Automatic merge from submit-queue (batch tested with PRs 41984, 41682, 41924, 41928)
Move node problem detector test into node e2e.
Move current NPD e2e test into node e2e.
In fact, current NPD e2e test is only a functionality test for NPD. It creates test NPD pod, sets test configuration, generates test logs and verifies test result.
It doesn't actually test the NPD really deployed in the cluster.
So it doesn't actually need to run in cluster e2e. Running it in node e2e will:
1) Make it easier to run the test.
2) Make it more light weight to introduce this as a pre/post submit test in NPD repo in the future.
Except this, I'm working on a cluster e2e to run some basic functionality test and benchmark test against the real NPD deployed in the cluster. Will send the PR later.
/cc @dchen1107 @kubernetes/node-problem-detector-reviewers
Automatic merge from submit-queue (batch tested with PRs 41984, 41682, 41924, 41928)
make edit respect --save-config
New behavior:
edit:
1) the flag is set to true: it will create or update the last-applied-config annotation
2) the flag is set to false or is unspecified: NOP
replace:
1) If saveConfig is true, create or update the annotation.
2) If saveConfig is false and the local config file doesn't have the annotation, we save the annotation from the live object if there is one (Try to not surprise the users).
3) If saveConfig is false and the local config file has the annotation, we use the annotation in the config file.
4) Same behavior for force replacing
fixes#40626
```release-note
stop kubectl edit from updating the last-applied-configuration annotation when --save-config is unspecified or false.
```
@pwittrock @liggitt
This is a bug fix that prevented `edit` from being respected by `apply`
Automatic merge from submit-queue (batch tested with PRs 41984, 41682, 41924, 41928)
Add options to kubefed telling it to generate HTTP Basic and/or token credentials for the Federated API server
fixes#41265.
**Release notes**:
```release-note
Adds two options to kubefed, `-apiserver-enable-basic-auth` and `-apiserver-enable-token-auth`, which generate an HTTP Basic username/password and a token respectively for the Federated API server.
```
Automatic merge from submit-queue (batch tested with PRs 41984, 41682, 41924, 41928)
RC/RS: Fully Respect ControllerRef
**What this PR does / why we need it**:
This is part of the completion of the [ControllerRef](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md) proposal. It brings ReplicaSet and ReplicationController into full compliance with ControllerRef. See the individual commit messages for details.
**Which issue this PR fixes**:
Although RC/RS had partially implemented ControllerRef, they didn't use it to determine which controller to sync, or to update expectations. This could lead to instability or controllers getting stuck.
Ref: https://github.com/kubernetes/kubernetes/issues/24433
**Special notes for your reviewer**:
**Release note**:
```release-note
```
cc @erictune @kubernetes/sig-apps-pr-reviews
Automatic merge from submit-queue
Only set a groupresource on errors if a resource was specified
@deads2k this gets rid of the weird .meta.k8s.io error on unauthorized errors
Automatic merge from submit-queue (batch tested with PRs 42128, 42064, 42253, 42309, 42322)
Default E2E_ZONES to empty string.
Also print an error message and exit if host cluster context cannot be derived.
I don't think we should do any of this magic. This is a stop gap solution to get all our tests to stable state. I will actively get rid of all this defaulting magic once our main tests are stable.
cc @kubernetes/sig-federation-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 42128, 42064, 42253, 42309, 42322)
Fix godep race in local builds
**What this PR does / why we need it**:
This fixes a small race condition when building a godep version other than the latest. As you're building godep once, and then building it again after checkout, this can cause inconsistency in the version selected for use. This fix tells the first `go get` to only download and not build. Then we build manually after checking out the target version.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42128, 42064, 42253, 42309, 42322)
Fix panic on nil invalid field error
bug fix for validation panic
if a field.Invalid is constructed with a nil badvalue, the Error() method panics, since reflect.TypeOf() returns nil
Automatic merge from submit-queue (batch tested with PRs 42128, 42064, 42253, 42309, 42322)
kubeadm: Rename some flags for beta UI and fixup some logic
**What this PR does / why we need it**:
In this PR:
- `--api-advertise-addresses` becomes `--apiserver-advertise-address`
- The API Server's logic here is that if the address is `0.0.0.0`, it chooses the host's default interface's address. kubeadm here uses exactly the same logic. This arg is then passed to `--advertise-address`, and the API Server will advertise that one for the service VIP.
