Commit Graph

14194 Commits

Author SHA1 Message Date
Kubernetes Prow Robot
dc2fe6d56c
Merge pull request #105078 from aramase/fix-typo-kms-config
fix typo in kms encryption config logs
2021-09-27 07:33:49 -07:00
Kubernetes Prow Robot
48d844ec64
Merge pull request #104483 from margocrawf/master
Add UID to client-go impersonation config
2021-09-27 07:33:36 -07:00
Kubernetes Prow Robot
486ca678a0
Merge pull request #104923 from davidkarlsen/xfsFormatIssue
mount-utils: force-format xfs-filesystems too
2021-09-27 02:29:36 -07:00
Khaled Henidak (Kal)
a53e2eaeab
move IPv6DualStack feature to stable. (#104691)
* kube-proxy

* endpoints controller

* app: kube-controller-manager

* app: cloud-controller-manager

* kubelet

* app: api-server

* node utils + registry/strategy

* api: validation (comment removal)

* api:pod strategy (util pkg)

* api: docs

* core: integration testing

* kubeadm: change feature gate to GA

* service registry and rest stack

* move feature to GA

* generated
2021-09-24 16:30:22 -07:00
Margo Crawford
d9ddfb26e1 Introduces Impersonate-Uid to client-go.
* Updates ImpersonationConfig in rest/config.go to include UID
  attribute, and pass it through when copying the config
* Updates ImpersonationConfig in transport/config.go to include UID
  attribute
* In transport/round_tripper.go, Set the "Impersonate-Uid" header in
  requests based on the UID value in the config
* Update auth_test.go integration test to specify a UID through the new
  rest.ImpersonationConfig field rather than manually setting the
  Impersonate-Uid header

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-09-24 14:06:30 -07:00
Kubernetes Prow Robot
dce069ce22
Merge pull request #104588 from liggitt/podsecurity-benchmark
PodSecurity: benchmark and optimize privileged namespace evaluations
2021-09-22 16:17:10 -07:00
Kubernetes Prow Robot
752c4b7f0b
Merge pull request #105160 from MikeSpreitzer/improve-sharding-and-dispatch
Improve sharding and dispatch
2021-09-22 12:58:32 -07:00
Jordan Liggitt
32a5f41ec4 PodSecurity: avoid double parsing policy from namespace labels
benchmark                                                           old ns/op     new ns/op     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          224           225           +0.40%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   237           234           -1.31%
BenchmarkVerifyPod/enforce-privileged_pod-12                        259           245           -5.26%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 261           254           -2.72%
BenchmarkVerifyPod/enforce-baseline_pod-12                          2967          2850          -3.94%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   252           255           +0.87%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3244          3125          -3.67%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 258           261           +0.97%
BenchmarkVerifyPod/warn-baseline_pod-12                             2956          2841          -3.89%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3034          2913          -3.99%
BenchmarkVerifyPod/warn-restricted_pod-12                           3276          3176          -3.05%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3302          3157          -4.39%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5159          5132          -0.52%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4208          4069          -3.30%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4336          4252          -1.94%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4436          4316          -2.71%
2021-09-22 10:26:34 -04:00
Kubernetes Prow Robot
5b489e2846
Merge pull request #104983 from MikeSpreitzer/list-metrics-take3
Try yet again to add metrics about LIST handling
2021-09-22 07:16:02 -07:00
Kubernetes Prow Robot
950e978ff1
Merge pull request #105180 from tallclair/forbidden
Fix PodSecurity forbidden response reason
2021-09-21 21:08:00 -07:00
Kubernetes Prow Robot
7432904c53
Merge pull request #105169 from liggitt/gomodule-codegenerator
Smoke test code-generator using full packages
2021-09-21 14:08:41 -07:00
Jordan Liggitt
636c769fb8 PodSecurity: preconstruct reused values
benchmark                                                           old ns/op     new ns/op     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          370           228           -38.49%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   408           241           -40.86%
BenchmarkVerifyPod/enforce-privileged_pod-12                        420           242           -42.27%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 426           256           -39.84%
BenchmarkVerifyPod/enforce-baseline_pod-12                          4259          3006          -29.42%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   341           266           -22.12%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3322          3282          -1.20%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 327           260           -20.59%
BenchmarkVerifyPod/warn-baseline_pod-12                             2964          3020          +1.89%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3069          3127          +1.89%
BenchmarkVerifyPod/warn-restricted_pod-12                           3223          3330          +3.32%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3443          3533          +2.61%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5193          5405          +4.08%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4295          4358          +1.47%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4363          4513          +3.44%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4482          4588          +2.37%

