Automatic merge from submit-queue (batch tested with PRs 51425, 51404, 51459, 51504, 51488)
simplify Run in controllermanager.go
**What this PR does / why we need it**:
remove part of code in controllermanager.go to createclient,createRecorder,startHTTP function
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 51425, 51404, 51459, 51504, 51488)
Use glog instaed of fmt.Printf
Signed-off-by: sakeven <jc5930@sina.cn>
**What this PR does / why we need it**:
The log `fmt.Printf` produces is inconsistent with `glog`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 51471, 50561, 50435, 51473, 51436)
Feature gate initializers field
The metadata.initializers field should be feature gated and disabled by default while in alpha, especially since enforcement of initializer permission that keeps users from submitting objects with their own initializers specified is done via an admission plugin most clusters do not enable yet.
Not gating the field and tests caused tests added in https://github.com/kubernetes/kubernetes/issues/51429 to fail on clusters that don't enable the admission plugin.
This PR:
* adds an `Initializers` feature gate, auto-enables the feature gate if the admission plugin is enabled
* clears the `metadata.initializers` field of objects on create/update if the feature gate is not set
* marks the e2e tests as feature-dependent (will follow up with PR to test-infra to enable the feature and opt in for GCE e2e tests)
```release-note
Use of the alpha initializers feature now requires enabling the `Initializers` feature gate. This feature gate is auto-enabled if the `Initialzers` admission plugin is enabled.
```
Automatic merge from submit-queue (batch tested with PRs 50932, 49610, 51312, 51415, 50705)
Add --request-timeout to kube-apiserver to make global request timeout configurable
**What this PR does / why we need it**:
Make the currently hard coded 60 global request timeout in apiserver configurable via a --request-timeout command line flag.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
https://github.com/kubernetes/kubernetes/issues/51355
**Special notes for your reviewer**:
We plan to backport this to 1.6 and 1.7. To ease the backport work, we've kept this change to a minimum. After this PR we will submit an additional PR to rename `--min-request-timeout` to something that more clearly describes it's purpose, such as `--long-running-request-timeout-min`.
**Release note**:
```release-note
Add --request-timeout to kube-apiserver to make global request timeout configurable.
```
Automatic merge from submit-queue (batch tested with PRs 50932, 49610, 51312, 51415, 50705)
Deprecation warnings for auto detecting cloud providers
**What this PR does / why we need it**:
Adds deprecation warnings for auto detecting cloud providers. As part of the initiative for out-of-tree cloud providers, this feature is conflicting since we're shifting the dependency of kubernetes core into cAdvisor. In the future kubelets should be using `--cloud-provider=external` or no cloud provider at all.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#50986
**Special notes for your reviewer**:
NOTE: I still have to coordinate with sig-node and kubernetes-dev to get approval for this deprecation, I'm only opening this PR since we're close to code freeze and it's something presentable.
**Release note**:
```release-note
Deprecate auto detecting cloud providers in kubelet. Auto detecting cloud providers go against the initiative for out-of-tree cloud providers as we'll now depend on cAdvisor integrations with cloud providers instead of the core repo. In the near future, `--cloud-provider` for kubelet will either be an empty string or `external`.
```
Automatic merge from submit-queue (batch tested with PRs 49861, 50933, 51380, 50688, 51305)
Add configurable groups to bootstrap tokens.
**What this PR does / why we need it**:
This change adds support for authenticating bootstrap tokens into a configurable set of extra groups in addition to `system:bootstrappers`. Previously, bootstrap tokens could only ever authenticate to the `system:bootstrappers` group.
Groups are specified as a comma-separated list in the `auth-extra-groups` key of the `bootstrap.kubernetes.io/token` Secret, and must begin with the prefix `system:bootstrapper:` (and match a validation regex that checks against our normal convention). Whether or not any extra groups are configured, `system:bootstrappers` will still be added.
This also adds a `--groups` flag for `kubeadm token create`, which sets the `auth-extra-groups` key on the resulting Secret. The default is to not set the key.
`kubeadm token list` is also updated to include a `EXTRA GROUPS` output column.
**Which issue this PR fixes**: fixes#49306
**Special notes for your reviewer**:
The use case for this is in https://github.com/kubernetes/kubernetes/issues/49306. Comments on the feature itself are probably better over there. It will be part of how HA/self-hosting kubeadm bootstraps new master nodes (post 1.8).
**Release note**:
```release-note
Add support for configurable groups for bootstrap token authentication.
```
cc @luxas @kubernetes/sig-cluster-lifecycle-api-reviews @kubernetes/sig-auth-api-reviews
/kind feature
Automatic merge from submit-queue
kubeadm: Rename FeatureFlags to FeatureGates
**What this PR does / why we need it**:
Automatic rename from `FeatureFlags` to `FeatureGates`, as I noticed that's the real name for this feature. This is for consistency in the API and generally in the code.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @fabriziopandini @jamiehannaford
Automatic merge from submit-queue (batch tested with PRs 49849, 50334, 51414)
kubeadm: Use the --enable-bootstrap-token-auth flag when possible
**What this PR does / why we need it**:
Uses the right API server flag for the right version.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/414
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @mattmoyer
Automatic merge from submit-queue
Remove null -> [] slice hack
Closes#44593
When 1.6 added protobuf storage, the storage layer lost the ability to persist slice fields with empty but non-null values.
As a workaround, we tried to convert empty slice fields to `[]`, rather than `null`. Compressing `null` -> `[]` was just as much of an API breakage as `[]` -> `null`, but was hoped to cause fewer problems in clients that don't do null checks.
Because of conversion optimizations around converting lists of objects, the `null` -> `[]` hack was discovered to only apply to individual get requests, not to a list of objects. 1.6 and 1.7 was released with this behavior, and the world didn't explode. 1.7 documented the breaking API change that `null` and `[]` should be considered equivalent, unless otherwise noted on a particular field.
This PR:
* Reverts the earlier attempt (https://github.com/kubernetes/kubernetes/pull/43422) at ensuring non-null json slice output in conversion
* Makes results of `get` consistent with the results of `list` (which helps naive clients that do deepequal comparisons of objects obtained via list/watch and get), and allows empty slice fields to be returned as `null`
```release-note
Protobuf serialization does not distinguish between `[]` and `null`.
API fields previously capable of storing and returning either `[]` and `null` via JSON API requests (for example, the Endpoints `subsets` field) can now store only `null` when created using the protobuf content-type or stored in etcd using protobuf serialization (the default in 1.6+). JSON API clients should tolerate `null` values for such fields, and treat `null` and `[]` as equivalent in meaning unless specifically documented otherwise for a particular field.
```
Automatic merge from submit-queue (batch tested with PRs 51391, 51338, 51340, 50773, 49599)
modify an little gammer error.
**What this PR does / why we need it**:
I found that it used "Found" in the middle of sentence. I think use "found" in the middle of sentence is better than "Found" ,so I modified it.
Automatic merge from submit-queue (batch tested with PRs 51174, 51363, 51087, 51382, 51388)
kubeadm: Move the uploadconfig phase right in the beginning of cluster init
**What this PR does / why we need it**:
In order to be forwards-compatible, I'm moving the uploadconfig to be the first thing in the chain in order to make it possible to rely on it being present in future releases when we have a beta or higher API to rely on.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 51054, 51101, 50031, 51296, 51173)
Add host mountpath to controller-manager for flexvolume dir
Controller manager needs access to Flexvolume plugin when using attach-detach controller interface.
This PR adds the host mount path for the default directory of flexvolume plugins
Fixes https://github.com/kubernetes/kubeadm/issues/410
Automatic merge from submit-queue (batch tested with PRs 51054, 51101, 50031, 51296, 51173)
Dynamic Flexvolume plugin discovery, probing with filesystem watch.
**What this PR does / why we need it**: Enables dynamic Flexvolume plugin discovery. This model uses a filesystem watch (fsnotify library), which notifies the system that a probe is necessary only if something changes in the Flexvolume plugin directory.
This PR uses the dependency injection model in https://github.com/kubernetes/kubernetes/pull/49668.
**Release Note**:
```release-note
Dynamic Flexvolume plugin discovery. Flexvolume plugins can now be discovered on the fly rather than only at system initialization time.
```
/sig-storage
/assign @jsafrane @saad-ali
/cc @bassam @chakri-nelluri @kokhang @liggitt @thockin
Automatic merge from submit-queue (batch tested with PRs 50889, 51347, 50582, 51297, 51264)
Change eviction manager to manage one single local storage resource
**What this PR does / why we need it**:
We decided to manage one single resource name, eviction policy should be modified too.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: part of #50818
**Special notes for your reviewer**:
**Release note**:
```release-note
Change eviction manager to manage one single local ephemeral storage resource
```
/assign @jingxu97
Automatic merge from submit-queue (batch tested with PRs 49850, 47782, 50595, 50730, 51341)
fix ReadOnlyPort defaulting, CAdvisorPort documentation
The ReadOnlyPort defaulting prevented passing 0 to diable via
the KubeletConfiguraiton struct.
The HealthzPort defaulting prevented passing 0 to disable via the
KubeletConfiguration struct. The documentation also failed to mention
this, but the check is performed in code.
The CAdvisorPort documentation failed to mention that you can pass 0 to
disable.
fixes#51345
This adds an `EXTRA GROUPS` column to the output of `kubeadm token list`. This displays any extra `system:bootstrappers:*` groups that are specified in the token's `auth-extra-groups` key.
Automatic merge from submit-queue (batch tested with PRs 51134, 51122, 50562, 50971, 51327)
set --audit-log-format default to json
Updates: https://github.com/kubernetes/kubernetes/issues/48561
**Release note**:
```
set --audit-log-format default to json for kube-apiserver
```
Controller manager needs access to Flexvolume plugin when
using attach-detach controller interface.
This PR adds the host mount path for the default directory of flexvolume
plugins
Fixes https://github.com/kubernetes/kubeadm/issues/410
The ReadOnlyPort defaulting prevented passing 0 to diable via
the KubeletConfiguraiton struct.
The HealthzPort defaulting prevented passing 0 to disable via the
KubeletConfiguration struct. The documentation also failed to mention
this, but the check is performed in code.
The CAdvisorPort documentation failed to mention that you can pass 0 to
disable.
Automatic merge from submit-queue (batch tested with PRs 51038, 50063, 51257, 47171, 51143)
update related manifest files to use hostpath type
**What this PR does / why we need it**:
Per [discussion in #46597](https://github.com/kubernetes/kubernetes/pull/46597#pullrequestreview-53568947)
Dependes on #46597
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/298
**Special notes for your reviewer**:
/cc @euank @thockin @tallclair @Random-Liu
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 50872, 51103, 51220, 51285, 50841)
kubeadm: Add 'kubeadm upgrade plan' and 'kubeadm upgrade apply' CLI commands
**What this PR does / why we need it**:
This PR is splitted out from: https://github.com/kubernetes/kubernetes/pull/48899 and only handles the CLI/command code. It adds no-op functions only to `phases/upgrade`.
A large chunk of this code is unit tests.
The code here should be pretty straightforward as there is no actual upgrade or business logic here.
It would be cool to get this merged soon-ish.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/14
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews PTAL
Automatic merge from submit-queue (batch tested with PRs 51244, 50559, 49770, 51194, 50901)
Fix zsh completion for kubeadm
**What this PR does / why we need it**:
kubeadm zsh completion will report an error when using after '--flag':
```
kubeadm join --token=1 __handle_flag:25: bad math expression: operand expected at end of string
```
There is a similar bug in kubectl which has been fixed by #48553. It is due to `__kubeadm_declare` gets 'declare -A' into function scope, and `__kubeadm_declare` could be removed now.
This is to port that fix here.
**Which issue this PR fixes**
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 50213, 50707, 49502, 51230, 50848)
Expand the test to include other flags as well
**What this PR does / why we need it**:
Expand the test to include other flags as well
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
`NONE`
Automatic merge from submit-queue (batch tested with PRs 50713, 47660, 51198, 51159, 51195)
kubeadm selfhosting CLI improvements
**What this PR does / why we need it**:
This PR implements three small improvements for kubeadm selfhosting CLI:
- `kubeadm phase selfhosting` should be `kubeadm phase self-hosting from-static-pods`
- add `--cert-dir`flag
- add `--config`flag and manage MixedArguments conditions
**Which issue this PR fixes**:
fixes [#397](https://github.com/kubernetes/kubeadm/issues/397) - `kubeadm phase selfhosting` should be `kubeadm phase self-hosting from-static-pods`
**Special notes for your reviewer**:
cc @luxas
cc @jamiehannaford
Automatic merge from submit-queue (batch tested with PRs 51047, 48573, 50764, 51092, 50578)
Use `select` to disable building static binaries if `--cpu=darwin`.
This change allows kubectl to be built on MacOS machines using
`bazel build //cmd/kubectl`.
Mac OS X doesn't support static binaries because it does not have a
stable syscall API. Userspace binaries are expected to dynamically
link against libcrt instead.
https://developer.apple.com/library/content/qa/qa1118/_index.html
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 50229, 50973, 50976, 51085, 51084)
Print root cause failure message in StartTestServerOrDie()
**What this PR does / why we need it**:
If the test server cannot be started then print the underling root cause as
opposed to the generic 'Failed to create server chain'.
For example:
Failed to create server chain: Model name conflict in merging OpenAPI spec: io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceCondition
Automatic merge from submit-queue (batch tested with PRs 50980, 46902, 51051, 51062, 51020)
Remove seemingly obsolete binaries
It's hard to tell if these are safe to remove. Let CI tell me.
Automatic merge from submit-queue
kubeadm: Implement 'kubeadm config'
**What this PR does / why we need it**:
Implements a `kubeadm config` command for viewing the current kubeadm configuration stored as a ConfigMap in the cluster and creating that configuration for v1.7- users. kubeadm v1.8+ handles the creation of this ConfigMap at init time, but v1.7 users have to create it themselves with this command in order to be able to preserve the same config after the upgrade.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/406
**Special notes for your reviewer**:
**Release note**:
```release-note
Adds a new `kubeadm config` command that lets users tell `kubeadm upgrade` what kubeadm configuration to use and lets users view the current state.
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 51039, 50512, 50546, 50965, 50467)
kubeadm: Get kube-dns based on the kubernetes version
**What this PR does / why we need it**:
Makes the kube-dns version used dependent on the kubernetes version. This is required for upgrades as we have to be able to handle one kube-dns version per branch for instance...
Currently a no-op though, as both v1.7 and v1.8 seem to use 1.14.4
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Dependency for https://github.com/kubernetes/kubernetes/pull/48899 (kubeadm upgrades)
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
@kubernetes/dns-maintainers FYI; next time you bump DNS version, please update this func instead of the constant there...
Automatic merge from submit-queue (batch tested with PRs 50967, 50505, 50706, 51033, 51028)
Revert "Merge pull request #51008 from kubernetes/revert-50789-fix-scheme"
I'm spinning up a cluster right now to test this fix, but I'm pretty sure this was the problem.
There doesn't seem to be a way to confirm from logs, because AFAICT the logs from the hollow kubelet containers are not collected as part of the kubemark test.
**What this PR does / why we need it**:
This reverts commit f4afdecef8, reversing
changes made to e633a1604f.
This also fixes a bug where Kubemark was still using the core api scheme
to manipulate the Kubelet's types, which was the cause of the initial
revert.
**Which issue this PR fixes**: fixes#51007
**Release note**:
```release-note
NONE
```
/cc @shyamjvs @wojtek-t
Automatic merge from submit-queue (batch tested with PRs 50967, 50505, 50706, 51033, 51028)
Clean kubelet certificates on kubeadm reset
**What this PR does / why we need it**:
After `kubeadm init` and `kubeadm reset` for a few times, kubelet will fail communicating with apiserver because certificate signed by unknown authority. We should cleanup kubelet certs on kubeadm reset.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48378
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50967, 50505, 50706, 51033, 51028)
kubeadm: Tell the user when a static pod is created
**What this PR does / why we need it**:
Prints a line to notify the user of the static pod creation in order to be consistent with the other phases (one line per phase and optionally per component).
Now the phase command `controlplane all` and `etcd local` also actually outputs something.
Also renamed `[token]` to `[bootstraptoken]` to match the output below and `s/mode/modes/`
`kubeadm init` output now:
```console
$ ./kubeadm init
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.7.4
[init] Using Authorization modes: [Node RBAC]
[preflight] Running pre-flight checks
[preflight] WARNING: docker service is not enabled, please run 'systemctl enable docker.service'
[preflight] Starting the kubelet service
[kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --token-ttl 0)
[certificates] Generated ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [thegopher kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.1.115]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated sa key and public key.
[certificates] Generated front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
[init] Waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests"
[apiclient] All control plane components are healthy after 40.002026 seconds
[markmaster] Master thegopher tainted and labelled with key/value: node-role.kubernetes.io/master=""
[bootstraptoken] Using token: cfe65e.d196614967c3ffe3
[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[addons] Applied essential addon: kube-dns
[addons] Applied essential addon: kube-proxy
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run (as a regular user):
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
http://kubernetes.io/docs/admin/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join --token cfe65e.d196614967c3ffe3 192.168.1.115:6443 --discovery-token-ca-cert-hash sha256:eb3461b9b707eafc214577f36ae8c351bbc4d595ab928fc84caf1325b69cb192
$ ./kubeadm alpha phase controlplane all
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
$ ./kubeadm alpha phase etcd local
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @fabriziopandini
Due to the increased size of subnets with IPv6, the node-cidr-mask-size needs to be passed to kube-controller-manager. If the user passes a IPv6 cidr, the node-cidr-mask-size will be set to 64, If IPv4 it will be set to 24 as it was previously.
Automatic merge from submit-queue (batch tested with PRs 50893, 50913, 50963, 50629, 50640)
kubeadm: Add back labels for the Static Pod control plane (attempt 2)
**What this PR does / why we need it**:
Exactly the same PR as https://github.com/kubernetes/kubernetes/pull/50174, but that PR was appearently lost in a rebase/mis-merge or something, so resending this one.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 46458, 50934, 50766, 50970, 47698)
kubeadm: Warn in preflight checks if KubernetesVersion is of a newer branch than kubeadm
**What this PR does / why we need it**:
see https://github.com/kubernetes/kubeadm/issues/307
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
https://github.com/kubernetes/kubeadm/issues/307
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 46458, 50934, 50766, 50970, 47698)
kubeadm: Make the self-hosting with certificates in Secrets mode work again
**What this PR does / why we need it**:
This PR:
- makes the self-hosting with certificates in Secrets mode work
- makes the wait functions timeoutable
- fixes a race condition where the kubelet may be slow to remove the Static Pod
- cleans up some of the self-hosting logic
- makes self-hosting-with-secrets respect the feature flag
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/405
**Special notes for your reviewer**:
This is work in progress. I'll add unit tests, rebase upon https://github.com/kubernetes/kubernetes/pull/50762 and maybe split out some of the functionatlity here into a separate PR
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 50693, 50831, 47506, 49119, 50871)
kubeadm: Implement support for using images from CI builds
**What this PR does / why we need it**: Implements support for CI images in kubeadm
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixeskubernetes/kubeadm#337
**Special notes for your reviewer**:
**Release note**:
```release-note
- kubeadm now supports "ci/latest-1.8" or "ci-cross/latest-1.8" and similar labels.
```
This reverts commit f4afdecef8, reversing
changes made to e633a1604f.
This also fixes a bug where Kubemark was still using the core api scheme
to manipulate the Kubelet's types, which was the cause of the initial
revert.
Automatic merge from submit-queue (batch tested with PRs 47896, 50678, 50620, 50631, 51005)
kubeadm: Adds dry-run support for kubeadm using the `--dry-run` option
**What this PR does / why we need it**:
Adds dry-run support to kubeadm by creating a fake clientset that can get totally fake values (like in the init case), or delegate GETs/LISTs to a real API server but discard all edits like POST/PUT/PATCH/DELETE
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/389
**Special notes for your reviewer**:
This PR depends on https://github.com/kubernetes/kubernetes/pull/50626, first three commits are from there
This PR is a dependency for https://github.com/kubernetes/kubernetes/pull/48899 (kubeadm upgrades)
I have some small things to fixup and I'll yet write unit tests, but PTAL if you think this is going in the right direction
**Release note**:
```release-note
kubeadm: Adds dry-run support for kubeadm using the `--dry-run` option
```
cc @kubernetes/sig-cluster-lifecycle-pr-reviews @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 47896, 50678, 50620, 50631, 51005)
Remove deprecated lookup cache flags.
**What this PR does / why we need it**:
Remove deprecated lookup cache flags: `replication-controller-lookup-cache-size, replicaset-lookup-cache-size, daemonset-lookup-cache-size`
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#43388
**Special notes for your reviewer**:
/cc @enisoc
**Release note**:
```release-note
The following deprecated flags have been removed from `kube-controller-manager`: `replication-controller-lookup-cache-size`, `replicaset-lookup-cache-size`, and `daemonset-lookup-cache-size`. Make sure you no longer attempt to set them.
```
Automatic merge from submit-queue (batch tested with PRs 47896, 50678, 50620, 50631, 51005)
MakeEventRecorder function cleanup
delete KubeletConfiguration arg since it is unused
fixes#50969
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50911, 50839)
Fix admission plugin registration
**What this PR does / why we need it**:
The current registration of admission plug-ins happen too late so the
command line help is not yielding correct/useful information to users.
This is already causing confusion as mentioned in some issues.
This patch fixes it by moving plugins.go down to options package because
"plugins" in this context are themselves options for users. Registration
of plugins is not an expensive operation and it is already done in most
execution paths.
**Which issue this PR fixes**
fixes#50833
**Special notes for your reviewer**:
There might be other thoughts on how to better align this with other
efforts. This PR is leaving them to future work. For example:
in future, we may want to revisit these plugins and migrate them to the
shared apiserver repo when appropriate.
**Release note**:
I'm not sure if a release note is needed for this. Maybe there is a need.
```release-note
```
The current registration of admission plug-ins happen too late so the
command line help is not yielding correct/useful information to users.
This is already causing confusion as mentioned in some issues.
This patch fixes it by moving plugins.go down to options package because
"plugins" in this context are themselves options for users. Registration
of plugins is not an expensive operation and it is already done in most
execution paths.
In future, we may want to revisit these plugins and migrate them to the
shared apiserver repo when appropriate.
Previously, kubeadm would use <ip>:<port> to construct a master
endpoint. This works fine for IPv4 addresses, but not for IPv6.
IPv6 requires the ip to be encased in brackets when being joined
to a port with a colon.
This patch updates kubeadm to support wrapping a v6 address with
[] to form the master endpoint url. Since this functionality is
needed in multiple areas, a dedicated util function was created.
Fixes: https://github.com/kubernetes/kubernetes/issues/48227
Automatic merge from submit-queue (batch tested with PRs 41901, 50762, 50756)
Feature-gate self-hosted secrets
**What this PR does / why we need it**:
Feature gates now select whether secrets are used for TLS cert storage in self-hosted clusters.
**Release note**:
```release-note
TLS cert storage for self-hosted clusters is now configurable. You can store them as secrets (alpha) or as usual host mounts.
```
/cc @luxas
Automatic merge from submit-queue
Promote CronJobs to batch/v1beta1 - just the API
This PR promotes CronJobs to beta.
@erictune @kubernetes/sig-apps-api-reviews @kubernetes/api-approvers ptal
This builds on top of #41890 and needs #40932 as well
```release-note
Promote CronJobs to batch/v1beta1.
```
Automatic merge from submit-queue (batch tested with PRs 49115, 47480)
Adds IPv6 test cases for kubeadm certs.
**What this PR does / why we need it**:
Adds IPv6 test cases in support of kubeadm certificate and validation functionality. It's needed to ensure test cases cover IPv6 related networking scenarios.
**Which issue this PR fixes**
This PR is in support of Issue #1443
**Special notes for your reviewer**:
Additional PR's will follow to ensure kubeadm supports IPv6.
**Release note**:
```NONE
```
Automatic merge from submit-queue
Adds IPv6 test case to kubeadm bootstrap
**What this PR does / why we need it**:
Adds IPv6 test cases in support of kubeadm bootstrap functionality. It's needed to ensure test cases cover IPv6 related networking scenarios.
**Which issue this PR fixes**
This PR is in support of Issue #1443 and Issue #47666
**Special notes for your reviewer**:
Additional PR's will follow to ensure kubeadm fully supports IPv6.
**Release note**:
```NONE
```
/area ipv6
Automatic merge from submit-queue (batch tested with PRs 50198, 49051, 48432)
move KubeletConfiguration out of componentconfig API group
I'm splitting #44252 into more manageable steps. This step moves the types and updates references.
To reviewers: the most important changes are the removals from pkg/apis/componentconfig and additions to pkg/kubelet/apis/kubeletconfig. Almost everything else is an import or name update.
I have one unanswered question: Should I create a whole new api scheme for Kubelet APIs rather than register e.g. a kubeletconfig group with the default runtime.Scheme instance? This feels like the right thing, as the Kubelet should be exposing its own API, but there's a big fat warning not to do this in `pkg/api/register.go`. Can anyone answer this?
Automatic merge from submit-queue (batch tested with PRs 50626, 50683, 50679, 50684, 50460)
kubeadm: Centralize client create-or-update logic in one package
**What this PR does / why we need it**:
Moves all Create-or-Update logic into one package instead of duplicating that logic all around in the codebase.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
This PR depends on https://github.com/kubernetes/kubernetes/pull/50214.
Note that commit 2 is the only one that needs reviewing.
This PR is required for https://github.com/kubernetes/kubernetes/pull/48899 (kubeadm upgrade)
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @mattmoyer @fabriziopandini
Automatic merge from submit-queue
Add Priority admission controller
**What this PR does / why we need it**: Add Priority admission controller. This admission controller checks creation and update of PriorityClasses. It also resolves a PriorityClass name of a pod to its integer value.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Add Priority admission controller for monitoring and resolving PriorityClasses.
```
ref/ #47604
ref/ #48646
Automatic merge from submit-queue
kubeadm: Implementing the controlplane phase
**What this PR does / why we need it:**
This contains implementation of controlplane phases in kubeadm, which is part of the wider effort of implementing phases in kubeadm, previously in alpha stage.
The original proposal for this activity can be found [here](https://github.com/kubernetes/kubeadm/pull/156/files) and related comments.
Kubeadm phase implementation checklist is defined [here](https://github.com/kubernetes/kubeadm/issues/267)
Common implementation guidelines and principles for all phases are defined [here](https://docs.google.com/document/d/1VQMyFIVMfRGQPP3oCUpfjiWtOr3pLxp4g7cP-hXQFXc/edit?usp=sharing)
This PR implements:
- [x] kubeadm phase controlplane: wip by @fabriziopandini
- [x] kubeadm phase controlplane all
- [x] kubeadm phase controlplane etcd
- [x] kubeadm phase controlplane apiserver
- [x] kubeadm phase controlplane scheduler
- [x] kubeadm phase controlplane controller-manager
**Which issue this PR fixes:**
https://github.com/kubernetes/kubeadm/issues/349
**Special notes for your reviewer:**
This PR implements the same approach of #49419, thus minimising rework/impacts on existing codebase.
Automatic merge from submit-queue (batch tested with PRs 49129, 50436, 50417, 50553, 47587)
Revert "Remove old node role label that is not used by kubeadm"
Revert the commit that removed printing of node roles from kubectl.
It sounds like we also need to update the labels we inspect, as these were previously removed. But starting with a clean revert.
Issue #49124
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49904, 50484, 50214)
Refactor addons into multiple packages
**What this PR does / why we need it**:
https://github.com/kubernetes/kubeadm/issues/348
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
https://github.com/kubernetes/kubeadm/issues/348
This change allows kubectl to be built on MacOS machines using
`bazel build //cmd/kubectl`.
Mac OS X doesn't support static binaries because it does not have a
stable syscall API. Userspace binaries are expected to dynamically
link against libcrt instead.
https://developer.apple.com/library/content/qa/qa1118/_index.html
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)
Enable caching successful token authentication
Resolves#50472
To support revocation of service account tokens, an etcd lookup of the token and service account is done by the token authenticator. Controllers that make dozens or hundreds of API calls per second (like the endpoints controller) cause this lookup to be done very frequently on the same objects.
This PR:
* Implements a cached token authenticator that conforms to the authenticator.Token interface
* Implements a union token authenticator (same approach as the union request authenticator, conforming to the authenticator.Token interface)
* Cleans up the auth chain construction to group all token authenticators (means we only do bearer and websocket header parsing once)
* Adds a 10-second TTL cache to successful token authentication
```release-note
API server authentication now caches successful bearer token authentication results for a few seconds.
