Commit Graph

29256 Commits

Author SHA1 Message Date
Kubernetes Submit Queue
7236af6162 Merge pull request #39373 from apprenda/fix_configmap
Automatic merge from submit-queue (batch tested with PRs 39373, 41585, 41617, 41707, 39958)

Fix ConfigMaps for Windows

**What this PR does / why we need it**: ConfigMaps were broken for Windows as the existing code used Linux-specific file paths. Updated the code in `kubelet_getters.go` to use `path/filepath` to get the directories. Also reverted back the code in `secret.go` as updating `kubelet_getters.go` to use `path/filepath` also fixes `secrets`.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes https://github.com/kubernetes/kubernetes/issues/39372

```release-note
Fix ConfigMap for Windows Containers.
```

cc: @pires
2017-02-19 13:50:37 -08:00
Kubernetes Submit Queue
070ebfe622 Merge pull request #41414 from kevin-wangzefeng/tolerationseconds-admission-controller
Automatic merge from submit-queue (batch tested with PRs 41043, 39058, 41021, 41603, 41414)

add defaultTolerationSeconds admission controller

**What this PR does / why we need it**:
Split from #34825, add a new admission-controller that
1. adds toleration (with tolerationSeconds = 300) for taint `notReady:NoExecute` to every pod that does not already have a toleration for that taint, and
2. adds toleration (with tolerationSeconds = 300) for taint `unreachable:NoExecute` to every pod that does not already have a toleration for that taint.

**Which issue this PR fixes**: 
Related issue: #1574
Related PR: #34825

**Special notes for your reviewer**:

**Release note**:

```release-note
add defaultTolerationSeconds admission controller
```
2017-02-19 00:58:47 -08:00
Kubernetes Submit Queue
eb8e1dd5f1 Merge pull request #41021 from jcbsmpsn/rotate-certificate
Automatic merge from submit-queue (batch tested with PRs 41043, 39058, 41021, 41603, 41414)

Rotate the kubelet certificate when about to expire.

Changes the kubelet so it doesn't use the cert/key files directly for
starting the TLS server. Instead the TLS server reads the cert/key from
the new CertificateManager component, which is responsible for
requesting new certificates from the Certificate Signing Request API on
the API Server.
2017-02-19 00:58:45 -08:00
Justin Santa Barbara
bba343d066 Allow multiple mounts in StatefulSet volume zone placement
We have some heuristics that ensure that volumes (and hence stateful set
pods) are spread out across zones.  Sadly they forgot to account for
multiple mounts.  This PR updates the heuristic to ignore the mount name
when we see something that looks like a statefulset volume, thus
ensuring that multiple mounts end up in the same AZ.

Fix #35695
2017-02-19 02:20:04 -05:00
Justin Santa Barbara
87da0e69d5 servicecontroller: remove unused zone field
The zone field was unused, and this complicated e.g. #39996
2017-02-19 02:03:38 -05:00
Justin Santa Barbara
b1079f8813 AWS: Skip instances that are tagged as a master
We recognize a few AWS tags, and skip over masters when finding zones
for dynamic volumes.  This will fix #34583.

This is not perfect, in that really the scheduler is the only component
that can correctly choose the zone, but should address the common
problem.
2017-02-19 01:45:20 -05:00
Kevin
83545a65f1 add defaultTolerationSeconds admission controller 2017-02-18 23:48:03 +08:00
Timothy St. Clair
2bcd63c524 Cleanup work to enable feature gating annotations 2017-02-18 09:25:57 -06:00
Robert Rati
32c4683242 Feature-Gate affinity in annotations 2017-02-18 09:08:38 -06:00
Jordan Liggitt
66dec96735 Revert "Generate valid container id in fake docker client." 2017-02-18 10:06:24 -05:00
Humble Chirammal
1fd341ee72 Update reviewer list for iscsi volume plugin.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2017-02-18 13:12:03 +05:30
Jordan Liggitt
b83e6f7d91 Make controller-manager resilient to stale serviceaccount tokens 2017-02-17 23:59:00 -05:00
Kubernetes Submit Queue
4d11cbc577 Merge pull request #39364 from zhouhaibing089/nodeports
Automatic merge from submit-queue

nodeports usage should be part of LoadBalancer service type

Since the creation of a Service of type LoadBalancer will allocate NodePorts as well, it makes more sense to account for the NodePort usage in the LoadBalancer switch case.

check here: https://github.com/kubernetes/kubernetes/blob/master/pkg/registry/core/service/rest.go#L553 for the logic on whether it should assign a nodeport for the service.
2017-02-17 20:34:32 -08:00
Kubernetes Submit Queue
112aa327ac Merge pull request #41521 from spiffxp/osx-make-test
Automatic merge from submit-queue (batch tested with PRs 41401, 41195, 41664, 41521, 41651)

Allow `make test` to pass on OSX

**What this PR does / why we need it**: `make test` doesn't pass on my OSX setup (10.11.6, go1.7, docker 1.13.1) on `master`, `release-1.5`, nor `release-1.4`.  Our [docs on unit tests](https://github.com/kubernetes/community/blob/master/contributors/devel/testing.md#unit-tests) say they should always pass on OS X.  This PR allows them to pass.

