Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixes for HostIPC tests to work when Docker has SELinux support enabled.
**What this PR does / why we need it**:
Fixes for HostIPC tests to work when Docker has SELinux support enabled.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
N/A
**Special notes for your reviewer**:
The core of the matter is to use `ipcs` from util-linux rather than the one from busybox. The typical SELinux policy has enough to allow Docker containers (running under svirt_lxc_net_t SELinux type) to access IPC information by reading the contents of the files under /proc/sysvipc/, but not by using the shmctl etc. syscalls.
The `ipcs` implementation in busybox will use `shmctl(0, SHM_INFO, ...)` to detect whether it can read IPC info (see source code [here](https://git.busybox.net/busybox/tree/util-linux/ipcs.c?h=1_28_0#n138)), while the one in util-linux will prefer to read from the /proc files directly if they are available (see source code [here](https://github.com/karelzak/util-linux/blob/v2.27.1/sys-utils/ipcutils.c#L108)).
It turns out the SELinux policy doesn't allow the shmctl syscalls in an unprivileged container, while access to it through the /proc interface is fine. (One could argue this is a bug in the SELinux policy, but getting it fixed on stable OSs is hard, and it's not that hard for us to test it with an util-linux `ipcs`, so I propose we do so.)
This PR also contains a refactor of the code setting IpcMode, since setting it in the "common options" function is misleading, as on containers other than the sandbox, it ends up always getting overwritten, so let's only set it to "host" in the Sandbox.
It also has a minor fix for the `ipcmk` call, since support for size suffix was only introduced in recent versions of it.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Change manifest file perms to remove execute
**What this PR does / why we need it**:
Currently, the manifests generated by kubeadm have permission 0700. The kubernetes CIS benchmarks state the perms should be 0644 or better, so this change sets the file permissions to 0600, as they are static files, and don't need to be executable.
**Which issue(s) this PR fixes** *: Fixes # https://github.com/kubernetes/kubeadm/issues/678
**Special notes for your reviewer**:
None
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove setInitError.
**What this PR does / why we need it**:
Removes setInitError, it's not sure it was ever really used, and it causes the kubelet to hang and get wedged.
**Which issue(s) this PR fixes**
Fixes#46086
**Special notes for your reviewer**:
If `initializeModules()` in `kubelet.go` encounters an error, it calls `runtimeState.setInitError(...)`
47d61ef472/pkg/kubelet/kubelet.go (L1339)
The trouble with this is that `initError` is never cleared, which means that `runtimeState.runtimeErrors()` always returns this `initError`, and thus pods never start sync-ing.
In normal operation, this is expected and desired because eventually the runtime is expected to become healthy, but in this case, `initError` is never updated, and so the system just gets wedged.
47d61ef472/pkg/kubelet/kubelet.go (L1751)
We could add some retry to `initializeModules()` but that seems unnecessary, as eventually we'd want to just die anyway. Instead, just log fatal and die, a supervisor will restart us.
Note, I'm happy to add some retry here too, if that makes reviewers happier.
**Release note**:
```release-note
Prevent kubelet from getting wedged if initialization of modules returns an error.
```
@feiskyer @dchen1107 @janetkuo
@kubernetes/sig-node-bugs
Automatic merge from submit-queue (batch tested with PRs 59053, 59005). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Forcing get_node_name to continue searching for a node name.
There was a race condition where the kubelet was restarting and we were querying the api server for this node. In that case, we may get a valid list of nodes that doesn't include our node. This would cause the code to just raise an exception. Now we wait the full timeout before raising the exception.
**What this PR does / why we need it**:
Fixes a race condition on the get_node_name function inside the kubernetes-worker charm.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Fixed a race condition inside kubernetes-worker that would result in a temporary error situation.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Reset DeferredDiscoveryRESTMapper before use
DeferredDiscoveryRESTMapper won't automatically `Reset` itself before its
initial use, since actually trying to construct the delegate will error
out before it gets a chance to `Reset` itself. Ergo, we have to
manually call `Reset` before use.
Fixes#59043
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make eviction manager work with CRI container runtime.
Previously, eviction manager uses a function `HasDedicatedImageFs` in `pkg/kubelet/cadvisor` to detect whether image fs and root fs are on the same device.
However, it doesn't work with CRI container runtime which provides container/image stats through CRI. Thus all eviction tests for containerd are failing now. https://k8s-testgrid.appspot.com/sig-node-containerd#node-e2e-flaky
This PR makes it work with CRI container runtime.
@kubernetes/sig-node-pr-reviews
@yujuhong @yguo0905 @feiskyer @mrunalp @abhi @dashpole
Signed-off-by: Lantao Liu <lantaol@google.com>
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
none
```
They should both follow the convention of not being a pointer on the
internal type. This required adding a conversion function between
`int64` and `*int64`.
A side effect is this removes a warning in the generated code for the
apps API group.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[GCE] Set --kubelet-preferred-address-types on apiserver by default
**What this PR does / why we need it**:
We currently set the default value of `PreferredAddressTypes` in `KubeletConfig` for apiserver as below:
2f403b7ad1/cmd/kube-apiserver/app/options/options.go (L99-L110)
It denotes the ways (order matters) we prefer to use for kubelet connections, in which `NodeHostName` is listed as the most preferred one. However, it is not safe to assume `NodeHostName` will always be resolvable. This PR makes `InternalIP` as the most preferred one instead.