```
Automatic merge from submit-queue
Simplify a command for unmounting mounted directories
**What this PR does / why we need it**:
This PR simplifies a command for unmounting mounted directories. It replaces `cat | awk | grep` by a single `awk` expression.
**Special notes for your reviewer**:
Link about useless cat/grep usage: http://porkmail.org/era/unix/award.html#grep
**Credit**:
I saw this code fragment in the Julia Evans (@jvns) [write up](https://jvns.ca/blog/2017/07/30/a-couple-useful-ideas-from-google/).
**Release note**:
```release-note
NONE
```
CC @simo5
Automatic merge from submit-queue
Rewrite staging import verifier in Go
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
**What this PR does / why we need it**:
Maintaining Bash is nobody's idea of fun. The declarative config is infinitely easier to read, as well.
**Special notes for your reviewer**:
@sttts still trying to figure out the rules you have encoded in the shell script... very confusing. Please review the `kube-gen` specifically.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
move logs to kubectl/util
Move `pkg/util/logs` to `pkg/kubectl/util/logs` per https://github.com/kubernetes/kubernetes/issues/48209#issuecomment-311730681
This will make kubeadm, kubefed, gke-certificates-controller and e2e have dependency on kubectl, which should be fine.
partially addresses: kubernetes/community#598
```release-note
NONE
```
/assign @apelisse @monopole
This change adds the `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join` and corresponding fields on the kubeadm NodeConfiguration struct. These flags configure enhanced TLS validation for token-based discovery.
The enhanced TLS validation works by pinning the public key hashes of the cluster CA. This is done by connecting to the `cluster-info` endpoint initially using an unvalidated/unsafe TLS connection. After the cluster info has been loaded, parsed, and validated with the existing symmetric signature/MAC scheme, the root CA is validated against the pinned public key set. A second request is made using validated/safe TLS using the newly-known CA and the result is validated to make sure the same `cluster-info` was returned from both requests.
This validation prevents a class of attacks where a leaked bootstrap token (such as from a compromised worker node) allows an attacker to impersonate the API server.
This change also update `kubeadm init` to print the correct `--discovery-token-ca-cert-hash` flag in the example `kubeadm join` command it prints at the end of initialization.
This change adds a `k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin` package which implements x509 public key pinning in the style of RFC7469. This is the public key hash format used by the new `kubeadm join --discovery-token-ca-cert-hash` flag.
Hashes are namespaced with a short type, with "sha256" being the only currently-supported format. Type "sha256" is a hex-encoded SHA-256 hash over the Subject Public Key Info (SPKI) object in DER-encoded ASN.1.
Automatic merge from submit-queue (batch tested with PRs 49642, 50335, 50390, 49283, 46582)
Improve GC discovery sync performance
Improve GC discovery sync performance by only syncing when discovered
resource diffs are detected. Before, the GC worker pool was shut down
and monitors resynced unconditionally every sync period, leading to
significant processing delays causing test flakes where otherwise
reasonable GC timeouts were being exceeded.
Related to https://github.com/kubernetes/kubernetes/issues/49966.
/cc @kubernetes/sig-api-machinery-bugs
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49642, 50335, 50390, 49283, 46582)
Add rbac.authorization.k8s.io/v1
xref https://github.com/kubernetes/features/issues/2
Promotes the rbac.authorization.k8s.io/v1beta1 API to v1 with no changes
```release-note
The `rbac.authorization.k8s.io/v1beta1` API has been promoted to `rbac.authorization.k8s.io/v1` with no changes.
The `rbac.authorization.k8s.io/v1alpha1` version is deprecated and will be removed in a future release.
```
Automatic merge from submit-queue
kubeadm: Upload configuration used at 'kubeadm init' time to ConfigMap for easier upgrades
**What this PR does / why we need it**:
Uploads config used to a ConfigMap so we can upgrade a cluster seamlessly without forcing the user to re-specify all options they specified the first time.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/373
**Special notes for your reviewer**:
This should be a cherrypick-candidate for easier upgrading to v1.8
cc @wojtek-t
**Release note**:
```release-note
kubeadm: Upload configuration used at 'kubeadm init' time to ConfigMap for easier upgrades
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc
Automatic merge from submit-queue (batch tested with PRs 50016, 49583, 49930, 46254, 50337)
Break up node controller into packages
This change does NO actual code changes other than moving constituent
parts into packages.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50016, 49583, 49930, 46254, 50337)
Alpha Dynamic Kubelet Configuration
Feature: https://github.com/kubernetes/features/issues/281
This proposal contains the alpha implementation of the Dynamic Kubelet Configuration feature proposed in ~#29459~ [community/contributors/design-proposals/dynamic-kubelet-configuration.md](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/dynamic-kubelet-configuration.md).
Please note:
- ~The proposal doc is not yet up to date with this implementation, there are some subtle differences and some more significant ones. I will update the proposal doc to match by tomorrow afternoon.~
- ~This obviously needs more tests. I plan to write several O(soon). Since it's alpha and feature-gated, I'm decoupling this review from the review of the tests.~ I've beefed up the unit tests, though there is still plenty of testing to be done.
- ~I'm temporarily holding off on updating the generated docs, api specs, etc, for the sake of my reviewers 😄~ these files now live in a separate commit; the first commit is the one to review.
/cc @dchen1107 @vishh @bgrant0607 @thockin @derekwaynecarr
```release-note
Adds (alpha feature) the ability to dynamically configure Kubelets by enabling the DynamicKubeletConfig feature gate, posting a ConfigMap to the API server, and setting the spec.configSource field on Node objects. See the proposal at https://github.com/kubernetes/community/blob/master/contributors/design-proposals/dynamic-kubelet-configuration.md for details.
```
Improve GC discovery sync performance by only syncing when discovered
resource diffs are detected. Before, the GC worker pool was shut down
and monitors resynced unconditionally every sync period, leading to
significant processing delays causing test flakes where otherwise
reasonable GC timeouts were being exceeded.
Related to https://github.com/kubernetes/kubernetes/issues/49966.
Automatic merge from submit-queue (batch tested with PRs 50173, 50324, 50288, 50263, 50333)
Honor --use-service-account-credentials and warn when missing private key
Fixes#50275 by logging a warning and failing to start rather than continue to run ignoring the user's specified config
Automatic merge from submit-queue
kubeadm: Centralize commonly used paths/constants to the constants pkg
**What this PR does / why we need it**:
Before there were constants defined for the control plane components in three different places:
- images
- phases/controlplane
- phases/selfhosting
Now they are in one centralized place. I also moved funcs for building common paths to that lib.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Dependency for: https://github.com/kubernetes/kubernetes/pull/48899
**Special notes for your reviewer**:
Most of this PR really is autogenerated with a replace tool. I tested this and things work just normally as well.
**Release note**:
```release-note
NONE
```
@timothysc @dmmcquay @pipejakob @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 50254, 50174, 50179)
kubeadm: Add back labels for the Static Pod control plane
**What this PR does / why we need it**:
This Labels section has been removed now for a short period during the v1.8 dev cycle, but I found a good use-case for it; namely filtering Mirror Pods by the `component=kube-*` label when waiting for the self-hosted control plane to come up after an upgrade. It's not _really_ neccessary, but nice to have.
Also noticed the lack of coverage for this func, so added a small unit test.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Dependency for: https://github.com/kubernetes/kubernetes/pull/48899
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @dmmcquay @timothysc @mattmoyer
Automatic merge from submit-queue (batch tested with PRs 50208, 50259, 49702, 50267, 48986)
provide the failing health as part of the controller error
When the controllers fail to start because the master is unhealthy, the healthz message is a useful starting point for debugging. This provides it in the error returned.
Automatic merge from submit-queue (batch tested with PRs 47416, 47408, 49697, 49860, 50162)
kubeadm: Replace *clientset.Clientset with clientset.Interface
**What this PR does / why we need it**:
Needed for https://github.com/kubernetes/kubernetes/pull/48899
We should always use `clientset.Interface` instead of `*clientset.Clientset`, for better testability and all the other benefits of using an interface.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Should be straightforward to merge
**Release note**:
```release-note
NONE
```
@timothysc @dmmcquay @pipejakob
Automatic merge from submit-queue (batch tested with PRs 50119, 48366, 47181, 41611, 49547)
Move remaining cert helper functions from pkg/serviceaccount to client-go/util/cert
**What this PR does / why we need it**:
Unifies all remaining certificate helper functions from pkh/serviceaccount to client-go/util/cert. Private key functions were moved in #40907
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#40807
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 50119, 48366, 47181, 41611, 49547)
Fail on swap enabled and deprecate experimental-fail-swap-on flag
**What this PR does / why we need it**:
* Deprecate the old experimental-fail-swap-on
* Add a new flag fail-swap-on and set it to true
Before this change, we would not fail when swap is on. With this
change we fail for everyone when swap is on, unless they explicitly
set --fail-swap-on to false.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#34726
**Special notes for your reviewer**:
**Release note**:
```release-note
Kubelet will by default fail with swap enabled from now on. The experimental flag "--experimental-fail-swap-on" has been deprecated, please set the new "--fail-swap-on" flag to false if you wish to run with /proc/swaps on.
```
Automatic merge from submit-queue (batch tested with PRs 48237, 50084, 50019, 50069, 50090)
Fix comment of isHTTPSURL
**What this PR does / why we need it**:
fix comment of isHTTPSURL
Automatic merge from submit-queue
Add test for kube-proxy running with "--cleanup-iptables=true"
**What this PR does / why we need it**:
Add test to prevent such kube-proxy panic to happen again.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48177
**Special notes for your reviewer**:
Forgot to add this in last PR #48183. Should we also add this to v1.7 milestone?
/cc @ncdc @dchen1107
**Release note**:
```release-note
NONE
```
- Move public key functions to client-go/util/cert
- Move pki file helper functions to client-go/util/cert
- Standardize on certutil package alias
- Update dependencies to client-go/util/cert
Automatic merge from submit-queue
Add --feature-gate flags to kubeadm
**What this PR does / why we need it**:
Adds `--feature-gates` in similar manner to other `cmd` binaries
**Which issue this PR fixes**
https://github.com/kubernetes/kubeadm/issues/323
**Special notes for your reviewer**:
This results in a lot of probably unnecessary feature flags. I'm guessing a lot of kubeadm users will be confused when they see:
```
Flags:
--feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
APIResponseCompression=true|false (ALPHA - default=false)
Accelerators=true|false (ALPHA - default=false)
AdvancedAuditing=true|false (ALPHA - default=false)
AllAlpha=true|false (ALPHA - default=false)
AllowExtTrafficLocalEndpoints=true|false (default=true)
AppArmor=true|false (BETA - default=true)
DebugContainers=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (ALPHA - default=false)
DynamicVolumeProvisioning=true|false (ALPHA - default=true)
ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false)
ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
LocalStorageCapacityIsolation=true|false (ALPHA - default=false)
PersistentLocalVolumes=true|false (ALPHA - default=false)
PodPriority=true|false (ALPHA - default=false)
RotateKubeletClientCertificate=true|false (ALPHA - default=false)
RotateKubeletServerCertificate=true|false (ALPHA - default=false)
StreamingProxyRedirects=true|false (BETA - default=true)
TaintBasedEvictions=true|false (ALPHA - default=false)
-h, --help help for kubeadm
```
However the feature flags used in the core pkg is global, so I don't think it can be overriden. So we have a few options:
1. Allow these flags for kubeadm
2. Refactor feature pkg to allow granular features
3. Roll our own feature gating for kubeadm
/cc @luxas
Automatic merge from submit-queue (batch tested with PRs 49237, 49656, 49980, 49841, 49899)
certificate manager: close existing client conns once cert rotates
After the kubelet rotates its client cert, it will keep connections to the API server open indefinitely, causing it to use its old credentials instead of the new certs. Because the API server authenticates client certs at the time of the request, and not the handshake, this could cause the kubelet to start hitting auth failures even if it rotated its certificate to a new, valid one.
When the kubelet rotates its cert, close down existing connections to force a new TLS handshake.
Ref https://github.com/kubernetes/features/issues/266
Updates https://github.com/kubernetes-incubator/bootkube/pull/663
```release-note
After a kubelet rotates its client cert, it now closes its connections to the API server to force a handshake using the new cert. Previously, the kubelet could keep its existing connection open, even if the cert used for that connection was expired and rejected by the API server.
```
/cc @kubernetes/sig-auth-bugs
/assign @jcbsmpsn @mikedanese
Automatic merge from submit-queue (batch tested with PRs 49989, 49806, 49649, 49412, 49512)
This adds an etcd health check endpoint to kube-apiserver
addressing https://github.com/kubernetes/kubernetes/issues/48215.
**What this PR does / why we need it**:
This ensures kube-apiserver `/healthz` endpoint fails whenever connectivity cannot be established to etcd, also ensures the etcd preflight checks works with unix sockets
**Which issue this PR fixes**: fixes#48215
**Special notes for your reviewer**:
This PR does not use the etcd client directly as the client object is wrapped behind the storage interface and not exposed directly for use, so I decided to reuse what's being done in the preflight. So this will only check fail for connectivity and not etcd auth related problems. I did not write tests for the endpoint because I couldn't find examples that I could follow for writing tests for healthz related endpoints, I'll be willing to write those tests if someone can point me at a relevant one.
**Release note**:
```release-note
Add etcd connectivity endpoint to healthz
```
@deads2k please help review, thanks!
* Deprecate the old experimental-fail-swap-on
* Add a new flag fail-swap-on and set it to true
Before this change, we would not fail when swap is on. With this
change we fail for everyone when swap is on, unless they explicitly
set --fail-swap-on to false.
Automatic merge from submit-queue (batch tested with PRs 50029, 48517, 49739, 49866, 49782)
Update generated deepcopy code
**What this PR does / why we need it**:
In generated deepcopy code, the method names in comments do not match the real method names.
**Which issue this PR fixes**: fixes#49755
**Special notes for your reviewer**:
/assign @sttts @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49992, 48861, 49267, 49356, 49886)
Emit event and retry when fail to start healthz server on kube-proxy
**What this PR does / why we need it**: Enhance kube-proxy's logic when fail to start healthz server.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: From #49263.
**Special notes for your reviewer**:
/assign @thockin @nicksardo @bowei
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49992, 48861, 49267, 49356, 49886)
Reintegrate aggregation support for OpenAPI
Reintegrating changes of #46734
Changes summary:
- Extracted all OpenAPI specs to new repo `kube-openapi`
- Make OpenAPI spec aggregator to copy and rename any non-requal model (even with documentation change only).
- Load specs when adding APIServices and retry on failure until successful spec retrieval or a 404.
- Assumes all Specs except aggregator's Spec are static
- A re-register of any APIService will result in updating the spec for that service (Suggestion for TPR: they should be registered to aggregator API Server, Open for discussion if any more changes needed for another PR.)
fixes#48548
Automatic merge from submit-queue (batch tested with PRs 49871, 49422, 49092, 49858, 48999)
adding kube-apiserver starting option tests
**What this PR does / why we need it**:
There is only one test for `--enable-swagger-ui` option in `cmd/kube-apiserver/app/options/options_test.go`, I have expanded this test with more kube-apiserver starting options.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
`NONE`
Automatic merge from submit-queue (batch tested with PRs 49870, 49416, 49872, 49892, 49908)
Make "kubeadm version" json format output more readable.
**What this PR does / why we need it**:
Add indent to json format output.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
ref: #43750#46598
**Special notes for your reviewer**:
output example:
```
#kubeadm version -o json
{
"clientVersion": {
"major": "1",
"minor": "8+",
"gitVersion": "v1.8.0-alpha.2.1026+d8205661b700c6-dirty",
"gitCommit": "d8205661b700c6f99c33ea0ac1e5ed3e49c202b2",
"gitTreeState": "dirty",
"buildDate": "2017-07-31T12:14:28Z",
"goVersion": "go1.8.3",
"compiler": "gc",
"platform": "linux/amd64"
}
}
```
**Release note**:
```release-note
NONE
```
After the kubelet rotates its client cert, it will keep connections
to the API server open indefinitely, causing it to use its old
credentials instead of the new certs
When the kubelet rotates its cert, close down existing connections
to force a new TLS handshake.
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Lowercases hostname for kubeadm cert slice
**What this PR does / why we need it**:
Previously, unit tests on master were failing due to this error:
```
--- FAIL: TestSubCmdApiServerFlags (0.99s)
certs_test.go:149: APIserverCert.DNSNames[0] is danehans-m-c1kp instead of DANEHANS-M-C1KP
```
The PR fixes the TestSubCmdApiServerFlags test, which uses the OS hostname to compare the apiserver serving cert and fails if the OS hostname is in caps.
**Which issue this PR fixes**: fixes # https://github.com/kubernetes/kubeadm/issues/361
**Special notes for your reviewer**:
**Release note**:
```NONE
```
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Enable garbage collection of custom resources
Enhance the garbage collector to periodically refresh the resources it monitors (via discovery) to enable custom resource definition GC (addressing #44507 and reverting #47432).
This is a replacement for #46000.
/cc @lavalamp @deads2k @sttts @caesarxuchao
/ref https://github.com/kubernetes/kubernetes/pull/48065
```release-note
The garbage collector now supports custom APIs added via CustomeResourceDefinition or aggregated apiservers. Note that the garbage collector controller refreshes periodically, so there is a latency between when the API is added and when the garbage collector starts to manage it.
```
Automatic merge from submit-queue (batch tested with PRs 49538, 49708, 47665, 49750, 49528)
Use the core client with version
**What this PR does / why we need it**:
Replace the **deprecated** `clientSet.Core()` with `clientSet.CoreV1()`.
**Which issue this PR fixes**: fixes#49535
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45813, 49594, 49443, 49167, 47539)
Deprecate keep-terminated-pod-volumes
It was discussed and agreed by sig-storage that
this flag causes unnecessary confusion and is hard to keep
synchornized with controller's attach/detach functionality.
Fixes https://github.com/kubernetes/kubernetes/issues/45615
```release-note
keep-terminated-pod-volumes flag on kubelet is deprecated.
```
Enhance the garbage collector to periodically refresh the resources it
monitors (via discovery) to enable custom resource definition GC.
This implementation caches Unstructured structs for any kinds not
covered by a shared informer. The existing meta-only codec only supports
compiled types; an improved codec which supports arbitrary types could
be introduced to optimize caching to store only metadata for all
non-informer types.
Automatic merge from submit-queue (batch tested with PRs 49238, 49595, 43494, 47897, 48905)
Should not set struct pointer directly to interface which may cause potential panic
fix https://github.com/kubernetes/kubernetes/issues/43127 to avoid potential kubelet panic.
In our old implemention, interface `kubeDeps.EventClient ` (interface) will never equals to `nil` even if `eventClient `(struct pointer )was set to `nil`. `kubeDeps.ExternalKubeClient` and `kubeDeps.KubeClient` also have same potential risk.
Automatic merge from submit-queue (batch tested with PRs 49238, 49595, 43494, 47897, 48905)
Add apps/v1beta2.ReplicaSet
~Depends on #48746~ (merged)
~Depends on #49357~ (merged)
xref: #49135
```release-note
Add a new API object apps/v1beta2.ReplicaSet
```
Automatic merge from submit-queue (batch tested with PRs 49665, 49689, 49495, 49146, 48934)
make it possible to allow discovery errors for controllers
Update the discovery client to return partial discovery information *and* an error. Since we can aggregate API servers, discovery of some resources can fail independently. Callers of this function who want to tolerate the errors can, existing callers will still get an error and fail in normal blocks.
@kubernetes/sig-api-machinery-misc @sttts
Automatic merge from submit-queue (batch tested with PRs 48976, 49474, 40050, 49426, 49430)
Use presence of kubeconfig file to toggle standalone mode
Fixes#40049
```release-note
The deprecated --api-servers flag has been removed. Use --kubeconfig to provide API server connection information instead. The --require-kubeconfig flag is now deprecated. The default kubeconfig path is also deprecated. Both --require-kubeconfig and the default kubeconfig path will be removed in Kubernetes v1.10.0.
```
/cc @kubernetes/sig-cluster-lifecycle-misc @kubernetes/sig-node-misc
Automatic merge from submit-queue (batch tested with PRs 48976, 49474, 40050, 49426, 49430)
Remove duplicated import and wrong alias name of api package
**What this PR does / why we need it**:
**Which issue this PR fixes**: fixes#48975
**Special notes for your reviewer**:
/assign @caesarxuchao
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48224, 45431, 45946, 48775, 49396)
add reflector metrics
This adds metrics (optionally prometheus) to reflectors so that you can see when one reflector is behaving poorly and just how poorly its doing.
@eparis
```release-note
Adds metrics for checking reflector health.
```
Automatic merge from submit-queue (batch tested with PRs 49286, 49550)
use demorgans to make startRouteController implementation more readable
Signed-off-by: allencloud <allen.sun@daocloud.io>
**What this PR does / why we need it**:
When I was learning controller manager, I found that there is a `TODO` which is to use demorgans to make code more readable. So I try to make it work.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
NONE
**Special notes for your reviewer**:
NONE
**Release note**:
```release-note
NONE
```
ping @deads2k
Automatic merge from submit-queue (batch tested with PRs 49498, 49192)
kubeadm: Make sure --config can be mixed with --skip-* flags
**What this PR does / why we need it**:
fixes: https://github.com/kubernetes/kubeadm/issues/352
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Should be a cherrypick candidate
**Release note**:
```release-note
kubeadm: Fixes a small bug where `--config` and `--skip-*` flags couldn't be passed at the same time in validation.
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @ericchiang @wojtek-t
Automatic merge from submit-queue
Remove flags low-diskspace-threshold-mb and outofdisk-transition-frequency
issue: #48843
This removes two flags replaced by the eviction manager. These have been depreciated for two releases, which I believe correctly follows the kubernetes depreciation guidelines.
```release-note
Remove depreciated flags: --low-diskspace-threshold-mb and --outofdisk-transition-frequency, which are replaced by --eviction-hard
```
cc @mtaufen since I am changing kubelet flags
cc @vishh @derekwaynecarr
/sig node
Automatic merge from submit-queue (batch tested with PRs 48636, 49088, 49251, 49417, 49494)
Fix issues for local storage allocatable feature
This PR fixes the following issues:
1. Use ResourceStorageScratch instead of ResourceStorage API to represent
local storage capacity
2. In eviction manager, use container manager instead of node provider
(kubelet) to retrieve the node capacity and reserved resources. Node
provider (kubelet) has a feature gate so that storagescratch information
may not be exposed if feature gate is not set. On the other hand,
container manager has all the capacity and allocatable resource
information.
This PR fixes issue #47809
Replaces use of --api-servers with --kubeconfig in Kubelet args across
the turnup scripts. In many cases this involves generating a kubeconfig
file for the Kubelet and placing it in the correct location on the node.
Automatic merge from submit-queue (batch tested with PRs 49326, 49394, 49346, 49379, 49399)
Make client-go authoritative
client-go now is authoritative except for `client-go/pkg/version`, which I think we can leave as is for a while.
Automatic merge from submit-queue (batch tested with PRs 46210, 48607, 46874, 46598, 49240)
kubeadm: Make the hostPath volume mount code more secure
**What this PR does / why we need it**:
- Refactors the hostpath volume mounting code for the Static Pods
- Splits out the functionality that was in a big function to something testable
- Unit test a lot
- Adds support for mounting external etcd CA/cert/key files in an other path than `/etc/ssl/certs`. Before this you **had** to have your files in there or the apiserver would crashloop
- Significantly improves comment coverage
- Now only mounts the bare essentials instead of nearly everything. For example, don't mount full `/etc/kubernetes` when the only thing you need is `/etc/kubernetes/scheduler.conf`
- Make everything but the etcd datadir read-only for components.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/341
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
cc @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue
Add a new API version apps/v1beta2
xref: #49135
This PR adds a new API version `apps/v1beta2` which contains a copy (of types, conversions, and defaults) of `apps/v1beta1` StatefulSet, Deployment, and their subresources. Note that `apps/v1beta2` is still WIP and we will make breaking changes to it before releasing 1.8.
Moving core controllers (StatefulSet, Deployment, ReplicaSet, DaemonSet) to `apps/v1beta2` is the first step of moving them to `apps/v1` (GA).
This PR is a starting point for DaemonSet and ReplicaSet to move from `/extensions` to `/apps` and for Deployment and StatefulSet to make some breaking changes (e.g. new defaults and/or remove deprecated fields).
```release-note
Add a new API version apps/v1beta2
```
Automatic merge from submit-queue (batch tested with PRs 49328, 49285, 49307, 49127, 49163)
kubeadm: don't customize etcd selinux label
The original change that added the unconfined label included a comment
indicating it won't be needed in the future.
See: https://github.com/kubernetes/kubernetes/pull/33555#issuecomment-251126908
That time is now. https://github.com/kubernetes/kubernetes/pull/33663
has landed and means we no longer have to go out of our way to make that
work.
Removing the label also increases security since there wasn't really a
good reason for etcd to be run with such broad selinux privileges.
This also will allow kubeadm to avoid errors on distros without an spc_t
type, such as Gentoo and Container Linux (at the time of writing at
least).
Fixes https://github.com/kubernetes/kubeadm/issues/269
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49107, 47177, 49234, 49224, 49227)
tighten quota controller interface
While debugging a quota performance problem, I had to chase some references deeper than necessary because the interfaces were overly broad. This tightens them.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49114, 48810)
Unify fuzzers and roundtrip tests
- reorganize apimachinery/pkg/api/testing package to avoid circular imports
- make fuzzers modular per apigroup
- add roundtrip test for meta types
- add roundtrip test for a couple of staging apigroups
Follow-up:
- split `pkg/api` tests by apigroup
Automatic merge from submit-queue (batch tested with PRs 48377, 48940, 49144, 49062, 49148)
support fc volume attach and detach
**What this PR does / why we need it**:
Support FC volume attach and detach to enforce RWO access
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48953
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Add PriorityClass API object under new "scheduling" API group
**What this PR does / why we need it**: This PR is a part of a series of PRs to add pod priority to Kubernetes. This PR adds a new API group called "scheduling" with a new API object called "PriorityClass". PriorityClass maps the string value of priority to its integer value.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**: Given the size of this PR, I will add the admission controller for the PriorityClass in a separate PR.
**Release note**:
```release-note
Add PriorityClass API object under new "scheduling" API group
```
ref/ #47604
ref/ #48646
Automatic merge from submit-queue (batch tested with PRs 48981, 47316, 49180)
Added golint check for pkg/kubelet.
**What this PR does / why we need it**:
Added golint check for pkg/kubelet, and make golint happy.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47315
**Release note**:
```release-note-none
```
Automatic merge from submit-queue (batch tested with PRs 49058, 49072, 49137, 49182, 49045)
check for nil value in interface for proxier health
golang allows for a non-nil interface to have a nil value (not type). This results in an NPE at runtime.
@sttts remember that bit about go? Trivia becomes real :(
Automatic merge from submit-queue (batch tested with PRs 48043, 48200, 49139, 36238, 49130)
expose RegisterAllAdmissionPlugins so that admission chains can be reused
Exposes the admission plugin registration functions so that sets of plugins can be re-used.
@sttts @p0lyn0mial
Automatic merge from submit-queue (batch tested with PRs 48043, 48200, 49139, 36238, 49130)
expose method to allow externally setting defaults on an external type
The options are an exposed type. This allows you to set the defaults on them.
@derekwaynecarr who normally owns this bit?
Automatic merge from submit-queue (batch tested with PRs 49055, 49128, 49132, 49134, 49110)
OpenAPI bug: Array/Map Ptr Elements' handing was incorrect
If you have an array of map of pointers, OpenAPI spec generation would fail.
fixes: #49074
Automatic merge from submit-queue (batch tested with PRs 48481, 48256)
Refactor: pkg/util into sub-pkgs
**What this PR does / why we need it**:
- move code in pkg/util into sub-pkgs
- delete some unused funcs
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#15634
**Special notes for your reviewer**:
This is the final work of #15634. It will close that issue.
