Commit Graph

622 Commits

Author SHA1 Message Date
Kubernetes Submit Queue
3a5fd6b6c1 Merge pull request #36064 from gmarek/inflight
Automatic merge from submit-queue

Split inflight requests into read-only and mutating groups

cc @smarterclayton @lavalamp @caesarxuchao 

```release-note
API server have two separate limits for read-only and mutating inflight requests.
```
2016-12-05 00:53:32 -08:00
Kubernetes Submit Queue
71182d826d Merge pull request #36816 from deads2k/api-43-front-proxy
Automatic merge from submit-queue

plumb in front proxy group header

Builds on https://github.com/kubernetes/kubernetes/pull/36662 and https://github.com/kubernetes/kubernetes/pull/36774, so only the last commit is unique.

This completes the plumbing for front proxy header information and makes it possible to add just the front proxy header authenticator.

WIP because I'm going to assess it in use downstream.
2016-12-03 18:01:42 -08:00
Kubernetes Submit Queue
12801e8bbb Merge pull request #37649 from smarterclayton/top_node
Automatic merge from submit-queue

kubectl top pod|node should handle when Heapster is somewhere else

OpenShift runs Heapster on HTTPS, which means `top node` and `top pod`
are broken because they hardcode 'http' as the scheme. Provide an
options struct allowing users to specify `--heapster-namespace`,
`--heapster-service`, `--heapster-scheme`, and `--heapster-port` to the
commands (leveraging the existing defaults).

@kubernetes/sig-metrics makes top a little more useful in other spots
2016-12-03 15:04:14 -08:00
Kubernetes Submit Queue
db323e9885 Merge pull request #36646 from kargakis/create-pdb-subcommand
Automatic merge from submit-queue (batch tested with PRs 38049, 37823, 38000, 36646)

kubectl: add create pdb subcommand

@mwielgus @mml @kubernetes/kubectl

```release-note
Add kubectl create poddisruptionbudget command
```
2016-12-03 14:20:54 -08:00
Kubernetes Submit Queue
f3d463f114 Merge pull request #37643 from ncdc/informer-gen
Automatic merge from submit-queue (batch tested with PRs 35300, 36709, 37643, 37813, 37697)

Add generated informers

Add informer-gen and the informers it generates. We'll do follow-up PRs to convert everything currently using the hand-written informers to the generated ones.

TODO:

- [x] switch to `GroupVersionResource`
- [x] finish godoc

@deads2k @caesarxuchao @sttts @liggitt
2016-12-03 08:55:57 -08:00
Michail Kargakis
065b652961 kubectl: add create pdb subcommand 2016-12-02 18:42:25 +01:00
Kubernetes Submit Queue
225cb1055f Merge pull request #37019 from pipejakob/e2e-anywhere-pr
Automatic merge from submit-queue

Add kubernetes-anywhere as a new e2e deployment option.

This change adds support for using `kubernetes-anywhere` as a deployment option for hack/e2e.go. This work is toward the larger goal of being able to run e2e tests against `kubeadm` clusters, which `kubernetes-anywhere` supports.

**Release note**:
```release-note
Add kubernetes-anywhere as a new e2e deployment option
```

The configuration in `getConfig()` comes mostly from the defaults in `kubernetes-anywhere`. In the future, we can add more plumbing to override them via CLI flags.

CC @mikedanese
2016-12-02 08:45:00 -08:00
Kubernetes Submit Queue
bbd447f555 Merge pull request #34789 from AdoHe/external_service
Automatic merge from submit-queue

create service add create ExternalName service implementation

@kubernetes/kubectl create service add ExternalName support, refer #34731 for more detail.

```release-note
kubectl create service externalname
```
2016-12-02 07:29:06 -08:00
Jacob Beacham
19fb97331d Add kubernetes-anywhere as a new e2e deployment option.
The configuration in getConfig() comes mostly from the defaults in
kubernetes-anywhere.
2016-12-01 13:29:04 -08:00
Clayton Coleman
3d237cac2e
kubectl top pod|node should handle when Heapster is somewhere else
OpenShift runs Heapster on HTTPS, which means `top node` and `top pod`
are broken because they hardcode 'http' as the scheme. Provide an
options struct allowing users to specify `--heapster-namespace`,
`--heapster-service`, `--heapster-scheme`, and `--heapster-port` to the
commands (leveraging the existing defaults).
2016-12-01 12:33:32 -05:00
Kubernetes Submit Queue
1570aad238 Merge pull request #37451 from jszczepkowski/ha-read-quorum
Automatic merge from submit-queue