- `--api-port` becomes `--apiserver-bind-port` for clarity
ref the meeting notes: https://docs.google.com/document/d/1deJYPIF4LmhGjDVaqrswErIrV7mtwJgovtLnPCDxP7U/edit#
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
@jbeda @dmmcquay @pires @lukemarsden @dgoodwin @mikedanese
Automatic merge from submit-queue (batch tested with PRs 42128, 42064, 42253, 42309, 42322)
Add storage.k8s.io/v1 API
This is combined version of reverted #40088 (first 4 commits) and #41646. The difference is that all controllers and tests use old `storage.k8s.io/v1beta1` API so in theory all tests can pass on GKE.
Release note:
```release-note
StorageClassName attribute has been added to PersistentVolume and PersistentVolumeClaim objects and should be used instead of annotation `volume.beta.kubernetes.io/storage-class`. The beta annotation is still working in this release, however it will be removed in a future release.
```
Automatic merge from submit-queue (batch tested with PRs 41672, 42084, 42233, 42165, 42273)
ExecProbes should be able to do simple env var substitution
For containers that don't have bash, we should support env substitution
like we do on command and args. However, without major refactoring
valueFrom is not supportable from inside the prober. For now, implement
substitution based on hardcoded env and leave TODOs for future work.
Improves the state of #40846, will spawn a follow up issue for future refactoring after CRI settles down
Automatic merge from submit-queue (batch tested with PRs 41672, 42084, 42233, 42165, 42273)
Don't sync IPtables before underlying store/reflector is fully synced
Ref #42108
Build on top of #42108 - only the second commit is unique.
Automatic merge from submit-queue (batch tested with PRs 41672, 42084, 42233, 42165, 42273)
Keep entries of apimachinery in client-go's Godeps.json
1. copy.sh now copies staging/ to a temp dir, creates snapshots for them, and then adds the temp dir to GOPATH before running `godep save`. This way, we don't need the `go list` check added in #41987 so that's removed @sttts.
2. copy.sh fills the entries for k8s.io/apimachinery with dummy SHA1 in client-go's Godeps.json. The publish robot will later fill the actually published one.
3. copy.sh removes the entire `_vendor` from client-go. We cannot keep `_vendor` because it makes hard to use the `git filter-branch` magic for client-go, because the filtered commits might contain changes to `_vendor` while client-go only has `vendor/`.
Some notes on point 3: the robot will restore the vendor/ later, but exclude k8s.io/* and glog, so that users retrieving client-go with `go get` won't end up with multiple copies of them. I think this should be a ***general rule*** for published k8s.io/* repos: every published repos should have complete Godeps.json with latest commit hashes of other k8s.io/* repos, but vendor/k8s.io/* and vendor/glog will be removed from all repos.
@sttts @lavalamp @deads2k
Automatic merge from submit-queue (batch tested with PRs 41672, 42084, 42233, 42165, 42273)
remove azure getting kube-ups.
Haven't been touched in > 7 months.
@colemickens , i"m going to send out an email about this.
```release-note
Remove Azure kube-up as the Azure community has focused efforts elsewhere.
```
Automatic merge from submit-queue (batch tested with PRs 42126, 42130, 42232, 42245, 41932)
apiserver/pkg/server: include scheme in insecure self client config
Noticed this during bootkube development: https://github.com/kubernetes-incubator/bootkube/issues/325
In Go 1.8's `url.Parse` became more strict, and `url.Parse("127.0.0.1:8080")` now fails.
https://beta.golang.org/doc/go1.8#net_urlhttps://play.golang.org/p/dw_cPeotG4
Accidentally compiled bootkube with 1.8 and tracked a panic down to the loopback client config. Though we're still using the old "genericapiserver", this seems to be translated from the old one.
