Automatic merge from submit-queue
add import cycle checking for staging to verify scripts
Adds an import cycle check to verify scripts since we can't yet use import-boss. See https://github.com/kubernetes/gengo/pull/27 for details, but since the rule is very simple and global, this ought to provide sufficient protection.
@kubernetes/sig-api-machinery-misc
Automatic merge from submit-queue (batch tested with PRs 36229, 39450)
Bump etcd to 3.0.14 and switch to v3 API in etcd.
Ref #20504
**Release note**:
```release-note
Switch default etcd version to 3.0.14.
Switch default storage backend flag in apiserver to `etcd3` mode.
```
Automatic merge from submit-queue
Adding test-federation-cmd.sh to test kubectl with federation apiserver
There are 2 parts to the PR:
* Adding ability to run kubectl tests for a subset of resources.
* Adding test-federation-cmd.sh that runs kubectl tests for resources that are supported by federation-apiserver.
cc @kubernetes/sig-federation @kubernetes/sig-api-machinery
```release-note
Adding kubectl tests for federation
```
Automatic merge from submit-queue (batch tested with PRs 39405, 39371)
hack/local-up-cluster.sh: fix typo in error message
This commit fixes typo in error message and also removes stale comment from `hack/local-up-cluster.sh`.
Automatic merge from submit-queue (batch tested with PRs 39022, 39331, 39070, 39344)
Add a build rule for the boilerplate unit test.
We recently added unit tests that just run whenever you run `hack/verify_boilerplate.sh`, which really isn't the right time to do that. This adds a build rule instead.
Automatic merge from submit-queue
Begin paths for internationalization in kubectl
This is just the first step, purposely simple so we can get the interface correct.
@kubernetes/sig-cli @deads2k
Automatic merge from submit-queue (batch tested with PRs 36751, 38968)
Convert * users/groups to system:authenticated group in ABAC
Part of enabling anonymous auth by default in 1.6 means protecting earlier policies that did not intend to grant access to anonymous users.
This modifies ABAC policies that match `user` or `group` `*` to only match authenticated users.
Docs PR to update examples to use `system:authenticated` or `system:unauthenticated` groups explicitly: https://github.com/kubernetes/kubernetes.github.io/pull/1992
```release-note
ABAC policies using "user":"*" or "group":"*" to match all users or groups will only match authenticated requests. To match unauthenticated requests, ABAC policies must explicitly specify "group":"system:unauthenticated"
```
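The effect of the ABAC change above on an anonymous request, as an added illustration (not code from the Kubernetes repository or from this PR). The types `policy` and `request`, the functions `loadPolicies` and `authorize`, and the two sample policy lines are constructed for this sketch; only the subject, resource and readonly fields are modelled.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Groups attached to authenticated and anonymous requests respectively.
const (
	allAuthenticated   = "system:authenticated"
	allUnauthenticated = "system:unauthenticated"
)

// policy holds the subset of an ABAC policy line used in this sketch.
type policy struct {
	Spec struct {
		User     string `json:"user"`
		Group    string `json:"group"`
		Resource string `json:"resource"`
		Readonly bool   `json:"readonly"`
	} `json:"spec"`
}

// request is a simplified stand-in for the attributes of an API request.
type request struct {
	User     string
	Groups   []string
	Resource string
	Write    bool
}

// samplePolicies is a constructed policy file: one JSON object per line.
const samplePolicies = `{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"*","resource":"pods","readonly":true}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"group":"system:unauthenticated","resource":"events","readonly":true}}`

// loadPolicies parses the file. With convertWildcards set, a "*" user or group
// is rewritten to the system:authenticated group, as the release note describes.
func loadPolicies(text string, convertWildcards bool) ([]policy, error) {
	var out []policy
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var p policy
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, fmt.Errorf("line %d: %v", n, err)
		}
		if convertWildcards && (p.Spec.User == "*" || p.Spec.Group == "*") {
			p.Spec.User, p.Spec.Group = "", allAuthenticated
		}
		out = append(out, p)
	}
	return out, sc.Err()
}

// subjectMatches keeps the old meaning of "*" (any caller) for policies that
// were loaded without conversion, so both behaviours can be compared.
func subjectMatches(p policy, r request) bool {
	inGroup := false
	for _, g := range r.Groups {
		inGroup = inGroup || g == p.Spec.Group
	}
	userOK := p.Spec.User == "" || p.Spec.User == "*" || p.Spec.User == r.User
	groupOK := p.Spec.Group == "" || p.Spec.Group == "*" || inGroup
	return (p.Spec.User != "" || p.Spec.Group != "") && userOK && groupOK
}

// authorize allows the request if any policy matches subject, resource and verb.
func authorize(policies []policy, r request) bool {
	for _, p := range policies {
		resOK := p.Spec.Resource == "*" || p.Spec.Resource == r.Resource
		if subjectMatches(p, r) && resOK && (!r.Write || !p.Spec.Readonly) {
			return true
		}
	}
	return false
}

func main() {
	anon := request{User: "system:anonymous", Groups: []string{allUnauthenticated}, Resource: "pods"}
	for _, convert := range []bool{false, true} {
		ps, _ := loadPolicies(samplePolicies, convert)
		fmt.Printf("wildcards converted=%v: anonymous read of pods allowed=%v\n", convert, authorize(ps, anon))
	}
}
```
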
Automatic merge from submit-queue
create kubernetes-discovery image
Creates an image for `kubernetes-discovery` since this is the API registration, aggregation, and proxy image.
Automatic merge from submit-queue
Coreos kube-up now with less cloud init
This update includes significant refactoring. It moves almost all of the
logic into bash scripts, modeled after the `gci` cluster scripts.
The reason to do this is:
1. Avoid duplicating the saltbase manifests by reusing gci's parsing logic (easier maintenance)
2. Take an incremental step towards sharing more code between gci/trusty/coreos, again for better maintenance
3. Pave the way for making future changes (e.g. improved rkt support, kubelet support) easier to share
The primary differences from the gci scripts are the following:
1. Use of the `/opt/kubernetes` directory over `/home/kubernetes`
2. Support for rkt as a runtime
3. No use of logrotate
4. No use of `/etc/default/`
5. No logic related to noexec mounts or gci-specific firewall-stuff
It will make sense to move 2 over to gci, as well as perhaps a few other small improvements. That will be a separate PR for ease of review.
Ref #29720, this is a part of that because it removes a copy of them.
Fixes #24165
cc @yifan-gu
Since this logic largely duplicates logic from the gci folder, it would be nice if someone closely familiar with that gave an OK or made sure I didn't fall into any gotchas related to that, so cc @andyzheng0831
Automatic merge from submit-queue (batch tested with PRs 38426, 38917, 38891, 38935)
Remove cluster/mesos from hack/verify-flags/exceptions.txt
`cluster/mesos` scripts were removed, so remove them from `hack/verify-flags/exceptions.txt`.
The diff was generated by `hack/verify-flags-underscore.py -e > hack/verify-flags/exceptions.txt`.
Automatic merge from submit-queue
Curating Owners: hack/jenkins
cc @rmmh @spxtr @ixdy @fejta
In an effort to expand the existing pool of reviewers and establish a
two-tiered review process (first someone lgtms and then someone
experienced in the project approves), we are adding new reviewers to
existing owners files.
If You Care About the Process:
------------------------------
We did this by algorithmically figuring out who’s contributed code to
the project and in what directories. Unfortunately, that doesn’t work
well: people that have made mechanical code changes (e.g. change the
copyright header across all directories) end up as reviewers in lots of
places.
Instead of using pure commit data, we generated an excessively large
list of reviewers and pruned based on all time commit data, recent
commit data and review data (number of PRs commented on).
At this point we have a decent list of reviewers, but it needs one last
pass for fine tuning.
Also, see https://github.com/kubernetes/contrib/issues/1389.
TLDR:
-----
As an owner of a sig/directory and a leader of the project, here’s what
we need from you:
1. Use PR https://github.com/kubernetes/kubernetes/pull/35715 as an example.
2. The pull-request is made editable, please edit the `OWNERS` file to
remove the names of people that shouldn't be reviewing code in the
future in the **reviewers** section. You probably do NOT need to modify
the **approvers** section. Names are sorted by relevance, using some
secret statistics.
3. Notify me if you want some OWNERS file to be removed. Being an
approver or reviewer of a parent directory makes you a reviewer/approver
of the subdirectories too, so not all OWNERS files may be necessary.
4. Please use ALIAS if you want to use the same list of people over and
over again (don't hesitate to ask me for help, or use the pull-request
above as an example)
Automatic merge from submit-queue (batch tested with PRs 38525, 38977)
add service status detection to kubernetes-discovery
This adds an inspection of services and endpoints before adding the APIService to kubernetes-discovery. This keeps a single bad API service from killing old clients since proxying will fail.
Automatic merge from submit-queue
conversion-gen: add --skip-unsafe flag
We should expose the SkipUnsafe option, for legacy compatibility, so
that conversion-go can be used in other projects, and for platforms
where unsafe is not available.
Make unsafe code generation the default though, and have the help text
hint that the resulting code is sub-optimal.
Automatic merge from submit-queue (batch tested with PRs 37468, 36546, 38713, 38902, 38614)
Remove extensions/v1beta1 Job
Fixes https://github.com/kubernetes/kubernetes/issues/32763. This endpoint was deprecated in 1.5 and was planned to be removed in 1.6.
**Release note**:
```release-note
Remove extensions/v1beta1 Jobs resource, and job/v1beta1 generator.
```
Automatic merge from submit-queue (batch tested with PRs 37468, 36546, 38713, 38902, 38614)
local-up-cluster additions
**What this PR does / why we need it**:
Changes to local-cluster-up: These include: 1) a simple additional help option. 2) additional error message to not being able to run `docker ps`. 3) fail faster when etcd is not found in path. Hopefully these make developing a bit more pleasant.
**Release note**:
```NONE
```
Automatic merge from submit-queue (batch tested with PRs 38888, 38895)
Bundle federation/develop directory in the test tarball for federation testing.
cc @kubernetes/sig-federation-misc
Automatic merge from submit-queue
use in-cluster kubeconfig for genericapiserver
Allow the use of the in-cluster config to communicate with the core API server for delegated authn/authz for an addon API server.
@kubernetes/sig-api-machinery @sttts
from etcd.sh split the start process into validate function + start function so that the validate piece can be reused elsewhere. the up-cluster script has been changed to remove duplicate docker logic to the one used in build-tools/common.sh and the validate etcd function is now used here.
moved docker daemon check function to util.sh and made function name changes and upstream changes.
The current dev-build-*.sh scripts do a full release build which means
running tests and also doing cross-platform builds. This is unnecessary
and after discussing this in Slack it was suggested to either blow away
these files or fix them. This should fix them.
Automatic merge from submit-queue (batch tested with PRs 38783, 36396)
hack/cherry_pick_pull.sh: cleanup patch files
this was driving me nuts.
it will now remove the patch files from /tmp
Automatic merge from submit-queue
Rename root BUILD to BUILD.bazel, and rename build-tools/ back to build/
**What this PR does / why we need it**: undoes #35453. `build-tools/` was intended to be a temporary workaround until https://github.com/bazelbuild/bazel/issues/552 was fixed, which it has been, as of bazel 0.4.1.
**Which issue this PR fixes**: fixes #38126
FYI @thockin
since this is likely to be rebase hell, my list of actions:
```console
$ git mv BUILD BUILD.bazel
$ git commit -a
$ git mv build-tools/ build/
$ sift -l 'build-tools' | xargs sed -i -e 's:build-tools/:build/:g'
$ git checkout HEAD docs/
$ git commit -a
```
Automatic merge from submit-queue (batch tested with PRs 37708, 34410)
Add restclientconfig helper fn for parsing timeout
Related downstream PR: https://github.com/openshift/origin/pull/12062 (example of use-case for this patch)
**Release note**:
```release-note
release-note-none
```
This patch adds a package `pkg/client/unversioned/clientcmd/util` and
defines a `ParseTimeout` helper function for parsing time from a
user-defined string. This allows code re-use in other packages that
require the creation of a new restclient (and therefore must set the
`--global-timeout` flag value manually).
@fabianofranz @kubernetes/cli-review
Automatic merge from submit-queue (batch tested with PRs 38154, 38502)
Rename "release_1_5" clientset to just "clientset"
We used to keep multiple releases in the main repo. Now that [client-go](https://github.com/kubernetes/client-go) does the versioning, there is no need to keep releases in the main repo. This PR renames the "release_1_5" clientset to just "clientset", clientset development will be done in this directory.
@kubernetes/sig-api-machinery @deads2k
```release-note
The main repository does not keep multiple releases of clientsets anymore. Please find previous releases at https://github.com/kubernetes/client-go
```
Automatic merge from submit-queue (batch tested with PRs 38727, 38726, 38347, 38348)
Second pass of renaming kube-dns configure files
Continue work of #38523.
Not sure why cluster/centos/deployAddons.sh was omitted in previous PR. Also deletes the non-use `DNS_REPLICAS` var and changes `-rc` suffix in hack/local-up-cluster.sh.
@thockin @bowei @deads2k
Automatic merge from submit-queue (batch tested with PRs 35436, 37090, 38700)
Significantly speed-up make
- do not call `dirname` for every go file => gives **>8 seconds** on each make run
- do not preserve time during rsync from `_output/local/go/bin` to `_output/local/bin/<os>/<arch>`:
We do a touch after our rebuild heuristic triggers.
If in `_output/local/go/bin` you have an older binary and go decides that it's good enough, the following rsync will "preserve the timestamp" of the binary copy in `_output/local/bin/<os>/<arch>`. This reverts the effect of any previous `touch` (compare `Makefile.generated_files`).
We do a complete rsync of binaries for each go target, not only the one which is rebuilt. This means that later go targets will overwrite the timestamps of freshly touched binaries. Hence, our rebuild heuristic will trigger again and again when running `make`.
This PR removes the "preserve mtime" from the rsync call. Hence, the effect of touch is not reverted anymore by later rsyncs.
Automatic merge from submit-queue (batch tested with PRs 38315, 38624, 38572, 38544)
Fix code coverage in build script on OS X.
Fixes #20223
- Fixes code coverage in build script on BSD systems (including OS X).
- Supersedes #38536.
Successfully tested on two platforms:
```
Darwin <hostname> 16.1.0 Darwin Kernel Version 16.1.0: Thu Oct 13 21:26:57 PDT 2016; root:xnu-3789.21.3~60/RELEASE_X86_64 x86_64
```
```
Linux <hostname> 4.4.14-040414-generic #201606241434 SMP Fri Jun 24 18:36:45 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
```
cc @ixdy @mfanjie @balajismaniam @smarterclayton @soltysh
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 38315, 38624, 38572, 38544)
kubernetes-discovery proxy
The last commit adds an authenticating (but not authorizing) proxy to `kubernetes-discovery`. The other commits are in the submit queue already.
@sttts @cjcullen This is it. After this we can start e2e wiring.
Automatic merge from submit-queue
Leak filling for newline format on benchmark-go.sh
**What this PR does / why we need it**: make hack/benchmark-go.sh work
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**: First commit :D , did I make a wrong modification?
**Release note**:
```release-note
```
Automatic merge from submit-queue
goflags must be after subcommand
**What this PR does / why we need it**:
if GOFLAGS is set when calling make, kubernetes will fail to build
as an example, I often have `GOFLAGS=-v` so I can have some idea of progress during compilation
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
no known issue
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 38277, 36361, 38452)
local-up: resolve sudo -E'd paths better
This problem won't affect everyone, but for people who have `--with-secure-path` configured for their sudo binaries, `sudo -E` won't actually preserve PATH, which means the sub-bash won't necessarily be able to find the binary which `test` found to exist.
This fixes that.
Ubuntu [used to](https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/50797) configure it that way, and they might still.
It's configured as such on my (Gentoo) machine.
Automatic merge from submit-queue (batch tested with PRs 38277, 36361, 38452)
Add options for build container rsync optimization
KUBE_RSYNC_COMPRESS env var sets rsync compression level.
KUBE_RSYNC_GENERATED_TO_BUILD_CONTAINER env var disables rsyncing
generated files to build containers.
Why KUBE_RSYNC_COMPRESS is needed -- from rsync manual on `--compress` option (implied by non-zero `--compress-level`):
> Note that this option typically achieves better compression ratios than can be achieved by using a compressing remote shell or a compressing transport because it takes advantage of the implicit information in the matching data blocks that are not explicitly sent over the connection.
Use case for `KUBE_RSYNC_GENERATED_TO_BUILD_CONTAINER`: when you sometimes build stuff locally (e.g. `make WHAT=cmd/kubectl`) and sometimes do it on remote docker (`build-tools/run.sh make WHAT=cmd/hyperkube`), local builds touch generated files which causes them to be rsynced to the build data container, which may slow down the builds. Still, I'm not sure whether local->remote rsync of generated files is useful (e.g. someone may want to edit generated files for debugging purposes?), so I made not rsyncing these files an option instead of forcing such behavior.
Automatic merge from submit-queue (batch tested with PRs 34002, 38535, 37330, 38522, 38423)
Node E2E: `make test-e2e-node` runs the same test with pr builder by default.
This PR makes `make test-e2e-node` run non-serial, non-flaky, non-slow test by default.
This will make it easier to use.
/cc @timstclair
Automatic merge from submit-queue (batch tested with PRs 37270, 38309, 37568, 34554)
Remove update/verify-munge-docs.sh
These scripts are no longer needed because:
1. most docs are moved to other repos
2. the mungers are pre-processing the docs for gh pages, which are created with a whole different process now.
cc @bgrant0607 @thockin
Automatic merge from submit-queue (batch tested with PRs 37860, 38429, 38451, 36050, 38463)
[Part 2] Adding s390x cross-compilation support for gcr.io images in this repo
**What this PR does / why we need it**: This PR enables s390x support to kube-dns, pause, addon-manager, etcd, hyperkube, kube-discovery etc. This PR also includes the changes due to which it can be cross compiled on x86 host architecture.
**Which issue this PR fixes**: #34328
**Special notes for your reviewer**: In existing file "build-tools/build-image/cross/Dockerfile" the repository mentioned for installing cross build tool chains for supporting architecture does not have a tool chain for s390x hence in my PR I am changing the repository so that it will be cross compiled for s390x.
**Release note**:
```
Allows cross compilation of Kubernetes on x86 host for s390x also enables s390x support to kube-dns , pause, addon-manager, etcd, hyperkube, kube-discovery etc
```
Automatic merge from submit-queue (batch tested with PRs 38284, 38403, 38265)
Fix local up cluster dns with RBAC
The DNS server needs permissions to run using RBAC. This does it with a big hammer before we sort out tight permissions.
@fabianofranz for the CLI change
@xilabao for the local-up-cluster change
Automatic merge from submit-queue (batch tested with PRs 38278, 37770)
Refactor REST storage to use generic defaults
This removes the repetition in the REST storage builders by moving the logic to `restoptions.ApplyOptions`. `registry.StorageWithCacher`/`generic.StorageDecorator` no longer assume that they can build the `keyFunc` for arbitrary objects. `restoptions.ApplyOptions` uses the `registry.Store`'s `KeyFunc` for its call to `generic.StorageDecorator`.
```release-note
Cluster federation servers have changed the location in etcd where federated services are stored, so existing federated services must be deleted and recreated. Before upgrading, export all federated services from the federation server and delete the services. After upgrading the cluster, recreate the federated services from the exported data.
```
On machines where sudo is configured with the `--with-secure-path`
option, the `sudo -E /bin/bash` portions of the script would execute
with a different path (e.g. not including $GOPATH/bin) and thus could
fail even though the check for those binaries passed.
Automatic merge from submit-queue (batch tested with PRs 36310, 37349, 38319, 38402, 38338)
add summarizing discovery controller and handlers
Requires https://github.com/kubernetes/kubernetes/pull/38304 .
This adds discovery support to the new `kubernetes-discovery` that runs based on a controller wired up to the `APIService.apiregistration.k8s.io`. It also adds in plumbing for `local-up-cluster.sh` to register the "normal" kube resources.
@kubernetes/sig-api-machinery
@sttts
Automatic merge from submit-queue
[Federation] Make federation etcd PVC size configurable
This one implements one of the many TODO items pending in the previous set of kubefed PRs.
The design doc PR is at https://github.com/kubernetes/kubernetes/pull/34484
cc @kubernetes/sig-cluster-federation @madhusudancs
**Release note**:
```
[Federation] kubefed init now has a new flag, --etcd-pv-capacity, which can be used to configure the persistent volume capacity for etcd.
```
Automatic merge from submit-queue
kubedns: use initial resource listing as ready signal
Fix #35140.
Set up the ready signal after the first resource listing has finished for both endpoints and services instead of listening on the kubernetes service.
@bprashanth @bowei @thockin
**Release note**:
```
```
Automatic merge from submit-queue
Fix local-cluster-up on Mac and discovery on all systems
- use cfssl on the host, not from Docker. Solves a number of permission problems with selinux and Mac
- fix discovery startup
Automatic merge from submit-queue (batch tested with PRs 38260, 32811, 28458, 33570, 37096)
Fix support for DNS in local-up-cluster.sh
The default appears to be gce now, so this tries to spawn a service in
gce... not the desired outcome for a local test setup.
We also need to sync the kubectl config in the script with the instructions for users, since if people don't test with DNS enabled, it bitrots (which this aims to fix).
To test manually, run something like
```
sudo KUBE_ENABLE_CLUSTER_DNS=true API_HOST_IP=0.0.0.0 ./hack/local-up-cluster.sh
```
The API_HOST_IP=0.0.0.0 is required, otherwise the master is not contactable by kubedns, and the dns pod will fail readychecking on the healthz pod.
Automatic merge from submit-queue (batch tested with PRs 38318, 38258)
kernel memcg notification enabled via experimental flag
Kubelet integrates with kernel memcg notification API if and only if enabled via experimental flag.
Automatic merge from submit-queue (batch tested with PRs 36543, 38189, 38289, 38291, 36724)
add authentication/authorization to kubernetes-discovery
Wires authentication and authorization into `kubernetes-discovery` and re-enables the `local-up-cluster.sh` along with proper permission granting for RBAC cases.
@sttts @liggitt
Automatic merge from submit-queue (batch tested with PRs 35101, 38215, 38092)
fix informer generation
Informer generation doesn't work for informers from a different clientset. This updates the generator to generate the internal interfaces required to break the cycle.
@ncdc take a look at the last two commits.
Automatic merge from submit-queue
Disable kubernetes-discovery in local-up-cluster.sh
fix #38257
Fixes local-up-cluster until kubernetes-discovery flags are hooked up
Automatic merge from submit-queue
update local-up-cluster to allow full authentication proxying
Adds group and header information in auth proxy authenticator options for `local-up-cluster.sh`. Must have been missed in the rebase madness.
Automatic merge from submit-queue (batch tested with PRs 38173, 38151, 38197, 38221)
Include resource type headers in diff report
**What this PR does / why we need it**: when checking for leaked resources, we report a failure only if there were additions to the diff - we don't want resources that were deleted during the run to count as a failure.
The logic for this removes the resource type headers from the diff report, however, so it's harder to understand what leaked.
For example, in https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/ci-kubernetes-e2e-gke-alpha-features-release-1.5/196/, the test failure shows
```
Error: 4 leaked resources
+NAME REGION IP_ADDRESS IP_PROTOCOL TARGET
+a66878dbaad1f11e695b342010af0002 us-central1 104.198.182.83 TCP us-central1/targetPools/a66878dbaad1f11e695b342010af0002
+NAME REGION SESSION_AFFINITY BACKUP HEALTH_CHECKS
+a66878dbaad1f11e695b342010af0002 us-central1 a66878dbaad1f11e695b342010af0002
```
but the [actual diff](https://storage.googleapis.com/kubernetes-jenkins/logs/ci-kubernetes-e2e-gke-alpha-features-release-1.5/196/artifacts/gcp-resources-diff.txt) contains more information:
```
--- /workspace/_artifacts/gcp-resources-before.txt 2016-12-01 14:39:14.260049037 -0800
+++ /workspace/_artifacts/gcp-resources-after.txt 2016-12-01 14:39:14.260049037 -0800
@@ -34,8 +34 @@ [ addresses ]
-NAME REGION ADDRESS STATUS
-a03d0e020a6bc11e6855f42010af0001 us-central1 104.197.135.88 RESERVED
-a23f20a47a6a011e6829a42010af0004 us-central1 104.197.147.212 RESERVED
-a32291b51a5e611e6b73342010af0002 us-central1 104.198.171.178 RESERVED
-a3c93cf79a65811e6b7c242010af0001 us-central1 104.198.58.57 RESERVED
-a9ac5bd1ba62811e68d1142010af0004 us-central1 104.154.134.135 RESERVED
-adae4c1a7a69511e6b2df42010af0000 us-central1 104.198.182.83 RESERVED
-adb4a80caa60311e689a942010af0001 us-central1 104.154.116.195 RESERVED
+
@@ -64 +57,2 @@ [ forwarding-rules ]
-
+NAME REGION IP_ADDRESS IP_PROTOCOL TARGET
+a66878dbaad1f11e695b342010af0002 us-central1 104.198.182.83 TCP us-central1/targetPools/a66878dbaad1f11e695b342010af0002
@@ -68 +62,2 @@ [ target-pools ]
-
+NAME REGION SESSION_AFFINITY BACKUP HEALTH_CHECKS
+a66878dbaad1f11e695b342010af0002 us-central1 a66878dbaad1f11e695b342010af0002
```
This PR will include the `[ type header ]`s in the report if resources are leaked.
cc @fejta