/cc @thockin
**Release note**:
```release-note
NONE
```
Add PriorityClass to pkg/registry
Add PriorityClass to pkg/master/master.go
Add PriorityClass to import_know_versions.go
Update linted packages
minor fix
Automatic merge from submit-queue (batch tested with PRs 46094, 48544, 48807, 49102, 44174)
add InstanceID to fake cadvisor (used in Kubemark)
This change is for setting Node.Spec.ProviderID field in Kubemark hollow nodes. It shouldn't affect other tests using cadvisor.Fake as field is nil by default.
cc @gmarek
Automatic merge from submit-queue (batch tested with PRs 46094, 48544, 48807, 49102, 44174)
Static deepcopy – phase 1
This PR is the follow-up of https://github.com/kubernetes/kubernetes/pull/36412, replacing the
dynamic reflection based deepcopy with static DeepCopy+DeepCopyInto methods on API types.
This PR **does not yet** include the code dropping the cloner from the scheme and all the
porting of the calls to scheme.Copy. This will be part of a follow-up "Phase 2" PR.
A couple of the commits will go in first:
- [x] audit: fix deepcopy registration https://github.com/kubernetes/kubernetes/pull/48599
- [x] apimachinery+apiserver: separate test types in their own packages #48601
- [x] client-go: remove TPR example #48604
- [x] apimachinery: remove unneeded GetObjectKind() impls #48608
- [x] sanity check against origin, that OpenShift's types are fine for static deepcopy https://github.com/deads2k/origin/pull/34
TODO **after** review here:
- [x] merge https://github.com/kubernetes/gengo/pull/32 and update vendoring commit
Automatic merge from submit-queue (batch tested with PRs 48333, 48806, 49046)
kubeadm: Split out markmaster to its own phase
**What this PR does / why we need it**:
Splits out related and atomic code into its own phase that can be invokable easily from the CLI.
Makes the code much easier to read by not using recursion and `wait.InfinitePoll` _inside_ of a recursing function, etc.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/53
Part of this more long-term goal: https://github.com/kubernetes/kubeadm/issues/148
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 49019, 48919, 49040, 49018, 48874)
kubeadm: Remove the old KubernetesDir envparam
**What this PR does / why we need it**:
The last piece of https://github.com/kubernetes/kubernetes/issues/48053 for moving the env params into the API, and the KubernetesDir into a constant.
After this pretty mechanical change, we might offer short-hand functions in constants like `GetStaticPodManifestDir()` etc easily in order to centralize the `filepath.Join` logic into one place.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes https://github.com/kubernetes/kubeadm/issues/326
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
cc @kubernetes/sig-cluster-lifecycle-pr-reviews @fabriziopandini
Automatic merge from submit-queue
kubeadm: Remove some old comments
**What this PR does / why we need it**:
Removes old and outdated comments.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@dmmcquay
Automatic merge from submit-queue (batch tested with PRs 48231, 47377, 48797, 49020, 49033)
Migrate kubelet and linked code from clientset_generated to client-go
Ran a script in the kubernetes repo to migrate kubelet and linked code from clientset_generated package imports to client-go imports.
**NOTE:** There are also some manual changes that were made in order to accommodate some
differences between clientset_generated and client-go. The manual changes are isolated into a
single commit titled "Manual changes."
```sh
#! /bin/bash
for file in $(find . \( -name "clientset_generated" -o -name "informers_generated" \) -prune -o -type f -name "*.go"); do
if [[ -d $file ]]; then
continue
fi
if [[ $file == "./cmd/libs/go2idl/informer-gen/main.go" ]]; then
continue
fi
sed -i '
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"|clientset "k8s.io/client-go/kubernetes"|;
# Correct a couple of unique cases.
s|clientset clientset "k8s.io/client-go/kubernetes"|clientset "k8s.io/client-go/kubernetes"|;
s|cs clientset "k8s.io/client-go/kubernetes"|clientset "k8s.io/client-go/kubernetes"|;
s|VersionedClientSetPackage: clientset "k8s.io/client-go/kubernetes"|VersionedClientSetPackage: "k8s.io/client-go/kubernetes"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/certificates/v1beta1"|"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/core/v1"|"k8s.io/client-go/kubernetes/typed/core/v1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/extensions/v1beta1"|"k8s.io/client-go/kubernetes/typed/extensions/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/autoscaling/v1"|"k8s.io/client-go/kubernetes/typed/autoscaling/v1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/authentication/v1"|"k8s.io/client-go/kubernetes/typed/authentication/v1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/authorization/v1beta1"|"k8s.io/client-go/kubernetes/typed/authorization/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/apps/v1beta1"|"k8s.io/client-go/kubernetes/typed/apps/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/rbac/v1beta1"|"k8s.io/client-go/kubernetes/typed/rbac/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/fake"|"k8s.io/client-go/kubernetes/fake"|;
s|"k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/core/v1/fake"|"k8s.io/client-go/kubernetes/typed/core/v1/fake"|;
s|k8s.io/kubernetes/pkg/client/clientset_generated/clientset|k8s.io/client-go/kubernetes|;
s|informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions"|"k8s.io/client-go/informers"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/core/v1"|"k8s.io/client-go/informers/core/v1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/apps/v1beta1"|"k8s.io/client-go/informers/apps/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/extensions/v1beta1"|"k8s.io/client-go/informers/extensions/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/batch/v1"|"k8s.io/client-go/informers/batch/v1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/autoscaling/v1"|"k8s.io/client-go/informers/autoscaling/v1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/policy/v1beta1"|"k8s.io/client-go/informers/policy/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/certificates/v1beta1"|"k8s.io/client-go/informers/certificates/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions/storage/v1"|"k8s.io/client-go/informers/storage/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/core/v1"|"k8s.io/client-go/listers/core/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/apps/v1beta1"|"k8s.io/client-go/listers/apps/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/listers/extensions/v1beta1"|"k8s.io/client-go/listers/extensions/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/listers/autoscaling/v1"|"k8s.io/client-go/listers/autoscaling/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/batch/v1"|"k8s.io/client-go/listers/batch/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/certificates/v1beta1"|"k8s.io/client-go/listers/certificates/v1beta1"|;
s|"k8s.io/kubernetes/pkg/client/listers/storage/v1"|"k8s.io/client-go/listers/storage/v1"|;
s|"k8s.io/kubernetes/pkg/client/listers/policy/v1beta1"|"k8s.io/client-go/listers/policy/v1beta1"|;
' $file
done
hack/update-bazel.sh
hack/update-gofmt.sh
```
Automatic merge from submit-queue (batch tested with PRs 49017, 45440, 48384, 45894, 48808)
Make sure that image tags contain only allowed characters.
**What this PR does / why we need it**:
Version strings can contain symbols that are not allowed
as part of image tags. Replace those with underscores.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Part of work related to usage of CI images which has versions like "v1.8.0-alpha.1.910+5ca03d674e1495" but image tags in registry are "v1.8.0-alpha.1.910_5ca03d674e1495"
Attn @luxas
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47309, 47187)
Add IPv6 test cases to kube-proxy server test.
**What this PR does / why we need it**: This change adds some IPv6 test cases for the kube-proxy server. Also adds some test cases for negative conditions for better test coverage.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47313
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 44129, 48030, 48906)
Add default=false to usage of kube-apiserver allow-privileged flag
**What this PR does / why we need it**:
Users will be clear about default value of `allow-privileged` flag.
Automatic merge from submit-queue
remove some people from OWNERS so they don't get reviews anymore
These are googlers who don't work on the project anymore but are still
getting reviews assigned to them:
- @bprashanth
- @rjnagal
- @vmarmol
Automatic merge from submit-queue (batch tested with PRs 48572, 48838, 48931, 48783, 47090)
kubeadm: change the default bootstrap token TTL to 24 hours
**What this PR does / why we need it**:
This PR changes the TTL for the default bootstrap token generated by `kubeadm init` (without the `--token-ttl` parameter) and `kubeadm token create` (without the `--ttl` flag). Previously, the default TTL was infinite. After this change it is 24 hours.
~~The reasoning for 2 hours as a default is that it's 1) long enough that someone manually using kubeadm (copy-pasting) shouldn't have any issues and 2) short enough that if something is going to break, it should break while the user/admin is still paying attention to the cluster. I'm open to bikeshedding about the exact value, 2 hours is a bit of a strawman.~~
**Edit: updated this to 24 hours instead of 2 hours.**
This is a breaking change if you rely on infinite TTL tokens (e.g., if you had an ASG group of worker nodes). The old behavior is easily restored by passing `--token-ttl 0` to `kubeadm init` or the `--ttl 0` flag to `kubeadm token create`.
**Which issue this PR fixes**: fixes https://github.com/kubernetes/kubeadm/issues/343
**Special notes for your reviewer**:
This was discussed earlier today in SIG-cluster-lifecycle
**Release note**:
```release-note
Change the default kubeadm bootstrap token TTL from infinite to 24 hours. This is a breaking change. If you require the old behavior, use `kubeadm init --token-ttl 0` / `kubeadm token create --ttl 0`.
```
cc @jbeda
Automatic merge from submit-queue (batch tested with PRs 48572, 48838, 48931, 48783, 47090)
kubeadm: add a warning about the default token TTL changing in 1.8
**What this PR does / why we need it**:
This adds a warning to `kubeadm init` and `kubeadm token create` if they are run without the `--token-ttl` / `--ttl` flags. In 1.7 and before, the tokens generated by these commands defaulted to an infinite TTL (no expiration) in 1.8, they will generate a token with a 24 hour TTL.
The actual default change is in https://github.com/kubernetes/kubernetes/pull/48783. This change is separate so we can cherry pick the warning into the `release-1.7` branch.
**Which issue this PR fixes**: ref https://github.com/kubernetes/kubeadm/issues/343
**Special notes for your reviewer**:
This change is blocked on https://github.com/kubernetes/kubeadm/issues/343. These warnings should probably be removed in the 1.9 cycle.
**Release note**:
```release-note
Add a runtime warning about the kubeadm default token TTL changes in 1.8.
```
/assign @luxas
This adds a warning to `kubeadm init` and `kubeadm token create` if they are run without the `--token-ttl` / `--ttl` flags. In 1.7 and before, the tokens generated by these commands defaulted to an infinite TTL (no expiration) in 1.8, they will generate a token with a 24 hour TTL.
The actual default change is in https://github.com/kubernetes/kubernetes/pull/48783. This change is separate so we can cherry pick the warning into the release-1.7 branch.
This code was changed in ea196490a0 to validate that `--config` wasn't passed along with other flags. Unfortunately, the implementation was checking `PersistentFlags()`, which was not parsed at the point it was being validated. The result was that `--config` was _always_ rejected, not just when it was specified alongside other flags.
The fix is to use `Flags()` instead, which contains the expected data.
This PR fixes the following issues:
1. Use ResourceStorageScratch instead of ResourceStorage API to represent
local storage capacity
2. In eviction manager, use container manager instead of node provider
(kubelet) to retrieve the node capacity and reserved resources. Node
provider (kubelet) has a feature gate so that storagescratch information
may not be exposed if feature gate is not set. On the other hand,
container manager has all the capacity and allocatable resource
information.
Automatic merge from submit-queue (batch tested with PRs 48781, 48817, 48830, 48829, 48053)
kubeadm: Start to remove old envparams
**What this PR does / why we need it**:
Historically, the envparams feature was used as a way to easily debug `kubeadm` while developing it in the v1.3-v1.4 timeframe. Since then some parameters have been hanging around and not being moved into the API as they should have.
Note: This is a temporary step; moving things into the API. Still, the API is gonna change, this is not the end state. But this is better than keeping the envparams.
I'm gonna deal with `KubernetesDir` in the next PR.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: kubernetes/kubeadm#326
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@timothysc @pipejakob
Automatic merge from submit-queue
Add node-name flag to `init` phase
**What this PR does / why we need it**: Allow to specify a node-name instead of relaying in `os.Hostname()`
This is useful where kubelet use the name given by the cloud-provider to
register the node.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: Partially fix: kubernetes/kubeadm#64
**Release note**:
```release-note
Added new flag to `kubeadm init`: --node-name, that lets you specify the name of the Node object that will be created
```
Automatic merge from submit-queue
kubeadm: begin polling for bootstrap cluster info immediately
**What this PR does / why we need it**:
This PR changes the behavior of the `kubeadm` loop that polls the API server waiting for discovery information (`cluster-info`). The previous (inadvertent?) behavior was to sleep for `constants.DiscoveryRetryInterval` (5 seconds) before the first request ([`PollInfinite`](https://godoc.org/k8s.io/apimachinery/pkg/util/wait#PollInfinite) vs. [`PollImmediateInfinite`](https://godoc.org/k8s.io/apimachinery/pkg/util/wait#PollImmediateInfinite)).
After this change, `kubeadm` begins does the first check immediately before it moves into the slower polling mode. This takes around 5 seconds off the average time for a new node to join.
#### Before (~5.5s)
```
root@worker:~# time kubeadm join --token abc.123 192.168.42.10:6443
[...]
real 0m5.523s
user 0m0.112s
sys 0m0.124s
```
#### After (~0.5s)
```
root@worker:~# time kubeadm join --token abc.123 192.168.42.10:6443
[...]
real 0m0.587s
user 0m0.092s
sys 0m0.132s
```
**Which issue this PR fixes**:
**Special notes for your reviewer**:
This is my first Kubernetes PR, so please let me know if it's formatted correctly.
**Release note**:
```release-note
NONE
```
Allow to specify a node-name instead of relaying in `os.Hostname()`
This is useful where kubelet use the name given by the cloud-provider to
register the node.
Partially fix: kubernetes/kubeadm#64
Automatic merge from submit-queue
kube-apiserver: tests for aggregation and CRDs via delegation
In our integration tests we do not use the real kube-apiserver setup code, but mock our own. Here I use the actual `cmd/kube-apiserver/app.Run()` func with an testing etcd server. This can test the whole delegation chain of aggregator, apiextensions and kube-apiserver.
Automatic merge from submit-queue (batch tested with PRs 47232, 48625, 48613, 48567, 39173)
Include leaderelection in client-go;
Fix#39117
Fix https://github.com/kubernetes/client-go/issues/28
This PR:
* includes the leaderelection to the staging client-go
* to avoid conflict with golang's testing package, renames package /testing to /testutil, and renames cache/testing to cache/testframework
```release-note
client-go now includes the leaderelection package
```
Automatic merge from submit-queue (batch tested with PRs 47232, 48625, 48613, 48567, 39173)
Make kube-proxy's MetricsBindAddress configurable via flag
**What this PR does / why we need it**: From #48600, `MetricsBindAddress` used to be configurable through flag (coupled with `HealthzBindAddress`). But this functionality went away after #44968 separated healthz server from metrics server. This PR adds that functionality back.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
**Special notes for your reviewer**:
/assign @ncdc
cc @bowei @r0bj
**Release note**:
```release-note
none
```
Automatic merge from submit-queue
Removed mesos as cloud provider from Kubernetes.
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47205
**Special notes for your reviewer**:
**Release note**:
```release-note
Move Mesos Cloud Provider out of Kubernetes Repo
```
Automatic merge from submit-queue (batch tested with PRs 48196, 42783, 48507, 47719, 46138)
kubeadm: Allows to use versions like 1.6.4 instead v1.6.4
**What this PR does / why we need it**:
As part of issue kubernetes/kubeadm#292 discussion, it
turned out that for users it is not always obvious that
version specification parameter must be in form "vX.Y.Z".
This patch allows to specify it in form "X.Y.Z" and
converts it internally to normal semantic version which
expected in the rest of the code.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
- kubeadm now can accept versions like "1.6.4" where previously it strictly required "v1.6.4"
```
Automatic merge from submit-queue (batch tested with PRs 48196, 42783, 48507, 47719, 46138)
add extra args validate
`ExtraArgsCheck` return warnings not errors. because kubeadm may create the newer version control plane, there are new arguments that kubeadm doesn't know.
Automatic merge from submit-queue
kubeadm: Implementing the certificates phase fully
**What this PR does / why we need it:**
This contains implementation of certs phases in kubeadm, which is part of the wider effort of implementing phases in kubeadm, previously in alpha stage.
The original proposal for this activity can be found [here](https://github.com/kubernetes/kubeadm/pull/156/files) and related comments.
Kubeadm phase implementation checklist is defined [here](https://github.com/kubernetes/kubeadm/issues/267)
Common implementation guidelines and principles for all phases are defined [here](https://docs.google.com/document/d/1VQMyFIVMfRGQPP3oCUpfjiWtOr3pLxp4g7cP-hXQFXc/edit?usp=sharing)
This PR implements:
- [x] kubeadm phase certs
- [x] kubeadm phase certs all
- [x] kubeadm phase certs ca
- [x] kubeadm phase certs apiserver
- [x] kubeadm phase certs apiserver-kubelet-client
- [x] kubeadm phase certs sa
- [x] kubeadm phase certs front-proxy-ca
- [x] kubeadm phase certs front-proxy-client
**Which issue this PR fixes:**
none
**Special notes for your reviewer:**
This PR resubmits the work of #45617, and already includes @luxas reviews.
Please note that:
- the API - phase\certs.go - is now totally free by any UX concerns, and implements only the core logic for cert generation.
- the UX - cmd\phase\certs.go - now takes charge of UX commands and kubeadm own's rules for placing certs in the certificate dir (e.g. create only if exists)
Automatic merge from submit-queue
controller-manager: fix horizontal-pod-autoscaler-use-rest-clients fl…
…ag help info
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48497, 48604, 48599, 48560, 48546)
remove dead code
This removes the dead code cruft since we stopped serving TPRs.
ref #48152
Automatic merge from submit-queue (batch tested with PRs 48374, 48524, 48519, 42548, 48615)
Kubelet run() should accept partial KubeletDeps
This is used by integrators that want to perform partial overrides of
key interfaces. Refactors the run() method to fit the existing style and
preserve the existing behavior, but allow (for instance) client
bootstrap and cert refresh even when some dependencies are injected.
@derekwaynecarr hit while reviewing client bootstrap code
Automatic merge from submit-queue (batch tested with PRs 48518, 48525, 48269)
Move the kubelet certificate management code into a single package
Code is very similar and belongs together. Will allow future cert callers to potentially make this more generic, as well as to make it easier reuse code elsewhere.
Automatic merge from submit-queue (batch tested with PRs 47435, 46044)
kubeadm: Make self-hosting work and split it out to a phase
**What this PR does / why we need it**:
- Removes the old self-hosting code
- Puts the new self-hosting code in `phases/selfhosting`
- The new code reads manifests from disk (static pods)...
- ...mutates the PodSpec as necessary...
- ...and posts the DaemonSet to the API Server...
- ...and waits for it to come up
- Uses DaemonSets for all control plane components
- Creates a `kubeadm alpha phase selfhosting` command that can be invoked against any kubeadm-cluster after install.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/127
(large part of at least)
**Special notes for your reviewer**:
Please only review the fourth commit, based on https://github.com/kubernetes/kubernetes/pull/47345
**Release note**:
```release-note
kubeadm: Make self-hosting work by using DaemonSets and split it out to a phase that can be invoked via the CLI
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @jbeda
This is used by integrators that want to perform partial overrides of
key interfaces. Refactors the run() method to fit the existing style and
preserve the existing behavior, but allow (for instance) client
bootstrap and cert refresh even when some dependencies are injected.
Automatic merge from submit-queue
Add node-name flag to `join` phase
**What this PR does / why we need it**: Allow to specify a node-name instead of relaying in `os.Hostname()`
This is useful where kubelet use the name given by the cloud-provider to
register the node.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: partially fixeskubernetes/kubeadm#64
**Special notes for your reviewer**:
**Release note**:
```release-note
Added new flag to `kubeadm join`: --node-name, that lets you specify the name of the Node object that's gonna be created
```
Allow to specify a node-name instead of relaying in `os.Hostname()`
This is useful where kubelet use the name given by the cloud-provider to
register the node.
Partially fix: kubernetes/kubeadm#64
As part of issue kubernetes/kubeadm#292 discussion, it
turned out that for users it is not always obvious that
version specification parameter must be in form "vX.Y.Z".
This patch allows to specify it in form "X.Y.Z" and
converts it internally to normal semantic version which
expected in the rest of the code.
Automatic merge from submit-queue (batch tested with PRs 48480, 48353)
remove tpr api access
xref https://github.com/kubernetes/kubernetes/issues/48152
TPR tentacles go pretty deep. This gets us started by removing API access and we'll move down from there.
@kubernetes/sig-api-machinery-misc
@ironcladlou this should free up the GC implementation since TPRs will no longer be present and failing.
```release-note
Removing TPR api access per https://github.com/kubernetes/kubernetes/issues/48152
```
Automatic merge from submit-queue (batch tested with PRs 48473, 48341)
remove redundant alias
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
remove redundant alias
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46928, 47345)
kubeadm: Move directory ./master to ./phases/controlplane
**What this PR does / why we need it**:
- Moves app/master into phases/controlplane. It should be in the phases directory, was just overlooked earlier
- Harmonizes the import names in phases/controlplane with the similar import names in cmd/kubeadm
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Please review only second and third commit, based on https://github.com/kubernetes/kubernetes/pull/47339
Targets v1.8
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc @pipejakob
Automatic merge from submit-queue
Add timothysc to kubeadm reviewers
**What this PR does / why we need it**:
Adds timothysc to kubeadm reviewers b/c I'm working on it this cycle.
**Release note**:
```
NONE
```
Automatic merge from submit-queue
Remove old node role label that is not used by kubeadm
**What this PR does / why we need it**:
This label hasn't been used by kubeadm since v1.5.
v1.5 support was dropped when v1.6 arrived due to a potential security flaw and the earlier alpha status.
So this label hasn't been used for around three months.
It makes sense to remove it in time for v1.8, could already have been done for v1.7
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 48264, 48324, 48125, 47944, 47489)
remove unneeded variable
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
**What this PR does / why we need it**:
small fix, remove unneeded variable
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
kubeadm: If `--config` is set, don't allow any other option as it won't have effect
If use config in kubeadm init, cann't get other values from other arguments.
`kubeadm init --config=../kubeadm.config --token 447ad3.96cda76e3206fca0 --apiserver-bind-port 6445`
So I think we need to allow get values from command and is prior than cofig file.
Automatic merge from submit-queue (batch tested with PRs 48295, 48298, 47339, 44910, 48037)
kubeadm: Remove v1.6 version gates, cleanup unused code, etc.
**What this PR does / why we need it**:
- Removes v1.6 version gates and requires a control plane version of v1.7.0 and above
- Removes unused/unnecessary functions that got freed up as a consequence of that
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: kubernetes/kubeadm#327
**Special notes for your reviewer**:
This PR targets v1.8, can be merged first when the code freeze is lifted
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc @mikedanese @pipejakob
Automatic merge from submit-queue
Fix kube-proxy panic when running with "--cleanup-iptables=true"
**What this PR does / why we need it**:
Save the `--cleanup-iptables` config for new ProxyServer when it's true.
Also check if Broadcaster and EventClient are nil to avoid other potential panic.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#48177
**Special notes for your reviewer**:
/cc @ncdc @irake99
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
kubeadm: Start using Tolerations in yaml code again and unit-test
**What this PR does / why we need it**:
- Earlier there was a problem with decoding Tolerations from yaml. Seems to be fixed now.
- Added an unit test to catch such a failure if that regression ever happens again
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Targets v1.8
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc
Automatic merge from submit-queue
kubeadm: Expose only the cluster-info ConfigMap in the kube-public ns
**What this PR does / why we need it**:
Noticed a bug; we should only expose the `cluster-info` ConfigMap.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/320
**Special notes for your reviewer**:
Cherrypick-candidate for v1.8 cc @dchen1107
Not blocking the release though...
**Release note**:
```release-note
NONE
```
@jbeda @pipejakob @timothysc @kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue
Use endpoints informer for the endpoint controller
This substantially reduces the number of API calls made by the endpoint
controller. Currently the controller makes an API call per endpoint for
each service that is synced. When the 30s resync is triggered, this
results in an API call for every single endpoint in the cluster. This
quickly exceeds the default qps/burst limit of 20/30 even in small
clusters, leading to delays in endpoint updates.
This change modifies the controller to use the endpoint informer cache
for all endpoint GETs. This means we only make API calls for changes in
endpoints. As a result, qps only depends on the pod activity in the
cluster, rather than the number of services.
**What this PR does / why we need it**:
Address endpoint update delays as described in https://github.com/kubernetes/kubernetes/issues/47597.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
https://github.com/kubernetes/kubernetes/issues/47597
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
kubeadm: Make kube-proxy RollingUpgradeable
**What this PR does / why we need it**:
Sets the right updateStrategy for kube-proxy.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/319
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@pipejakob @timothysc @kubernetes/sig-cluster-lifecycle-pr-reviews
This substantially reduces the number of API calls made by the endpoint
controller. Currently the controller makes an API call per endpoint for
each service that is synced. When the 30s resync is triggered, this
results in an API call for every single endpoint in the cluster. This
quickly exceeds the default qps/burst limit of 20/30 even in small
clusters, leading to delays in endpoint updates.
This change modifies the controller to use the endpoint informer cache
for all endpoint GETs. This means we only make API calls for changes in
endpoints. As a result, qps only depends on the pod activity in the
cluster, rather than the number of services.
Automatic merge from submit-queue (batch tested with PRs 48012, 47443, 47702, 47178)
incluster config will be used when creating external shared informers.
**What this PR does / why we need it**:
Previously the loopback configuration was used to talk to the server.
As a consequence a custom API server was unable to talk to the root API server.
This PR changes the above by using incluster configuration to create shared informers.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48074, 47971, 48044, 47514, 47647)
Move LoadPodFromFile to volume utils
SavePodToFile is not used anywhere and LoadPodFromFile is used only by PV
recycler.
Fix#16970
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47961, 46276)
Remove duplicate error message output in hyperkube.
**What this PR does / why we need it**:
Currently hyperkube binary will always print duplicate messages if fatal error occurs:
```
$ ./kubelet # run without permission
I0523 08:38:02.642638 25701 feature_gate.go:144] feature gates: map[]
W0523 08:38:02.642827 25701 server.go:472] No API client: no api servers specified
Error: failed to run Kubelet: error reading /var/run/kubernetes/kubelet.key, certificate and key must be supplied as a pair
Error: failed to run Kubelet: error reading /var/run/kubernetes/kubelet.key, certificate and key must be supplied as a pair
```
This is due to RunToExit will print out the error which Run has just printed. https://github.com/kubernetes/kubernetes/blob/8bee44b/cmd/hyperkube/hyperkube.go#L178-L189
This was introduced in following commit for adding GOMAXPROCS calls.
1e679f0069
The following commit removes GOMAXPROCS calls, but did not remove the corresponding error output line.
88ea80b572
**Which issue this PR fixes**
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue
kubeadm: Remove the validate phase as it's not needed
**What this PR does / why we need it**:
This validation code was added in v1.4 as a way to remove flakiness between deploying the control plane in Static Pods and deploying kube-discovery as a Deployment.
That isn't the case anymore and we're not experiencing such flakiness, as we're using other methods like checking `/healthz` to determine a healthy control plane before proceeding.
https://github.com/kubernetes/kubernetes/pull/43881 removed this logic from `kubeadm init` to having it as a phase. But that phase isn't needed or used in any way, so now I'm removing it here.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Targets v1.8
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @timothysc @mikedanese
Automatic merge from submit-queue (batch tested with PRs 47694, 47772, 47783, 47803, 47673)
Add "alpha phase preflight" command
**What this PR does / why we need it:**
Adds "alpha phase preflight" command to kubeadm in order to run pre-flight checks independently of init phase.
**Which issue this PR fixes:** fixeskubernetes/kubeadm#314
/cc @luxas
Automatic merge from submit-queue (batch tested with PRs 47694, 47772, 47783, 47803, 47673)
Make different container runtimes constant
Make different container runtimes constant to avoid hardcode
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47915, 47856, 44086, 47575, 47475)
kubelet should resume csr bootstrap
Right now the kubelet creates a new csr object with the same key every
time it restarts during the bootstrap process. It should resume with the
old csr object if it exists. To do this the name of the csr object must
be stable.
Issue https://github.com/kubernetes/kubernetes/issues/47855
Automatic merge from submit-queue (batch tested with PRs 47922, 47195, 47241, 47095, 47401)
Run cAdvisor on the same interface as kubelet
**What this PR does / why we need it**:
cAdvisor currently binds to all interfaces. Currently the only
solution is to use iptables to block access to the port. We
are better off making cAdvisor to bind to the interface that
kubelet uses for better security.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#11710
**Special notes for your reviewer**:
**Release note**:
```release-note
cAdvisor binds only to the interface that kubelet is running on instead of all interfaces.
