Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add code and yaml for Istio as an addon
This commit adds the following:
- YAML for istio components to the addons directory (versions with
and without auth)
- logic to copy the appropriate YAML file into the addons manager
dir, depending on ENABLE_ISTIO and ISTIO_AUTH_TYPE env vars
- changes to addon manager script which allow plugins to exist in
namespace other than kube-system. This is needed for Istio
functionality
- additional initialization for Istio in addon manager.
This has been manually tested - e2e tests are in progress but require additional code to enable istio in tests. See:
- https://github.com/istio/istio/pull/2841
- https://github.com/kubernetes/test-infra/pull/6612
**What this PR does / why we need it**:
Allow [Istio](https://istio.io/) to be installed as an addon. This simplifies the Istio setup process on k8s and GKE. Istio team is trying to make it easier for end users to get to a basic functional installation.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 59683, 59964, 59841, 59936, 59686). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
GCE: Create cloud-provider roles and bindings via addons
**What this PR does / why we need it**:
This removes the `cloud-provider` role and role binding from the rbac boostrapper and replaces it with a policy applied via addon mgr. This also creates a new clusterrole allowing the service account to create events for any namespace.
**Special notes for your reviewer**:
/assign @bowei @timstclair
/cc timstclair
**Release note**:
```release-note
GCE: A role and clusterrole will now be provided with GCE/GKE for allowing the cloud-provider to post warning events on all services and watching configmaps in the kube-system namespace.
```
This commit adds the following:
- YAML for istio components to the addons directory (versions with
and without auth)
- logic to copy the appropriate YAML file into the addons manager
dir, depending on ENABLE_ISTIO and ISTIO_AUTH_TYPE env vars
- changes to addon manager script which allow plugins to exist in
namespace other than kube-system. This is needed for Istio
functionality
- additional initialization for Istio in addon manager.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable scaling fluentd-gcp resources using ScalingPolicy.
See https://github.com/justinsb/scaler for more details about ScalingPolicy resource.
**What this PR does / why we need it**:
This is adding a way to override fluentd-gcp resources in a running cluster. The resources syncing for fluentd-gcp is decoupled from addon manager.
**Special notes for your reviewer**:
**Release note**:
```release-note
fluentd-gcp resources can be modified via a ScalingPolicy
```
cc @kawych @justinsb
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Upload container runtime log to sd/es.
I've verified this in my environment. My stackdriver has an extra `container-runtime` entry for node log, and it collects container runtime daemon log correctly.
@yujuhong @feiskyer @crassirostris @piosz
@kubernetes/sig-node-pr-reviews @kubernetes/sig-instrumentation-pr-reviews
Signed-off-by: Lantao Liu <lantaol@google.com>
**Release note**:
```release-note
Container runtime daemon (e.g. dockerd) logs in GCE cluster will be uploaded to stackdriver and elasticsearch with tag `container-runtime`
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add a new environment variable to the gce startup scripts called KUBE_PROXY_MODE
**What this PR does / why we need it**:
This PR adds a new environment variable called KUBE_PROXY_MODE to the startup scripts for gce. This variable will allow a user to specify the kube-proxy implementation they want to use, with the choices being ipvs or iptables (iptables is default).
Next steps:
1. Need to remove use of feature gateway when IPVS goes GA
2. Need to add logic of loading required ipvs kernel modules in the scripts
Question: If the proxier is IPVS, is it necessary to have the iptables sync period flags?
**Release note**:
```release-note
None
```
This is the 2nd attempt. The previous was reverted while we figured out
the regional mirrors (oops).
New plan: k8s.gcr.io is a read-only facade that auto-detects your source
region (us, eu, or asia for now) and pulls from the closest. To publish
an image, push k8s-staging.gcr.io and it will be synced to the regionals
automatically (similar to today). For now the staging is an alias to
gcr.io/google_containers (the legacy URL).
When we move off of google-owned projects (working on it), then we just
do a one-time sync, and change the google-internal config, and nobody
outside should notice.
We can, in parallel, change the auto-sync into a manual sync - send a PR
to "promote" something from staging, and a bot activates it. Nice and
visible, easy to keep track of.
Automatic merge from submit-queue (batch tested with PRs 55439, 58564, 59028, 59169, 59259). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Configurable etcd quota backend bytes
```release-note
Configurable etcd quota backend bytes in GCE
```
Automatic merge from submit-queue (batch tested with PRs 56995, 58498, 57426, 58902, 58863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
gce: reorder authorizers
to the order Node,Webhook,RBAC,ABAC
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58412, 56132, 58506, 58542, 58394). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Implement upgrade-aliases.sh to migrate a route-based k8s cluster to use IP aliases in GCE.
**What this PR does / why we need it**:
This PR implements upgrade-aliases.sh, which is used to migrate a route-based k8s cluster to use IP aliases in GCE.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
"NONE"
```
basically just:
* move all manifests into the new gce/manifests dir
* move limit-range into gce/addons/limit-range
* move abac jsonl into gce/manifests. this is gross but we will
hopefully be able to delete this config soon. it only exists to support
a deprecated feature.
* fix build, release, deploy to look for everything in its new home
- If REMOUNT_VOLUME_PLUGIN_DIR is set to true, VOLUME_PLUGIN_DIR is remounted with `exec` option during cluster startup. This allows any writable location to be used as the plugin directory.
- New HostPath added to controller-manager deployment to enable access to volume plugin directory.
- Improved how the default directory is passed to master and node setup.
Automatic merge from submit-queue (batch tested with PRs 57906, 57425, 56939, 57317, 57762). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
cluster/gce/gci: Support passing kube-scheduler policy config
**What this PR does / why we need it**:
This allows us to specify a customized scheduler policy configuration.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
I'm aware of the ConfigMap but passing a file is much simpler in our case.
This PR is low risk, we will want to cherry pick this into 1.9.
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 52259, 53951, 54385, 54805, 55145). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
COS: Keep the docker network checkpoint
This is necessary for enabling the live-restore feature.
**What this PR does / why we need it**:
This is necessary for enabling the live-restore feature on COS.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
COS: Keep the docker network checkpoint
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Override recycler pod in GCE
**What this PR does / why we need it**:
Override the default nfs and hostpath recycler pod with the busybox image from gcr.io/google-containers. It does this by:
* writing out the new recycler pod spec to /home/kubernetes
* specifying recycler pod arguments to kube-controller-manager,
* adding a hostpath volume to the recycler pod spec in the kube-controller-manager manfiest
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix configuration of Metadata Agent daemon set
**What this PR does / why we need it**:
Fixes small errors in Stackdriver Metadata Agent configuration: port number and default version.
**Release note**:
```release-note
Fix port number and default Stackdriver Metadata Agent in daemon set configuration.
```
Automatic merge from submit-queue (batch tested with PRs 55360, 56444, 56687, 56791, 56802). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Configure metadata concealment iptables rules in node startup.
**What this PR does / why we need it**: Configure iptables rule for metadata concealment at startup so the pod doesn't have to, to reduce memory consumption.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Kubernetes Submit Queue