**Release note**:
```release-note
NONE
```

ref: #24717 for the motivation behind dereferencing mount symlinks

/cc @kubernetes/sig-testing-pr-reviews
2017-02-17 19:46:42 -08:00
Kubernetes Submit Queue
97921ff38e Merge pull request #41195 from wojtek-t/remove_default_failure_domains
Automatic merge from submit-queue (batch tested with PRs 41401, 41195, 41664, 41521, 41651)

Remove default failure domains from anti-affinity feature

Removing it is necessary to make performance of this feature acceptable at some point.

With default failure domains (or in general when multiple topology keys are possible), we don't have transitivity between node belonging to a topology. And without this, it's pretty much impossible to solve this effectively.

@timothysc
2017-02-17 19:46:40 -08:00
Kubernetes Submit Queue
5edac4f840 Merge pull request #41401 from wojtek-t/detect_bad_unstructured_conversions
Automatic merge from submit-queue (batch tested with PRs 41401, 41195, 41664, 41521, 41651)

Detect bad unstructured conversions

Ref https://github.com/kubernetes/kubernetes/issues/39017

This PR also speeds up the conversion:
before:
```
BenchmarkToFromUnstructured-12           	    1000	   1201132 ns/op	   15335 B/op	     268 allocs/op
BenchmarkToFromUnstructuredViaJSON-12    	    1000	   2127384 ns/op	   29669 B/op	     457 allocs/op
```
after:
```
BenchmarkToFromUnstructured-12           	    2000	    911243 ns/op	   10472 B/op	     196 allocs/op
BenchmarkToFromUnstructuredViaJSON-12    	    1000	   2243216 ns/op	   29665 B/op	     457 allocs/op
```
2017-02-17 19:46:38 -08:00
Kubernetes Submit Queue
34bf25fe49 Merge pull request #41524 from Random-Liu/fix-cri-kubemark
Automatic merge from submit-queue

Generate valid container id in fake docker client.

Fixes https://github.com/kubernetes/kubernetes/issues/41488.

This PR generates valid container id by hashing container name. So that dockershim checkpoint won't report `checkpoint key XXX is not valid` error.

This PR also reverts #41460.

@yujuhong @freehan /cc @kubernetes/sig-node-pr-reviews
2017-02-17 17:45:14 -08:00
Jacob Simpson
855627e5cb Rotate the kubelet certificate when about to expire.
Changes the kubelet so it doesn't use the cert/key files directly for
starting the TLS server. Instead the TLS server reads the cert/key from
the new CertificateManager component, which is responsible for
requesting new certificates from the Certificate Signing Request API on
the API Server.
2017-02-17 17:42:35 -08:00
Minhan Xia
4f21b0280d initialize directory while creating checkpoint file store 2017-02-17 16:56:46 -08:00
Kubernetes Submit Queue
7bbafd259c Merge pull request #41626 from derekwaynecarr/improve-kubelet-volume-logging
Automatic merge from submit-queue (batch tested with PRs 41649, 41658, 41266, 41371, 41626)

Understand why kubelet cannot cleanup orphaned pod dirs

**What this PR does / why we need it**:
Understand if we are unable to clean up orphaned pod directories due to a failure to read the directory versus paths still existing to improve ability to debug error situations.
2017-02-17 16:38:41 -08:00
Kubernetes Submit Queue
abcff2dfc1 Merge pull request #41371 from jcbsmpsn/split-request-node-certificate
Automatic merge from submit-queue (batch tested with PRs 41649, 41658, 41266, 41371, 41626)

Split request node certificate

Split the `RequestNodeCertificate` function so the behavior can also be used by non-node callers.
2017-02-17 16:38:40 -08:00
Kubernetes Submit Queue
b584e9419d Merge pull request #41658 from janetkuo/cronjob-panic
Automatic merge from submit-queue (batch tested with PRs 41649, 41658, 41266, 41371, 41626)