The actual panic we observed was
```
E0222 19:40:11.364949 5 server.go:254] Failed to create clientset: parse 127.0.0.1:8080: first path segment in URL cannot contain colon
panic: parse 127.0.0.1:8080: first path segment in URL cannot contain colon
goroutine 35 [running]:
github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion.NewForConfigOrDie(0xc420728ea0, 0xc420738e30)
/home/eric/src/github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion/core_client.go:132 +0x62
github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/pkg/master.(*Config).Complete(0xc420739db8, 0x0)
/home/eric/src/github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/pkg/master/master.go:180 +0x40a
github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/cmd/kube-apiserver/app.Run(0xc42007a3c0, 0x0, 0x0)
/home/eric/src/github.com/kubernetes-incubator/bootkube/vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:347 +0x1e8d
github.com/kubernetes-incubator/bootkube/pkg/bootkube.(*bootkube).Run.func1(0xc4206b01e0, 0xc420164300)
/home/eric/src/github.com/kubernetes-incubator/bootkube/pkg/bootkube/bootkube.go:124 +0x2f
created by github.com/kubernetes-incubator/bootkube/pkg/bootkube.(*bootkube).Run
/home/eric/src/github.com/kubernetes-incubator/bootkube/pkg/bootkube/bootkube.go:124 +0xb0
```
I don't actually know if this is the correct fix or if there should be changes to `NewForConfigOrDie`. Am looking for comments more than anything.
edit: @abourget pointed out over on bootkube that the actual panic was fixed in the internalclient by https://github.com/kubernetes/kubernetes/pull/38519.
cc @deads2k @sttts @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 42126, 42130, 42232, 42245, 41932)
allow subject access review to non-existent namespace
A localsubjectaccessreview is a special kind of resource which can be created even when the namespace doesn't exist. Since permissions can be granted at different scopes, you can reasonably check if someone *could* do something at a lower scope that isn't there yet. In addition, the permission to do an access check is separate from the permission to list all namespaces, so we're leaking information.
@liggitt @kubernetes/sig-auth-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 42126, 42130, 42232, 42245, 41932)
fix LeaderTransitions always zero
on leader transition, LeaderTransitions is increased to 1, but
then cleared to zero by next renew.
External monitoring system may watch LeaderTransitions and rely
on it's facticity.
Automatic merge from submit-queue (batch tested with PRs 42126, 42130, 42232, 42245, 41932)
Update fluentd-gcp configuration for hosted masters
This PR makes use of the new fluentd-gcp image, which is not configured per se, for the hosted masters, which cannot use configmaps.
Mirroring https://github.com/kubernetes/kubernetes/pull/42126
Automatic merge from submit-queue
Move fluentd DS config to configmap
This is the logical continuation of https://github.com/kubernetes/kubernetes/pull/41998. This PR makes fluentd-gcp DaemonSet use the new image configured using ConfigMap.
This PR doesn't change the way fluentd-gcp works in case master is not registered, that'll be fixed in a separate PR
CC @ixdy @timstclair @igorpeshansky @qingling128 @dhrupadb
**Release note:**
```release-note
Fluentd-gcp containers spawned by DaemonSet are now configured using ConfigMap
```
Automatic merge from submit-queue (batch tested with PRs 41980, 42192, 42223, 41822, 42048)
Adjust parameters of GCL cluster logging load tests
This PR increases the amount of logs produced in load tests to match the number of nodes and provide the predictable load of 100 KB/sec on each node.
Also this PR reduces in half amount of time, given for ingesting logs.