```
Right now the kubelet creates a new csr object with the same key every
time it restarts during the bootstrap process. It should resume with the
old csr object if it exists. To do this the name of the csr object must
be stable. Also using a list watch here eliminates a race condition
where a watch event is missed and the kubelet stalls.
Automatic merge from submit-queue
Update addons with upstream CVE fixes
**What this PR does / why we need it**: refreshes the kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for the following vulnerabilities:
* CVE-2016-4448
* CVE-2016-9841
* CVE-2016-9843
* CVE-2017-1000366
* CVE-2017-2616
* CVE-2017-9526
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#47386 (yay!)
**Special notes for your reviewer**:
**Release note**:
```release-note
Update kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for CVE-2016-4448, CVE-2016-9841, CVE-2016-9843, CVE-2017-1000366, CVE-2017-2616, and CVE-2017-9526.
```
/assign @bowei @MrHohn @Q-Lee @crassirostris @dnardo
/cc @dchen1107 @timstclair
Automatic merge from submit-queue (batch tested with PRs 47878, 47503, 47857)
restore working aggregator and avoid duplicate informers
Fixes https://github.com/kubernetes/kubernetes/issues/47866
This runs the informer all the way through and makes sure its started.
@lavalamp ptal
@kubernetes/sig-api-machinery-bugs
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)
bump the gke-cert-controller wokers to match it's qps
This increases Issuance per second from 2.5 csrs to 5 csrs which is the theoretical limit with the current client side rate limiting.
Issue https://github.com/kubernetes/kubernetes/issues/47855
Automatic merge from submit-queue
Separate serviceaccount and secret storage config
Fixes#47815, and is required in order to enable the secret encryption feature with a recommended configuration
This passes distinct storage options for serviceaccounts and secrets, since secrets can now have an encrypting transformer associated with them
Automatic merge from submit-queue
kubeadm: Use the v1.7 branch by default
**What this PR does / why we need it**:
Makes kubeadm use the v1.7 branch instead of v1.6
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
This should be merged right before the rc.0 is cut I guess
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 47726, 47693, 46909, 46812)
Plumb service resolver into webhook AC
This is the last piece of plumbing needed for https://github.com/kubernetes/features/issues/209
Automatic merge from submit-queue (batch tested with PRs 47669, 40284, 47356, 47458, 47701)
Serialized protobuf should have stable map order
Leverage `stable_marshaller_all` tag in gogo-protobuf to ensure all of our maps have stable ordering when serialized to protobuf. This preserves the behavior from JSON that we rely on to avoid writing to etcd except when the content has changed.
Will slightly increase allocations (1 slice per non-empty map in an object) during Encode, which has a minor impact on CPU. However, avoiding writes when a client issues a blind put results in significantly less CPU across the whole cluster (avoiding a new etcd version for an Endpoints object might save ~1 core/sec on large clusters).
Fixes#47678
```release-note
The protobuf serialization of API objects has been updated to store maps in a predictable order to ensure that the representation of that object does not change when saved into etcd. This prevents the same object from being seen as being modified, even when no values have changed.
```
Automatic merge from submit-queue (batch tested with PRs 47669, 40284, 47356, 47458, 47701)
Mark Static pods on the Master as critical
fixes#47277.
A known issue with static pods is that they do not interact well with evictions. If a static pod is evicted or oom killed, then it will never be recreated. To mitigate this, we do not evict static pods that are critical. In addition, non-critical pods are candidates for preemption if a critical pod is scheduled to the node. If there are not enough allocatable resources on the node, this causes the static pod to be preempted.
This PR marks all static pods in the kube-system namspace as critical.
cc @vishh @dchen1107
Automatic merge from submit-queue (batch tested with PRs 46327, 47166)
Fixed typo in comments.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # N/A
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46327, 47166)
mark --network-plugin-dir deprecated for kubelet
**What this PR does / why we need it**:
**Which issue this PR fixes** : fixes#43967
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
The default marshalers from gogo-protobuf do not order keys, which means
successive serializations of the same data would result in same bytes.
Kubernetes leverages stable serialization to avoid excessive writes to
etcd when body content has not changed, which reduces the amount of
watch traffic generated by successive callers.
This will have a small memory impact on objects which have maps -
allocating a new string array for each map key. All maps must be keys
because we serialize those to JSON, so non-string types are not
relevant.
Automatic merge from submit-queue (batch tested with PRs 38751, 44282, 46382, 47603, 47606)
Add files specified in the kube config as a potential source of cert/…
Fixes#47208
Add files specified in the kube config as a potential source of cert/key data.
Without this change, the kubelet won't use certificates that are specified using file paths in the kubeconfig file. This specifically affects GCE clusters started with kube-up.sh with the RotateKubelet*Certificate feature gate flags enabled, but may affect other configurations.
This change only affects feature gated alpha code.
Internal attach/detach controller timers should be configurable and tests
should use much shorter values.
reconcilerSyncDuration is deliberately left out of TimerConfig because it's
the only one that's not a constant one, it's configurable by user.
Automatic merge from submit-queue (batch tested with PRs 47451, 47410, 47598, 47616, 47473)
kubeadm: Fix kube-proxy regression caused by #46372
**What this PR does / why we need it**:
Fixes: https://github.com/kubernetes/kubeadm/issues/306
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Required for kubeadm v1.7 to work
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @cmluciano
Automatic merge from submit-queue (batch tested with PRs 47523, 47438, 47550, 47450, 47612)
kubeadm: Fix subtle versioning ordering issue with v1.8.0-alpha.0
**What this PR does / why we need it**:
`--kubernetes-version latest` is broken since it evals to `v1.8.0-alpha.0` which actually is `v1.7.0-beta.0`, so kubeadm enables features that don't exist
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)
separate group and version priority
Fixes https://github.com/kubernetes/kubernetes/issues/46322
This just modifies the API and does the minimal plumbing. I can extend this pull or do another to fix the priority problem.
It was discussed and agreed by sig-storage that
this flag causes unnecessary confusion and is hard to keep
synchornized with controller's attach/detach functionality.
Automatic merge from submit-queue (batch tested with PRs 47084, 46016, 46372)
Enable iptables -w in kubeadm selfhosted
Currently containerized kube-proxy cannot support iptables -w
unless the xtables.lock is mounted.
Related: #46103
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
**Special notes for your reviewer**:
- I need to figure out how to do some pre-setup to touch the file if it does not exist.
**Release note**:
```
support iptables -w in kubeadm containerized kube-proxy
```
Currently containerized kube-proxy cannot support iptables -w
unless the xtables.lock is mounted.
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
Automatic merge from submit-queue
fix#46039: iptables proxier need use '--bind-address' if set
**What this PR does / why we need it**:
iptables proxier need use '--bind-address' if set
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#46039
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
bazel: stamp multiple packages by using x_defs instead of linkstamp in go_binary rules
**What this PR does / why we need it**: Fixes regression introduced sometime in the last few months that prevented bazel-built clusters from identifying version properly.
It does so by updating the bazelbuild/rules_go and kubernetes/repo-infra dependencies to support using stamp values in `go_binary` `x_defs`, and then changing our `go_binary` rules to use `x_defs` instead of `linkstamp`.
This whole charade is necessary because we need to stamp version information in multiple packages.
This pretty much only affects the bazel build, so it should be low risk.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#45298
**Special notes for your reviewer**: depends on https://github.com/kubernetes/repo-infra/pull/18; should not be merged before it.
**Release note**:
```release-note
NONE
```
/assign @spxtr @mikedanese
Automatic merge from submit-queue
StorageOS Volume Plugin
**What this PR does / why we need it**:
This PR adds a new volume plugin for StorageOS volumes. StorageOS runs as a container on Kubelet nodes, aggregating local or attached storage and making its capacity available to all nodes within the cluster. More information at http://storageos.com.
The StorageOS plugin supports:
1. Dynamic Provisioning using Storage Classes
2. Persistent Volumes and Persistent Volume Claims.
**Which issue this PR fixes**
A feature request has been created:
https://github.com/kubernetes/features/issues/190
This isn't on the schedule for 1.6 as I wasn't sure when it would be ready. We intend to make the StorageOS container openly available within the 1.6 lifetime.
**Special notes for your reviewer**:
Separate commits for feature and godep changes.
**Release note**:
```release-note
StorageOS Volume Driver
[StorageOS](http://www.storageos.com) can be used as a storage provider for Kubernetes. With StorageOS, capacity from local or attached storage is pooled across the cluster, providing converged infrastructure for cloud-native applications.
```
Automatic merge from submit-queue (batch tested with PRs 45057, 47259)
Allow conversion-gen to take types that are not in the output path
Part of fixing https://github.com/kubernetes/kubernetes/issues/44065.
Partially address https://github.com/kubernetes/features/issues/282.
The first commit is the changes to the conversion-gen (and vendor).
The second commit moves the api/v1 types to staging, and the third commit shows the resulted changes in the generated conversions.
cAdvisor currently binds to all interfaces. Currently the only
solution is to use iptables to block access to the port. We
are better off making cAdvisor to bind to the interface that
kubelet uses for better security.
Fixes#11710
Automatic merge from submit-queue
kubeadm: Enable the Node Authorizer/Admission plugin in v1.7
**What this PR does / why we need it**:
This is similar to https://github.com/kubernetes/kubernetes/pull/46796, but for kubeadm.
Basically it was a part of https://github.com/kubernetes/kubernetes/pull/46796, but there were some other upgradability and compability concerns for kubeadm I took care of while working today.
Example:
```console
$ kubeadm init --kubernetes-version v1.7.0-beta.0
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.7.0-beta.0
[init] Using Authorization mode: [RBAC Node]
...
$ sudo kubectl --kubeconfig=/etc/kubernetes/kubelet.conf get secret foo
Error from server (Forbidden): User "system:node:thegopher" cannot get secrets in the namespace "default".: "no path found to object" (get secrets foo)
$ echo '{"apiVersion":"v1","kind":"Node","metadata":{"name":"foo"}}' | sudo kubectl create -f - --kubeconfig=/etc/kubernetes/kubelet.conf
Error from server (Forbidden): error when creating "STDIN": nodes "foo" is forbidden: node thegopher cannot modify node foo
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Depends on https://github.com/kubernetes/kubernetes/pull/46864 (uses that PR as a base, will rebase once it's merged)
Please only review the second commit. Will also fix tests in a minute.
**Release note**:
```release-note
kubeadm: Enable the Node Authorizer/Admission plugin in v1.7
```
@mikedanese @liggitt @pipejakob @roberthbailey @jbeda @timothysc
Automatic merge from submit-queue (batch tested with PRs 47024, 47050, 47086, 47081, 47013)
kubeadm: Make the creation of the RBAC rules phase idempotent
**What this PR does / why we need it**:
Bugfix: Currently kubeadm fails with a non-zero code if resources it's trying to create already exist. This PR fixes that by making kubeadm try to Update resources that already exist.
After this PR, https://github.com/kubernetes/kubernetes/pull/46879 and a beta.1 release, kubeadm will be fully upgradeable from v1.6 to v1.7 using only kubeadm init.
Last piece of https://github.com/kubernetes/kubeadm/issues/288
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/288
**Special notes for your reviewer**:
**Release note**:
```release-note
kubeadm: Modifications to cluster-internal resources installed by kubeadm will be overwritten when upgrading from v1.6 to v1.7.
```
@pipejakob @mikedanese @timothysc
Automatic merge from submit-queue (batch tested with PRs 43005, 46660, 46385, 46991, 47103)
Consolidate sysctl commands for kubelet
**What this PR does / why we need it**:
These commands are important enough to be in the Kubelet itself.
By default, Ubuntu 14.04 and Debian Jessie have these set to 200 and
20000. Without this setting, nodes are limited in the number of
containers that they can start.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#26005
**Special notes for your reviewer**:
I had a difficult time writing tests for this. It is trivial to create a fake sysctl for testing, but the Kubelet does not have any tests for the prior settings.
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 46235, 44786, 46833, 46756, 46669)
implements StatefulSet update
**What this PR does / why we need it**:
1. Implements rolling update for StatefulSets
2. Implements controller history for StatefulSets.
3. Makes StatefulSet status reporting consistent with DaemonSet and ReplicaSet.
https://github.com/kubernetes/features/issues/188
**Special notes for your reviewer**:
**Release note**:
```release-note
Implements rolling update for StatefulSets. Updates can be performed using the RollingUpdate, Paritioned, or OnDelete strategies. OnDelete implements the manual behavior from 1.6. status now tracks
replicas, readyReplicas, currentReplicas, and updatedReplicas. The semantics of replicas is now consistent with DaemonSet and ReplicaSet, and readyReplicas has the semantics that replicas did prior to this release.
```
Automatic merge from submit-queue
kubeadm: improve quickstart instructions
**What this PR does / why we need it**:
Improves instructional output following setup of a kubernetes master with kubeadm.
This helps prevent unnecessary support overhead such as: https://github.com/kubernetes/kubeadm/issues/212#issuecomment-292015402
**Example current output**:
```
To start using your cluster, you need to run (as a regular user):
sudo cp /etc/kubernetes/admin.conf $HOME/
sudo chown $(id -u):$(id -g) $HOME/admin.conf
export KUBECONFIG=$HOME/admin.conf
```
**Example new output**:
```
To start using your cluster, you need to run (as a regular user):
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46718, 46828, 46988)
Simply changed the names of packages of some admission plugins.
**What this PR does / why we need it**:
This PR simply changes the names of packages of some admission plugins so that they are not in conflict with admission pkg.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46718, 46828, 46988)
Update docs/ links to point to main site
**What this PR does / why we need it**:
This updates various links to either point to kubernetes.io or to the kubernetes/community repo instead of the legacy docs/ tree in k/k
Pre-requisite for #46813
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-docs-maintainers @chenopis @ahmetb @thockin
Automatic merge from submit-queue
Rename {kube- ->}apiextensions-{-> api}server
Completely mechanical renaming, as preparation of the repo sync. This repo is generic, the prefix does not make sense.
Part of issue https://github.com/kubernetes/kubernetes/issues/46702
TODOs
- [ ] Waiting for the submit queue to settle, then rebase.
Automatic merge from submit-queue (batch tested with PRs 46897, 46899, 46864, 46854, 46875)
kubeadm: Idempotent service account creation.
**What this PR does / why we need it**:
During `kubeadm init`, ignore errors for duplicates when creating service accounts.
https://github.com/kubernetes/kubeadm/issues/278
Fixes: https://github.com/kubernetes/kubeadm/issues/288
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46897, 46899, 46864, 46854, 46875)
kubeadm: Make kubeadm use the right CSR approver for the right version
**What this PR does / why we need it**:
fixes regression caused in: https://github.com/kubernetes/kubernetes/pull/45619
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/289
**Special notes for your reviewer**:
cc @pipejakob our e2e CI should probably go green after this change
**Release note**:
```release-note
NONE
```
@mikedanese @pipejakob @timothysc @liggitt
Automatic merge from submit-queue (batch tested with PRs 46787, 46876, 46621, 46907, 46819)
kubeadm: Only create bootstrap configmap if not exists.
**What this PR does / why we need it**:
The fact that this method was not idempotent was breaking kubeadm upgrades.
https://github.com/kubernetes/kubeadm/issues/278
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
kubeadm: don't duplicate master taint if it already exists.
**What this PR does / why we need it**:
This helps enable a graceful upgrade/downgrade process between 1.6.x and 1.7.x kubeadm clusters (although no guarantees outside of that range) by doing:
$ kubeadm init --kubernetes-version <version> --skip-preflight-checks
Without this change, the command fails with an error that the node taint is duplicated.
This is part of https://github.com/kubernetes/kubeadm/issues/278
**Release note**:
```release-note
NONE
```
Fixes: https://github.com/kubernetes/kubeadm/issues/288
Automatic merge from submit-queue (batch tested with PRs 46967, 46992, 43338, 46717, 46672)
Generate protobuf for the audit API
Add protobuf generation & annotations for the advanced auditing API. We're not using them directly now, but settling on the field numbering will help with some 3rd party integrations.
For kubernetes/features#22
/cc @ihmccreery
Automatic merge from submit-queue (batch tested with PRs 44883, 46836, 46765, 46683, 46050)
While deleting a namespace, the TPR instances under this ns should be…
… deleted.
While deleting a namespace, the TPR instances under this ns should be deleted.
Fixed#46736
**Release note**:
```
None
```
Automatic merge from submit-queue (batch tested with PRs 46972, 42829, 46799, 46802, 46844)
promote tls-bootstrap to beta
last commit of this PR.
Towards https://github.com/kubernetes/kubernetes/issues/46999
```release-note
Promote kubelet tls bootstrap to beta. Add a non-experimental flag to use it and deprecate the old flag.
```
Automatic merge from submit-queue (batch tested with PRs 46550, 46663, 46816, 46820, 46460)
Add configuration for encryption providers
## Additions
Allows providing a configuration file (using flag `--experimental-encryption-provider-config`) to use the existing AEAD transformer (with multiple keys) by composing mutable transformer, prefix transformer (for parsing providerId), another prefix transformer (for parsing keyId), and AES-GCM transformers (one for each key). Multiple providers can be configured using the configuration file.
Example configuration:
```
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- namespaces
providers:
- aes:
keys:
- name: key1
secret: c2vjcmv0iglzihnly3vyzq==
- name: key2
secret: dghpcybpcybwyxnzd29yza==
- identity: {}
```
Need for configuration discussed in:
#41939
[Encryption](3418b4e4c6/contributors/design-proposals/encryption.md)
**Pathway of a read/write request**:
1. MutableTransformer
2. PrefixTransformer reads the provider-id, and passes the request further if that matches.
3. PrefixTransformer reads the key-id, and passes the request further if that matches.
4. GCMTransformer tries decrypting and authenticating the cipher text in case of reads. Similarly for writes.
## Caveats
1. To keep the command line parameter parsing independent of the individual transformer's configuration, we need to convert the configuration to an `interface{}` and manually parse it in the transformer. Suggestions on better ways to do this are welcome.
2. Flags `--encryption-provider` and `--encrypt-resource` (both mentioned in [this document](3418b4e4c6/contributors/design-proposals/encryption.md) ) are not supported in this because they do not allow more than one provider, and the current format for the configuration file possibly supersedes their functionality.
3. Currently, it can be tested by adding `--experimental-encryption-provider-config=config.yml` to `hack/local-up-cluster.sh` on line 511, and placing the above configuration in `config.yml` in the root project directory.
Previous discussion on these changes:
https://github.com/sakshamsharma/kubernetes/pull/1
@jcbsmpsn @destijl @smarterclayton
## TODO
1. Investigate if we need to store keys on disk (per [encryption.md](3418b4e4c6/contributors/design-proposals/encryption.md (option-1-simple-list-of-keys-on-disk)))
2. Look at [alpha flag conventions](https://github.com/kubernetes/kubernetes/blob/master/pkg/features/kube_features.go)
3. Need to reserve `k8s:enc` prefix formally for encrypted data. Else find a better way to detect transformed data.
Handle failure cases on startup gracefully to avoid causing cascading
errors and poor initialization in other components. Initial errors from
config load cause the initializer to pause and hold requests. Return
typed errors to better communicate failures to clients.
Add code to handle two specific cases - admin wants to bypass
initialization defaulting, and mirror pods (which want to bypass
initialization because the kubelet owns their lifecycle).
This helps enable a graceful upgrade/downgrade process between 1.6.x and
1.7.x kubeadm clusters (although no guarantees outside of that range) by
doing:
$ kubeadm init --kubernetes-version <version> --skip-preflight-checks
Without this change, the command fails with an error that the node taint
is duplicated.
This is part of https://github.com/kubernetes/kubeadm/issues/278
Automatic merge from submit-queue (batch tested with PRs 46681, 46786, 46264, 46680, 46805)
Enable Dialer on the Aggregator
Centralize the creation of the dialer during startup.
Have the dialer then passed in to both APIServer and Aggregator.
Aggregator the uses the dialer as its Transport base.
**What this PR does / why we need it**:Enables the Aggregator to use the Dialer/SSHTunneler to connect to the user-apiserver.
**Which issue this PR fixes** : fixes ##46679
**Special notes for your reviewer**:
**Release note**: None
Automatic merge from submit-queue (batch tested with PRs 40760, 46706, 46783, 46742, 46751)
complete the controller context for init funcs
This completes the conversion to initFuncs for the controller initialization to make easier and more manageable to add them.
Automatic merge from submit-queue
Implement Daemonset history
~Depends on #45867 (the 1st commit, ignore it when reviewing)~ (already merged)
Ref https://github.com/kubernetes/community/pull/527/ and https://github.com/kubernetes/community/pull/594
@kubernetes/sig-apps-api-reviews @kubernetes/sig-apps-pr-reviews @erictune @kow3ns @lukaszo @kargakis
---
TODOs:
- [x] API changes
- [x] (maybe) Remove rollback subresource if we decide to do client-side rollback
- [x] deployment controller
- [x] controller revision
- [x] owner ref (claim & adoption)
- [x] history reconstruct (put revision number, hash collision avoidance)
- [x] de-dup history and relabel pods
- [x] compare ds template with history
- [x] hash labels (put it in controller revision, pods, and maybe deployment)
- [x] clean up old history
- [x] Rename status.uniquifier when we reach consensus in #44774
- [x] e2e tests
- [x] unit tests
- [x] daemoncontroller_test.go
- [x] update_test.go
- [x] ~(maybe) storage_test.go // if we do server side rollback~
kubectl part is in #46144
---
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 36721, 46483, 45500, 46724, 46036)
stop special casing the loopback connection for aggregator
Fixes a TODO for the aggregator loopback connection.
Automatic merge from submit-queue
Add initializer support to admission and uninitialized filtering to rest storage
Initializers are the opposite of finalizers - they allow API clients to react to object creation and populate fields prior to other clients seeing them.
High level description:
1. Add `metadata.initializers` field to all objects
2. By default, filter objects with > 0 initializers from LIST and WATCH to preserve legacy client behavior (known as partially-initialized objects)
3. Add an admission controller that populates .initializer values per type, and denies mutation of initializers except by certain privilege levels (you must have the `initialize` verb on a resource)
4. Allow partially-initialized objects to be viewed via LIST and WATCH for initializer types
5. When creating objects, the object is "held" by the server until the initializers list is empty
6. Allow some creators to bypass initialization (set initializers to `[]`), or to have the result returned immediately when the object is created.
The code here should be backwards compatible for all clients because they do not see partially initialized objects unless they GET the resource directly. The watch cache makes checking for partially initialized objects cheap. Some reflectors may need to change to ask for partially-initialized objects.
```release-note
Kubernetes resources, when the `Initializers` admission controller is enabled, can be initialized (defaulting or other additive functions) by other agents in the system prior to those resources being visible to other clients. An initialized resource is not visible to clients unless they request (for get, list, or watch) to see uninitialized resources with the `?includeUninitialized=true` query parameter. Once the initializers have completed the resource is then visible. Clients must have the the ability to perform the `initialize` action on a resource in order to modify it prior to initialization being completed.
```
1. Create controllerrevisions (history) and label pods with template
hash for both RollingUpdate and OnDelete update strategy
2. Clean up old, non-live history based on revisionHistoryLimit
3. Remove duplicate controllerrevisions (the ones with the same template)
and relabel their pods
4. Update RBAC to allow DaemonSet controller to manage
controllerrevisions
5. In DaemonSet controller unit tests, create new pods with hash labels
Automatic merge from submit-queue
Add local storage (scratch space) allocatable support
This PR adds the support for allocatable local storage (scratch space).
This feature is only for root file system which is shared by kubernetes
componenets, users' containers and/or images. User could use
--kube-reserved flag to reserve the storage for kube system components.
If the allocatable storage for user's pods is used up, some pods will be
evicted to free the storage resource.
This feature is part of local storage capacity isolation and described in the proposal https://github.com/kubernetes/community/pull/306
**Release note**:
```release-note
This feature exposes local storage capacity for the primary partitions, and supports & enforces storage reservation in Node Allocatable
```
Automatic merge from submit-queue (batch tested with PRs 46239, 46627, 46346, 46388, 46524)
Dynamic webhook admission control plugin
Unit tests pass.
Needs plumbing:
* [ ] service resolver (depends on @wfender PR)
* [x] client cert (depends on ????)
* [ ] hook source (depends on @caesarxuchao PR)
Also at least one thing will need to be renamed after Chao's PR merges.
```release-note
Allow remote admission controllers to be dynamically added and removed by administrators. External admission controllers make an HTTP POST containing details of the requested action which the service can approve or reject.
```
Automatic merge from submit-queue (batch tested with PRs 46239, 46627, 46346, 46388, 46524)
move labels to components which own the APIs
During the apimachinery split in 1.6, we accidentally moved several label APIs into apimachinery. They don't belong there, since the individual APIs are not general machinery concerns, but instead are the concern of particular components: most commonly the kubelet. This pull moves the labels into their owning components and out of API machinery.
@kubernetes/sig-api-machinery-misc @kubernetes/api-reviewers @kubernetes/api-approvers
@derekwaynecarr since most of these are related to the kubelet
Automatic merge from submit-queue (batch tested with PRs 46726, 41912, 46695, 46034, 46551)
Rotate kubelet client certificate.
Changes the kubelet so it bootstraps off the cert/key specified in the
config file and uses those to request new cert/key pairs from the
Certificate Signing Request API, as well as rotating client certificates
when they approach expiration.
Default behavior is for client certificate rotation to be disabled. If enabled
using a command line flag, the kubelet exits each time the certificate is
rotated. I tried to use `GetCertificate` in [tls.Config](https://golang.org/pkg/crypto/tls/#Config) but it is only called
on the server side of connections. Then I tried `GetClientCertificate`,
but it is new in 1.8.
**Release note**
```release-note
With --feature-gates=RotateKubeletClientCertificate=true set, the kubelet will
request a client certificate from the API server during the boot cycle and pause
waiting for the request to be satisfied. It will continually refresh the certificate
as the certificates expiration approaches.
```
Add support for creating resources that are not immediately visible to
naive clients, but must first be initialized by one or more privileged
cluster agents. These controllers can mark the object as initialized,
allowing others to see them.
Permission to override initialization defaults or modify an initializing
object is limited per resource to a virtual subresource "RESOURCE/initialize"
via RBAC.
Initialization is currently alpha.
Automatic merge from submit-queue (batch tested with PRs 46801, 45184, 45930, 46192, 45563)
adds log when --kubeconfig with wrong config
**What this PR does / why we need it**:
easy for troubleshooting
I have set --kubeconfig==/etc/kubernetes/kubelet.conf when copy & paste(the file path is wrong “==/etc/kubernetes/kubelet.conf”), but kubelet start with no error log. I don't know what happend.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46801, 45184, 45930, 46192, 45563)
Tweak client-gen to support metrics API
This PR adds support to client-gen for readonly APIs as well as for customizing the resource name used for a given type.
This is required to support the clients generated for `k8s.io/metrics/pkg/apis/metrics`.
cc @caesarxuchao
Currently based on #45180
**Release note**:
```release-note
NONE
```
Add location transformer, config for transformers
Location transformer helps choose the most specific transformer for
read/write operations depending on the path of resource being accessed.
Configuration allows use of --experimental-encryption-provider-config
to set up encryption providers. Only AEAD is supported at the moment.
Add new files to BUILD, AEAD => k8s-aes-gcm
Use group resources to select encryption provider
Update tests for configuration parsing
Remove location transformer
Allow specifying providers per resource group in configuration
Add IdentityTransformer configuration option
Fix minor issues with initial AEAD implementation
Unified parsing of all configurations
Parse configuration using a union struct
Run configuration parsing in APIserver, refactor parsing
More gdoc, fix minor bugs
Add test coverage for combined transformers
Use table driven tests for encryptionconfig
This PR adds the check for local storage request when admitting pods. If
the local storage request exceeds the available resource, pod will be
rejected.
This PR adds the support for allocatable local storage (scratch space).
This feature is only for root file system which is shared by kubernetes
componenets, users' containers and/or images. User could use
--kube-reserved flag to reserve the storage for kube system components.
If the allocatable storage for user's pods is used up, some pods will be
evicted to free the storage resource.
Automatic merge from submit-queue
apiserver: add a webhook implementation of the audit backend
This builds off of #45315 and is intended to implement an interfaced defined in #45766.
TODO:
- [x] Rebase on top of API types PR.
- [x] Rebase on top of API types updates (#46065)
- [x] Rebase on top of feature flag (#46009)
- [x] Rebase on top of audit instrumentation.
- [x] Hook up API server flag or register plugin (depending on #45766)
Features issue https://github.com/kubernetes/features/issues/22
Design proposal https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auditing.md
```release-notes
Webhook added to the API server which omits structured audit log events.
