CRI socket doesn't have to be an absolute path, it should be an url.
However, attempt to use it as an url in 'kubeadm init' command line
causes this validation error:
$ sudo ./kubeadm init --cri-socket unix:///var/run/crio/crio.sock
nodeRegistration.criSocket: Invalid value:
"unix:///var/run/crio/crio.sock": path is not absolute
Fixed by adding ValidateSocket function and using it in the
ValidateNodeRegistrationOptions check instead of ValidateAbsolutePath.
Make default component configs printable via `kubeadm config print-default`.
Component configs are not printed by default. You have to explicitly request
that for concrete API objects via the `--api-objects` command line parameter.
For a list of possible API objects use the help option.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
Automatic merge from submit-queue (batch tested with PRs 66064, 66040). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Re-enable write-read pv check in volume provisioning tests
**What this PR does / why we need it**: Except for the recently-added CSI tests, every test that uses testDynamicProvisioning in volume_provisioning has been skipping the
`By("checking the created volume is writable and has the PV's mount options")`
and
`By("checking the created volume is readable and retains data")`
steps due to an unintentional change in https://github.com/kubernetes/kubernetes/pull/59879
**Special notes for your reviewer**: The 'attach' variable name is not descriptive at all, default behaviour is unclear. Tests will take longer of course, but that was always the intention, to not only test provisioning of PV is according to PVC but that you can actually r/w it (hence e2e).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66064, 66040). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix Local externalTrafficPolicy is not respected for ipvs NodePort
**What this PR does / why we need it**:
Local externalTrafficPolicy is not respected for ipvs NodePort.
This PR fixes it.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#66062
**Special notes for your reviewer**:
Manually tested accessing NodePort with externalTrafficPolicy=Local and externalTrafficPolicy=Cluster.
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 65052, 65594). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Derive kubelet serving certificate CSR template from node status addresses
xref https://github.com/kubernetes/features/issues/267fixes#55633
Builds on https://github.com/kubernetes/kubernetes/pull/65587
* Makes the cloud provider authoritative when recording node status addresses
* Makes the node status addresses authoritative for the kube-apiserver determining how to speak to a kubelet (stops paying attention to the hostname label when determining how to reach a kubelet, which was only done to support kubelets < 1.5)
* Updates kubelet certificate rotation to be driven from node status
* Avoids needing to compute node addresses a second time, and differently, in order to request serving certificates.
* Allows the kubelet to react to changes in its status addresses by updating its serving certificate
* Allows the kubelet to be driven by external cloud providers recording node addresses on the node status
test procedure:
```sh
# setup
export FEATURE_GATES=RotateKubeletServerCertificate=true
export KUBELET_FLAGS="--rotate-server-certificates=true --cloud-provider=external"
# cleanup from previous runs
sudo rm -fr /var/lib/kubelet/pki/
# startup
hack/local-up-cluster.sh
# wait for a node to register, verify it didn't set addresses
kubectl get nodes
kubectl get node/127.0.0.1 -o jsonpath={.status.addresses}
# verify the kubelet server isn't available, and that it didn't populate a serving certificate
curl --cacert _output/certs/server-ca.crt -v https://localhost:10250/pods
ls -la /var/lib/kubelet/pki
# set an address on the node
curl -X PATCH http://localhost:8080/api/v1/nodes/127.0.0.1/status \
-H "Content-Type: application/merge-patch+json" \
--data '{"status":{"addresses":[{"type":"Hostname","address":"localhost"}]}}'
# verify a csr was submitted with the right SAN, and approve it
kubectl describe csr
kubectl certificate approve csr-...
# verify the kubelet connection uses a cert that is properly signed and valid for the specified hostname, but NOT the IP
curl --cacert _output/certs/server-ca.crt -v https://localhost:10250/pods
curl --cacert _output/certs/server-ca.crt -v https://127.0.0.1:10250/pods
ls -la /var/lib/kubelet/pki
# set an hostname and IP address on the node
curl -X PATCH http://localhost:8080/api/v1/nodes/127.0.0.1/status \
-H "Content-Type: application/merge-patch+json" \
--data '{"status":{"addresses":[{"type":"Hostname","address":"localhost"},{"type":"InternalIP","address":"127.0.0.1"}]}}'
# verify a csr was submitted with the right SAN, and approve it
kubectl describe csr
kubectl certificate approve csr-...
