Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
pkg/securitycontext/util_test.go(TestAddNoNewPrivileges): update tests
**What this PR does / why we need it**:
This PR improves existing test in the following ways:
- remove irrelevant test cases
- add test case for `AllowPrivilegeEscalation: nil`
- explicitly specify input and expected outcome
This is addressed to the following review comment: https://github.com/kubernetes/kubernetes/pull/47019#discussion_r135808264
**Release note**:
```release-note
NONE
```
PTAL @jessfraz @kubernetes/sig-auth-pr-reviews
CC @simo5
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update comments for getting and removing loopback device for iSCSI,FC,RBD
**What this PR does / why we need it**:
This PR adds comments of the background why plugin gets loopback device and removes loopback device even if operation_generator has same functionality.
**Which issue(s) this PR fixes** : No
**Special notes for your reviewer**:
/cc @rootfs @sbezverk
related PR: https://github.com/kubernetes/kubernetes/pull/56651
**Release note**:
```release-note
NONE
```
This PR add comments for the background why plugin gets loopback
device and removes loopback device even if operation_generator has
same functionality.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
set fsGroup by securityContext.fsGroup in azure file
**What this PR does / why we need it**:
set fsGroup by securityContext.fsGroup in azure file
This PR respects `securityContext.fsGroup`, while if user both sets `gid=xxx` in mountOptions in azure storage class and `securityContext.fsGroup`, `gid=xxx` setting in mountOptions will win.
```
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
securityContext:
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: {}
containers:
- name: sec-ctx-demo
image: gcr.io/google-samples/node-hello:1.0
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#44085
**Special notes for your reviewer**:
**Release note**:
```
set fsGroup by securityContext.fsGroup in azure file
```
/assign @karataliu
cc @rootfs @avaranovich
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix update-swagger-spec.sh to always cleanup etcd
**What this PR does / why we need it**:
This PR fixes `hack/update-swagger-spec.sh` so it always cleanup etcd and to noe leave orphaned process after its execution. This process also doesn't allow to run the script again as it detects existing etcd and won't start.
I also made a minor improvement by adding guard against an empty arguments.
**Release note**:
```release-note
NONE
```
CC @simo5
Prior this change, etcd wasn't cleaned up on my machine that lead to
orphaned etcd process after the update-swagger-spec.sh failed.
This change also adds additional improvements:
- don't kill/wait/rm when argument is empty.
- use kube::util::trap_add.
Automatic merge from submit-queue (batch tested with PRs 58008, 58351). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update-swagger-spec.sh: when API server fails to start, show the last lines of logs
**What this PR does / why we need it**:
When API server fails to start there is no easy way to know why. You have to read the script where you will find that there is a log file that could have some useful info. This PR simplifies debugging:
1) it includes the path to the log file in the error message
2) it also shows the last 10 lines from this log
Before this change:
```
+++ [0116 19:33:49] Starting kube-apiserver
!!! [0116 19:34:19] Timed out waiting for apiserver: to answer at 127.0.0.1:8050/healthz; tried 30 waiting 1 between each
!!! Error in ./hack/update-swagger-spec.sh:42
Error in ./hack/update-swagger-spec.sh:42. 'return 1' exited with status 1
Call stack:
1: ./hack/update-swagger-spec.sh:42 main(...)
Exiting with status 1
+++ [0116 19:34:19] Clean up complete
```
After this change:
```
+++ [0116 19:42:41] Starting kube-apiserver
!!! [0116 19:42:51] Timed out waiting for apiserver: to answer at 127.0.0.1:8050/healthz; tried 30 waiting 1 between each
!!! [0116 19:42:51] Here are the last 10 lines from kube-apiserver (/tmp/swagger-api-server.log)
!!! [0116 19:42:51] === BEGIN OF LOG ===
I0116 19:42:41.689355 30809 server.go:122] Version: v1.10.0-alpha.1.877+a02cb7c1f7d0d6-dirty
I0116 19:42:41.942601 30809 serving.go:295] Generated self-signed cert (/tmp/update-swagger-spec.2Udp/certs/apiserver.crt, /tmp/update-swagger-spec.2Udp/certs/apiserver.key)
I0116 19:42:41.942611 30809 server.go:647] external host was not specified, using 10.10.10.10
W0116 19:42:41.942618 30809 authentication.go:378] AnonymousAuth is not allowed with the AllowAll authorizer. Resetting AnonymousAuth to false. You should use a different authorizer
error in initializing storage factory: group version podsecuritypolicy.admission.k8s.io/v1beta1 that has not been registered
!!! [0116 19:42:51] === END OF LOG ===
+++ [0116 19:42:51] Clean up complete
```
**Release note**:
```release-note
NONE
```
PTAL @cblecker @sttts
CC @simo5
Automatic merge from submit-queue (batch tested with PRs 58008, 58351). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
etcd client: add keepalive
**What this PR does / why we need it**: This PR shortens the keepaliveTimeout and enables keepalive within the etcd client to allow the socket to be closed cleanly on a dead etcd server.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#46964
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/cc @xiang90
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
cluster: remove salt
Nothing uses it directly. There were some dangling dependencies from GCE and Centos kube-ups, so I just copied them into respective dirs.
see #49213
```release-note
Remove deprecated and unmaintained salt support. kubernetes-salt.tar.gz will no longer be published in the release tarball.
