This change bumps the stackdriver logging agent version to v1-9,
re-enable it, and change the script/configuration to:
* Create /var/log in the startup script, since the fluentd
configuration expects the directory to exists
* Add support for collecting kubelet/kube-proxy logs
This preference list matches is used to pick prefered field from k8s
node object. It was introduced in metrics-server 0.3 and changed default
behaviour to use DNS instead of IP addresses. It was merged into k8s
1.12 and caused breaking change by introducing dependency on DNS
configuration.
Busybox has more severe CVE issues.
This is part of the effort described in kep kubernetes/enhancements#900, we can't change the ibase image to distroless directly since a bash script is used.
Moved to debian-base and put it as a temp exception for now.
* Touched containers: kube-apiserver, kube-scheduler,
kube-controller-manager.
* Remove the shell dependencies when upstart the containers.
* Reformat the command parameters to ["Exec", "Param1", "Param2"]
The conformance image should be saving its results
regardless of the results of the tests. However,
with errexit set, when ginkgo gets test failures
it exits 1 which prevents saving the results
for Sonobuoy to pick up.
Fixes: #76036
[stackdriver addon] Bump prometheus-to-sd to v0.5.0 to pick up security fixes.
[fluentd-gcp addon] Bump fluentd-gcp-scaler to v0.5.1 to pick up security fixes.
[fluentd-gcp addon] Bump event-exporter to v0.2.4 to pick up security fixes.
[fluentd-gcp addon] Bump prometheus-to-sd to v0.5.0 to pick up security fixes.
[metatada-proxy addon] Bump prometheus-to-sd v0.5.0 to pick up security fixes.
- Pass most of the flags via kube-env, similar to Kubelet, to make it
easier to reconfigure.
- Use kube-proxy's kubeconfig file to pass the API server address,
rather than the --master flag.
- Make KUBEPROXY_ARGS a required variable in Windows kube-env, similar
to KUBELET_ARGS.
- for ginkgo parallel mode pass -p to autodetect ginkgo nodes.
- disable parallel mode by default (false).
- use provider "skeleton" instead of "local".
- make run_e2e.sh pass shellcheck.
This patch introduces `KUBERNETES_CLIENT_OS` and
`KUBERNETES_CLIENT_ARCH` to the script `cluster/get-kube-binaries.sh` in
order to download a client that is not the OS/Arch of the host on which
the script is executing.
The Dockerfile has a few more options, let's surface that in the
manifest. Also use the same defaults in the manifest as the Dockerfile
itself.
Change-Id: Ib7419cf7999430db15f39ac414c80ee362fcda76
I recently lowered the timeout value to 2 minutes but this turned out to
be too aggressive for now. 3 minutes is usually long enough for the test
containers to come up.
Note that this test is only used during development, it does not run
continuously anywhere.
--hostname-override should not be necessary, we can rely on kube-proxy
to auto-detect it just like we do in Kubelet.
I also added an optional variable to kube_env, KUBEPROXY_ARGS, that we
can use to remotely extend kube-proxy's command-line if necessary.
A common issue users run into is wanting a list of tests
a certain regexp will run, without actually running it.
ginkgo supports this with the dryRun flag but it was not
exposed via the kube-conformance image. This change
will set the flag if the E2E_DRYRUN environment variable
is set.
Fixes#74727
This PR adds the support for GCEPD volume. For now, it uses a workaround
(https://github.com/pjh/gce-tools) to get disk number in windows for a given GCE PD name.
Fix three issues with the fluentd-gcp liveness probe:
h1. STUCK_THRESHOLD_SECONDS was overridden by LIVENESS_THRESHOLD_SECONDS
if defined
Probably a copy/paste issue introduced in edf1ffc074
h1. `[[` is [a bashism](https://stackoverflow.com/a/47576482), and will always failed when called with `/bin/sh`
Introduced by a844523c20
Given that we call the liveness probe with `/bin/sh`, we cannot use the
double-bracketed `[[` syntax for test, as it is not POSIX-compliant and
will throw an error.