Added setting etcd read quorum flag
2016-12-01 06:31:24 -08:00
deads2k
78f2958c0f add request header options for groups 2016-12-01 09:02:15 -05:00
gmarek
4762acbd1e Split inflight requests into read-only and mutating groups 2016-12-01 09:34:00 +01:00
Kubernetes Submit Queue
b0fd700f61 Merge pull request #36604 from deads2k/api-42-add-generic-loopback
Automatic merge from submit-queue

move parts of the mega generic run struct out

This splits the main `ServerRunOptions` into composeable pieces that are bindable separately and adds easy paths for composing servers to run delegating authentication and authorization.

@sttts @ncdc alright, I think this is as far as I need to go to make the composing servers reasonable to write.  I'll try leaving it here
2016-11-30 21:11:05 -08:00
Andy Goldstein
3bc87f9338 Add generated informers 2016-11-30 09:17:12 -05:00
deads2k
6846855929 add delegating authorization flags and options 2016-11-29 10:59:43 -05:00
deads2k
5cea15ac9f add delegating auth options 2016-11-29 10:59:43 -05:00
Jerzy Szczepkowski
02542cae06 Added setting etcd read quorum flag.
Added setting etcd read quorum flag in kube-up scripts. Required for HA master.
2016-11-25 13:53:11 +01:00
Random-Liu
dfbe7be5b5 Final cleanup for node conformance test. 2016-11-23 13:39:54 -08:00
Kubernetes Submit Queue
67dc87395b Merge pull request #36869 from madhusudancs/kubefed-join-context-secret-name-flags
Automatic merge from submit-queue

[Federation][join-flags] Add flags for cluster context and secret names while joining clusters to federation.

Vast majority of cluster contexts are not RFC 1123 subdomains. Since
cluster and secret names for the API objects are derived from the
cluster context name, there is no way for users to join clusters
with such context names to federation, unless they modify the context
name in their kubeconfigs itself. That's a lot of inconvenience and
entirely goes against the goal and beats the purpose of the `kubefed`
tool. So we are providing these flags to allow users to override these
values.

Also, since users register their clusters with federation, it is makes
sense in terms of user experience to make the cluster name a positional
argument because that feels more natural. Also, specifying cluster name
in the join command as a mandatory positional argument make
`kubefed join` consistent with `kubefed unjoin`. This also means
`--cluster-context` is now made a flag and defaults to cluster name if
unspecified.

`--secret-name` also defaults to the cluster name if unspecified.

Fixes: Issue #35954

cc @kubernetes/sig-cluster-federation @quinton-hoole @irfanurrehman
2016-11-21 13:02:03 -08:00
Bowei Du
19be1d2504 Allow kube-dns to load its configuration from a config map
- Adds command line flags --config-map, --config-map-ns.
- Fixes 36194 (https://github.com/kubernetes/kubernetes/issues/36194)
- Update kube-dns yamls
- Update bazel (hack/update-bazel.sh)
- Update known command line flags
- Temporarily reference new kube-dns image (this will be fixed with
  a separate commit when the DNS image is created)
2016-11-18 16:11:12 -08:00
Random-Liu
edf7608c51 Remove kubelet related flags from node e2e. Add a single flag kubelet-flags to pass kubelet flags all together. 2016-11-17 10:17:32 -08:00
Kubernetes Submit Queue
47a431e82f Merge pull request #36336 from justinsb/federation_dns_hosted_zone_2
Automatic merge from submit-queue