```
/cc @soltysh @timstclair @soltysh @deads2k
Changes the kubelet so it bootstraps off the cert/key specified in the
config file and uses those to request new cert/key pairs from the
Certificate Signing Request API, as well as rotating client certificates
when they approach expiration.
Automatic merge from submit-queue (batch tested with PRs 43505, 45168, 46439, 46677, 46623)
Add TPR to CRD migration helper.
This is a helper for migrating TPR data to CustomResource. It's rather hacky because it requires crossing apiserver boundaries, but doing it this way keeps the mess contained to the TPR code, which is scheduled for deletion anyway.
It's also not completely hands-free because making it resilient enough to be completely automated is too involved to be worth it for an alpha-to-beta migration, and would require investing significant effort to fix up soon-to-be-deleted TPR code. Instead, this feature will be documented as a best-effort helper whose results should be verified by hand.
The intended benefit of this over a totally manual process is that it should be possible to copy TPR data into a CRD without having to tear everything down in the middle. The process would look like this:
1. Upgrade to k8s 1.7. Nothing happens to your TPRs.
1. Create CRD with group/version and resource names that match the TPR. Still nothing happens to your TPRs, as the CRD is hidden by the overlapping TPR.
1. Delete the TPR. The TPR data is converted to CustomResource data, and the CRD begins serving at the same REST path.
Note that the old TPR data is left behind by this process, so watchers should not receive DELETE events. This also means the user can revert to the pre-migration state by recreating the TPR definition.
Ref. https://github.com/kubernetes/kubernetes/issues/45728
Centralize the creation of the dialer during startup.
Have the dialer then passed in to both APIServer and Aggregator.
Aggregator the sets the dialer on its Transport base.
This should allow the SSTunnel to be used but also allow the Aggregation
Auth to work with it.
Depending on Environment InsecureSkipTLSVerify *may* need to be set to
true.
Fixed as few tests to call CreateDialer as part of start-up.
As part of https://github.com/kubernetes/community/pull/132, thsi commit
adds a generic webhook admission controller. This plugin allows for a
completely declarative approach for filtering/matching admission requests
and for matching admission requests, calls out to an external webhook for
handling admission requests.
Automatic merge from submit-queue (batch tested with PRs 46076, 43879, 44897, 46556, 46654)
Local storage plugin
**What this PR does / why we need it**:
Volume plugin implementation for local persistent volumes. Scheduler predicate will direct already-bound PVCs to the node that the local PV is at. PVC binding still happens independently.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
Part of #43640
**Release note**:
```
Alpha feature: Local volume plugin allows local directories to be created and consumed as a Persistent Volume. These volumes have node affinity and pods will only be scheduled to the node that the volume is at.
```
Automatic merge from submit-queue (batch tested with PRs 46635, 45619, 46637, 45059, 46415)
Certificate rotation for kubelet server certs.
Replaces the current kubelet server side self signed certs with certs signed by
the Certificate Request Signing API on the API server. Also renews expiring
kubelet server certs as expiration approaches.
Two Points:
1. With `--feature-gates=RotateKubeletServerCertificate=true` set, the kubelet will
request a certificate during the boot cycle and pause waiting for the request to
be satisfied.
2. In order to have the kubelet's certificate signing request auto approved,
`--insecure-experimental-approve-all-kubelet-csrs-for-group=` must be set on
the cluster controller manager. There is an improved mechanism for auto
approval [proposed](https://github.com/kubernetes/kubernetes/issues/45030).
**Release note**:
```release-note
With `--feature-gates=RotateKubeletServerCertificate=true` set, the kubelet will
request a server certificate from the API server during the boot cycle and pause
waiting for the request to be satisfied. It will continually refresh the certificate as
the certificates expiration approaches.
```
Automatic merge from submit-queue (batch tested with PRs 46635, 45619, 46637, 45059, 46415)
migrate group approver to use subject access reviews
WIP, needs test and changes to kubeadm
depends on https://github.com/kubernetes/kubernetes/pull/45514
Automatic merge from submit-queue
kubelet: group all container-runtime-specific flags/options into a separate struct
They don't belong in the KubeletConfig.
This addresses #43253
Automatic merge from submit-queue
fixtypo
**What this PR does / why we need it**:
fix typo seperated -> separated
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 46552, 46608, 46390, 46605, 46459)
Move admission lifecycle to genericapi
**What this PR does / why we need it**: ends the whole sequence of moving some admission plugins to generic api.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46561, 46566)
Fix golint errors in cmd/kube-apiserver
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 45327, 46217, 46377, 46428, 46588)
ommitting close file while testing manifest
ommitting close file while testing manifest.
Automatic merge from submit-queue (batch tested with PRs 45327, 46217, 46377, 46428, 46588)
Fix comment typo in kube-apiserver and cachesize
**What this PR does / why we need it**:
Fix comment typo in files cmd/kube-apiserver/app/server.go and pkg/registry/cachesize/cachesize.go
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Not a major issue, just a minor improvement.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Kubeadm - Make code OS-agnostic
**What this PR does / why we need it**:
Kubernetes just got Windows Containers alpha support, opening the opportunity for kubeadm to also be used to setup, at least, Windows Server 2016 or newer worker nodes. With that in mind, we should take the effort of writing OS-agnostic code whenever possible, e.g. when dealing with the filesystem.
**Which issue this PR fixes**
https://github.com/kubernetes/kubeadm/issues/108
**Special notes for your reviewer**:
**Release note**:
lifecycle plugin: make use of the libraries under k8s.io/client-go/pkg/api and k8s.io/client-go/kubernetes
for the client libraries instead of k8s.io/kubernetes/client/*
move registration to AdmissionOptions
Replaces the current kubelet server side self signed certs with certs
signed by the Certificate Request Signing API on the API server. Also
renews expiring kubelet server certs as expiration approaches.
Automatic merge from submit-queue (batch tested with PRs 45699, 46200, 46335, 46599)
modify the initialization statement
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
Protobuf generation for k8s.io/metrics
This PR introduces protobuf generation for k8s.io/metrics. Doing so required:
- fixing a bug in `go-to-protobuf` causing the `cast{key,value,type}` values to not be quoted when coming from struct tags (and not auto-injection by `go-to-protobuf` itself).
- Making sure the proto IDL in k8s.io/client-go had a package name of `k8s.io.client_go.xyz` and not `k8s.io.kubernetes.xyz`.
Additionally, I updated `go-to-protobuf` to skip functions and non-public types when composing the import list, which cuts down on the more bizarre imports in the IDL (like importing the sample API package in every IDL file because it contained `addToScheme`, like every other API package).
We use `castvalue` to force gogo-proto to realize that it should consider the value of the map which underlies `ResourceList` when calculating which imports need to be named. Otherwise, it ignores the value's type, leading to compilation errors when it later can't find an import it assumed existed. We accidentally didn't hit this in `k8s.io/kubernetes/pkg/api/v1` since another field coincidentally happens to directly use `resource.Quantity` (the value type of `ResourceList`).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46302, 44597, 44742, 46554)
Do not install do-nothing iptables rules
Deprecate kubelet non-masquerade-cidr.
Do not install iptables rules if it is set to 0.0.0.0/0.
Fixes#46553
Automatic merge from submit-queue (batch tested with PRs 46302, 44597, 44742, 46554)
Change to aggregator so it calls a user apiservice via its pod IP.
proxy_handler now does a sideways call to lookup the pod IPs for aservice.
It will then pick a random pod IP to forward the use apiserver request to.
**What this PR does / why we need it**: It allows the aggregator to work without setting up the full network stack on the kube master (i.e. with kube-dns or kube-proxy)
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#44619
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 46252, 45524, 46236, 46277, 46522)
Add /healthz back to kube-proxy metrics server
Fixes#46447.
/healthz is removed from kube-proxy metrics server by #44968 and that breaks our upgrade test, which run 1.6 tests on 1.7 cluster. It seems harmless to continue holding /healthz on metrics server as well, so that we won't break other potential users.
/assign @bowei
cc @dchen1107
**Release note**:
```release-note
NONE
```
When using a `cast{key,value,type}` that was injected via struct tag, we
need to make sure to quote the value when transfering it over to proto
tags. Otherwise, it'll come through as unquoted, resulting in invalid
proto.
This was previously not a problem, since all values of `castkey` and
`casttype` were actually coming from the auto-injecting code which deals
with maps and aliases, which does correctly quote values.
This commit adds the `k8s.io/metrics` APIs to the list of packages for
which to generate protobuf. Additionally, it adds
`k8s.io/client-go/pkg/apis/v1` as a non-generated (referenced) package.
Since go-to-protobuf doesn't care about functions or private types (only
public types), we can skip them. This helps to clean up the generated
IDL: previously, the IDL contained erroneous imports due to matching
functions and private types which were not actually converted to protobuf,
but which were the same as functions and private types in other packages.
proxy_handler now uses the endpoint router to map the cluster IP to
appropriate endpoint (Pod) IP for the given resource.
Added code to allow aggregator routing to be optional.
Updated bazel build.
Fixes to cover JLiggit comments.
Added util ResourceLocation method based on Listers.
Fixed issues from verification steps.
Updated to add an interface to obfuscate some of the routing logic.
Collapsed cluster IP resolution in to the aggregator routing
implementation.
Added 2 simple unit tests for ResolveEndpoint
Automatic merge from submit-queue (batch tested with PRs 42256, 46479, 45436, 46440, 46417)
move CRD behind TPR
Second attempt at https://github.com/kubernetes/kubernetes/pull/46297
@liggitt since @sttts is out can you take a look and hopefully find me a different, more sane way to do this? It's a little crazy, but I left a large comment explaining why I think its the only way.
Automatic merge from submit-queue (batch tested with PRs 46383, 45645, 45923, 44884, 46294)
Dynamic registration prototype
Implementing the api proposed in https://github.com/kubernetes/community/pull/611.
Wiring the code to serve the api via apiserver.
```release-note
Adding admissionregistration API group which enables dynamic registration of initializers and external admission webhooks. It is an alpha feature.
```
Automatic merge from submit-queue (batch tested with PRs 46124, 46434, 46089, 45589, 46045)
Support TCP type runtime endpoint for kubelet
**What this PR does / why we need it**:
Currently the grpc server for kubelet and dockershim has a hardcoded endpoint: unix socket '/var/run/dockershim.sock', which is not applicable on non-unix OS.
This PR is to support TCP endpoint type besides unix socket.
**Which issue this PR fixes**
This is a first attempt to address issue https://github.com/kubernetes/kubernetes/issues/45927
**Special notes for your reviewer**:
Before this change, running on Windows node results in:
```
Container Manager is unsupported in this build
```
After adding the cm stub, error becomes:
```
listen unix /var/run/dockershim.sock: socket: An address incompatible with the requested protocol was used.
```
This PR is to fix those two issues.
After this change, still meets 'seccomp' related issue when running on Windows node, needs more updates later.
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 45514, 45635)
hyperkube_test should not depend on number of spaces.
From #45524.
Apparently adding a long flag to kube-controller-manager breaks the hyperkube unit tests, because they depend on number of spaces :)
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45514, 45635)
refactor certificate controller to break it into two parts
Break pkg/controller/certificates into:
* pkg/controller/certificates/approver: containing the group approver
* pkg/controller/certificates/signer: containing the local signer
* pkg/controller/certificates: containing shared infrastructure
```release-note
Break the 'certificatesigningrequests' controller into a 'csrapprover' controller and 'csrsigner' controller.
```
Automatic merge from submit-queue
remove init blocks from all admission plugins
**What this PR does / why we need it**:
removes init blocks from all admission plugins
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 46149, 45897, 46293, 46296, 46194)
GC: update required verbs for deletable resources, allow list of ignored resources to be customized
The garbage collector controller currently needs to list, watch, get,
patch, update, and delete resources. Update the criteria for
deletable resources to reflect this.
Also allow the list of resources the garbage collector controller should
ignore to be customizable, so downstream integrators can add their own
resources to the list, if necessary.
cc @caesarxuchao @deads2k @smarterclayton @mfojtik @liggitt @sttts @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue
Allow the /logs handler on the apiserver to be toggled.
Adds a flag to kube-apiserver, and plumbs through en environment variable in configure-helper.sh
Allow the list of resources the garbage collector controller should
ignore to be customizable, so downstream integrators can add their own
resources to the list, if necessary.
The garbage collector controller currently needs to list, watch, get,
patch, update, and delete resources. Update the criteria for
deletable resources to reflect this.
Automatic merge from submit-queue (batch tested with PRs 46201, 45952, 45427, 46247, 46062)
Use shared informers in gc controller if possible
Modify the garbage collector controller to try to use shared informers for resources, if possible, to reduce the number of unique reflectors listing and watching the same thing.
cc @kubernetes/sig-api-machinery-pr-reviews @caesarxuchao @deads2k @liggitt @sttts @smarterclayton @timothysc @soltysh @kargakis @kubernetes/rh-cluster-infra @derekwaynecarr @wojtek-t @gmarek
Automatic merge from submit-queue (batch tested with PRs 46022, 46055, 45308, 46209, 43590)
More cli sanity verifications
Adds some more `kubectl` command sanity checks to improve consistency and avoid the need of code reviews for some of our CLI style and standards.
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cli-pr-reviews
Tokens controller previously needed a bit of extra help in order to be
safe for concurrent use. The new MutationCache allows it to keep a local
cache and still use a shared informer. The filtering event handler lets
it only see changes to secrets it cares about.
Automatic merge from submit-queue (batch tested with PRs 46033, 46122, 46053, 46018, 45981)
ineffectual assignment to baseCommand, delete it
Signed-off-by: yupengzte <yu.peng36@zte.com.cn>
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 45346, 45903, 45958, 46042, 45975)
ResourceQuota admission control injects registry
**What this PR does / why we need it**:
The `ResourceQuota` admission controller works with a registry that maps a GroupKind to an Evaluator. The registry used in the existing plug-in is not injectable, which makes usage of the ResourceQuota plug-in in other API server contexts difficult. This PR updates the code to support late injection of the registry via a plug-in initializer.
This commit is an initial pass at providing an admission API group.
The API group is required by the webhook admission controller being
developed as part of https://github.com/kubernetes/community/pull/132
and could be used more as that proposal comes to fruition.
Automatic merge from submit-queue
kube-proxy: add --write-config-to flag
Add --write-config-to flag to kube-proxy to write the default configuration
values to the specified file location.
@deads2k suggested I create my own scheme for this, so I followed the example he shared with me. The only bit currently still referring to `api.Scheme` is where we create the event broadcaster recorder. In order to use the custom private scheme, I either have to pass it in to `NewProxyServer()`, or I have to make `NewProxyServer()` a member of the `Options` struct. If the former, then I probably need to export `Options.scheme`. Thoughts?
cc @mikedanese @sttts @liggitt @deads2k @smarterclayton @timothysc @kubernetes/sig-network-pr-reviews @kubernetes/sig-api-machinery-pr-reviews
```release-note
Add --write-config-to flag to kube-proxy to allow users to write the default configuration settings to a file.
```
Automatic merge from submit-queue
Initialize cloud providers with a K8s clientBuilder
**What this PR does / why we need it**:
This PR provides each cloud provider the ability to generate kubernetes clients. Either the full access or service account client builder is passed from the controller manager. Cloud providers could need to retrieve information from the cluster that isn't provided through defined interfaces, and this seems more preferable to adding parameters.
Please leave your thoughts/comments.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41535, 45985, 45929, 45948, 46056)
NodeRestriction admission plugin
Adds an optional `NodeRestriction` admission plugin that limits identifiable kubelets to mutating their own Node object, and Pod objects bound to their node.
This is the admission portion of https://github.com/kubernetes/community/blob/master/contributors/design-proposals/kubelet-authorizer.md and kubernetes/features#279
```release-note
The `NodeRestriction` admission plugin limits the `Node` and `Pod` objects a kubelet can modify. In order to be limited by this admission plugin, kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`. Such kubelets will only be allowed to modify their own `Node` API object, and only modify `Pod` API objects that are bound to their node.
```
Automatic merge from submit-queue
let client-gen understand vendor
This is extracted from #44784, where we move external api types to k8s.io/api. After the move, the types will locate at vendor/k8s.io/api/xxx. However, gengo index the parsed package using the import path, which is stripped of the vendor/ prefix, so we'll need to strip the vendor/ prefix as necessary in client-gen.
This PR doesn't produce any change to the generated clientset yet since all types are still in the kubernetes repo.
Automatic merge from submit-queue
More owners from SIG-CLI
Adds SIG-CLI as reviewers and approvers of `cmd/clicheck/` and adds me + @pwittrock as approvers in `hack/` (mostly for `test-cmd` and some `hack/verify*.sh` and `hack/update*.sh` scripts).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Make real proxier in hollow-proxy optional (default=true)
Ref https://github.com/kubernetes/kubernetes/pull/45622
This allows using real proxier for hollow proxy, but we use the fake one by default.
cc @kubernetes/sig-scalability-misc @wojtek-t @gmarek
Automatic merge from submit-queue (batch tested with PRs 45953, 45889)
Add /metrics and profiling handlers to kube-proxy
Also expose "syncProxyRules latency" as a prometheus metrics.
Fix https://github.com/kubernetes/kubernetes/issues/45876
Automatic merge from submit-queue (batch tested with PRs 44520, 45253, 45838, 44685, 45901)
API for server side tabular output
These are the APIs necessary to implement propsoal kubernetes/community#363
They consist of a new meta group (v1alpha1) that indicates these are alpha apis for the server as a whole, a new kind `TableList` which is a simple row + header arranged table capable of returning both object and columnar data, a `TableListOptions` for altering the behavior of the return, and `PartialObjectMetadata` which is an "interface" style API object which allows a client to ask any object for their metadata (without having to know how to parse the object or perform gymnastics).
Extracted from #40848
A few minor tweaks still required.
Automatic merge from submit-queue (batch tested with PRs 45247, 45810, 45034, 45898, 45899)
Apiregistration v1alpha1→v1beta1
Promoting apiregistration api from v1alpha1 to v1beta1.
API Registration is responsible for registering an API `Group`/`Version` with
another kubernetes like API server. The `APIService` holds information
about the other API server in `APIServiceSpec` type as well as general
`TypeMeta` and `ObjectMeta`. The `APIServiceSpec` type have the main
configuration needed to do the aggregation. Any request coming for
specified `Group`/`Version` will be directed to the service defined by
`ServiceReference` (on port 443) after validating the target using provided
`CABundle` or skipping validation if development flag `InsecureSkipTLSVerify`
is set. `Priority` is controlling the order of this API group in the overall
discovery document.
The return status is a set of conditions for this aggregation. Currently
there is only one condition named "Available", if true, it means the
api/server requests will be redirected to specified API server.
```release-note
API Registration is now in beta.
```
Automatic merge from submit-queue (batch tested with PRs 45374, 44537, 45739, 44474, 45888)
Allow kcm and scheduler to lock on ConfigMaps.
**What this PR does / why we need it**:
Plumbs through the ability to lock on ConfigMaps through the kcm and scheduler.
**Which issue this PR fixes**
Fixes: #44857
Addresses issues with: #45415
**Special notes for your reviewer**:
**Release note**:
```
Add leader-election-resource-lock support to kcm and scheduler to allow for locking on ConfigMaps as well as Endpoints(default)
```
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews @jamiehannaford @bsalamat @mikedanese
Automatic merge from submit-queue (batch tested with PRs 45408, 45355, 45528)
Admission options spits out admission control
**What this PR does / why we need it**:
This PR adds ApplyTo method to AdmissionOptions struct. The method creates and initialises admission control to the server configuration.
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45835, 45389)
Introduce visibility rules to kubernetes code.
**What this PR does / why we need it**:
Use rules to identify "bad" dependencies on kubectl code for later refactoring or removal, and prevent their reintroduction.
**Which issue this PR fixes**
First in a series of PRs to address kubernetes/community#598
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45835, 45389)
client-gen: honor groupName overrides in customArgs
If there is a comment of the form "// +groupName=somegroup" or
"// +groupName=somegroup.foo.bar.io", use the first field (somegroup) as
the name of the group in customArgs.GroupVersions and
customArgs.GroupVersionToInputPath.
@deads2k this lets OpenShift generate the correct group names for pkg/deploy (groupName=apps) and pkg/sdn (groupName=network), although we still need your hack to specify `--group`.
cc @smarterclayton @liggitt @sttts @kubernetes/sig-api-machinery-pr-reviews
Automatic merge from submit-queue
Use groupName comment for listers/informers
If present, use the "// +groupName" doc comment as the desired group
name when generating listers and informers.
@kubernetes/sig-api-machinery-pr-reviews @smarterclayton @deads2k @liggitt @sttts
If there is a comment of the form "// +groupName=somegroup" or
"// +groupName=somegroup.foo.bar.io", use the first field (somegroup) as
the name of the group in customArgs.GroupVersions and
customArgs.GroupVersionToInputPath.
**What this PR does / why we need it**:
Visibility rules allow dependency control. The rules currently in
place make all targets public, to override the default state of
private. This PR removes public visibility from kubectl code. It
uses specially named pacakge groups to identify "bad" dependencies on
kubectl code for later refactoring or removal.
**Which issue this PR fixes**
First in a series of PRs to address kubernetes/community#598
**Release note**:
```release-note
NONE
```
ApplyTo adds the admission chain to the server configuration the method lazily initializes a generic plugin
that is appended to the list of pluginInitializers.
apiserver.Config will hold an instance of SharedInformerFactory to ensure we only have once instance.
The field will be initialized in apisever.SecureServingOptions
Automatic merge from submit-queue (batch tested with PRs 44748, 45692)
Limiting client go packages visibility, round 3
Continue the work in the merged PR https://github.com/kubernetes/kubernetes/pull/45258
These packages in client-go will be gone after #44065 is fixed:
pkg/api/helper, pkg/api/util, internal version of api groups, API install packages.
This PR removes the dependency on these packages and add bazel visibility rules to prevent relapse.
Automatic merge from submit-queue
Update kube-dns version to 1.14.2
```release-note
Updates kube-dns to 1.14.2
- Support kube-master-url flag without kubeconfig
- Fix concurrent R/Ws in dns.go
- Fix confusing logging when initialize server
- Fix printf in cmd/kube-dns/app/server.go
- Fix version on startup and --version flag
- Support specifying port number for nameserver in stubDomains
```
Automatic merge from submit-queue (batch tested with PRs 45571, 45657, 45638, 45663, 45622)
Use real proxier inside hollow-proxy but with mocked syscalls
Fixes https://github.com/kubernetes/kubernetes/issues/43701
This should make hollow-proxy better mimic the real kube-proxy in performance.
Maybe next we should have a more realistic implementation even for fake iptables (adding/updating/deleting rules/chains in an table, just not on the real one)? Though I'm not sure how important it is.
cc @kubernetes/sig-scalability-misc @kubernetes/sig-network-misc @wojtek-t @gmarek
change import of client-go/api/helper to kubernetes/api/helper
remove unnecessary use of client-go/api.registry
change use of client-go/pkg/util to kubernetes/pkg/util
remove dependency on client-go/pkg/apis/extensions
remove unnecessary invocation of k8s.io/client-go/extension/intsall
change use of k8s.io/client-go/pkg/apis/authentication to v1
Changes:
- Support kube-master-url flag without kubeconfig
- Fix concurrent R/Ws in dns.go
- Fix confusing logging when initialize server
- Fix printf in cmd/kube-dns/app/server.go
- Fix version on startup and --version flag
- Support specifying port number for nameserver in stubDomains
Automatic merge from submit-queue
Remove the deprecated `--enable-cri` flag
Except for rkt, CRI is the default and only integration point for
container runtimes.
```release-note
Remove the deprecated `--enable-cri` flag. CRI is now the default,
and the only way to integrate with kubelet for the container runtimes.
```
Automatic merge from submit-queue (batch tested with PRs 45382, 45384, 44781, 45333, 45543)
Copy internal types to metrics
Supersedes #45306.
#45306 removed the internal types and suggested whoever needs the internal types should define their own copy, and use the code-gen tools to generated the conversion functions. Per offline discussion with @DirectXMan12, we wanted to go that direction but it's not clear where to put the internal types yet. Hence, as a temporary solution, we decided copy the referred client-go/pkg/api types into metrics api to avoid the dependency.
The commit "remove need of registry from custom_metrics/client.go" is similar to what I did to the fake client in an earlier PR. Let me know if you want to put the commit in another PR.
Automatic merge from submit-queue
Edge based winuserspace proxy
Last PR in the series of making kube-proxy event-based.
This is a sibling PR to https://github.com/kubernetes/kubernetes/pull/45356 that is already merged.
The second commit is removing the code that is no longer used.
Automatic merge from submit-queue
Enable shared PID namespace by default for docker pods
**What this PR does / why we need it**: This PR enables PID namespace sharing for docker pods by default, bringing the behavior of docker in line with the other CRI runtimes when used with docker >= 1.13.1.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: ref #1615
**Special notes for your reviewer**: cc @dchen1107 @yujuhong
**Release note**:
```release-note
Kubernetes now shares a single PID namespace among all containers in a pod when running with docker >= 1.13.1. This means processes can now signal processes in other containers in a pod, but it also means that the `kubectl exec {pod} kill 1` pattern will cause the pod to be restarted rather than a single container.
```
This commit adds support for read-only APIs to client-gen.
If the tag `// +readonly=true` is used, only the {Get,List,Watch}
client methods will be generated.
This commit allows client-gen to generate clients where the resource
name does not directly correspond to the type name.
The tag `// +resourceName=<name>` can be used to override the resource
name.
Automatic merge from submit-queue (batch tested with PRs 45453, 45307, 44987)
Migrate the docker client code from dockertools to dockershim
Move docker client code from dockertools to dockershim/libdocker. This includes
DockerInterface (renamed to Interface), FakeDockerClient, etc.
This is part of #43234
Automatic merge from submit-queue (batch tested with PRs 45453, 45307, 44987)
Init cache with assigned non-terminated pods before scheduling
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#45220
**Release note**:
```release-note
The fix makes scheduling go routine waiting for cache (e.g. Pod) to be synced.
```
Automatic merge from submit-queue (batch tested with PRs 45304, 45006, 45527)
increase the QPS for namespace controller
The namespace controller is really chatty. Especially to discovery since that involves two requests for every API version available. This bumps the QPS and burst on the namespace controller to avoid being stuck waiting.
Automatic merge from submit-queue (batch tested with PRs 45508, 44258, 44126, 45441, 45320)
cloud initialize node in external cloud controller
@thockin This PR adds support in the `cloud-controller-manager` to initialize nodes (instead of kubelet, which did it previously)
This also adds support in the kubelet to skip node cloud initialization when `--cloud-provider=external`
Specifically,
Kubelet
1. The kubelet has a new flag called `--provider-id` which uniquely identifies a node in an external DB
2. The kubelet sets a node taint - called "ExternalCloudProvider=true:NoSchedule" if cloudprovider == "external"
Cloud-Controller-Manager
1. The cloud-controller-manager listens on "AddNode" events, and then processes nodes that starts with that above taint. It performs the cloud node initialization steps that were previously being done by the kubelet.
2. On addition of node, it figures out the zone, region, instance-type, removes the above taint and updates the node.
3. Then periodically queries the cloudprovider for node addresses (which was previously done by the kubelet) and updates the node if there are new addresses
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44727, 45409, 44968, 45122, 45493)
Separate healthz server from metrics server in kube-proxy
From #14661, proposal is on kubernetes/community#552.
Couple bullet points as in commit:
- /healthz will be served on 0.0.0.0:10256 by default.
- /metrics and /proxyMode will be served on port 10249 as before.
- Healthz handler will verify timestamp in iptables mode.
/assign @nicksardo @bowei @thockin
**Release note**:
```release-note
NONE
```
- /healthz will be served on 0.0.0.0:10256 by default.
- /metrics and /proxyMode will be served on port 10249
as before.
- Healthz handler will verify timestamp in iptables mode.
Automatic merge from submit-queue (batch tested with PRs 45364, 45369, 45323)
kubeadm: edit apiserver flags for storage-backend
**What this PR does / why we need it**: Since storage-backend defaults to etcd3 in 1.6 (see https://github.com/kubernetes/kubernetes/pull/36229), no need to have a flag defining the default.