Annoyingly, even through it prints an error, `sh` returns with exit code 0
in this case:
```bash
root@fluentd-7mprs:/# sh liveness.sh
liveness.sh: 8: liveness.sh: [[: not found
liveness.sh: 15: liveness.sh: [[: not found
root@fluentd-7mprs:/# echo $?
0
```
Which means the liveness probe is considered successful by Kubernetes,
despite failing to test things as it was intended. This is also
probably the reason why this bug wasn't reported sooner :)
Thankfully, the test in this case can just as easily be written as
POSIX-compliant as it doesn't use any bash-specific features within the
`[[` block.
h1. Buffers are transient and cannot be relied upon for monitoring
Finally, after fixing the above issue, we started seeing the fluentd
containers being restarted very often, and found an issue with the
underlying logic of the liveness probe.
The probe checks that the pod is still alive by running the following
command:
`find /var/log/fluentd-buffers -type f -newer /tmp/marker-stuck -print -quit`
This checks if any _regular_ file exists under `/var/log/fluentd-buffers`
that is more recent than a predetermined time, and will return an empty
string otherwise.
The issue is that these buffers are temporary and volatile, they get created and
deleted constantly. Here is an example of running that check every second on a
running fluentd:
```
root@fluentd-eks-playground-jdc8m:/# LIVENESS_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-300};
root@fluentd-eks-playground-jdc8m:/# STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900};
root@fluentd-eks-playground-jdc8m:/# touch -d "${STUCK_THRESHOLD_SECONDS} seconds ago" /tmp/marker-stuck;
root@fluentd-eks-playground-jdc8m:/# touch -d "${LIVENESS_THRESHOLD_SECONDS} seconds ago" /tmp/marker-liveness;
root@fluentd-eks-playground-jdc8m:/# while true; do date ; find /var/log/fluentd-buffers -type f -newer /tmp/marker-stuck -print -quit ; sleep 1 ; done
Fri Feb 22 10:52:57 UTC 2019
Fri Feb 22 10:52:58 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer/buffer.b5827964ccf4c7004103c3fa7c8533f85.log
Fri Feb 22 10:52:59 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer/buffer.b5827964ccf4c7004103c3fa7c8533f85.log
Fri Feb 22 10:53:00 UTC 2019
Fri Feb 22 10:53:01 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer/buffer.b5827964fb8b2eedcccd2763ea7775cc2.log
Fri Feb 22 10:53:02 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer/buffer.b5827964fb8b2eedcccd2763ea7775cc2.log
Fri Feb 22 10:53:03 UTC 2019
Fri Feb 22 10:53:04 UTC 2019
Fri Feb 22 10:53:05 UTC 2019
Fri Feb 22 10:53:06 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer/buffer.b5827965564883997b673d703af54848b.log
Fri Feb 22 10:53:07 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer/buffer.b5827965564883997b673d703af54848b.log
Fri Feb 22 10:53:08 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer/buffer.b5827965564883997b673d703af54848b.log
Fri Feb 22 10:53:09 UTC 2019
Fri Feb 22 10:53:10 UTC 2019
Fri Feb 22 10:53:11 UTC 2019
Fri Feb 22 10:53:12 UTC 2019
Fri Feb 22 10:53:13 UTC 2019
Fri Feb 22 10:53:14 UTC 2019
Fri Feb 22 10:53:15 UTC 2019
Fri Feb 22 10:53:16 UTC 2019
```
We can see buffers being created, then disappearing. The LivenessProbe running
under these conditions has a ~50% chance of failing, despite fluentd being
perfectly happy.
I believe that check is probably ok for fluentd installs using large
amounts of buffers, in which case the liveness probe will be correct more
often than not, but fluentd installs that use buffering less intensively
will be negatively impacted by this.