benchmark                                                           old allocs     new allocs     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          2              1              -50.00%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   2              1              -50.00%
BenchmarkVerifyPod/enforce-privileged_pod-12                        2              1              -50.00%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 2              1              -50.00%
BenchmarkVerifyPod/enforce-baseline_pod-12                          17             17             +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   2              1              -50.00%
BenchmarkVerifyPod/enforce-restricted_pod-12                        17             17             +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 2              1              -50.00%
BenchmarkVerifyPod/warn-baseline_pod-12                             17             17             +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12                      19             19             +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12                           17             17             +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12                    19             19             +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               27             27             +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        24             24             +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            22             22             +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     24             24             +0.00%

benchmark                                                           old bytes     new bytes     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          208           112           -46.15%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   208           112           -46.15%
BenchmarkVerifyPod/enforce-privileged_pod-12                        208           112           -46.15%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 208           112           -46.15%
BenchmarkVerifyPod/enforce-baseline_pod-12                          3368          3368          +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   208           112           -46.15%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3368          3368          +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 208           112           -46.15%
BenchmarkVerifyPod/warn-baseline_pod-12                             3368          3368          +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3552          3552          +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12                           3368          3368          +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3552          3552          +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5864          5864          +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4800          4800          +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4616          4616          +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4800          4800          +0.00%
2021-09-21 16:20:11 -04:00
Jordan Liggitt
d5589ba65f PodSecurity: optimize evaluation of fully-privileged namespaces
benchmark                                                           old ns/op     new ns/op     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          2658          370           -86.07%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   2462          408           -83.42%
BenchmarkVerifyPod/enforce-privileged_pod-12                        2346          420           -82.11%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 2318          426           -81.64%
BenchmarkVerifyPod/enforce-baseline_pod-12                          3606          4259          +18.11%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   2032          341           -83.22%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3522          3322          -5.68%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 1893          327           -82.70%
BenchmarkVerifyPod/warn-baseline_pod-12                             3076          2964          -3.64%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3111          3069          -1.35%
BenchmarkVerifyPod/warn-restricted_pod-12                           3155          3223          +2.16%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3235          3443          +6.43%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5148          5193          +0.87%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4147          4295          +3.57%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4286          4363          +1.80%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4447          4482          +0.79%

benchmark                                                           old allocs     new allocs     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          12             2              -83.33%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   14             2              -85.71%
BenchmarkVerifyPod/enforce-privileged_pod-12                        12             2              -83.33%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 14             2              -85.71%
BenchmarkVerifyPod/enforce-baseline_pod-12                          17             17             +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   14             2              -85.71%
BenchmarkVerifyPod/enforce-restricted_pod-12                        17             17             +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 14             2              -85.71%
BenchmarkVerifyPod/warn-baseline_pod-12                             17             17             +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12                      19             19             +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12                           17             17             +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12                    19             19             +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               27             27             +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        24             24             +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            22             22             +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     24             24             +0.00%

benchmark                                                           old bytes     new bytes     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          2120          208           -90.19%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   2304          208           -90.97%
BenchmarkVerifyPod/enforce-privileged_pod-12                        2120          208           -90.19%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 2304          208           -90.97%
BenchmarkVerifyPod/enforce-baseline_pod-12                          3368          3368          +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   2304          208           -90.97%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3368          3368          +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 2304          208           -90.97%
BenchmarkVerifyPod/warn-baseline_pod-12                             3368          3368          +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3552          3552          +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12                           3368          3368          +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3552          3552          +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5864          5864          +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4800          4800          +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4616          4616          +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4800          4800          +0.00%
2021-09-21 16:20:11 -04:00
Kubernetes Prow Robot
d5f39ebe4d
Merge pull request #105064 from knight42/refactor-switch-to-stdlib-cipher
refactor: switch to tls cipher suite in stdlib
2021-09-21 11:56:42 -07:00
Tim Allclair
4633670153 Fix PodSecurity forbidden response reason
2021-09-21 11:34:13 -07:00
Kubernetes Prow Robot
bf77f8ff43
Merge pull request #105162 from MadhavJivrajani/migrate-clock-pkg
migrate k8s.io/apimachinery/util/clock -> k8s.io/utils/clock
2021-09-21 08:44:24 -07:00
Mike Spreitzer
4b9cba8587 Improve queueset sharding and dispatching
New anti-windup technique: use the request arrival time as the floor
on the virtual dispatch time.  Prevent bound violations where they
might arise rather than fixing up just one queue at dispatch time,
so that the fixed up dispatch times figure into the dispatching choice.