**Special notes for your reviewer**: /cc @luxas
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 45309, 45376)
kubeadm: Fix the tainting of the master node
**What this PR does / why we need it**:
Currently, kubeadm unintentionally removes Taints set with the kubelet flag `--register-with-taints` when creating a new Taint slice instead of appening the existing one. This PR fixes that behavior.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
This should be a cherrypick candidate for v1.6 cc @enisoc
**Release note**:
```release-note
kubeadm: Fix invalid assign statement so it is possible to register the master kubelet with other initial Taints
```
@jbeda @dmmcquay @mikedanese @krousey PTAL, very straightforward PR
Automatic merge from submit-queue (batch tested with PRs 45362, 45159, 45321, 45238)
expose kubelet authentication and authorization builders
The kubelet authentication and authorization builder methods are useful for consumers.
@liggitt
Automatic merge from submit-queue (batch tested with PRs 45316, 45341)
Pass NoOpLegacyHost to dockershim in --experimental-dockershim mode
This allows dockershim to use network plugins, if needed.
/cc @Random-Liu
Automatic merge from submit-queue
[WIP] Skip resize of nf_conntrack/parameters/hashsize if not necessary
**What this PR does / why we need it**:
Linux does not support writing to `/sys/module/nf_conntrack/parameters/hashsize` when the writer process is not in the initial network namespace
(https://github.com/torvalds/linux/blob/v4.10/net/netfilter/nf_conntrack_core.c#L1795-L1796).
Usually that's fine. But in some configurations such as with https://github.com/kinvolk/kubeadm-nspawn, kube-proxy is in another netns.
Therefore, check if writing in hashsize is necessary and skip the writing if not.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue
kubelet/get-pods-from-path: correct description of implemention
**What this PR does / why we need it**:
I find this description does not follow the current implementation, it should be describe like this according to my understanding of the source code.
These commands are important enough to be in the Kubelet itself.
By default, Ubuntu 14.04 and Debian Jessie have these set to 200 and
20000. Without this setting, nodes are limited in the number of
containers that they can start.
Automatic merge from submit-queue (batch tested with PRs 45227, 43003, 45231)
kubeadm: move preflight kubelet check
**What this PR does / why we need it**: If you passed the `--skip-preflight-checks` to kubeadm, it would still try to start up the kubelet, which is part of preflight checks. This was causing issues for test-cmds. Now, passing `--skip-preflight-checks` will skip over the kubelet check.
**Special notes for your reviewer**: /cc @luxas @deads2k
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Delete "hard-coded" default value in flags usage.
**What this PR does / why we need it**:
Some flags of kubernetes components have "hard-coded" default values in their usage info. In fact, [pflag pkg](https://github.com/kubernetes/kubernetes/blob/master/vendor/github.com/spf13/pflag/flag.go#L602-L608) has already added a string `(default value)` automatically in the usage info if the flag is initialized. Then we don't need to hard-code the default value in usage info. After this PR, if we want to update the default value of a flag, we only need to update the flag where it is initialized. `pflag` will update the usage info for us. This will avoid inconsistency.
For example:
Before
```
kubelet -h
...
--node-status-update-frequency duration Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Default: 10s (default 10s)
...
```
After
```
kubelet -h
...
--node-status-update-frequency duration Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. (default 10s)
...
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
This PR doesn't delete some "hard-coded" default values because they are not explicitly initialized. We still need to hard-code them to give users friendly info.
```
--allow-privileged If true, allow containers to request privileged mode. [default=false]
```
**Release note**:
```release-note
None
```
Automatic merge from submit-queue (batch tested with PRs 41583, 45117, 45123)
Implement shared PID namespace in the dockershim
**What this PR does / why we need it**: Defaults the Docker CRI to using a shared PID namespace for pods. Implements proposal in https://github.com/kubernetes/community/pull/207 tracked by #1615.
//cc @dchen1107 @vishh @timstclair
**Special notes for your reviewer**: none
**Release note**:
```release-note
Some container runtimes share a process (PID) namespace for all containers in a pod. This will become the default for Docker in a future release of Kubernetes. You can preview this functionality if running with the CRI and Docker 1.13.1 by enabling the --experimental-docker-enable-shared-pid kubelet flag.
```
Automatic merge from submit-queue (batch tested with PRs 44044, 44766, 44930, 45109, 43301)
add APIService conditions
Adds conditions to the APIServiceStatus struct and fixes up generators that appear to have slipped.
The first condition is "ServiceAvailable" which will provide the status currently derived in the discovery handler that decides about whether to expose the version in discovery.
@kubernetes/sig-api-machinery-pr-reviews @liggitt @ncdc
Automatic merge from submit-queue (batch tested with PRs 42432, 44628, 45101, 44921)
kubeadm: join test cmds for new flags
**What this PR does / why we need it**: Adding test-cmds for new kubeadm join flags.
Adding tests is a WIP from #34136
This is a continuation from https://github.com/kubernetes/kubernetes/pull/42812 since it had to be closed.
**Special notes for your reviewer**: /cc @luxas
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Prepare for move zz_generated_deepcopy.go to k8s.io/api
This is in preparation to move deep copies to with the types to the types repo (see https://github.com/kubernetes/gengo/pull/47#issuecomment-296855818). The init() function is referring the `SchemeBuilder` defined in the register.go in the same packge, so we need to revert the dependency.
This PR depends on https://github.com/kubernetes/gengo/pull/49, otherwise verification will fail.
Automatic merge from submit-queue (batch tested with PRs 45052, 44983, 41254)
Non-controversial part of #44523
For easier review of #44523, i extracted the non-controversial part out to this PR.
Automatic merge from submit-queue (batch tested with PRs 44940, 44974, 44935)
Remove import of internal api package in generated external-versioned listers
Follow up of https://github.com/kubernetes/kubernetes/pull/44523
One line change in cmd/libs/go2idl/lister-gen/generators/lister.go, and simple changes in pkg/apis/autoscaling/v2alpha1/register.go, other changes are generated.
The internal api package will be eliminated from client-go, so these imports should be removed. Also, it's more correct to report the versioned resource in the error.
Automatic merge from submit-queue
kubeadm: remove func arg that isn't being used
**What this PR does / why we need it**: Functions had args passed to them that weren't being used. See https://github.com/kubernetes/kubernetes/pull/44601 for more details.
**Special notes for your reviewer**: @luxas
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Add --apiserver-advertise-address option to kubeadm alpha phase certs…
**What this PR does / why we need it**:
`kubeadm alpha phase certs` command currently does not support `--apiserver-advertise-address` options, and certificates by default are linked to the bind address of the machine where the kubeadm command is run. This behaviour is not adequate f.i. for use cases where you are using `kubeadm alpha phase certs` for an HA deployments or for use cases where you generate certificates on a machine different that the master.
The PR adds support for `--apiserver-advertise-address` to `kubeadm alpha phase certs`, with the following behaviour:
- if `--apiserver-advertise-address` is specified and valid, certificates are linked to the given IP
- if `--apiserver-advertise-address` is specified but not valid, the given ip is not valid an error is given
**Special notes for your reviewer**:
Implementation follow the track already in place for other flags (with validation, but no tests).
Automatic merge from submit-queue (batch tested with PRs 44601, 44842, 44893, 44491, 44588)
kubeadm: add flag to skip token print out
**What this PR does / why we need it**: When kubeadm init is used in an automated context, it still prints the token to standard out. When standard output ends up in a log file, it can be considered that the token is leaked there and can be compromised. This PR adds a flag you can select to not have it print out and explicitly disable this behavior.
This is a continuation from https://github.com/kubernetes/kubernetes/pull/42823 since it had to be closed.
**Which issue this PR fixes** : fixes #https://github.com/kubernetes/kubeadm/issues/160
**Special notes for your reviewer**: /cc @luxas @errordeveloper
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 44862, 42241, 42101, 43181, 44147)
Feature/hpa upscale downscale delay configurable
**What this PR does / why we need it**:
Makes "upscale forbidden window" and "downscale forbidden window" duration configurable in arguments of kube-controller-manager. Those are options of horizontal pod autoscaler.
**Special notes for your reviewer**:
Please have a look @DirectXMan12 , the PR as discussed in Slack.
**Release note**:
```
Make "upscale forbidden window" and "downscale forbidden window" duration configurable in arguments of kube-controller-manager. Those are options of horizontal pod autoscaler. Right now are hardcoded 3 minutes for upscale, and 5 minutes to downscale. But sometimes cluster administrator might want to change this for his own needs.
```
Automatic merge from submit-queue
Optimize getProxyMode() to get proxy mode
1. getProxyMode() does not need nodeGetter args after remove
proxy-mode annotation.
2. we should get error when the version of iptables less than
MinVersion.
Automatic merge from submit-queue
kubeadm: add api validation exit code
**What this PR does / why we need it**: This will help with automation and provide more meaningful exit code for api validation.
WIP to add more meaningful exit codes https://github.com/kubernetes/kubeadm/issues/61
This is a continuation from https://github.com/kubernetes/kubernetes/pull/42825 since it had to be closed.
**Special notes for your reviewer**: /cc @luxas
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42202, 40784, 44642, 44623, 44761)
Split out AdmissionOptions
**What this PR does / why we need it**: The changes in this PR split out AdmissionOptions from ServerRunOptions. In the long term AdmissionOptions will accepts various dependencies
and spit out AdmissionControl
**Release note**:
NONE
Automatic merge from submit-queue
Edge based services in proxy
This is sibling effort to what I did for endpoints in KubeProxy.
This PR is first one (changing config & iptables) - userspace will follow.
Automatic merge from submit-queue
Allow configurable etcd options
**What this PR does / why we need it**:
Allows users to set the `--listen-client-urls` and `--advertise-client-urls` flags on etcd binaries for clusters set up with kubeadm.
**Which issue this PR fixes**:
As far as I can tell right now, other nodes in a cluster set up with kubeadm cannot communicate with the etcd static pod running on the master. This is needed in order to set up calico/canal SDN which needs access to a publicly addressable IPv4 _before_ the overlay network and inter-cluster subnet is created.
Addresses https://github.com/kubernetes/features/issues/138 and https://github.com/kubernetes/features/issues/11.
**Release note**:
```release-note
Users can now specify listen and advertise URLs for etcd in a kubeadm cluster
```
Automatic merge from submit-queue (batch tested with PRs 40055, 42085, 44509, 44568, 43956)
Fix gofmt errors
**What this PR does / why we need it**:
There were some gofmt errors on master. Ran the following to fix:
```
hack/verify-gofmt.sh | grep ^diff | awk '{ print $2 }' | xargs gofmt -w -s
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: none
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Make controller Run methods consistent
- startup/shutdown logging
- wait for cache sync logging
- defer utilruntime.HandleCrash()
- wait for stop channel before exiting
Please review for accuracy and consistency.
cc @deads2k @wojtek-t @smarterclayton @sttts @mikedanese @liggitt @rrati @derekwaynecarr
Automatic merge from submit-queue (batch tested with PRs 44440, 44038, 44302, 44316, 43876)
Extend the gc admission plugin to check ownerReference.blockOwnerDeletion
#Extend the gc admission plugin to prevent user who doesn't have delete permission of the *owner* from changing blockOwnerDeletion field of existing ownerReferences, or adding ownerReference with blockOwnerDeletion=true.
The plugin need a RESTMapper to translate ownerRef.Kind to Resource. It should be using a dynamic one. However, as discussed in https://github.com/kubernetes/kubernetes/pull/42615, such a RESTMapper will be built after watchable discovery API is implemented, so in this PR the plugin is using the `api.Registry.RESTMapper()`, which is also [used](https://github.com/kubernetes/kubernetes/blob/master/cmd/kube-controller-manager/app/core.go#L165-L166) by the garbage collector currently.
```release-note
Extending the gc admission plugin so that a user who doesn't have delete permission of the *owner* cannot modify blockOwnerDeletion field of existing ownerReferences, or add new ownerReference with blockOwnerDeletion=true
```
cc @lavalamp
Automatic merge from submit-queue (batch tested with PRs 44424, 44026, 43939, 44386, 42914)
remove defaulting from conversion path
follow up for #42764
* remove call to defaulting from conversion path (defaulting is a separate step from conversion)
* remove non-top-level-object defaulting registration (unused after conversion call is removed)
* generate missing top-level defaults for some api groups:
* autoscaling/v2alpha1
* policy/v1alpha1
* policy/v1beta1
* register top-level defaults for some api groups that were missing them:
* autoscaling/v2alpha1
* settings/v1alpha1
Automatic merge from submit-queue
Bugfix: cloud-controller-manager routeController.run() block in WaitForCacheSync
**What this PR does / why we need it**:
cloud-controller-manager routeController.run not run in goroutine will block to wait nodeListerSynced because sharedInformers not started
**Special notes for your reviewer**:
cloud-controller-manager routeController.run should run in goroutine like the same code in kube-controller-manager,or it will block to wait nodeListerSynced,but sharedInformers not startd.
```go
//controller-manager.go:197
func StartControllers(s *options.CloudControllerManagerServer, kubeconfig *restclient.Config, rootClientBuilder, clientBuilder controller.ControllerClientBuilder, stop <-chan struct{}, recorder record.EventRecorder, cloud cloudprovider.Interface) error {
// Function to build the kube client object
client := func(serviceAccountName string) clientset.Interface {
return rootClientBuilder.ClientOrDie(serviceAccountName)
}
versionedClient := client("shared-informers")
sharedInformers := informers.NewSharedInformerFactory(versionedClient, resyncPeriod(s)())
ocateNodeCIDRs && s.ConfigureCloudRoutes {
if routes, ok := cloud.Routes(); !ok {
glog.Warning("configure-cloud-routes is set, but cloud provider does not support routes. Will not configure cloud provider routes.")
} else {
routeController := routecontroller.New(routes, client("route-controller"), sharedInformers.Core().V1().Nodes(), s.ClusterName, clusterCIDR)
//should run in goroutine
-----> routeController.Run(stop, s.RouteReconciliationPeriod.Duration)
time.Sleep(wait.Jitter(s.ControllerStartInterval.Duration, ControllerStartJitter))
}
} else {
glog.Infof("Will not configure cloud provider routes for allocate-node-cidrs: %v, configure-cloud-routes: %v.", s.AllocateNodeCIDRs, s.ConfigureCloudRoutes)
}
---> sharedInformers.Start(stop)
select {}
}
//routecontroller.go:77
func (rc *RouteController) Run(stopCh <-chan struct{}, syncPeriod time.Duration) {
defer utilruntime.HandleCrash()
glog.Info("Starting the route controller")
//will block
---> if !cache.WaitForCacheSync(stopCh, rc.nodeListerSynced) {
utilruntime.HandleError(fmt.Errorf("timed out waiting for caches to sync"))
return
}
go wait.NonSlidingUntil(func() {
if err := rc.reconcileNodeRoutes(); err != nil {
glog.Errorf("Couldn't reconcile node routes: %v", err)
}
}, syncPeriod, wait.NeverStop)
}
```
Automatic merge from submit-queue
Make the dockershim root directory configurable
Make the dockershim root directory configurable so things like
integration tests (e.g. in OpenShift) can run as non-root.
cc @sttts @derekwaynecarr @yujuhong @Random-Liu @kubernetes/sig-node-pr-reviews @kubernetes/rh-cluster-infra
Automatic merge from submit-queue
Exit from NewController() for PersistentVolumeController when InitPlugins() failed
Exit from NewController() for PersistentVolumeController when InitPlugins() failed just like NewAttachDetachController() does
**Release note**:
```release-note
NONE
```
@jsafrane @saad-ali PTAL. Thanks in advance
Automatic merge from submit-queue
Non global admission plugin registry
For testing the global state is a problem. This PR turns the actual registry into a struct that must be instantiated. For the beginning, we do this in `pkg/kubeapiserver/admission`. In some follow-up (where we hunt down all globals some day), we will move this into the genericapiserver.
Automatic merge from submit-queue
Conversionlint
**What this PR does / why we need it**:
This PR adds a comment placeholder for the exported or public functions in conversion generator files. Such functions without a comment results into golint failure in various generated files. The changes in this patch takes care of about 36 related lint failures.
Given below is an example lint error,
zz_generated.conversion.go:91:1: exported function Convert_v1alpha1_Binding_To_servicecatalog_Binding should have comment or be unexported
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Considering minor changes no issue is created.
**Special notes for your reviewer**:
Hello, I am trying to fix golint failures as we see them in the kubernetes-incubator/service-catalog project. I have separate PRs opened for lint issues related to other generator code which are in separate libraries like gengo. Thanks!
**Release note**:
```release-note
```
Automatic merge from submit-queue
Edge-based userspace LB in kube-proxy
@thockin @bowei - if one of you could take a look if that PR doesn't break some basic kube-proxy assumptions. The similar change for winuserproxy should be pretty trivial.
And we should also do that for iptables, but that requires splitting the iptables code to syncProxyRules (which from what I know @thockin already started working on so we should probably wait for it to be done).
Automatic merge from submit-queue
Add support for IP aliases for pod IPs (GCP alpha feature)
```release-note
Adds support for allocation of pod IPs via IP aliases.
# Adds KUBE_GCE_ENABLE_IP_ALIASES flag to the cluster up scripts (`kube-{up,down}.sh`).
KUBE_GCE_ENABLE_IP_ALIASES=true will enable allocation of PodCIDR ips
using the ip alias mechanism rather than using routes. This feature is currently
only available on GCE.
## Usage
$ CLUSTER_IP_RANGE=10.100.0.0/16 KUBE_GCE_ENABLE_IP_ALIASES=true bash -x cluster/kube-up.sh
# Adds CloudAllocator to the node CIDR allocator (kubernetes-controller manager).
If CIDRAllocatorType is set to `CloudCIDRAllocator`, then allocation
of CIDR allocation instead is done by the external cloud provider and
the node controller is only responsible for reflecting the allocation
into the node spec.
- Splits off the rangeAllocator from the cidr_allocator.go file.
- Adds cloudCIDRAllocator, which is used when the cloud provider allocates
the CIDR ranges externally. (GCE support only)
- Updates RBAC permission for node controller to include PATCH
```
Automatic merge from submit-queue
Remove alphaProvisioner in PVController and AlphaStorageClassAnnotation
remove alpha annotation and alphaProvisioner
**Release note**:
```release-note
NONE
```
If CIDRAllocatorType is set to `CloudCIDRAllocator`, then allocation
of CIDR allocation instead is done by the external cloud provider and
the node controller is only responsible for reflecting the allocation
into the node spec.
- Splits off the rangeAllocator from the cidr_allocator.go file.
- Adds cloudCIDRAllocator, which is used when the cloud provider allocates
the CIDR ranges externally. (GCE support only)
- Updates RBAC permission for node controller to include PATCH
The exported or public functions without a comment results into golint failure
in various generated files. The changes in this patch takes care of about 36
related lint failures.
Given below is an example lint error,
zz_generated.conversion.go:91:1: exported function
Convert_v1alpha1_Binding_To_servicecatalog_Binding should have comment or be
unexported
Automatic merge from submit-queue (batch tested with PRs 43870, 30302, 42722, 43736)
Admission plugin to merge pod and namespace tolerations for restricting pod placement on nodes
```release-note
This admission plugin checks for tolerations on the pod being admitted and its namespace, and verifies if there is any conflict. If there is no conflict, then it merges the pod's namespace tolerations with the the pod's tolerations and it verifies them against its namespace' whitelist of tolerations and returns. If a namespace does not have its default or whitelist tolerations specified, then cluster level default and whitelist is used. An example of its versioned config:
apiVersion: apiserver.k8s.io/v1alpha1
kind: AdmissionConfiguration
plugins:
- name: "PodTolerationRestriction"
configuration:
apiVersion: podtolerationrestriction.admission.k8s.io/v1alpha1
kind: Configuration
default:
- Key: key1
Value: value1
- Key: key2
Value: value2
whitelist:
- Key: key1
Value: value1
- Key: key2
Value: value2
```
Automatic merge from submit-queue
Add dockershim only mode
This PR added a `experimental-dockershim` hidden flag in kubelet to run dockershim only.
We introduce this flag mainly for cri validation test. In the future we should compile dockershim into another binary.
@yujuhong @feiskyer @xlgao-zju
/cc @kubernetes/sig-node-pr-reviews
Automatic merge from submit-queue
add rancher credential provider
This adds rancher as a credential provider in kubernetes.
@erictune This might be a good opportunity to discuss adding a provision for people to have their own credential providers that is similar to the new cloud provider changes (https://github.com/kubernetes/community/pull/128). WDYT?
```
release-note
Added Rancher Credential Provider to use Rancher Registry credentials when running in a Rancher cluster
```
Automatic merge from submit-queue (batch tested with PRs 43777, 44121)
Add patchMergeKey and patchStrategy support to OpenAPI
Support generating Open API extensions for strategic merge patch tags in go struct tags
Support `patchStrategy` and `patchMergeKey`.
Also support checking if the Open API extension and struct tags match.
```release-note
Support generating Open API extensions for strategic merge patch tags in go struct tags
```
cc: @pwittrock @ymqytw
(Description mostly copied from #43833)
Automatic merge from submit-queue (batch tested with PRs 43951, 43386)
kubeadm: Fix issue when kubeadm reset isn't working and the docker service is disabled
**What this PR does / why we need it**:
If the docker service is disabled, the preflight check lib will return a warning.
That warning _should not_ matter when deciding whether to reset docker state or not.
The current code skips the docker reset if the docker service is disabled, which is a bug.
Also, `Check()` must not return a `nil` slice.
It should be added that I **really don't like what we have at the moment**, I'd love to discuss with the node team to add something to CRI that basically says, "remove everything on this node" so we can stop doing this. Basically, kubeadm could talk to the specified socket (by default dockershim.sock), and call the CRI interface and say that everything should be cleaned up. This would then be cross-CRI-implementation at the same time and would work if you're using rkt, cri-o or whatever.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
helps in https://github.com/kubernetes/kubernetes/issues/43950
**Special notes for your reviewer**:
**Release note**:
```release-note
kubeadm: Make `kubeadm reset` tolerant of a disabled docker service.
```
@mikedanese @jbeda @dmmcquay @pipejakob @yujuhong @freehan
Automatic merge from submit-queue
Adding krousey as a kubeadm reviewer and owner
I would like to join the illustrious ranks of kubeadm owners. I plan to spend a considerable amount of time integrating this tool into our GCE and GKE deployments. If approver is too much, I would still like to be a reviewer.
I will mark this as "Do not merge" until I see approval from all current owners.
Automatic merge from submit-queue (batch tested with PRs 44143, 44133)
Fix panic in kubeadm master node setup
The problem was [caught](https://travis-ci.org/Mirantis/kubeadm-dind-cluster/jobs/218999640#L3249) by kubeadm-dind-cluster CI.
```
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.6.1
[init] Using Authorization mode: RBAC
[preflight] Skipping pre-flight checks
[certificates] Generated CA certificate and key.
[certificates] Generated API server certificate and key.
[certificates] API Server serving cert is signed for DNS names [kube-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 10.192.0.2]
[certificates] Generated API server kubelet client certificate and key.
[certificates] Generated service account token signing key and public key.
[certificates] Generated front-proxy CA certificate and key.
[certificates] Generated front-proxy client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[apiclient] Created API client, waiting for the control plane to become ready
[apiclient] All control plane components are healthy after 19.017839 seconds
panic: assignment to entry in nil map
goroutine 1 [running]:
panic(0x1b62140, 0xc4203f0380)
/usr/local/go/src/runtime/panic.go:500 +0x1a1
k8s.io/kubernetes/cmd/kubeadm/app/phases/apiconfig.attemptToUpdateMasterRoleLabelsAndTaints(0xc420b18be0, 0x4e, 0x0)
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/cmd/kubeadm/app/phases/apiconfig/setupmaster.go:57 +0x15b
k8s.io/kubernetes/cmd/kubeadm/app/phases/apiconfig.UpdateMasterRoleLabelsAndTaints(0xc420b18be0, 0x1a, 0xc420b18be0)
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/cmd/kubeadm/app/phases/apiconfig/setupmaster.go:86 +0x2f
k8s.io/kubernetes/cmd/kubeadm/app/cmd.(*Init).Run(0xc4201a4040, 0x29886e0, 0xc420022010, 0x1c73d01, 0xc4201a4040)
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/cmd/kubeadm/app/cmd/init.go:220 +0x29c
k8s.io/kubernetes/cmd/kubeadm/app/cmd.NewCmdInit.func1(0xc4203a46c0, 0xc420660680, 0x0, 0x2)
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/cmd/kubeadm/app/cmd/init.go:86 +0x197
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).execute(0xc4203a46c0, 0xc420660560, 0x2, 0x2, 0xc4203a46c0, 0xc420660560)
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:603 +0x439
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc4203b1d40, 0xc4203a4b40, 0xc4203a46c0, 0xc4203a4000)
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:689 +0x367
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).Execute(0xc4203b1d40, 0xc42046c420, 0x29886a0)
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/github.com/spf13/cobra/command.go:648 +0x2b
k8s.io/kubernetes/cmd/kubeadm/app.Run(0xc420627f70, 0xc4200001a0)
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/cmd/kubeadm/app/kubeadm.go:35 +0xe8
main.main()
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/cmd/kubeadm/kubeadm.go:26 +0x22
```
Automatic merge from submit-queue
[Federation] Remove FEDERATIONS_DOMAIN_MAP references
Remove all references to FEDERATIONS_DOMAIN_MAP as this method is no longer is used and is replaced by adding federation domain map to kube-dns configmap.
cc @madhusudancs @kubernetes/sig-federation-pr-reviews
**Release note**:
```
[Federation] Mechanism of adding `federation domain maps` to kube-dns deployment via `--federations` flag is superseded by adding/updating `federations` key in `kube-system/kube-dns` configmap. If user is using kubefed tool to join cluster federation, adding federation domain maps to kube-dns is already taken care by `kubefed join` and does not need further action.
```
Automatic merge from submit-queue (batch tested with PRs 44097, 42772, 43880, 44031, 44066)
kubeadm: Wait for node before updating labels and taints
**What this PR does / why we need it**:
Adds again (removed in #43881) waiting for at last single node appearance during kubeadm attempt to update master role labels and taints.
**Which issue this PR fixes**:
fixeskubernetes/kubeadm#221
**Release note**:
```NONE
```
Use shared informers instead of creating local controllers/reflectors
for the proxy's endpoints and service configs. This allows downstream
integrators to pass in preexisting shared informers to save on memory &
cpu usage.
This also enables the cache mutation detector for kube-proxy for those
presubmit jobs that already turn it on.
Kubelet flags are not necessarily appropriate for the KubeletConfiguration
object. For example, this PR also removes HostnameOverride and NodeIP
from KubeletConfiguration. This is a preleminary step to enabling Nodes
to share configurations, as part of the dynamic Kubelet configuration
feature (#29459). Fields that must be unique for each node inhibit
sharing, because their values, by definition, cannot be shared.
Automatic merge from submit-queue
kubelet: change image-gc-high-threshold below docker dm.min_free_space
docker dm.min_free_space defaults to 10%, which "specifies the min free space percent in a thin pool require for new device creation to succeed....Whenever a new a thin pool device is created (during docker pull or during container creation), the Engine checks if the minimum free space is available. If sufficient space is unavailable, then device creation fails and any relevant docker operation fails." [1]
This setting is preventing the storage usage to cross the 90% limit. However, image GC is expected to kick in only beyond image-gc-high-threshold. The image-gc-high-threshold has a default value of 90%, and hence GC never triggers. If image-gc-high-threshold is set to a value lower than (100 - dm.min_free_space)%, GC triggers.
xref https://bugzilla.redhat.com/show_bug.cgi?id=1408309
```release-note
changed kubelet default image-gc-high-threshold to 85% to resolve a conflict with default settings in docker that prevented image garbage collection from resolving low disk space situations when using devicemapper storage.
```
@derekwaynecarr @sdodson @rhvgoyal
Automatic merge from submit-queue
fix typo in kubeadm join -h
```
Flags:
--config string Path to kubeadm config file
--discovery-file string A file or url from which to load cluster information
--discovery-token string A token used to validate cluster information fetched from the master
--skip-preflight-checks skip preflight checks normally run before modifying the system
--tls-bootstrap-token string A token used for TLS bootstrapping
--token string Use this token for both discovery-token and tls-bootstrap-token
```
Automatic merge from submit-queue
Make RBAC post-start hook conditional on RBAC authorizer being used
Makes the RBAC post-start hook (and reconciliation) conditional on the RBAC authorizer being used
Ensures we don't set up unnecessary objects.
```release-note
RBAC role and rolebinding auto-reconciliation is now performed only when the RBAC authorization mode is enabled.