My solution to fix this is to check the last updated time of buffering
_folders_ within `/var/log/fluentd_buffers`. These _do_ get updated when
buffers are created, and do not get deleted as buffers are emptied,
making them the perfect candidate for our use.
Here's an example with the `-d` flag for directories:
```
root@fluentd-eks-playground-jdc8m:/# while true; do date ; find /var/log/fluentd-buffers -type d -newer /tmp/marker-stuck -print -quit ; sleep 1 ; done
Fri Feb 22 10:57:51 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:57:52 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:57:53 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:57:54 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:57:55 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:57:56 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:57:57 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:57:58 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:57:59 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:58:00 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:58:01 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:58:02 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
Fri Feb 22 10:58:03 UTC 2019
/var/log/fluentd-buffers/kubernetes.system.buffer
```
And example of the directory being updated as new buffers come in:
```
root@fluentd-eks-playground-jdc8m:/# ls -lah /var/log/fluentd-buffers/kubernetes.system.buffer
total 0
drwxr-xr-x 2 root root 6 Feb 22 11:17 .
drwxr-xr-x 3 root root 38 Feb 22 11:14 ..
root@fluentd-eks-playground-jdc8m:/# ls -lah /var/log/fluentd-buffers/kubernetes.system.buffer
total 16K
drwxr-xr-x 2 root root 224 Feb 22 11:18 .
drwxr-xr-x 3 root root 38 Feb 22 11:14 ..
-rw-r--r-- 1 root root 1.8K Feb 22 11:18 buffer.b58279be6e21e8b29fc333a7d50096ed0.log
-rw-r--r-- 1 root root 215 Feb 22 11:18 buffer.b58279be6e21e8b29fc333a7d50096ed0.log.meta
-rw-r--r-- 1 root root 429 Feb 22 11:18 buffer.b58279be6f09bdfe047a96486a525ece2.log
-rw-r--r-- 1 root root 195 Feb 22 11:18 buffer.b58279be6f09bdfe047a96486a525ece2.log.meta
root@fluentd-eks-playground-jdc8m:/# ls -lah /var/log/fluentd-buffers/kubernetes.system.buffer
total 0
drwxr-xr-x 2 root root 6 Feb 22 11:18 .
drwxr-xr-x 3 root root 38 Feb 22 11:14 ..
```
Also switches to the most recent 64-bit version of OpenSSH for Windows.
Tested:
PROJECT=${CLOUDSDK_CORE_PROJECT} KUBERNETES_SKIP_CONFIRM=y NUM_NODES=2 \
NUM_WINDOWS_NODES=2 KUBE_GCE_ENABLE_IP_ALIASES=true TEST_CLUSTER=true \
./cluster/kube-up.sh
This commit aims to add '/usr/bin/env bash' as a shebang line
to indicates scripts use bash shell for interpreting.
Signed-off-by: Nguyen Hai Truong <truongnh@vn.fujitsu.com>
Similar to `--no-negcache` on dnsmasq, this prevents issues which poll DNS for orchestration such as operators with StatefulSets. It can also be very confusing for users when negative caching results in a change they just made seeming to be broken until the cache expires. This assumes that 5 seconds is reasonable and will still catch repeated AAAA negative responses. We could also set the denial cache size to zero which should effectively fully disable it like dnsmasq in kube-dns but testing shows this approach seems to work well in our (albeit small) test clusters.
This rule is only created if the cluster has one or more Windows nodes,
but delete-firewall-rules() ignores firewall rule arguments that do not
exist so it's safe to always attempt to delete this rule.
The feature is gated behind a newly introduced 'dump-systemd-journal' flag.
We want to dump the full systemd journal in our scalability performance tests.
Looks like the get-master-root-disk-size() and get-master-disk-size() functions didn't anticipate
clusters bigger than 2K nodes.
In https://github.com/kubernetes/kubernetes/issues/72976 we found out
that 100GB may be not enough for large clusters (5K nodes) when it comes
to master root disk size.
Updating both get-master-root-disk-size() and get-master-disk-size() to
make them consistent and match cluster sizes with get-master-size()
function.