Federation: allow specification of dns zone by ID
2016-11-17 00:49:09 -08:00
AdoHe
d66bcbfa61 create service add create ExternalName service implementation 2016-11-16 04:47:10 -05:00
Madhusudan.C.S
005f5cd21e [Federation][join-flags] Add flags for cluster context and secret names while joining clusters to federation.
Vast majority of cluster contexts are not RFC 1123 subdomains. Since
cluster and secret names for the API objects are derived from the
cluster context name, there is no way for users to join clusters
with such context names to federation, unless they modify the context
name in their kubeconfigs itself. That's a lot of inconvenience and
entirely goes against the goal and beats the purpose of the `kubefed`
tool. So we are providing these flags to allow users to override these
values.

Also, since users register their clusters with federation, it is makes
sense in terms of user experience to make the cluster name a positional
argument because that feels more natural. Also, specifying cluster name
in the join command as a mandatory positional argument make `kubefed
join` consistent with `kubefed unjoin`. This also means `--cluster-
context` is now made a flag and defaults to cluster name if unspecified.

`--secret-name` also defaults to the cluster name if unspecified.
2016-11-15 23:47:53 -08:00
Kubernetes Submit Queue
b2cd67c31f Merge pull request #36756 from gmarek/contention
Automatic merge from submit-queue

Add a flag allowing contention profiling of the API server

Useful for performance debugging.

cc @smarterclayton @timothysc @lavalamp

```release-note
Add a flag allowing contention profiling of the API server
```
2016-11-15 03:04:27 -08:00
Vishnu kannan
9066253491 [kubelet] rename --cgroups-per-qos to --experimental-cgroups-per-qos to reflect the true nature of that feature
Signed-off-by: Vishnu kannan <vishnuk@google.com>
2016-11-14 14:06:39 -08:00
gmarek
c97633b1f5 Add a flag allowing contention profiling of the API server 2016-11-14 17:38:26 +01:00
Rajat Ramesh Koujalagi
d81e216fc6 Better messaging for missing volume components on host to perform mount 2016-11-09 15:16:11 -08:00
Kubernetes Submit Queue
916f526811 Merge pull request #36435 from wojtek-t/fix_max_inflight_requests
Automatic merge from submit-queue

Increase max-requests-inflight in large clusters

Fix #35402
2016-11-09 09:27:02 -08:00
Kubernetes Submit Queue
6983262914 Merge pull request #36267 from vishh/gci-mounter-scope
Automatic merge from submit-queue

Make GCI nodes mount non tmpfs, ext* & bind mounts using an external mounter 

This PR downloads the stage1 & gci-mounter ACIs as part of cluster bring up instead of downloading them dynamically from gcr.io, which was the cause for #36206.

I have also optimized the containerized mounter to pre-load the mounter image once to avoid fetch latency while using it.

Original PR which got reverted: https://github.com/kubernetes/kubernetes/pull/35821

```release-note
GCI nodes use an external mounter script to mount NFS & GlusterFS storage volumes
```

@mtaufen Node e2e is not re-enabled in this PR.

cc @jingxu97
2016-11-08 19:46:32 -08:00
Kubernetes Submit Queue
860cae0933 Merge pull request #35488 from dixudx/keystone-ca-cert
Automatic merge from submit-queue

specify custom ca file to verify the keystone server

<!--  Thanks for sending a pull request!  Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->

**What this PR does / why we need it**:

Sometimes the keystone server's certificate is self-signed, mainly used for internal development, testing and etc.

For this kind of ca, we need a way to verify the keystone server.

Otherwise, below error will occur.

> x509: certificate signed by unknown authority

This patch provide a way to pass in a ca file to verify the keystone server when starting `kube-apiserver`.

