virtual infinite loop in volume controller
**What this PR does / why we need it**:
In WatchPod(), if one of the two channels being watched (pod updates and events) is closed, the for/select loop turns into a tight infinite loop because the select immediately falls through due to the channel being closed.
This PR changes WatchPod() to Watch the two channels independently instead.
**Which issue(s) this PR fixes**:
Fixes#62571
**Release note**:
```release-note
Fix potential infinite loop that can occur when NFS PVs are recycled.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix Forward chain default reject policy for IPVS proxier
**What this PR does / why we need it**:
Testing with the IPVS mode proxier on a host with iptables FORWARD policy = DROP, as configured by docker in recent versions, I found that traffic to NodePorts failed when the NodePort forwarded the traffic to another node.
Saw the iptables FORWARD=DROP counter increasing with each packet.
IPVS mode should whitelist such traffic in a similar way to the iptables mode:
PR implementing the fix for iptables mode: #52569
**Which issue(s) this PR fixes**:
Fixes#59656
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix Forward chain default reject policy for IPVS proxier
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
not return 500 status code for insufficient quota
This is not an unexpected error, so it should not return a 500 code, I think.
@derekwaynecarr
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Show help for deprecated Kubelet flags
We recently deprecated a bunch of Kubelet flags, which caused them to disappear from `--help` output. This PR unhides these flags, so that the deprecation notice is clearly visible in `--help`.
Fixes: #62009
```release-note
NONE
```
/cc @eparis
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
use glog.Infof instead of glog.Info in volumn_host
**What this PR does / why we need it**:
use glog.Infof instead of glog.Info
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[GCE] Loadbalancer Tests
**What this PR does / why we need it**:
* Refactors existing Loadbalancer tests
- Create a new v1.Service per test, instead of a global one
- Encapsulate checking resource creation/deletion for internal and external loadbalancers in functions
* Adds tests for `gce_loadbalancer.go` - brings coverage from 10.3% -> 65.4%
**Release note**:
```release-note
NONE
```
In WatchPod(), if one of the two channels being watched (pod updates and
events) is closed, the for/select loop turns into a tight infinite loop because
the select immediately falls through due to the channel being closed. Watch
them independently instead.
Matthieu Maquevice