These DaemonSets supports only Linux today, so this change updates the
specs to reflect this limitation. The labels have recently been promoted
to GA. Using the beta labels for now until node-master version skew
problem no longer exists.
The node_exporter CPU use is bursty, as it needs a bit of CPU at scrape time. Don't set a CPU limit to avoid collection stalls.
Set the request to 100m to more closely match the typical max core needs.
setting CPU_LIMITS to '1' fixes the following log appearing every 60 seconds:
Running: kubectl set resources -n kube-system ds fluentd-gcp-v3.1.0 -c fluentd-gcp --requests=cpu=100m,memory=200Mi --limits=cpu=1000m,memory=500Mi
error: info: {extensions v1beta1 daemonsets} "fluentd-gcp-v3.1.0" was not changed
this PR does not change scaler's behaviour, pods are scaled correctly despite error in the logs
Currently, only kubernetes-server-linux-<arch>.tar.gz will be downloaded
and staged for tests. It is not possible to test a cluster where the
platform/arch of the nodes differs from that of the master
control-plane. This changes allows downloading and staging node
binaries, in addition to the existing server binaries.
This change renames the '--experimental-encryption-provider-config'
flag to '--encryption-provider-config'. The old flag is accepted but
generates a warning.
In 1.14, we will drop support for '--experimental-encryption-provider-config'
entirely.
Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
This change includes the yaml files and gce startup script changes
to run this addon. It is disabled by default, can be enabled by setting
KUBE_ENABLE_NODELOCAL_DNS=true
An ip address is required for the cache instance to listen for
requests on, default is a link local ip address of value 169.254.25.10
addressed review comments, updated image location
Picked a different prometheus port so stats port is not same as the
coredns deployment
Removed the nodelocaldns-ready label.
Set memory limit to 30Mi
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
Pick up some code from https://github.com/heptio/kube-conformance
Fix up build scripts for the new conformance image
Fix Header template and Copyright to make verify job go green
update README and add execute permissions for script
Change-Id: Ib6509acd816cc2fb3a516bfb8e0ff9e32bff8f79
This fixes an issue where SRV records were incorrectly being compressed.
Also updated kubedns version for kubeadm
Upgrade to 1.14.12 with manifest support. Runs dnsmasq version 2.78
2. Do not set Preemptible node label on master node unless the master node is explicitly set to be preemptible.
Signed-off-by: Vishnu kannan <vishnuk@google.com>
Automatic merge from submit-queue (batch tested with PRs 67950, 68195). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Remove e2e-image-puller
**What this PR does / why we need it**:
A long time ago, We added the image prepulling as a workaround due to
the overwhelming amount of flake caused by pulling during the tests.
This functionality has been broken for a while now when we switched to a
COS image where mounting `docker` binary into `busybox` stopped working.
So we just have dead code we should clean up.
Change-Id: I538171a5c1d9361eee7f9e0a99655b88b1721e3e
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#63355
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Update default etcd server to 3.2.24 for kubernetes 1.12
**What this PR does / why we need it**:
Update default etcd server to 3.2.24 for kubernetes 1.12
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
xref #68147
**Special notes for your reviewer**:
NONE
**Release note**:
```
Update default etcd server to 3.2.24 for kubernetes 1.12
```
/assign @wojtek-t @jpbetz @dims
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews @gyuho
Automatic merge from submit-queue (batch tested with PRs 68119, 68191). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Update cluster autoscaler to 1.12.0-beta.1
Update Cluster Autoscaler to version 1.12.0-beta.1 which is compatible with k8s 1.12.
Note: this is pre release version. Update to the final version of CA image will be done a week before k8s release deadline.
Version skip from 1.3.x to 1.12.x is to synchronize version numbering between Cluster Autoscaler and k8s core.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 68087, 68256, 64621, 68299, 68296). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Bump addon-manager to v8.7
**What this PR does / why we need it**:
Major changes:
- Support extra `--prune-whitelist` resources in kube-addon-manager.