```
Automatic merge from submit-queue (batch tested with PRs 42360, 43109, 43737, 43853)
kubeadm: test-cmds for kubeadm completion
**What this PR does / why we need it**: Adding test-cmds for kubeadm completion.
Adding tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
don't wait for first kubelet to be ready and drop dummy deploy
Per https://github.com/kubernetes/kubernetes/issues/43815#issuecomment-290270198, I suggest that we drop both the node ready and the dummy deployment check altogether for 1.6 and move them to a validation phase for 1.7.
I really think we should drop these checks altogether. CreateClientAndWaitForAPI should create a client and wait for the API, not create dummy deployments and wait for nodes to register and be healthy. These are end to end validations and this is the wrong place to do this stuff. We need an explicit final validation phase for this.
```release-note
Fix a deadlock in kubeadm master initialization.
```
Fixes#43815
Automatic merge from submit-queue (batch tested with PRs 42617, 43247, 43509, 43644, 43820)
Bugfix: OpenAPI-gen was not generating extensions correctly
Fixes a bug in openapi-gen that generated invalid code if x-kubernetes extensions defined in types.go. The location of VendorExtensions was wrong.
Automatic merge from submit-queue (batch tested with PRs 42835, 42974)
remove legacy insecure port options from genericapiserver
The insecure port has been a source of problems and it will prevent proper aggregation into a cluster, so the genericapiserver has no need for it. In addition, there's no reason for it to be in the main kube-apiserver flow either. This pull removes it from genericapiserver and removes it from the shared kube-apiserver code. It's still wired up in the command, but its no longer possible for someone to mess up and start using in mainline code.
@kubernetes/sig-api-machinery-misc @ncdc
Automatic merge from submit-queue
proxy to IP instead of name, but still use host verification
I think I found a setting that lets us proxy to an IP and still do hostname verification on the certificate.
@liggitt @sttts Can you see if you agree that this knob does what I think it does? Last commit only, still needs tests.
Automatic merge from submit-queue (batch tested with PRs 42900, 43044, 42896, 43308, 43621)
require codecfactory
The genericapiserver requires a codec to start. Help new comers to the API by forcing them to set it when they create a new config.
Automatic merge from submit-queue (batch tested with PRs 43149, 41399, 43154, 43569, 42507)
kubeadm: only print stderr/stdout if failed test
**What this PR does / why we need it**: This PR changes when stdout/stderr will be logged during a kubeadm test-cmd test. It's useful when a real failure occurs to only see the failure rather than output that looks like it might be a failure
**Special notes for your reviewer**: /cc @luxas @marun
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
break kube-apiserver start into stages
This is a code shuffle which breaks the kube-apiserver start into
1. set defaults on the options
1. create the generic config from the options
1. create the master config from the generic config and the options
This makes apiserver composition easy/possible later on.
Automatic merge from submit-queue (batch tested with PRs 43144, 42671, 43226, 43314, 43361)
don't start controllers against unhealthy master
Operating against an unhealthy apiserver is unpredictable. Some clients like `kubectl` need to be best effort in this regard so that you can debug broken apiservers. Controllers shouldn't run against unhealthy masters.
Automatic merge from submit-queue (batch tested with PRs 43144, 42671, 43226, 43314, 43361)
start informers as a post-start-hook
Switches the shared informer start to a post start hook to make future API server composition easier. PostStartHooks will have to be unioned for server composition and this ensures that we don't accidentally skip starting them.
Automatic merge from submit-queue
Better messaging when GKE certificate signing fails.
**What this PR does / why we need it**:
On errors, the GKE signing API can respond with a JSON body that contains an error message explaining the failure. If we're able to extract it, use that message when reporting the error instead of the generic error returned by the webhook library. Also, always add an event to the CSR object on signing errors.
**Release note**:
```release-note
NONE
```
CC @mikedanese @jcbsmpsn
Automatic merge from submit-queue (batch tested with PRs 43642, 43170, 41813, 42170, 41581)
Enable storage class support in Azure File volume
**What this PR does / why we need it**:
Support StorageClass in Azure file volume
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Support StorageClass in Azure file volume
```
Automatic merge from submit-queue
kubeadm: Remove an outdated comment
Now that `AdvertiseAddress` is a `string` and not
`AdvertiseAddresses` a `[]string` this comment is no longer
necessary.
@k8s-mirror-cluster-lifecycle-misc RFR
**What this PR does / why we need it**
Just a little house cleaning by removing an outdated comment.
**Release note**:
```release-note
NONE
```
On errors, the GKE signing API can respond with a JSON body that
contains an error message explaining the failure. If we're able to
extract it, use that message when reporting the error instead of the
generic error returned by the webhook library. Also, always add an event
to the CSR object on signing errors.
Automatic merge from submit-queue
Use realistic value for the memory example of kube-reserved and system-reserved
Use realistic value for the memory example of kube-reserved and system-reserved
Currently, kublet help shows the memory example of
kube-reserved and system-reserved as 150G. This 150G is not realistic
value and it leads misconfiguration or confusion. This patch changes
to example value as 500Mi.
Before(same with system-reserved):
```
--kube-reserved value A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for kubernetes system components. Currently only cpu and memory are supported. See http://releases.k8s.io/HEAD/docs/user-guide/compute-resources.md for more detail. [default=none]
```
After(same with system-reserved):
```
--kube-reserved value A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=500Mi) pairs that describe resources reserved for kubernetes system components. Currently only cpu and memory are supported. See http://releases.k8s.io/HEAD/docs/user-guide/compute-resources.md for more detail. [default=none]
```
Automatic merge from submit-queue (batch tested with PRs 43355, 42827)
kubeadm: In-cluster DNS should be used when self-hosting
**What this PR does / why we need it**:
I noticed that the master components doesn't use the built-in cluster DNS which they really should do in order to be able to discover other services inside the cluster (like extension API Servers like service catalog).
This is a really small change that fixes a misconfiguration that had slipped though earlier.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@jbeda @bowei @MrHohn
Automatic merge from submit-queue
kubeadm: Default to v1.6.0 stable in offline scenarios in beforehand
**What this PR does / why we need it**:
In offline scenarios, kubeadm will fallback to the latest well-known version.
This PR bumps that to v1.6. We can merge now, and in the small gap between the merge of this PR and the actual v1.6 release, kubeadm devs will have to explicitely set k8s version.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@jbeda
Automatic merge from submit-queue (batch tested with PRs 43018, 42713)
kubeadm: Don't drain and remove the current node on kubeadm reset
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
In v1.5, `kubeadm reset` would drain your node and remove it from your cluster if you specified, but now in v1.6 we can't do that due to the RBAC rules we have set up.
After conversations with @liggitt, I also agree this functionality was somehow a little mis-placed (though still very convenient to use), so we're removing it for v1.6.
It's the system administrator's duty to drain and remove nodes from the cluster, not the nodes' responsibility.
The current behavior is therefore a bug that needs to be fixed in v1.6
**Release note**:
```release-note
kubeadm: `kubeadm reset` won't drain and remove the current node anymore
```
@liggitt @deads2k @jbeda @dmmcquay @pires @errordeveloper
Automatic merge from submit-queue
remove dgoodwin and dmmcquay to kubeadm reviewers
@dgoodwin says he needs to work on other stuff right now. @dmmcquay says he wants to help with reviews.
Automatic merge from submit-queue (batch tested with PRs 42940, 42906, 42970, 42848)
Improve kubeadm init message
Now that we are locking down the insecure port, we should give clearer instructions on how to copy out the root owned admin.conf file, chmod it and use it.
Signed-off-by: Joe Beda <joe.github@bedafamily.com>
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 42969, 42966)
kubeadm: update kubeadm banner to beta
**What this PR does / why we need it**: Updates the intro banner for kubeadm, which used to state it is in alpha (but we are going to beta). This also updates the tagged github group (one that no longer exists) to the sig-cluster-lifecycle-misc group.
**Special notes for your reviewer**: /cc @jbeda
**Release note**:
```release-note
NONE
```
Now that we are locking down the insecure port, we should give clearer instructions on how to copy out the root owned admin.conf file, chmod it and use it.
Signed-off-by: Joe Beda <joe.github@bedafamily.com>
Automatic merge from submit-queue (batch tested with PRs 42728, 42278)
[Federation] Create integration test fixture for api
This PR factors a reusable fixture for the federation api server out of the existing integration test.
Targets #40705
cc: @kubernetes/sig-federation-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 42762, 42739, 42425, 42778)
kubeadm: update docker version for CE and EE
**What this PR does / why we need it**: Update regex for docker version to also capture new CE and EE versions.
**Which issue this PR fixes**: fixes #https://github.com/kubernetes/kubeadm/issues/189
**Special notes for your reviewer**: /cc @jbeda @luxas
**Release note**:
```release-note
NONE
```
This change allows validators to pass warnings as well as errors. This
was needed because of how support for docker 1.13+ and the new EE and CE
versions is currently being handled.
Automatic merge from submit-queue
kubeadm: Delete the dummy Deployment properly
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes https://github.com/kubernetes/kubeadm/issues/149
**Special notes for your reviewer**:
Earlier, the Pod created by the Deployment wasn't deleted. With this option it is.
As suggested by @deads2k, thank you!
This is a bug fix for v1.6
**Release note**:
```release-note
```
@mikedanese @jbeda @dmmcquay @pires @errordeveloper @deads2k @caesarxuchao
Automatic merge from submit-queue (batch tested with PRs 42692, 42169, 42173)
DaemonSet: Respect ControllerRef
**What this PR does / why we need it**:
This is part of the completion of the [ControllerRef](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md) proposal. It brings DaemonSet into full compliance with ControllerRef. See the individual commit messages for details.
**Which issue this PR fixes**:
This ensures that DaemonSet does not fight with other controllers over control of Pods.
**Special notes for your reviewer**:
**Release note**:
```release-note
DaemonSet now respects ControllerRef to avoid fighting over Pods.
```
cc @erictune @kubernetes/sig-apps-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 42692, 42169, 42173)
Add pprof trace support
Add support for `/debug/pprof/trace`
Can wait for master to reopen for 1.7.
cc @smarterclayton @wojtek-t @gmarek @timothysc @jeremyeder @kubernetes/sig-scalability-pr-reviews
Automatic merge from submit-queue
kubeadm: Make kube-apiserver's liveness probe match its bindport.
The `kube-apiserver` liveness probe port had previously been hardcoded, so if you used `--apiserver-bind-port` to override the default port (6443), then the health check for the pod would quickly fail and kubelet would continuously kill the apiserver.
**Which issue this PR fixes**: fixes https://github.com/kubernetes/kubeadm/issues/196
**Release note**:
```release-note
kubeadm: fix kube-apiserver liveness probe port when --apiserver-bind-port given
```
Automatic merge from submit-queue (batch tested with PRs 41890, 42593, 42633, 42626, 42609)
make all controllers obey the disable flags
Fixes https://github.com/kubernetes/kubernetes/issues/42592
Some controllers weren't disable-able. This fixes them so they obey our flags.
@ncdc
It had previously been hardcoded, so if you used --apiserver-bind-port
to override the default port (6443), then the health check for the pod
would quickly fail and kubelet would continuously kill the apiserver.
Automatic merge from submit-queue (batch tested with PRs 41826, 42405)
Add stubDomains and upstreamNameservers configuration to kube-dns
```release-note
Updates the dnsmasq cache/mux layer to be managed by dnsmasq-nanny.
dnsmasq-nanny manages dnsmasq based on values from the
kube-system:kube-dns configmap:
"stubDomains": {
"acme.local": ["1.2.3.4"]
},
is a map of domain to list of nameservers for the domain. This is used
to inject private DNS domains into the kube-dns namespace. In the above
example, any DNS requests for *.acme.local will be served by the
nameserver 1.2.3.4.
"upstreamNameservers": ["8.8.8.8", "8.8.4.4"]
is a list of upstreamNameservers to use, overriding the configuration
specified in /etc/resolv.conf.
```
Automatic merge from submit-queue
Fix Multizone pv creation on GCE
When Multizone is enabled static PV creation on GCE
fails because Cloud provider configuration is not
available in admission plugins.
cc @derekwaynecarr @childsb
Automatic merge from submit-queue
kubeadm: Fix the nodeSelector and scheduler mounts when using the self-hosted mode
**What this PR does / why we need it**:
The self-hosted option in `kubeadm` was broken.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#42528
**Special notes for your reviewer**:
**Release note**:
```release-note
```
/cc @luxas
Automatic merge from submit-queue
Remove the kube-discovery binary from the tree
**What this PR does / why we need it**:
kube-discovery was a temporary solution to implementing proposal: https://github.com/kubernetes/community/blob/master/contributors/design-proposals/bootstrap-discovery.md
However, this functionality is now gonna be implemented in the core for v1.6 and will fully replace kube-discovery:
- https://github.com/kubernetes/kubernetes/pull/36101
- https://github.com/kubernetes/kubernetes/pull/41281
- https://github.com/kubernetes/kubernetes/pull/41417
So due to that `kube-discovery` isn't used in any v1.6 code, it should be removed.
The image `gcr.io/google_containers/kube-discovery-${ARCH}:1.0` should and will continue to exist so kubeadm <= v1.5 continues to work.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Remove cmd/kube-discovery from the tree since it's not necessary anymore
```
@jbeda @dgoodwin @mikedanese @dmmcquay @lukemarsden @errordeveloper @pires
Automatic merge from submit-queue
kubeadm: Hook up kubeadm against the BootstrapSigner
**What this PR does / why we need it**:
This PR makes kubeadm able to use the BootstrapSigner.
Depends on a few other PRs I've made, I'll rebase and fix this up after they've merged.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Example usage:
```console
lucas@THENINJA:~/luxas/kubernetes$ sudo ./kubeadm init --kubernetes-version v1.7.0-alpha.0.377-2a6414bc914d55
[sudo] password for lucas:
[kubeadm] WARNING: kubeadm is in alpha, please do not use it for production clusters.
[init] Using Kubernetes version: v1.7.0-alpha.0.377-2a6414bc914d55
[init] Using Authorization mode: RBAC
[preflight] Running pre-flight checks
[preflight] Starting the kubelet service
[certificates] Generated CA certificate and key.
[certificates] Generated API server certificate and key.
[certificates] Generated API server kubelet client certificate and key.
[certificates] Generated service account token signing key.
[certificates] Generated service account token signing public key.
[certificates] Generated front-proxy CA certificate and key.
[certificates] Generated front-proxy client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
[apiclient] Created API client, waiting for the control plane to become ready
[apiclient] All control plane components are healthy after 21.301384 seconds
[apiclient] Waiting for at least one node to register and become ready
[apiclient] First node is ready after 8.072688 seconds
[apiclient] Test deployment succeeded
[token-discovery] Using token: 67a96d.02405a1773564431
[apiconfig] Created RBAC rules
[addons] Created essential addon: kube-proxy
[addons] Created essential addon: kube-dns
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
http://kubernetes.io/docs/admin/addons/
You can now join any number of machines by running the following on each node:
kubeadm join --token 67a96d.02405a1773564431 192.168.1.115:6443
other-computer $ ./kubeadm join --token 67a96d.02405a1773564431 192.168.1.115:6443
[kubeadm] WARNING: kubeadm is in alpha, please do not use it for production clusters.
[preflight] Skipping pre-flight checks
[preflight] Starting the kubelet service
[discovery] Trying to connect to API Server "192.168.1.115:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.1.115:6443"
[discovery] Cluster info signature and contents are valid, will use API Server "https://192.168.1.115:6443"
[discovery] Successfully established connection with API Server "192.168.1.115:6443"
[bootstrap] Detected server version: v1.7.0-alpha.0.377+2a6414bc914d55
[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)
[csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request
[csr] Received signed certificate from the API server, generating KubeConfig...
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
Node join complete:
* Certificate signing request sent to master and response
received.
* Kubelet informed of new secure connection details.
Run 'kubectl get nodes' on the master to see this machine join.
# Wrong secret!
other-computer $ ./kubeadm join --token 67a96d.02405a1773564432 192.168.1.115:6443
[kubeadm] WARNING: kubeadm is in alpha, please do not use it for production clusters.
[preflight] Skipping pre-flight checks
[preflight] Starting the kubelet service
[discovery] Trying to connect to API Server "192.168.1.115:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.1.115:6443"
[discovery] Failed to connect to API Server "192.168.1.115:6443": failed to verify JWS signature of received cluster info object, can't trust this API Server
[discovery] Trying to connect to API Server "192.168.1.115:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.1.115:6443"
[discovery] Failed to connect to API Server "192.168.1.115:6443": failed to verify JWS signature of received cluster info object, can't trust this API Server
^C
# Poor method to create a cluster-info KubeConfig (a KubeConfig file with no credentials), but...
$ printf "kind: Config\n$(sudo ./kubeadm alpha phas --client-name foo --server https://192.168.1.115:6443 --token foo | head -6)\n" > cluster-info.yaml
$ cat cluster-info.yaml
kind: Config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFM01ESXlPREl3TXpBek1Gb1hEVEkzTURJeU5qSXdNekF6TUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmt0ClFlUVVrenlkQjhTMVM2Y2ZSQ0ZPUnNhdDk2Wi9Id3A3TGJiNkhrSFRub1dvbDhOOVpGUXNDcCtYbDNWbStTS1AKZWFLTTFZWWVDVmNFd0JXNUlWclIxMk51UzYzcjRqK1dHK2NTdjhUOFBpYUZjWXpLalRpODYvajlMYlJYNlFQWAovYmNWTzBZZDVDMVJ1cmRLK2pnRGprdTBwbUl5RDRoWHlEZE1vZk1laStPMytwRC9BeVh5anhyd0crOUFiNjNrCmV6U3BSVHZSZ1h4R2dOMGVQclhKanMwaktKKzkxY0NXZTZJWEZkQnJKbFJnQktuMy9TazRlVVdIUTg0OWJOZHgKdllFblNON1BPaitySktPVEpLMnFlUW9ua0t3WU5qUDBGbW1zNnduL0J0dWkvQW9hanhQNUR3WXdxNEk2SzcvdgplbUM4STEvdzFpSk9RS2dxQmdzQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFNL1JQbTYzQTJVaGhPMVljTUNqSEJlUjROOHkKUzB0Q2RNdDRvK0NHRDJKTUt5NDJpNExmQTM2L2hvb01iM2tpUkVSWTRDaENrMGZ3VHpSMHc5Q21nZHlVSTVQSApEc0dIRWdkRHpTVXgyZ3lrWDBQU04zMjRXNCt1T0t6QVRLbm5mMUdiemo4cFA2Uk9QZDdCL09VNiswckhReGY2CnJ6cDRldHhWQjdQWVE0SWg5em1KcVY1QjBuaUZrUDBSYWNDYUxFTVI1NGZNWDk1VHM0amx1VFJrVnBtT1ZGNHAKemlzMlZlZmxLY3VHYTk1ME1CRGRZR2UvbGNXN3JpTkRIUGZZLzRybXIxWG9mUGZEY0Z0ZzVsbUNMWk8wMDljWQpNdGZBdjNBK2dYWjBUeExnU1BpYkxaajYrQU9lMnBiSkxCZkxOTmN6ODJMN1JjQ3RxS01NVHdxVnd0dz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://192.168.1.115:6443
name: kubernetes
lucas@THENINJA:~/luxas/kubernetes$ sudo ./kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION
67a96d.02405a1773564431 <forever> <never> authentication,signing The default bootstrap token generated by 'kubeadm init'.
# Any token with the authentication usage set works as the --tls-bootstrap-token arg here
other-computer $ ./kubeadm join --skip-preflight-checks --discovery-file cluster-info.yaml --tls-bootstrap-token 67a96d.02405a1773564431
[kubeadm] WARNING: kubeadm is in alpha, please do not use it for production clusters.
[preflight] Skipping pre-flight checks
[preflight] Starting the kubelet service
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.1.115:6443"
[discovery] Synced cluster-info information from the API Server so we have got the latest information
[bootstrap] Detected server version: v1.7.0-alpha.0.377+2a6414bc914d55
[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)
[csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request
[csr] Received signed certificate from the API server, generating KubeConfig...
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
Node join complete:
* Certificate signing request sent to master and response
received.
* Kubelet informed of new secure connection details.
Run 'kubectl get nodes' on the master to see this machine join.
# Delete the RoleBinding that exposes the cluster-info ConfigMap publicly. Now this ConfigMap will be private
lucas@THENINJA:~/luxas/kubernetes$ kubectl -n kube-public edit rolebindings kubeadm:bootstrap-signer-clusterinfo
# This breaks the token joining method
other-computer $ sudo ./kubeadm join --token 67a96d.02405a1773564431 192.168.1.115:6443
[kubeadm] WARNING: kubeadm is in alpha, please do not use it for production clusters.
[preflight] Skipping pre-flight checks
[preflight] Starting the kubelet service
[discovery] Trying to connect to API Server "192.168.1.115:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.1.115:6443"
[discovery] Failed to request cluster info, will try again: [User "system:anonymous" cannot get configmaps in the namespace "kube-public". (get configmaps cluster-info)]
[discovery] Failed to request cluster info, will try again: [User "system:anonymous" cannot get configmaps in the namespace "kube-public". (get configmaps cluster-info)]
^C
# But we can still connect using the cluster-info file
other-computer $ sudo ./kubeadm join --skip-preflight-checks --discovery-file /k8s/cluster-info.yaml --tls-bootstrap-token 67a96d.02405a1773564431
[kubeadm] WARNING: kubeadm is in alpha, please do not use it for production clusters.
[preflight] Skipping pre-flight checks
[preflight] Starting the kubelet service
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.1.115:6443"
[discovery] Could not access the cluster-info ConfigMap for refreshing the cluster-info information, but the TLS cert is valid so proceeding...
[discovery] The cluster-info ConfigMap isn't set up properly (no kubeconfig key in ConfigMap), but the TLS cert is valid so proceeding...
[bootstrap] Detected server version: v1.7.0-alpha.0.377+2a6414bc914d55
[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)
[csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request
[csr] Received signed certificate from the API server, generating KubeConfig...
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
Node join complete:
* Certificate signing request sent to master and response
received.
* Kubelet informed of new secure connection details.
Run 'kubectl get nodes' on the master to see this machine join.
# What happens if the CA in the cluster-info file and the API Server's CA aren't equal?
# Generated new CA for the cluster-info file, a invalid one for connecting to the cluster
# The new cluster-info file is here:
lucas@THENINJA:~/luxas/kubernetes$ cat cluster-info.yaml
kind: Config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFM01ESXlPREUyTkRBME1Wb1hEVEkzTURJeU5qRTJOREEwTVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS3VHCmR3MXQ5Nmlkd1YrVmwxQjRVSmZWdGpNZ0NTd1poMG00bmR5Q1JCR3FIRkpMTGhIWjREM2N2ckg1Tk44UmZHS0EKb1cwVjN3Q3R2THl4UFdnZkZMbGtrdERPWnBDQ01oYzd2alYxU2FKUE9MS1BIUUtEdm1CVWFNcTdrUzN5NEg1VApMcUp3bFBUUXNVVW5YNWM5V0pzS2JIcEx6MnJZbC9Pam4veGRtd1lQa3JUTTJwSitMS0RjUkxLTEpiQjhGc2pzCnZBQTg2QURjY3phMDd0WEgxL1MzeTN0UDJMTDN0UVgvZWJIYWNPcHluYnVaNlIwdFhKeUpsTTVlOHRHMzFhWHMKQTV3cGo1d2Z1RGU1amRuTHgxNnFtbG5ueGV3OGp0bk4zSDExYUp6VlErOWlSQUZkUTN4WmN4dWdmQVM2ZndqRwo0QnJFeGpUOUFaRlVQb0VkR09NQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJc0pKRFIzbWMxQ1lCd2ViSkRPNm1MdWkwTk4KS3BVdlBuazlMbWlnb2JmYVhjQWlnUlo2M1pIYTd4MXBHNGpKRG8zY3lxNWEybTAzZ245RFMrcEpKYTdpMmpXUQpaV1YvZ2ZRMEk4RGc0endXU3J0T056NHpTTXQ1cW5JZjVWRC95KzVVSmVRck1XSEVFS1VrdklSQzhuUmIvV1F2CmNRWEpiN1hMY0dtbWJyaXpDSUlDYmI4KzhmNDFUWTZnTmg5ZzduaVdGZlp2VG1jN05aMTNjQVJjajJ0UTAzeVMKbWVPcEc2REdMRENFWWYzRld0QmdleE5CcFlFYy9ydUNnUE9IcEdhelYya3JHdFFNLzI0OGQ2ZndwcVNQOGc4RgpVSHNWZWxiMExnNmgvZ3VSYlZ5SENlck5zTDBJdFFhdjlscmZmWkxQaVA5TzNLQ0pBWk9MbXhEOUhaaz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://192.168.1.115:6443
name: kubernetes
# Try to join an API Server with the wrong CA
other-computer $ sudo ./kubeadm join --skip-preflight-checks --discovery-file /k8s/cluster-info.yaml --tls-bootstrap-token 67a96d.02405a1773564431
[kubeadm] WARNING: kubeadm is in alpha, please do not use it for production clusters.
[preflight] Skipping pre-flight checks
[preflight] Starting the kubelet service
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.1.115:6443"
[discovery] Failed to validate the API Server's identity, will try again: [Get https://192.168.1.115:6443/api/v1/namespaces/kube-public/configmaps/cluster-info: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")]
[discovery] Failed to validate the API Server's identity, will try again: [Get https://192.168.1.115:6443/api/v1/namespaces/kube-public/configmaps/cluster-info: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")]
[discovery] Failed to validate the API Server's identity, will try again: [Get https://192.168.1.115:6443/api/v1/namespaces/kube-public/configmaps/cluster-info: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")]
[discovery] Failed to validate the API Server's identity, will try again: [Get https://192.168.1.115:6443/api/v1/namespaces/kube-public/configmaps/cluster-info: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")]
^C
```
**Release note**:
```release-note
```
@jbeda @mikedanese @justinsb @pires @dmmcquay @roberthbailey @dgoodwin
Automatic merge from submit-queue
Eviction Manager Enforces Allocatable Thresholds
This PR modifies the eviction manager to enforce node allocatable thresholds for memory as described in kubernetes/community#348.
This PR should be merged after #41234.
cc @kubernetes/sig-node-pr-reviews @kubernetes/sig-node-feature-requests @vishh
** Why is this a bug/regression**
Kubelet uses `oom_score_adj` to enforce QoS policies. But the `oom_score_adj` is based on overall memory requested, which means that a Burstable pod that requested a lot of memory can lead to OOM kills for Guaranteed pods, which violates QoS. Even worse, we have observed system daemons like kubelet or kube-proxy being killed by the OOM killer.
Without this PR, v1.6 will have node stability issues and regressions in an existing GA feature `out of Resource` handling.
Automatic merge from submit-queue (batch tested with PRs 42443, 38924, 42367, 42391, 42310)
Dell EMC ScaleIO Volume Plugin
**What this PR does / why we need it**
This PR implements the Kubernetes volume plugin to allow pods to seamlessly access and use data stored on ScaleIO volumes. [ScaleIO](https://www.emc.com/storage/scaleio/index.htm) is a software-based storage platform that creates a pool of distributed block storage using locally attached disks on every server. The code for this PR supports persistent volumes using PVs, PVCs, and dynamic provisioning.
You can find examples of how to use and configure the ScaleIO Kubernetes volume plugin in [examples/volumes/scaleio/README.md](examples/volumes/scaleio/README.md).
**Special notes for your reviewer**:
To facilitate code review, commits for source code implementation are separated from other artifacts such as generated, docs, and vendored sources.
```release-note
ScaleIO Kubernetes Volume Plugin added enabling pods to seamlessly access and use data stored on ScaleIO volumes.
```
Automatic merge from submit-queue (batch tested with PRs 41919, 41149, 42350, 42351, 42285)
enable cgroups tiers and node allocatable enforcement on pods by default.
```release-note
Pods are launched in a separate cgroup hierarchy than system services.
```
Depends on #41753
cc @derekwaynecarr
Automatic merge from submit-queue (batch tested with PRs 41919, 41149, 42350, 42351, 42285)
kubelet: enable qos-level memory limits
```release-note
Experimental support to reserve a pod's memory request from being utilized by pods in lower QoS tiers.
```
Enables the QoS-level memory cgroup limits described in https://github.com/kubernetes/community/pull/314
**Note: QoS level cgroups have to be enabled for any of this to take effect.**
Adds a new `--experimental-qos-reserved` flag that can be used to set the percentage of a resource to be reserved at the QoS level for pod resource requests.