Fix cronjob controller panic on status update failure

#41655

@kubernetes/sig-apps-bugs @soltysh @erictune
2017-02-17 16:38:35 -08:00
juanvallejo
a76ed0284b add --ignore-not-found option 2017-02-17 17:40:37 -05:00
Random-Liu
ac97fc22f6 Revert #41460. 2017-02-17 14:08:57 -08:00
Random-Liu
201866af20 Small bug fixes in fake docker client. 2017-02-17 14:08:57 -08:00
Kubernetes Submit Queue
56afb95641 Merge pull request #41465 from bruceauyeung/k8s-branch-fix-kubectl-create-configmap-help-messages
Automatic merge from submit-queue

fix kubectl create configmap help messages

Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>

**What this PR does / why we need it**:

1. the first example command actually doesn't specify any keys. i think `with keys for each file` is incorrect.
2. `names on disk` is confusing.  in usage the word `NAME` means configmap, so i think it's better saying `file basenames on disk`
3. in this context, `--from-file` can be specified multiple times, but in each occurrence only one key file can be specified, besides we should keep consistent with the later case (key is specified). so i changed words in this sentence to singular. and to avoid confusing, i use `key` instead of `name`
2017-02-17 13:56:36 -08:00
Wojciech Tyczynski
924e9a5b3a Unified unstructured converter interface and setup 2017-02-17 21:07:04 +01:00
Janet Kuo
6753544949 Fix cronjob panic on status update failure 2017-02-17 11:29:39 -08:00
Wojciech Tyczynski
edb36d4df7 Minor cleanup in unstructured converter 2017-02-17 18:56:55 +01:00
Andy Goldstein
99313cc394 Switch namespace controller to shared informer 2017-02-17 12:34:27 -05:00
Kubernetes Submit Queue
58ec5cce28 Merge pull request #41355 from ncdc/shared-informers-09-service
Automatic merge from submit-queue

Switch service controller to shared informers

Originally part of #40097 

cc @deads2k @smarterclayton @gmarek @wojtek-t @timothysc @sttts @liggitt @kubernetes/sig-scalability-pr-reviews
2017-02-17 09:04:28 -08:00
Jacob Simpson
b9f3e91041 Split RequestNodeCertificate function.
Split the `RequestNodeCertificate` function so it can be called with
different arguments.
2017-02-17 07:40:48 -08:00
Kubernetes Submit Queue
b2df7e5397 Merge pull request #41547 from xilabao/remove-validNonResourceVerbs-in-create-role
Automatic merge from submit-queue (batch tested with PRs 41604, 41273, 41547)

remove validNonResourceVerbs in create role

non-resource-url is only reasonable for clusterroles
2017-02-17 07:20:39 -08:00
Kubernetes Submit Queue
7da78faf06 Merge pull request #41273 from wongma7/pv-controller-shared
Automatic merge from submit-queue (batch tested with PRs 41604, 41273, 41547)

Switch pv controller to shared informer

This is WIP because I still need to do something with bazel? and add 'get storageclasses' to the controller-manager rbac role

@jsafrane PTAL and make sure I did not break anything in the PV controller. Do we need to clone the volumes/claims we get from the shared informer before we use them? I could not find a place where we modify them but you would know for certain.

cc @ncdc because I copied what you did in your other PRs.
2017-02-17 07:20:35 -08:00
Derek Carr
f1b7621f42 kubelet volumes cleanupOrphanedPodDirs does not distinguish error from found volume paths 2017-02-17 09:07:54 -05:00
Kubernetes Submit Queue
22e6bd4c8d Merge pull request #40915 from tanshanshan/api-groupversion-unittest
Automatic merge from submit-queue

Improve code coverage for pkg/api/util

**What this PR does / why we need it**:

Improve code coverage for pkg/api/util.

Thanks.

**Special notes for your reviewer**:

**Release note**:

```release-note
```
2017-02-16 23:15:43 -08:00
Kubernetes Submit Queue
1aa0606a81 Merge pull request #41163 from janetkuo/deployment-cleanup
Automatic merge from submit-queue (batch tested with PRs 41517, 41494, 41163)

Deployment: filter out old RSes that are deleted or with non-zero replicas before cleanup

Fixes #36379

cc @zmerlynn @yujuhong @kargakis @kubernetes/sig-apps-bugs
2017-02-16 21:16:04 -08:00
Kubernetes Submit Queue
f0b58a7bed Merge pull request #41570 from deads2k/cli-03-tolerate-missing-shortcut
Automatic merge from submit-queue

only construct shortcutmapper when we have the discovery client

Resource shortnames come from the discoveryclient, so we should only wrap with that mapper when we have the information we need.
2017-02-16 19:45:44 -08:00
Random-Liu
de922962de Generate valid container id in fake docker client. 2017-02-16 17:10:33 -08:00
Kubernetes Submit Queue
34ffba6cd2 Merge pull request #40726 from humblec/gluster-provclean
Automatic merge from submit-queue (batch tested with PRs 40505, 34664, 37036, 40726, 41595)