**Which issue this PR fixes** : fixes #22695, #24984

**Special notes for your reviewer**:

**Release note**:

<!--  Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access) 
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`. 
-->

``` release-note
```
2016-11-08 13:13:00 -08:00
Vishnu kannan
dd8ec911f3 Revert "Revert "Merge pull request #35821 from vishh/gci-mounter-scope""
This reverts commit 402116aed4.
2016-11-08 11:09:10 -08:00
Michael Taufen
0c6c622434 Fail kubelet creation if swap enabled
Provides an opt-in flag, --experimental-fail-swap-on (and corresponding
KubeletConfiguration value, ExperimentalFailSwapOn), which is false by default.
2016-11-08 08:39:31 -08:00
Wojciech Tyczynski
75d7d1ad37 Increase max-requests-inflight in large clusters 2016-11-08 14:41:58 +01:00
Justin Santa Barbara
df4280651c Federation: allow specification of dns zone by ID
If we have a public & private zone with the same name (which is common
on AWS), this means we can still create records.  Also tighten up some
of the logic to allow for zones with duplicate names.
2016-11-07 17:21:36 -05:00
Yu-Ju Hong
dcce768a3e Rename experimental-runtime-integration-type to experimental-cri 2016-11-07 11:29:24 -08:00
Kubernetes Submit Queue
9534c4f563 Merge pull request #32427 from Random-Liu/system-verification
Automatic merge from submit-queue

Node Conformance Test: Add system verification

For #30122 and #29081.

This PR introduces system verification test in node e2e and conformance test. It will run before the real test. Once the system verification fails, the test will just fail. The output of the system verification is like this:

```
I0909 23:33:20.622122    2717 validators.go:45] Validating os...
OS: Linux
I0909 23:33:20.623274    2717 validators.go:45] Validating kernel...
I0909 23:33:20.624037    2717 kernel_validator.go:79] Validating kernel version
KERNEL_VERSION: 3.16.0-4-amd64
I0909 23:33:20.624146    2717 kernel_validator.go:93] Validating kernel config
CONFIG_NAMESPACES: enabled
CONFIG_NET_NS: enabled
CONFIG_PID_NS: enabled
CONFIG_IPC_NS: enabled
CONFIG_UTS_NS: enabled
CONFIG_CGROUPS: enabled
CONFIG_CGROUP_CPUACCT: enabled
CONFIG_CGROUP_DEVICE: enabled
CONFIG_CGROUP_FREEZER: enabled
CONFIG_CGROUP_SCHED: enabled
CONFIG_CPUSETS: enabled
CONFIG_MEMCG: enabled
I0909 23:33:20.679328    2717 validators.go:45] Validating cgroups...
CGROUPS_CPU: enabled
CGROUPS_CPUACCT: enabled
CGROUPS_CPUSET: enabled
CGROUPS_DEVICES: enabled
CGROUPS_FREEZER: enabled
CGROUPS_MEMORY: enabled
I0909 23:33:20.679454    2717 validators.go:45] Validating docker...
DOCKER_GRAPH_DRIVER: aufs
```

It verifies the system following a predefined `SysSpec`:

``` go
// DefaultSysSpec is the default SysSpec.
 var DefaultSysSpec = SysSpec{
    OS:            "Linux",
    KernelVersion: []string{`3\.[1-9][0-9].*`, `4\..*`}, // Requires 3.10+ or 4+
    // TODO(random-liu): Add more config
    KernelConfig: KernelConfig{
        Required: []string{
            "NAMESPACES", "NET_NS", "PID_NS", "IPC_NS", "UTS_NS",
            "CGROUPS", "CGROUP_CPUACCT", "CGROUP_DEVICE", "CGROUP_FREEZER",
            "CGROUP_SCHED", "CPUSETS", "MEMCG",
        },
        Forbidden: []string{},
    },
    Cgroups: []string{"cpu", "cpuacct", "cpuset", "devices", "freezer", "memory"},
    RuntimeSpec: RuntimeSpec{
        DockerSpec: &DockerSpec{
            Version: []string{`1\.(9|\d{2,})\..*`}, // Requires 1.9+
            GraphDriver: []string{"aufs", "overlay", "devicemapper"},
        },
    },
 }
```

Currently, it only supports:
- Kernel validation: version validation and kernel configuration validation
- Cgroup validation: validating whether required cgroups subsystems are enabled.
- Runtime Validation: currently, only validates docker graph driver.