Two tweaks to the shuffle sharding.  Take seats of executing requests
into account as well as seats of waiting requests.  Do not always
consider the generated hand in the same order.

Rename the queueset methods that do shuffle sharding and finding the
queue to dispatch from, because the old names were confusingly
similar.

Tighten up some request margins.

Name the test cases in TestNoRestraint and TestWindup.
2021-09-21 11:20:02 -04:00
Jordan Liggitt
e63725425f Smoke test code-generator using full packages
2021-09-21 10:17:42 -04:00
Kubernetes Prow Robot
68d646a101
Merge pull request #105085 from MikeSpreitzer/fix-queueset-tests
Update TestNoRestraint and TestWindup
2021-09-21 03:48:23 -07:00
Madhav Jivrajani
fed2ec99c6 migrate k8s.io/apimachinery/util/clock -> k8s.io/utils/clock
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
2021-09-21 15:54:44 +05:30
Mike Spreitzer
0ee1a7b4ff More test tweaks
Canonicalize listing of test cases.

Make TestNoRestraint try both cases: competition and none.
2021-09-21 03:06:38 -04:00
Kubernetes Prow Robot
775c9314ad
Merge pull request #104578 from MadhavJivrajani/refactor-rate-limiters
Move client-go/tools/record tests away from `IntervalClock` to `SimpleIntervalClock`
2021-09-20 15:02:24 -07:00
Kubernetes Prow Robot
353f0a5eab
Merge pull request #105095 from wojtek-t/migrate_clock_3
Unify towards k8s.io/utils/clock - part 3
2021-09-20 12:46:45 -07:00
Kubernetes Prow Robot
f55101913f
Merge pull request #105098 from Karthik-K-N/fix-error-format
Fix incorrect format specifier in test files
2021-09-20 08:56:09 -07:00
Kubernetes Prow Robot
232bc67b22
Merge pull request #104655 from luyou86/client-go-bucket-rate-limiter-add-maxDelay
client-go bucket rate limiter add maxDelay
2021-09-20 07:46:11 -07:00
Kubernetes Prow Robot
6e92ee6788
Merge pull request #105106 from MikeSpreitzer/apf-migrate-clock
Migrate apiserver/pkg/util/flowcontrol to use k8s.io/utils/clock
2021-09-20 03:52:09 -07:00
Kubernetes Prow Robot
a73f45dd96
Merge pull request #105031 from howardjohn/q/memory-leak
workqueue: fix leak in queue preventing objects from being GCed
2021-09-17 23:42:06 -07:00
Kubernetes Prow Robot
35ae8c9fe4
Merge pull request #105080 from smira/client-error-wrapping
fix: wrap errors correct when validating kubeconfig
2021-09-17 12:55:03 -07:00
Mike Spreitzer
9f45c0f8c0 Migrate apiserver/pkg/util/flowcontrol to use k8s.io/utils/clock
.. instead of apimachinery/pkt/util/clock
2021-09-17 15:36:14 -04:00
Madhav Jivrajani
ac5c55f0bd Refactor client-go/util/flowcontrol/throttle.go RateLimiter
- Introduce PassiveRateLimiter which implements all methods of previous RateLimiter except Accept() and Wait()
- Change RateLimiter interface to extend PassiveRateLimiter by additionally implementing Accept() and Wait()
- Make client-go/tools/record use PassiveRateLimiter

Refactor EventSourceObjectSpamFilter, EventAggregator, EventCorrelator

- EventSourceObjectSpamFilter, EventAggregator, EventCorrelator use clock.PassiveClock now.
	- This won't be a breaking change because even if a clock.Clock is passed, it still implements the clock.PassiveClock interface.
- Extend clock.PassiveClock through Clock.
- Replace package local implementation of realClock with clock.RealClock
- In flowcontrol/throttle.go split tokenBucketRateLimiters to use Clock and clock.PassiveClock.
- Migrate client-go/tools/record tests from using IntervalClock to using SimpleIntervalClock (honest implementation of clock.PassiveClock)

Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
2021-09-17 21:20:46 +05:30
John Howard
2a34801168 workqueue: fix leak in queue preventing objects from being GCed
See https://github.com/grpc/grpc-go/issues/4758 for a real world example
of this leaking 2gb+ of data.

Basically, when we do `q.queue[1:]` we are just repositioning the slice.
The underlying array is still active, which contains the object formerly
known as `q.queue[0]`. Because it's referencing this object, it will not
be GCed. The only thing that will trigger it to free is eventually when
we add enough to the queue that we allocate a whole new array.