```
Automatic merge from submit-queue (batch tested with PRs 58319, 58345). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
azure disk: if the disk is not found, immediately detach it. This prevents azure keeps the bad request and stops issuing new request
**What this PR does / why we need it**:
Detach and clear bad disk URI
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58344
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58319, 58345). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Call Dial in blocking mode
**What this PR does / why we need it**:
# Tests which uncover underlying problem
On the current master code:
1. comment out stub plugin server start [here](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/cm/deviceplugin/endpoint_test.go#L127-L128)
2. run `go test -v k8s.io/kubernetes/pkg/kubelet/cm/deviceplugin --run TestNewEndpoint --count 1`. Test succeeds.
3. run `go test -v k8s.io/kubernetes/pkg/kubelet/cm/deviceplugin --run TestRun --count 1`. Test hangs with:
> listAndWatch ended unexpectedly for device plugin mock with error rpc error: code = Unavailable desc = grpc: the connection is unavailable
`2` does not fail even though it invokes Dial and no listening server is running. It is because currently Dial is not waiting till the connection turns to Ready state. And this case does not invokes any RPC call over the `conn` returned by `Dial`
`3` hangs because this tests involves actual usage of `conn`(client) and there it does not find listening server because we dint start and deliberately stopped in `1`.
`Dial` should be using `WithBlock` option which ensures that `conn` is returned only when connection is in `Ready` state.
After using `WithBlock` in the `Dial`, in this PR, if `1`, `2` and `3` are repeated. Both, `2` and `3`, fails at `Dial`, which is expected behavior. By `fail`, I meant Dial blocks forever if `WithTimeout` is not used or otherwise, a timeout failure.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58281
**Special notes for your reviewer**:
**Release note**:
```release-note
None
```
/area hw-accelerators
/sig node
/cc @jiayingz @RenaudWasTaken @vishh @ScorpioCPH @sjenning @derekwaynecarr @jeremyeder @lichuqiang @tengqm
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fail earlier on discovery failures
When discovery fails, the object mapper and typer are incomplete. This change reflects that and returns errors instead of nils.
@juanvallejo
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix policy conflict in the CPU manager node e2e test.
**What this PR does / why we need it**:
After graduation of the CPU manager feature to Beta, the CPU manager `none` policy is ON by default. But when the CPU manager is set to use `static` policy in the node e2e test, there will always be a conflict with the policy checkpointed in the disk. This PR fixes that by deleting the state file where required.
Manually tested in an `n1-standard-4` instance with `Ubuntu 16.04` image on GCP, which is the same machine and image type as one of the configs used in the node e2e tests.
Use the following command to run the test locally:
`make test-e2e-node TEST_ARGS='--feature-gates=DynamicKubeletConfig=true' FOCUS="CPU Manager" SKIP="" PARALLELISM=1`
CC @ConnorDoyle @derekwaynecarr
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Allow version arg to be optional in "kubeadm upgrade apply"
**What this PR does / why we need it**:
This PR make the version arg optional if --config is specified and .KuberneteVersion is available.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes https://github.com/kubernetes/kubeadm/issues/460
**Special notes for your reviewer**:
```release-note
Allow version arg in kubeadm upgrade apply to be optional if config file already have version info
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Change default volume source to regular emptydir for e2e volume servers
**What this PR does / why we need it**:
Use regular emptydir instead of tmpfs emptydir in e2es to avoid hitting default memory limits.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58280
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add balajismaniam and ConnorDoyle to node-e2e approvers.
**What this PR does / why we need it**:
- Add balajismaniam and ConnorDoyle to node-e2e approvers.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
_Rationale:_ We are maintaining node e2e tests for the CPU manager component, and would also like to help with the rest of review load in this package. Both Balaji and I are approvers for the cpumanager and cpuset packages in the Kubelet container manager.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[quota controller] remove extra queue.Add()
requeue immediately after an error may end-up with hot-loop
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add hostPorts to pod describer
**What this PR does / why we need it**:
Missing `HostPorts` when describing pods
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
/assign @mengqiy @shiywang
**Release note**:
```release-note
None
```
basically just:
* move all manifests into the new gce/manifests dir
* move limit-range into gce/addons/limit-range
* move abac jsonl into gce/manifests. this is gross but we will
hopefully be able to delete this config soon. it only exists to support
a deprecated feature.
* fix build, release, deploy to look for everything in its new home
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
feat(fakeclient): push event on watched channel on add/update/delete
**What this PR does / why we need it**:
This PR enables watch function for kubernetes [fakeclient](1bcf0b0a22/staging/src/k8s.io/client-go/kubernetes/fake/clientset_generated.go (L88)).
This fake client add watchReactorFunction by wrapping [watch.NewFake](1bcf0b0a22/staging/src/k8s.io/client-go/kubernetes/fake/clientset_generated.go (L98)) which is a `chan Event` but actually nothing pushes objects into this channel. So all watch function called by fake client will never return or never receive any object.
This PR intercepts ReactionFunc of `Create / Update / DeleteActionImpl` and will push the requested object to channel.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes#54075
**Special notes for your reviewer**:
**Release note**:
```dev-release-note
enable watch function for fake client
```
Automatic merge from submit-queue (batch tested with PRs 58260, 58326). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[azure] fix TestGetInstanceIDByNodeName data race
**What this PR does / why we need it**:
fix ut case data race
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58325
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58260, 58326). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add support for submitting/receiving CRD objects as yaml
Fixes#37455
```release-note
Custom resources can now be submitted to and received from the API server in application/yaml format.
```
fix races with watch call
add test for non-namespace resource watch
add matching for all-namespace-watch
fix delete namespace watch & restrict test
fix multiple invocation on same resource & namespace
add descriptive doc for tracker.watchers
David Eads