The validating framework is ready. The specific validation items could be added over time.

@dchen1107 
/cc @kubernetes/sig-node
2016-11-06 17:12:39 -08:00
Kubernetes Submit Queue
b7512d9c8b Merge pull request #36240 from wojtek-t/quota_bytes_backend
Automatic merge from submit-queue

Increase quota-bytes for etcd in v3 mode

Ref #20504
2016-11-06 09:45:59 -08:00
Kubernetes Submit Queue
42fe4ab027 Merge pull request #35372 from justinsb/federation_dns_hosted_zone_1
Automatic merge from submit-queue

Federation: separate notion of zone-name & dns-suffix
2016-11-05 17:29:09 -07:00
Kubernetes Submit Queue
afa99c68b8 Merge pull request #35144 from pipejakob/generate-token
Automatic merge from submit-queue

New command: "kubeadm token generate"

As part of #33930, this PR adds a new top-level command to kubeadm to just generate a token for use with the init/join commands. Otherwise, users are left to either figure out how to generate a token on their own, or let `kubeadm init` generate a token, capture and parse the output, and then use that token for `kubeadm join`.

At this point, I was hoping for feedback on the CLI experience, and then I can add tests. I spoke with @mikedanese and he didn't like the original propose of `kubeadm util generate-token`, so here are the runners up:

```
$ kubeadm generate-token          # <--- current implementation
$ kubeadm generate token          # in case kubeadm might generate other things in the future?
$ kubeadm init --generate-token   # possibly as a subcommand of an existing one
```

Currently, the output is simply the token on one line without any padding/formatting:

```
$ kubeadm generate-token
1087fd.722b60cdd39b1a5f
```

CC: @kubernetes/sig-cluster-lifecycle 

**Release note**:

<!--  Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access) 
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`. 
-->

``` release-note
New kubeadm command: generate-token
```
2016-11-05 16:12:52 -07:00
Kubernetes Submit Queue
f1603181a3 Merge pull request #35970 from deads2k/controller-15-enable
Automatic merge from submit-queue

make using service account credentials from controllers optional

Adds a flag to make the "SA per controller" behavior optional.
2016-11-05 08:11:10 -07:00
deads2k
ebf796a649 make using service account credentials from controllers optional 2016-11-04 14:17:34 -04:00
Wojciech Tyczynski
ca99cbca02 Increase quota-bytes for etcd in v3 mode 2016-11-04 17:00:54 +01:00
Di Xu
dd6c980949 specify custom ca file to verify the keystone server 2016-11-04 15:11:41 +08:00
Timothy St. Clair
2b012e822a Add minimum iptables sync period to the proxy, default is 2/sec 2016-11-04 00:38:35 -05:00
Bowei Du
a06fc6ab7a Adds TCPCloseWaitTimeout option to kube-proxy for sysctl nf_conntrack_tcp_timeout_time_wait
Fixes issue-32551
2016-11-03 22:07:02 -07:00
Random-Liu
a5fdf3850c Add system verification. 2016-11-03 20:37:18 -07:00
saadali
402116aed4 Revert "Merge pull request #35821 from vishh/gci-mounter-scope"
This reverts commit 973fa6b334, reversing
changes made to 41b5fe86b6.
2016-11-03 20:23:25 -07:00
Kubernetes Submit Queue
973fa6b334 Merge pull request #35821 from vishh/gci-mounter-scope
Automatic merge from submit-queue

[Kubelet] Use the custom mounter script for Nfs and Glusterfs only

This patch reduces the scope for the containerized mounter to NFS and GlusterFS on GCE + GCI clusters

This patch also enabled the containerized mounter on GCI nodes

Shepherding multiple PRs through the submit queue is painful. Hence I combined them into this PR. Please review each commit individually.

cc @jingxu97 @saad-ali

https://github.com/kubernetes/kubernetes/pull/35652 has also been reverted as part of this PR
2016-11-03 04:32:19 -07:00