Instead, we should explicitly clear out the old space when we remove it
from the queue. This ensures the object can be GCed, assuming the users'
application doesn't reference it anymore.
2021-09-17 08:29:26 -07:00
wojtekt
d9b08c611d Migrate to k8s.io/utils/clock
2021-09-17 15:19:08 +02:00
Karthik K N
c651d50202 Fix incorrect format specifier in test files
2021-09-17 16:27:53 +05:30
wojtekt
bb7dac443a Migrate to k8s.io/utils/clock in client-go
2021-09-17 11:37:33 +02:00
Kubernetes Prow Robot
cb2ea4bf7c
Merge pull request #101161 from rikatz/move-sysctl-util
Move node and networking related helpers from pkg/util to component helpers
2021-09-17 02:11:00 -07:00
Kubernetes Prow Robot
9918aa1e03
Merge pull request #105026 from wojtek-t/migrate_clock_2
Unify towards k8s.io/utils/clock - part 2
2021-09-17 00:01:01 -07:00
Mike Spreitzer
c4945fdf0c Update TestNoRestraint and TestWindup
Make TestNoRestraint verify that fairness is NOT achieved
when there is real competition.

Make TestWindup run two cases, to show that 0.1 is too narrow
a margin and 0.26 is wide enough.
2021-09-17 01:40:16 -04:00
Kubernetes Prow Robot
ff593c89a0
Merge pull request #104761 from lauchokyip/improveCM
Improve create configmap test
2021-09-16 16:11:45 -07:00
Ricardo Pchevuzinske Katz
37d11bcdaf Move node and networking related helpers from pkg/util to component helpers
Signed-off-by: Ricardo Katz <rkatz@vmware.com>
2021-09-16 17:00:19 -03:00
Andrey Smirnov
a5647fa417
fix: wrap errors correct when validating kubeconfig
This allows to check for specific errors using `errors.Is`.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2021-09-16 22:56:08 +03:00
Kubernetes Prow Robot
63e7ee43bb
Merge pull request #105069 from p0lyn0mial/upstream-etcd-client-retry
etcd client starts retrying transient errors from the etcd cluster
2021-09-16 12:43:39 -07:00
Kubernetes Prow Robot
139a50c5d7
Merge pull request #104627 from arajkumar/add-doc-metrics-kinds
NodeMetrics, PodMetrics: Add doc for metav1.ObjectMeta
2021-09-16 11:35:26 -07:00
Anish Ramasekar
63295a126e
fix typo in kms encryption config logs
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2021-09-16 18:19:29 +00:00
Kubernetes Prow Robot
6a49ed41ea
Merge pull request #104949 from Karthik-K-N/json-iterator-version-update
Updated json-iterator version to 1.1.12 from 1.1.11
2021-09-16 10:25:46 -07:00
Paco Xu
a48a2efbd4
remove deprecated validEgressSelectorNames 'master' (#102242)
* remove deprecated validEgressSelectorNames 'master'

Signed-off-by: pacoxu <paco.xu@daocloud.io>

* update gce configure: replace deprecated egress name 'master' with 'controlplane'

Signed-off-by: pacoxu <paco.xu@daocloud.io>

* add dup error for EgressSelection & fix converting alpha/beta to v1 name
2021-09-16 07:09:46 -07:00
Jian Zeng
2fbbd380ea
refactor: switch to tls cipher suite in stdlib
Signed-off-by: Jian Zeng <zengjian.zj@bytedance.com>
2021-09-16 21:58:01 +08:00
Lukasz Szaszkiewicz
83171562b0 etcd-client starts retrying transient errors from the etcd cluster
This PR enables unaryClientInterceptor in conjunction with Prometheus interceptor.
Previously it was simply overwritten by the Prometheus interceptor.
As a result etcd client didn't attempt to retry certain errors.

The unaryClientInterceptor is important because it knows how to retry all sorts of errors from the etcd cluster. It will make the API server more resilient to failures - end users won't see certain errors.
The full list of retriable (codes.Unavailable) errors can be found at https://github.com/etcd-io/etcd/blob/main/api/v3rpc/rpctypes/error.go#L72
2021-09-16 13:58:49 +02:00
wojtekt
b7221bc77c Update import restrictions
2021-09-16 10:52:28 +02:00
Kubernetes Prow Robot
b0f347350b
Merge pull request #105055 from MikeSpreitzer/its-flow-distinguisher
Rename httplog entry from "apf_d" to "apf_fd"
2021-09-15 23:51:45 -07:00
Jiahui Feng
2ddcf13e91 add feature gate OpenAPIEnums.
KEP-2887 OpenAPI Enum Types
2021-09-15 16:08:47 -07:00