Note that this doesn't affect how the ssh tunnel is setup, which is configured explicitly elsewhere:
d0d1e1dcc4/pkg/master/master.go (L442-L445)d0d1e1dcc4/pkg/master/master.go (L388-L389)
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
/assign @bowei @cjcullen
cc @dnardo in case I made terrible mistakes.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kube-apiserver flag --admision-control is deprecated, use the new --e…
…nable-admission-plugins
**What this PR does / why we need it**:
1. As #58123 mark kube-apiserver flag `admission-control` deprecated, replace it in some places.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @liggitt @deads2k @sttts
DeferredDiscoveryRESTMapper won't automatically `Reset` itself before its
initial use, since actually trying to construct the delegate will error
out before it gets a chance to `Reset` itself. Ergo, we have to
manually call `Reset` before use.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
code cleanup in integration test framework
**What this PR does / why we need it**:
code cleanup
**Special notes for your reviewer**:
/kind cleanup
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix mistaken info print
**What this PR does / why we need it**:
fix mistaken info print
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
deprecate insecure http flags and remove already deprecated flags
**What this PR does / why we need it**:
1. deprecate `insecure-bind-address` `insecure-port` flags
2. remove flags `public-address-override` `address` `port` They are mark deprecated in #36604, which is more than a year ago.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58951
**Special notes for your reviewer**:
**Release note**:
```release-note
Deprecate insecure flags `--insecure-bind-address`, `--insecure-port` and remove `--public-address-override`.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
use glog.info instead of glog.infof when no format
**What this PR does / why we need it**:
use glog.info instead of glog.infof when no format
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 59012, 58871). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Support GetLabelsForVolume In OpenStack
**What this PR does / why we need it**:
Since PersistentVolumeLabelController will invoke ```GetLabelsForVolume``` interface
in Cloud-Controller-Manager, OpenStack Provider should support it.
https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/cloud.go#L213
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#58870
**Special notes for your reviewer**:
**Release note**:
```release-note
Support GetLabelsForVolume in OpenStack Provider
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Build using go1.9.3
**What this PR does / why we need it**: more minor bugfixes, which I guess we probably want. https://github.com/golang/go/issues?q=milestone%3AGo1.9.3
**Special notes for your reviewer**: I haven't built/pushed the crossbuild image yet, but will do so if we think this is a good idea. I don't have plans to rebuild the test images.
**Release note**:
```release-note
Build using go1.9.3.
```
Who are good people to review this?
/assign @cblecker @luxas
(for lack of better ideas)
Automatic merge from submit-queue (batch tested with PRs 57322, 57723, 58706, 59004, 58857). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Skip rescheduler test.
Skip the rescheduler test per discussion https://github.com/kubernetes/kubernetes/issues/59002.
The test `[sig-scheduling] Rescheduler [Serial] should ensure that critical pod is scheduled in case there is no resources available` has failing for a long time. And the serial suite is never green because of it. https://k8s-testgrid.appspot.com/google-gce#gci-gce-serial
@kubernetes/sig-scheduling-misc
Signed-off-by: Lantao Liu <lantaol@google.com>
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
none
```
Automatic merge from submit-queue (batch tested with PRs 57322, 57723, 58706, 59004, 58857). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adding downgrade test for ingress-gce
**What this PR does / why we need it**:
This PR improves the existing downgrade e2e test for ingress-gce. Specifically, we add a test which downgrades ingress from an image built from HEAD to the latest release image.
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 57322, 57723, 58706, 59004, 58857). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Make the pause image a manifest list
**What this PR does / why we need it**:
Build and push manifest for kubernetes images
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubernetes/issues/57869
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use GetDryRunFlag to keep consistent
**What this PR does / why we need it**:
There's a cmd util GetDryRunFlag, but we still get 'dry-run' directly somewhere. This PR makes them consistent.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57467, 58996). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Set generate-kubelet-config-file to true by default.
This should fix the flaky suite.
https://k8s-testgrid.appspot.com/sig-node-kubelet#kubelet-flaky-gce-e2e
@mtaufen /cc @kubernetes/sig-node-bugs
Signed-off-by: Lantao Liu <lantaol@google.com>
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
none
```
Automatic merge from submit-queue (batch tested with PRs 57467, 58996). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove flaky label from Eviction tests
**What this PR does / why we need it**:
All eviction tests in the flaky suite are no longer flaky. Remove the flaky label to move them from the flaky suite to the serial suite.
I removed the QoS-based memory eviction test since it does not reflect the current eviction strategy.
**Release note**:
```release-note
NONE
```
/assign @mtaufen @Random-Liu
/sig node
/priority important-soon
/kind cleanup
Several of the tests("It") in the e2e suite reuse the config name.
Since these tests can be running in parallel, causing intermittant
failures.
Changes the test so each test uses a different name.
Restructured the tests to make it easier to make sure the name in a
test is being used consistently.
Fix feedback from @caesarxuchao
Fixed format.
Kubernetes Submit Queue