- Update kubectl to v1.10.7.
Basically picking up https://github.com/kubernetes/kubernetes/pull/67743.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
/assign @Random-Liu @mikedanese
**Release note**:
```release-note
Bump addon-manager to v8.7
- Support extra `--prune-whitelist` resources in kube-addon-manager.
- Update kubectl to v1.10.7.
```
Automatic merge from submit-queue (batch tested with PRs 68087, 68256, 64621, 68299, 68296). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
gce: use getrandom instead of urandom for on node rng
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Cleaning up the cluster directory deprecation notice
- Remove link to the kube-deploy repo
- Remove link to SaltStack
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Fix an issue about generation of secret key with invalid key size in gce
Replace /dev/random to /dev/urandom to avoid generation of secret key with invalid key size.
**What this PR does / why we need it**:
In GCE env, AESGCM encryption of secrets by default generates a secret key with /dev/random which sometime generates a key with invalid size.
This cause the cluster/kube-up.sh to fail in gce environment.
This PR replaces /dev/random with /dev/urandom to have a secret key generated consistently with right size.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#67091
**Special notes for your reviewer**:
**Release note**:
```release-note
cluster/gce: generate consistent key sizes in config-default.sh using /dev/urandom instead of /dev/random
```
Automatic merge from submit-queue (batch tested with PRs 68161, 68023, 67909, 67955, 67731). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Register RuntimeClass CRD as an addon
**What this PR does / why we need it**:
Register the RuntimeClass CRD when the RuntimeClass feature gate is enabled. This is done in through the addon manager.
This is an alternative approach to https://github.com/kubernetes/kubernetes/pull/67924
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
For https://github.com/kubernetes/features/issues/585
**Release note**:
Covered by #67737
```release-note
NONE
```
/sig node
/kind feature
/priority important-soon
/milestone v1.12
In the context, our urandoms where generally safe, however getrandom has
built in invariants around entropy pool initialization, making getrandom
safe in all contexts. This should protect us from cryptopasta errors or
weird entropy issues.
Automatic merge from submit-queue (batch tested with PRs 67691, 68147). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Bump versions of components with latest security patches.
**What this PR does / why we need it**:
Upgrade versions of monitoring components used on GCP, to include latest security patches.
**Release note**:
```release-note
[fluentd-gcp-scaler addon] Bump fluentd-gcp-scaler to 0.4 to pick up security fixes.
[prometheus-to-sd addon] Bump prometheus-to-sd to 0.3.1 to pick up security fixes, bug fixes and new features.
[event-exporter addon] Bump event-exporter to 0.2.3 to pick up security fixes.
```
Automatic merge from submit-queue (batch tested with PRs 67736, 68123, 68138). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Added support to get clusters in gce cloud provider.
**What this PR does / why we need it**:
Implemented the call to get all cluster objects in a zone for a project.
Also added code to allow the container api to be set in the gce.conf
file.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
A long time ago, We added the image prepulling as a workaround due to
the overwhelming amount of flake caused by pulling during the tests.
This functionality has been broken for a while now when we switched to a
COS image where mounting `docker` binary into `busybox` stopped working.
So we just have dead code we should clean up.
Change-Id: I538171a5c1d9361eee7f9e0a99655b88b1721e3e
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
cluster/addons: add labels to fluentd owner files
**What this PR does / why we need it**:
this PR adds SIG labels to fluentd OWNER files:
- cluster/addons/fluentd-elasticsearch/OWNERS
- cluster/addons/fluentd-gcp/OWNERS
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
let me know if the labels need adjustment.
**Release note**:
```release-note
NONE
```
/assign @roberthbailey @mikedanese
/cc @timothysc
/sig gcp
/sig instrumentation
/kind cleanup
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Add spiffxp to OWNERS files in bash-heavy dirs
I'm comfortable approving changes in hack/, I think I still need
to build up a corpus of reviews in build/ and cluster/ before I'm
comfortable asking for those rights. I'm willing to be voluntold
otherwise if existing approvers feel differently.