Automatic merge from submit-queue (batch tested with PRs 41980, 42192, 42223, 41822, 42048)
Take into account number of restarts in cluster logging tests
Before, in cluster logging tests, we only measured e2e number of lines delivered to the backend.
Also, befure https://github.com/kubernetes/kubernetes/pull/41795 was merged, from the k8s perspective, fluentd was always working properly, even if it's crashlooping inside.
Now we can detect whether fluentd is truly working properly, experiencing no, or almost no OOMs duing its operation.
Automatic merge from submit-queue (batch tested with PRs 41980, 42192, 42223, 41822, 42048)
CRI: Make dockershim better implements CRI.
When thinking about CRI Validation test, I found that `PodSandboxStatus.Linux.Namespaces.Options.HostPid` and `PodSandboxStatus.Linux.Namespaces.Options.HostIpc` are not populated. Although they are not used by kuberuntime now, we should populate them to conform to CRI.
/cc @yujuhong @feiskyer
Automatic merge from submit-queue (batch tested with PRs 41980, 42192, 42223, 41822, 42048)
Modified kubemark startup scripts to restore master on reboot
Fixes#41735
As discussed in the issue, modified the scripts to satisfy the conditions of restoring master env, running non-idempotent operations only for the first time and persist important data like pki/auth files on a PD.
Also attached `start-kubemark-master.sh` as startup-script metadata to master instance (on GCE) so that it is called automatically on each boot.
cc @kubernetes/sig-scalability-misc @wojtek-t @gmarek
Automatic merge from submit-queue (batch tested with PRs 41931, 39821, 41841, 42197, 42195)
Use `docker logs` directly if the docker logging driver is not `json-file`
Fixes https://github.com/kubernetes/kubernetes/issues/41996.
Post the PR first, I still need to manually test this, because we don't have test coverage for journald logging pluggin.
@yujuhong @dchen1107
/cc @kubernetes/sig-node-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 41931, 39821, 41841, 42197, 42195)
Adding legacy ABAC for 1.6
This is a fork of a previous [pull request](https://github.com/kubernetes/kubernetes/pull/42014) to include feedback as the original author is unavailable.
Adds a mechanism to optionally enable legacy abac for 1.6 to provide a migration path for existing users.
Automatic merge from submit-queue (batch tested with PRs 41931, 39821, 41841, 42197, 42195)
Revert conditional updates to configmap that breaks ingress
Don't prevent configmap updates to happen on existing ingress-uid configmap despite the lack of ingress objects. Otherwise, ingress objects get created with the wrong name.
Automatic merge from submit-queue (batch tested with PRs 41931, 39821, 41841, 42197, 42195)
Apiserver: wait for Etcd to become available on startup
fixes#37704
Automatic merge from submit-queue (batch tested with PRs 41931, 39821, 41841, 42197, 42195)
Admission Controller: Add Pod Preset
Based off the proposal in https://github.com/kubernetes/community/pull/254
cc @pmorie @pwittrock
TODO:
- [ ] tests
**What this PR does / why we need it**: Implements the Pod Injection Policy admission controller
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Added new Api `PodPreset` to enable defining cross-cutting injection of Volumes and Environment into Pods.
```
Automatic merge from submit-queue
Add RBAC roles for bootstrap controllers
Supercedes https://github.com/kubernetes/kubernetes/pull/42221
When locking down controllers to individual RBAC roles we need to make sure that the bootstrap controllers have the right permissions.
This adds the roles and bindings at the correct namespace scopes for the bootstrap-signer and token-cleaner controllers.
@liggitt ptal
@jbeda @luxas you got a good way to test this? It must not be covered in normal e2e or we'd've seen the issue before.
Automatic merge from submit-queue
AWS: run k8s master in different account or different provider
Currently the master and the nodes must run in the same account. With this change the master can run in a different AWS account, on a different cloud provider or on premise.
## Release Notes
```release-note
AWS cloud provider: allow to run the master with a different AWS account or even on a different cloud provider than the nodes.
```
Seth Jennings