For example, `--experimental-qos-reserved="memory=50%`, means that if a Guaranteed pod sets a memory request of 2Gi, the Burstable and BestEffort QoS memory cgroups will have their `memory.limit_in_bytes` set to `NodeAllocatable - (2Gi*50%)` to reserve 50% of the guaranteed pod's request from being used by the lower QoS tiers.
If a Burstable pod sets a request, its reserve will be deducted from the BestEffort memory limit.
The result is that:
- Guaranteed limit matches root cgroup at is not set by this code
- Burstable limit is `NodeAllocatable - Guaranteed reserve`
- BestEffort limit is `NodeAllocatable - Guaranteed reserve - Burstable reserve`
The only resource currently supported is `memory`; however, the code is generic enough that other resources can be added in the future.
@derekwaynecarr @vishh
Automatic merge from submit-queue (batch tested with PRs 42365, 42429, 41770, 42018, 35055)
kubeadm: Add --cert-dir, --cert-altnames instead of --api-external-dns-names
**What this PR does / why we need it**:
- For the beta kubeadm init UX, we need this change
- Also adds the `kubeadm phase certs selfsign` command that makes the phase invokable independently
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
This PR depends on https://github.com/kubernetes/kubernetes/pull/41897
**Release note**:
```release-note
```
@dmmcquay @pires @jbeda @errordeveloper @mikedanese @deads2k @liggitt
Automatic merge from submit-queue
Remove defaults from string flags
- The default is printed automatically
- The string text did not match the actual default
**What this PR does / why we need it**:
Adjust the documentation for flags on `client-gen`.
**Special notes for your reviewer**:
Doc change. String text only.
**Release note**:
```release-note
NONE
```
Before:
```
client-gen --help
Usage of ./client-gen:
--build-tag string A Go build tag to use to identify files generated by this command. Should be unique. (default "ignore_autogenerated")
--clientset-api-path string the value of default API path.
-n, --clientset-name string the name of the generated clientset package. (default "internalclientset")
--clientset-only when set, client-gen only generates the clientset shell, without generating the individual typed clients
--clientset-path string the generated clientset will be output to <clientset-path>/<clientset-name>. Default to "k8s.io/kubernetes/pkg/client/clientset_generated/" (default "k8s.io/kubernetes/pkg/client/clientset_generated/")
--fake-clientset when set, client-gen will generate the fake clientset that can be used in tests (default true)
-h, --go-header-file string File containing boilerplate header text. The string YEAR will be replaced with the current 4-digit year. (default "/Users/mhb/go/src/k8s.io/gengo/boilerplate/boilerplate.go.txt")
--included-types-overrides stringSlice list of group/version/type for which client should be generated. By default, client is generated for all types which have genclient=true in types.go. This overrides that. For each groupVersion in this list, only the types mentioned here will be included. The default check of genclient=true will be used for other group versions.
--input stringSlice group/versions that client-gen will generate clients for. At most one version per group is allowed. Specified in the format "group1/version1,group2/version2...". Default to "api/,extensions/,autoscaling/,batch/,rbac/" (default [api/,authentication/,authorization/,autoscaling/,batch/,certificates/,extensions/,rbac/,storage/,apps/,policy/])
--input-base string base path to look for the api group. Default to "k8s.io/kubernetes/pkg/apis" (default "k8s.io/kubernetes/pkg/apis")
-i, --input-dirs stringSlice Comma-separated list of import paths to get input types from.
-o, --output-base string Output base; defaults to $GOPATH/src/ or ./ if $GOPATH is not set. (default "/Users/mhb/go/src")
-O, --output-file-base string Base name (without .go suffix) for output files.
-p, --output-package string Base package path.
-t, --test set this flag to generate the client code for the testdata
--verify-only If true, only verify existing output, do not write anything.
```
After:
```
client-gen --help
Usage of ./client-gen:
--build-tag string A Go build tag to use to identify files generated by this command. Should be unique. (default "ignore_autogenerated")
--clientset-api-path string the value of default API path.
-n, --clientset-name string the name of the generated clientset package. (default "internalclientset")
--clientset-only when set, client-gen only generates the clientset shell, without generating the individual typed clients
--clientset-path string the generated clientset will be output to <clientset-path>/<clientset-name>. (default "k8s.io/kubernetes/pkg/client/clientset_generated/")
--fake-clientset when set, client-gen will generate the fake clientset that can be used in tests (default true)
-h, --go-header-file string File containing boilerplate header text. The string YEAR will be replaced with the current 4-digit year. (default "/Users/mhb/go/src/k8s.io/gengo/boilerplate/boilerplate.go.txt")
--included-types-overrides stringSlice list of group/version/type for which client should be generated. By default, client is generated for all types which have genclient=true in types.go. This overrides that. For each groupVersion in this list, only the types mentioned here will be included. The default check of genclient=true will be used for other group versions.
--input stringSlice group/versions that client-gen will generate clients for. At most one version per group is allowed. Specified in the format "group1/version1,group2/version2...". (default [api/,authentication/,authorization/,autoscaling/,batch/,certificates/,extensions/,rbac/,storage/,apps/,policy/])
--input-base string base path to look for the api group. (default "k8s.io/kubernetes/pkg/apis")
-i, --input-dirs stringSlice Comma-separated list of import paths to get input types from.
-o, --output-base string Output base; defaults to $GOPATH/src/ or ./ if $GOPATH is not set. (default "/Users/mhb/go/src")
-O, --output-file-base string Base name (without .go suffix) for output files.
-p, --output-package string Base package path.
-t, --test set this flag to generate the client code for the testdata
--verify-only If true, only verify existing output, do not write anything.
```
Automatic merge from submit-queue (batch tested with PRs 41984, 41682, 41924, 41928)
RC/RS: Fully Respect ControllerRef
**What this PR does / why we need it**:
This is part of the completion of the [ControllerRef](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md) proposal. It brings ReplicaSet and ReplicationController into full compliance with ControllerRef. See the individual commit messages for details.
**Which issue this PR fixes**:
Although RC/RS had partially implemented ControllerRef, they didn't use it to determine which controller to sync, or to update expectations. This could lead to instability or controllers getting stuck.
Ref: https://github.com/kubernetes/kubernetes/issues/24433
**Special notes for your reviewer**:
**Release note**:
```release-note
```
cc @erictune @kubernetes/sig-apps-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 42128, 42064, 42253, 42309, 42322)
kubeadm: Rename some flags for beta UI and fixup some logic
**What this PR does / why we need it**:
In this PR:
- `--api-advertise-addresses` becomes `--apiserver-advertise-address`
- The API Server's logic here is that if the address is `0.0.0.0`, it chooses the host's default interface's address. kubeadm here uses exactly the same logic. This arg is then passed to `--advertise-address`, and the API Server will advertise that one for the service VIP.
- `--api-port` becomes `--apiserver-bind-port` for clarity
ref the meeting notes: https://docs.google.com/document/d/1deJYPIF4LmhGjDVaqrswErIrV7mtwJgovtLnPCDxP7U/edit#
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
@jbeda @dmmcquay @pires @lukemarsden @dgoodwin @mikedanese
Automatic merge from submit-queue (batch tested with PRs 42128, 42064, 42253, 42309, 42322)
Add storage.k8s.io/v1 API
This is combined version of reverted #40088 (first 4 commits) and #41646. The difference is that all controllers and tests use old `storage.k8s.io/v1beta1` API so in theory all tests can pass on GKE.
Release note:
```release-note
StorageClassName attribute has been added to PersistentVolume and PersistentVolumeClaim objects and should be used instead of annotation `volume.beta.kubernetes.io/storage-class`. The beta annotation is still working in this release, however it will be removed in a future release.
```
Automatic merge from submit-queue (batch tested with PRs 41931, 39821, 41841, 42197, 42195)
Apiserver: wait for Etcd to become available on startup
fixes#37704
export functions from pkg/api/validation
add settings API
add settings to pkg/registry
add settings api to pkg/master/master.go
add admission control plugin for pod preset
add new admission control plugin to kube-apiserver
add settings to import_known_versions.go
add settings to codegen
add validation tests
add settings to client generation
add protobufs generation for settings api
update linted packages
add settings to testapi
add settings install to clientset
add start of e2e
add pod preset plugin to config-test.sh
Signed-off-by: Jess Frazelle <acidburn@google.com>
Automatic merge from submit-queue
HPA Controller: Use Custom Metrics API
This commit switches over the HPA controller to use the custom metrics
API. It also converts the HPA controller to use the generated client
in k8s.io/metrics for the resource metrics API.
In order to enable support, you must enable
`--horizontal-pod-autoscaler-use-rest-clients` on the
controller-manager, which will switch the HPA controller's MetricsClient
implementation over to use the standard rest clients for both custom
metrics and resource metrics. This requires that at the least resource
metrics API is registered with kube-aggregator, and that the controller
manager is pointed at kube-aggregator. For this to work, Heapster
must be serving the new-style API server (`--api-server=true`).
Before this merges, this will need kubernetes/metrics#2 to merge, and a godeps update to pull that in.
It's also semi-dependent on kubernetes/heapster#1537, but that is not required in order for this to merge.
**Release note**:
```release-note
Allow the Horizontal Pod Autoscaler controller to talk to the metrics API and custom metrics API as standard APIs.
```
Automatic merge from submit-queue
Extensible Userspace Proxy
This PR refactors the userspace proxy to allow for custom proxy socket implementations.
It changes the the ProxySocket interface to ensure that other packages can properly implement it (making sure all arguments are publicly exposed types, etc), and adds in a mechanism for an implementation to create an instance of the userspace proxy with a non-standard ProxySocket.
Custom ProxySockets are useful to inject additional logic into the actual proxying. For example, our idling proxier uses a custom proxy socket to hold connections and notify the cluster that idled scalable resources need to be woken up.
Also-Authored-By: Ben Bennett bbennett@redhat.com
This commit switches over the HPA controller to use the custom metrics
API. It also converts the HPA controller to use the generated client
in k8s.io/metrics for the resource metrics API.
In order to enable support, you must enable
`--horizontal-pod-autoscaler-use-rest-clients` on the
controller-manager, which will switch the HPA controller's MetricsClient
implementation over to use the standard rest clients for both custom
metrics and resource metrics. This requires that at the least resource
metrics API is registered with kube-aggregator, and that the controller
manager is pointed at kube-aggregator. For this to work, Heapster
must be serving the new-style API server (`--api-server=true`).
Automatic merge from submit-queue
Extend experimental support to multiple Nvidia GPUs
Extended from #28216
```release-note
`--experimental-nvidia-gpus` flag is **replaced** by `Accelerators` alpha feature gate along with support for multiple Nvidia GPUs.
To use GPUs, pass `Accelerators=true` as part of `--feature-gates` flag.
Works only with Docker runtime.
```
1. Automated testing for this PR is not possible since creation of clusters with GPUs isn't supported yet in GCP.
1. To test this PR locally, use the node e2e.
```shell
TEST_ARGS='--feature-gates=DynamicKubeletConfig=true' FOCUS=GPU SKIP="" make test-e2e-node
```
TODO:
- [x] Run manual tests
- [x] Add node e2e
- [x] Add unit tests for GPU manager (< 100% coverage)
- [ ] Add unit tests in kubelet package
Automatic merge from submit-queue (batch tested with PRs 41921, 41695, 42139, 42090, 41949)
kubeadm: join ux changes
**What this PR does / why we need it**: Update `kubeadm join` UX according to https://github.com/kubernetes/community/pull/381
**Which issue this PR fixes**: fixes # https://github.com/kubernetes/kubeadm/issues/176
**Special notes for your reviewer**: /cc @luxas @jbeda
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
kubeadm: Turn off insecure apiserver access on localhost:8080
**What this PR does / why we need it**:
ref: https://github.com/kubernetes/kubeadm/issues/181
depends on: https://github.com/kubernetes/kubernetes/pull/41897
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Insecure access to the API Server at localhost:8080 will be turned off in v1.6 when using kubeadm
```
@jbeda @liggitt @deads2k @pires @lukemarsden @mikedanese @errordeveloper
Automatic merge from submit-queue (batch tested with PRs 42200, 39535, 41708, 41487, 41335)
Update kube-proxy support for Windows
**What this PR does / why we need it**:
The kube-proxy is built upon the sophisticated iptables NAT rules. Windows does not have an equivalent capability. This introduces a change to the architecture of the user space mode of the Windows version of kube-proxy to match the capabilities of Windows.
The proxy is organized around service ports and portals. For each service a service port is created and then a portal, or iptables NAT rule, is opened for each service ip, external ip, node port, and ingress ip. This PR merges the service port and portal into a single concept of a "ServicePortPortal" where there is one connection opened for each of service IP, external ip, node port, and ingress IP.
This PR only affects the Windows kube-proxy. It is important for the Windows kube-proxy because it removes the limited portproxy rule and RRAS service and enables full tcp/udp capability to services.
**Special notes for your reviewer**:
**Release note**:
```
Add tcp/udp userspace proxy support for Windows.
```
- Add a new type PortworxVolumeSource
- Implement the kubernetes volume plugin for Portworx Volumes under pkg/volume/portworx
- The Portworx Volume Driver uses the libopenstorage/openstorage specifications and apis for volume operations.
Changes for k8s configuration and examples for portworx volumes.
- Add PortworxVolume hooks in kubectl, kube-controller-manager and validation.
- Add a README for PortworxVolume usage as PVs, PVCs and StorageClass.
- Add example spec files
Handle code review comments.
- Modified READMEs to incorporate to suggestions.
- Add a test for ReadWriteMany access mode.
- Use util.UnmountPath in TearDown.
- Add ReadOnly flag to PortworxVolumeSource
- Use hostname:port instead of unix sockets
- Delete the mount dir in TearDown.
- Fix link issue in persistentvolumes README
- In unit test check for mountpath after Setup is done.
- Add PVC Claim Name as a Portworx Volume Label
Generated code and documentation.
- Updated swagger spec
- Updated api-reference docs
- Updated generated code under pkg/api/v1
Godeps update for Portworx Volume Driver
- Adds github.com/libopenstorage/openstorage
- Adds go.pedge.io/pb/go/google/protobuf
- Updates Godep Licenses
Automatic merge from submit-queue (batch tested with PRs 35094, 42095, 42059, 42143, 41944)
add aggregation integration test
Wires up an integration test which runs a full kube-apiserver, the wardle server, and the kube-aggregator and creates the APIservice object for the wardle server. Without services and DNS the aggregator doesn't proxy, but it does ensure we don't have an obvious panic or bring up failure.
@sttts @ncdc
Automatic merge from submit-queue
clean up generic apiserver options
Clean up generic apiserver options before we tag any levels. This makes them more in-line with "normal" api servers running on the platform.
Also remove dead example code.
@sttts
This changes the userspace proxy so that it cleans up its conntrack
settings when a service is removed (as the iptables proxy already
does). This could theoretically cause problems when a UDP service
as deleted and recreated quickly (with the same IP address). As
long as packets from the same UDP source IP and port were going to
the same destination IP and port, the the conntrack would apply and
the packets would be sent to the old destination.
This is astronomically unlikely if you did not specify the IP address
to use in the service, and even then, only happens with an "established"
UDP connection. However, in cases where a service could be "switched"
between using the iptables proxy and the userspace proxy, this case
becomes much more frequent.
Automatic merge from submit-queue (batch tested with PRs 42053, 41282, 42056, 41663, 40927)
Update kubeadm token to work as expected
**What this PR does / why we need it**:
Follows up: https://github.com/kubernetes/kubernetes/pull/41509
Updates `kubeadm token` to work as discussed in https://docs.google.com/document/d/1deJYPIF4LmhGjDVaqrswErIrV7mtwJgovtLnPCDxP7U/edit#
Promotes the command from the `ex` subcommand which now is named `alpha` for clarity. (This will later become `kubeadm alpha phase`)
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Example UX:
```console
sudo ./kubeadm token --help
This command will manage Bootstrap Token for you.
Please note this usage of this command is optional, and mostly for advanced users.
In short, Bootstrap Tokens are used for establishing bidirectional trust between a client and a server.
A Bootstrap Token can be used when a client (for example a node that's about to join the cluster) needs
to trust the server it is talking to. Then a Bootstrap Token with the "signing" usage can be used.
Bootstrap Tokens can also function as a way to allow short-lived authentication to the API Server
(the token serves as a way for the API Server to trust the client), for example for doing the TLS Bootstrap.
What is a Bootstrap Token more exactly?
- It is a Secret in the kube-system namespace of type "bootstrap.kubernetes.io/token".
- A Bootstrap Token must be of the form "[a-z0-9]{6}.[a-z0-9]{16}"; the former part is the public Token ID,
and the latter is the Token Secret, which must be kept private at all circumstances.
- The name of the Secret must be named "bootstrap-token-(token-id)".
You can read more about Bootstrap Tokens in this proposal:
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/bootstrap-discovery.md
Usage:
kubeadm token [flags]
kubeadm token [command]
Available Commands:
create Create bootstrap tokens on the server.
delete Delete bootstrap tokens on the server.
generate Generate and print a bootstrap token, but do not create it on the server.
list List bootstrap tokens on the server.
Flags:
--kubeconfig string The KubeConfig file to use for talking to the cluster (default "/etc/kubernetes/admin.conf")
Use "kubeadm token [command] --help" for more information about a command.
lucas@THENINJA:~/luxas/kubernetes$ sudo ./kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION
70c388.41a07b703aa4bedf <forever> <never> authentication,signing The default bootstrap token generated by 'kubeadm init'.
lucas@THENINJA:~/luxas/kubernetes$ sudo ./kubeadm token create
c57e6a.abb75fa1debe555f
lucas@THENINJA:~/luxas/kubernetes$ sudo ./kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION
70c388.41a07b703aa4bedf <forever> <never> authentication,signing The default bootstrap token generated by 'kubeadm init'.
c57e6a.abb75fa1debe555f <forever> <never> authentication,signing <none>
lucas@THENINJA:~/luxas/kubernetes$ sudo ./kubeadm token create s
token ["s"] was not of form ["^([a-z0-9]{6})\\.([a-z0-9]{16})$"]
lucas@THENINJA:~/luxas/kubernetes$ sudo ./kubeadm token create c57e6a.abb75fa1debe555f
a token with id "c57e6a" already exists
lucas@THENINJA:~/luxas/kubernetes$ sudo ./kubeadm token delete c57e6a.abb75fa1debe555f
bootstrap token with id "c57e6a" deleted
```
**Release note**:
```release-note
NONE
```
@dmmcquay @jbeda @mikedanese @errordeveloper @pires
Automatic merge from submit-queue (batch tested with PRs 42053, 41282, 42056, 41663, 40927)
Fully remove hand-written listers and informers
Note: the first commit is from #41927. Adding do-not-merge for now as we'll want that to go in first, and then I'll rebase this on top.
Update statefulset controller to use a lister for PVCs instead of a client request. Also replace a unit test's dependency on legacylisters with the generated ones. cc @kargakis @kow3ns @foxish @kubernetes/sig-apps-pr-reviews
Remove all references to pkg/controller/informers and pkg/client/legacylisters, and remove those packages.
@smarterclayton @deads2k this should be it!
cc @gmarek @wojtek-t @derekwaynecarr @kubernetes/sig-scalability-pr-reviews
Updates the dnsmasq cache/mux layer to be managed by dnsmasq-nanny.
dnsmasq-nanny manages dnsmasq based on values from the
kube-system:kube-dns configmap:
"stubDomains": {
"acme.local": ["1.2.3.4"]
},
is a map of domain to list of nameservers for the domain. This is used
to inject private DNS domains into the kube-dns namespace. In the above
example, any DNS requests for *.acme.local will be served by the
nameserver 1.2.3.4.
"upstreamNameservers": ["8.8.8.8", "8.8.4.4"]
is a list of upstreamNameservers to use, overriding the configuration
specified in /etc/resolv.conf.
Automatic merge from submit-queue (batch tested with PRs 42058, 41160, 42065, 42076, 39338)
New command for stand-alone GKE certificates controller
New stand-alone certificates controller for GKE. Rather than requiring the CA's private key on disk, this allows making external calls to GKE in order to sign cluster certificates.
**Which issue this PR fixes**: fixes#39761
**Release note**:
```release-note
New GKE certificates controller.
```
CC @mikedanese @jcbsmpsn
Automatic merge from submit-queue (batch tested with PRs 41962, 42055, 42062, 42019, 42054)
Don't restrict etcd on self host installs b/c a clipped etcd can have
**What this PR does / why we need it**:
Remove cpu-clipping from self hosted etcd install from the masters.
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41954, 40528, 41875, 41165, 41877)
preflight check external etcd version when kubeadm init
**What this PR does / why we need it**:
1. preflight check if verson of external etcd server meets the demand of kubeadm, currently requires >= 3.0.14
2. support mixed http endpoints and https endpoints
**Which issue this PR fixes** : fixes https://github.com/kubernetes/kubeadm/issues/174
**Special notes for your reviewer**:
i have tested against single endpoint including http etcd server , https etcd server, but multiple endpoints not tested yet. i'll do it tomorrow
Automatic merge from submit-queue (batch tested with PRs 41701, 41818, 41897, 41119, 41562)
kubeadm: Secure the control plane communication and add the kubeconfig phase command
**What this PR does / why we need it**:
This generates kubeconfig files for the controller-manager and the scheduler, ref: https://github.com/kubernetes/kubeadm/issues/172
The second commit adds the `kubeadm alpha phase kubeconfig` command as described in the design doc: https://github.com/kubernetes/kubeadm/pull/156
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
@dmmcquay What kind of tests would you like for the kubeconfig phase command?
**Release note**:
```release-note
```
@jbeda @mikedanese @dmmcquay @pires @liggitt @deads2k @errordeveloper
Automatic merge from submit-queue (batch tested with PRs 41857, 41864, 40522, 41835, 41991)
kubeadm: Demote --self-hosted to master config file.
**What this PR does / why we need it**:
kubeadm init --self-hosted was meant to be a short lived hack to enable self-hosted deployments until we're ready to make them the default. Rather than shipping this in 1.6 (for the first time) we will move this to the config file as it is presently only an advanced feature, leaving us with more well supported ways to remove it in the future.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
CC @luxas @pires @errordeveloper @dmmcquay
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 41857, 41864, 40522, 41835, 41991)
kubeadm: Use a new label for marking and tainting the master node
**What this PR does / why we need it**:
Implements https://github.com/kubernetes/kubernetes/pull/39112 for kubeadm until that PR is merged. I want to proceed on this stuff, it has been pending for too long already.
It's at least pretty safe to apply this for kubeadm now, since we're still in alpha in v1.6 implementation-wise, only the CLI will be beta.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Switch to the `node-role.kubernetes.io/master` label for marking and tainting the master node in kubeadm
```
cc @deads2k @liggitt @smarterclayton @jbeda @roberthbailey @mikedanese @justinsb @sttts @kubernetes/api-approvers @kubernetes/api-reviewers
Automatic merge from submit-queue (batch tested with PRs 41857, 41864, 40522, 41835, 41991)
kubeadm: update token separator to '.'
**What this PR does / why we need it**: From SIG meetings, it was agreed upon to have '.' be the separator for tokens. This PR updates that.
**Special notes for your reviewer**: /cc @luxas @jbeda
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
add client-ca to configmap in kube-public
Client CA information is not secret and it's required for any API server trying to terminate a TLS connection. This pull adds the information to configmaps in `kube-public` that look like this:
```yaml
apiVersion: v1
data:
client-ca.crt: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
requestheader-allowed-names: '["system:auth-proxy"]'
requestheader-client-ca-file: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
requestheader-extra-headers-prefix: '["X-Remote-Extra-"]'
requestheader-group-headers: '["X-Remote-Group"]'
requestheader-username-headers: '["X-Remote-User"]'
kind: ConfigMap
metadata:
creationTimestamp: 2017-02-22T17:54:37Z
name: extension-apiserver-authentication
namespace: kube-system
resourceVersion: "6"
selfLink: /api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication
uid: fa1dd328-f927-11e6-8b0e-28d2447dc82b
```
@kubernetes/sig-auth-api-reviews @liggitt @kubernetes/sig-api-machinery-pr-reviews @lavalamp @sttts
There will need to be a corresponding pull for permissions
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628)
enable DefaultTolerationSeconds admission controller by default
**What this PR does / why we need it**:
Continuation of PR #41414, enable DefaultTolerationSeconds admission controller by default.
**Which issue this PR fixes**:
fixes: #41860
related Issue: #1574, #25320
related PRs: #34825, #41133, #41414
**Special notes for your reviewer**:
**Release note**:
```release-note
enable DefaultTolerationSeconds admission controller by default
```
Automatic merge from submit-queue (batch tested with PRs 41621, 41946, 41941, 41250, 41729)
Refactor printers and describers into their own package.
This sets the stage for using printer code from the server side (decoupled from kubectl) and loosens the coupling between kubectl and the printers. `pkg/printers` contains interfaces and has an import restriction against pulling in API specific code, while `pkg/printers/internalversion` can be used for internal types.
Add a method on `Factory` for retrieving PrinterForCommand which uses the Scheme and RESTMapper from the Factory, not the hardcoded ones. This further separates kubectl from the core API scheme and allows better composition.
Change NamePrinter to use RESTMapper (previously it was hardcoding those conversions). This means that we now return plural resource names (`pods/foo`) but is correct once aliases and shortnames start being returned by the mapper.
This is a prerequisite for server side get, but is pure refactor (contains no new features).
@deads2k @liggitt
Automatic merge from submit-queue (batch tested with PRs 41854, 41801, 40088, 41590, 41911)
Add storage.k8s.io/v1 API
v1 API is direct copy of v1beta1 API. This v1 API gets installed and exposed in this PR, I tested that kubectl can create both v1beta1 and v1 StorageClass.
~~Rest of Kubernetes (controllers, examples,. tests, ...) still use v1beta1 API, I will update it when this PR gets merged as these changes would get lost among generated code.~~ Most parts use v1 API now, it would not compile / run tests without it.
**Release note**:
```
Kubernetes API storage.k8s.io for storage objects is now fully supported and is available as storage.k8s.io/v1. Beta version of the API storage.k8s.io/v1beta1 is still available in this release, however it will be removed in a future Kubernetes release.
Together with the API endpoint, StorageClass annotation "storageclass.beta.kubernetes.io/is-default-class" is deprecated and "storageclass.kubernetes.io/is-default-class" should be used instead to mark a default storage class. The beta annotation is still working in this release, however it won't be supported in the next one.
```
@kubernetes/sig-storage-misc
Automatic merge from submit-queue (batch tested with PRs 40665, 41094, 41351, 41721, 41843)
kubeadm: Add a --ca-cert-path flag to kubeadm join
**What this PR does / why we need it**:
This PR makes it possible to customize where the CA file is written
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
@pires @mikedanese @dmmcquay @jbeda @errordeveloper
Automatic merge from submit-queue (batch tested with PRs 40665, 41094, 41351, 41721, 41843)
parse single string as group rather than version
**What this PR does / why we need it**:
Prevent bad code generation by adjusting parsing of input.
When client-gen is run with `--input` as an unversioned type, it blows up if the group does not end with a trailing slash.
examples
1. `--input servicecatalog/v1alpha` is group servicecatalog, with version v1alpha1
1. `--input servicecatalog/` is group servicecatalog, with version empty string
1. `--input servicecatalog` is group empty string, with version servicecatalog
I disagree that the second and third cases are different. This adjusts them so they are both case 2.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
This change would address the concerns in PR https://github.com/kubernetes/community/pull/343
**Special notes for your reviewer**:
@caesarxuchao @pmorie this does not result in any change in any current code generation, and improves the user experience of client-gen. I ran `hack/update-codegen.sh` and saw no changes in git, nor did anything fail.
**Release note**:
```release-note
NONE
```
This adds a new stand-alone certificates controller for use on GKE. It
allows calling GKE to sign certificates instead of requiring the CA
private key locally.
It does not aim for 100% feature parity with kube-controller-manager
yet, so for instance, leader election support is omitted.
Automatic merge from submit-queue (batch tested with PRs 41667, 41820, 40910, 41645, 41361)
Switch admission to use shared informers
Originally part of #40097
cc @smarterclayton @derekwaynecarr @deads2k @liggitt @sttts @gmarek @wojtek-t @timothysc @lavalamp @kubernetes/sig-scalability-pr-reviews @kubernetes/sig-api-machinery-pr-reviews