# verify the kubelet connection uses a cert that is properly signed and valid for the specified hostname AND IP
curl --cacert _output/certs/server-ca.crt -v https://localhost:10250/pods
curl --cacert _output/certs/server-ca.crt -v https://127.0.0.1:10250/pods
ls -la /var/lib/kubelet/pki
```
```release-note
* kubelets that specify `--cloud-provider` now only report addresses in Node status as determined by the cloud provider
* kubelet serving certificate rotation now reacts to changes in reported node addresses, and will request certificates for addresses set by an external cloud provider
```
Automatic merge from submit-queue (batch tested with PRs 65052, 65594). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix update node condition
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#65051
/area cloudprovider
/sig cluster-lifecycle
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66076, 65792, 65649). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubernetes: fix printf format errors
These are all flagged by Go 1.11's
more accurate printf checking in go vet,
which runs as part of go test.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66076, 65792, 65649). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove DefaultingSerializer as it is not being used
Keeping unused code around is confusing at least. The Serializer is not used as far as I can tell. If any external project is using it, they should just copy it in their code.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Don't delete pkg/generated/bindata.go in make clean
**What this PR does / why we need it**: follow-up to #65985: `pkg/generated/bindata.go` has been re-added to the repo, so `make clean` shouldn't delete it, as doing so makes the tree dirty.
This is mostly problematic for jobs which run `make clean` followed by `make quick-release` or `make release` (like our CI build job), since those won't regenerate `pkg/generated/bindata.go`, as they run builds inside the build container.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add region label to dynamic provisioned cinder PVs
**What this PR does / why we need it**:
This PR adds region label to dynamic provisioned Cinder PVs at the time of the PV creation.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#65977
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66051, 66049). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Always mark gke-exec-auth-plugin executable
**What this PR does / why we need it**:
mark gke-exec-auth-plugin executable after downloading
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66051, 66049). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix:Image garbage collection is always disabled in kubelet in 1.11
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #66046
**Special notes for your reviewer**:
@yujuhong @derekwaynecarr
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add local volume pod affinity tests.
**What this PR does / why we need it**:
Add local volume pod affinity tests.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#56100 (with already merged prs #59682, #60260)
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixing comments in types.go to describe the changes for CSI driver default FS type override fix
This PR fixes the comment in types.go which was made in the commit 5dfe7b5758
In the above commit, the change that fixed the override of default FSType for CSI driver was made. However the comments in types.go were made for GCEPersistentDiskVolumeSource and RBDVolumeSource respectively. This commit fixes that comment to reflect the changes for CSI driver
```release-note
none
```
check in existing API rule violations;
the Make rule fails if generated violation report differs from the
checked-in violation file and prints error message;
add documentation.
Automatic merge from submit-queue (batch tested with PRs 66038, 65992, 66008). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Convert TestServerRunWithSNI to subtests to isolate flake
This test is flaking - make it easier to pin down where and why by
converting to subtests and making cleanup logic simpler. Also turn an
ignored listen error into a "fatal".
Make the test run in parallel to speed up individual runs and hopefully
flush out issues.
Noticed and reported in OpenShift, https://github.com/openshift/origin/issues/20220
@deads2k / @sttts
Automatic merge from submit-queue (batch tested with PRs 66038, 65992, 66008). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Stop sorting downward api file lines
Fixes#65159
```release-note
fixes an issue with multi-line annotations injected via downward API files getting scrambled
```
Automatic merge from submit-queue (batch tested with PRs 65794, 65919). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Incremented the elasticsearch version
**What this PR does / why we need it**:
Applies changes implemented in:
https://github.com/kubernetes/kubernetes/pull/65627
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65794, 65919). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove references to the Debian-based Container-VM image
The image reached end-of-life in October 2017. Remove the associated
references from the cluster setup script.
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
These are all flagged by Go 1.11's
more accurate printf checking in go vet,
which runs as part of go test.
Lubomir I. Ivanov <neolit123@gmail.com>
applied ammend for:
pkg/cloudprovider/provivers/vsphere/nodemanager.go
Automatic merge from submit-queue (batch tested with PRs 65931, 65705, 66033). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove unused x509 code
We don't intend to use/support these user extraction methods
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65931, 65705, 66033). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Block volumes should have empty FSType
FSType in block PVs has no meaning and it should be empty in provisioned PVs.
**Which issue(s) this PR fixes**
Fixes#65704
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65931, 65705, 66033). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: run kube-proxy on non-master tainted nodes
**What this PR does / why we need it**:
kube-proxy should be able to run on all nodes, independent
on the taint of such nodes.
This restriction was previously removed in bb28449e31 but
then was brought back in d1949261ab.
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
/cc @luxas @detiber @dixudx @discordianfish @mxey
/kind bug
/area kube-proxy
/area kubeadm
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#699
**Special notes for your reviewer**:
we are removing the requirement again, but please have a look at all the implications here.
hopefully we don't have to bring it again.
**Release note**:
```release-note
kubeadm: run kube-proxy on non-master tainted nodes
```
This test is flaking - make it easier to pin down where and why by
converting to subtests and making cleanup logic easier. Also turn an
ignored listen error into a "fatal".
Make the test run in parallel to speed up individual runs and hopefully
flush out issues.
Cao Shufeng