Rename provisioner config struct
2017-02-16 17:05:15 -08:00
Kubernetes Submit Queue
98d1cffe05 Merge pull request #37036 from dcbw/docker-gc-teardown-pods
Automatic merge from submit-queue (batch tested with PRs 40505, 34664, 37036, 40726, 41595)

dockertools: call TearDownPod when GC-ing infra pods

The docker runtime doesn't tear down networking when GC-ing pods.
rkt already does so make docker do it too. To ensure this happens,
infra pods are now always GC-ed rather than gating them by
containersToKeep.

This prevents IPAM from leaking when the pod gets killed for
some reason outside kubelet (like docker restart) or when pods
are killed while kubelet isn't running.

Fixes: https://github.com/kubernetes/kubernetes/issues/14940
Related: https://github.com/kubernetes/kubernetes/pull/35572
2017-02-16 17:05:12 -08:00
Kubernetes Submit Queue
4f6b229fdf Merge pull request #34664 from ymqytw/filter_annotation_for_describe_secret
Automatic merge from submit-queue (batch tested with PRs 40505, 34664, 37036, 40726, 41595)

filter lastAppliedConfig annotation for describe secret

Temporarily addresses: #23564.
This patch filters out the lastAppliedConfig annotation when describing a secret.

```release-note
kubectl describe no longer prints the last-applied-configuration annotation for secrets.
```
2017-02-16 17:05:10 -08:00
xilabao
367006bea4 remove validNonResourceVerbs in create role 2017-02-17 08:52:59 +08:00
Kubernetes Submit Queue
9443d85c4b Merge pull request #40505 from brendandburns/i18n5
Automatic merge from submit-queue

Extract strings from the rollout command.

@fabianofranz @kubernetes/sig-cli-pr-reviews
2017-02-16 16:45:32 -08:00
Kubernetes Submit Queue
05c05de798 Merge pull request #41569 from yujuhong/add_healthcheck
Automatic merge from submit-queue (batch tested with PRs 38101, 41431, 39606, 41569, 41509)

Report node not ready on failed PLEG health check

Report node not ready if PLEG health check fails.
2017-02-16 15:49:18 -08:00
Kubernetes Submit Queue
6376ad134d Merge pull request #39606 from NickrenREN/kubelet-pod
Automatic merge from submit-queue (batch tested with PRs 38101, 41431, 39606, 41569, 41509)

optimize killPod() and syncPod() functions

make sure that one of the two arguments must be non-nil: runningPod, status, just like the function note says
and judge the return value in syncPod() function before setting podKilled
2017-02-16 15:49:17 -08:00
Kubernetes Submit Queue
4515f72824 Merge pull request #38101 from CaoShuFeng/haripin_nsenter
Automatic merge from submit-queue (batch tested with PRs 38101, 41431, 39606, 41569, 41509)

[hairpin] fix argument of nsenter

**Release note**:

```release-note
None
```

We should use:
	nsenter --net=netnsPath -- -F some_command
instead of:
	nsenter -n netnsPath -- -F some_command
Because "nsenter -n netnsPath" gets an error output:
	# nsenter -n /proc/67197/ns/net ip addr
	nsenter: neither filename nor target pid supplied for ns/net

If we really want to use -n, we need to use -n in such format:
	# sudo nsenter -n/proc/67197/ns/net ip addr
2017-02-16 15:49:10 -08:00
Anthony Yeh
70bd5fdfe5 Refactor ControllerRefManager
To prepare for implementing ControllerRef across all controllers,
this pushes the common adopt/orphan logic into ControllerRefManager
so each controller doesn't have to duplicate it.

This also shares the adopt/orphan logic between Pods and ReplicaSets,
so it lives in only one place.
2017-02-16 15:09:17 -08:00
Janet Kuo
a265186aaa Deployment: filter out old RSes that are deleted or with non-zero replicas before cleanup 2017-02-16 14:48:10 -08:00
Kubernetes Submit Queue
4ac2749af6 Merge pull request #41022 from thockin/proxy-defer-on-update-events
Automatic merge from submit-queue (batch tested with PRs 41505, 41484, 41544, 41514, 41022)

Proxy defer on update events

This PR is a series of discrete movements in refactoring some of kube-proxy's twistier code in prep to be more async.  It should be reviewed one commit at a time.  Each commit is a smallish movement, which should be easier to examine.  I added significant tests along the way, which, unsurprisingly, found some bugs.
2017-02-16 14:28:24 -08:00