Approvers, WDYT?
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Support extra prune resources in kube-addon-manager.
The default prune whitelist resources in https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/apply.go#L531 are sometimes not enough.
One example is that when we remove an admission webhook running as an addon pod, after we remove the addon yaml file, the admission webhook pod will be pruned, but the `MutatingWebhookConfiguration`/`ValidationWebhookConfiguration` won't... If the webhook failure policy is `Fail`, this will break the cluster, and users can't create new pods anymore.
It would be good to at least make this configurable, so that users and vendors can configure it based on their requirement.
This PR keeps the default prune resource list exactly the same with before, just makes it possible to add extra ones.
@dchen1107 @MrHohn @kubernetes/sig-cluster-lifecycle-pr-reviews @kubernetes/sig-gcp-pr-reviews
Signed-off-by: Lantao Liu <lantaol@google.com>
**Release note**:
```release-note
Support extra `--prune-whitelist` resources in kube-addon-manager.
```
Automatic merge from submit-queue (batch tested with PRs 65251, 67255, 67224, 67297, 68105). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Add namespace for (cluster)role(binding) cloud-provider.
**What this PR does / why we need it**:
Add namespace for (cluster)role(binding) cloud-provider.
Change the addonmanager mode to be from reconcile to EnsureExists.
Needs to be cherrypicked together with https://github.com/kubernetes/kubernetes/pull/59686.
**Special notes for your reviewer**:
/assign @bowei @tallclair
/sig auth
**Release note**:
```release-note
Role, ClusterRole and their bindings for cloud-provider is put under system namespace. Their addonmanager mode switches to EnsureExists.
```
Manual tested. Cluster can be created succesfully using kube-up.sh with desired (cluster)role(binding)s.
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Adding GCE node termination handler as an optional addon.
This step is a pre-requisite for auto-deploying that addon in GKE
cc @mikedanese
Automatic merge from submit-queue (batch tested with PRs 68051, 68130, 67211, 68065, 68117). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Put fluentd back to host network
In the future we will want to monitor each system component that is deployed as a DaemonSet using only one instance of prometheus-to-sd (which will be deployed as a DaemonSet too), but for this we need all the system components to be part of host network. There is no port colision created with this change.
```release-note
Port 31337 will be used by fluentd
```
I'm comfortable approving changes in hack/, I think I still need
to build up a corpus of reviews in build/ and cluster/ before I'm
comfortable asking for those rights
Automatic merge from submit-queue (batch tested with PRs 67756, 64149, 68076, 68131, 68120). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Update manifest and version for CoreDNS
**What this PR does / why we need it**:
Updates the manifest of CoreDNS and also bumps the version of CoreDNS to 1.2.2
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubernetes/issues/68020
**Special notes for your reviewer**:
**Release note**:
```release-note
CoreDNS is now v1.2.2 for Kubernetes 1.12
```
Automatic merge from submit-queue (batch tested with PRs 68044, 68077). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Update metrics-server to v0.3.0
v0.3.0 is the latest version of metrics-server, and brings a number of
internal stability improvements as well as some bugfixes and features.
NB: this currently disables Kubelet auth entirely, since this setup
needs to work on GKE for the tests, and GKE doesn't support delegated
Kubelet auth yet. When that's rectified, we can switch this over to
use secure options.
```release-note
Update metrics-server to v0.3.0.
```
v0.3.0 is the latest version of metrics-server, and brings a number of
internal stability improvements as well as some bugfixes and features.
NB: this currently disables Kubelet auth entirely, since this setup
needs to work on GKE for the tests, and GKE doesn't support delegated
Kubelet auth yet. When that's rectified, we can switch this over to
use secure options.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Promote AdvancedAuditing to GA
**What this PR does / why we need it**:
Removes deprecated legacy code used for basic audit logging in favor of advanced audit logging.
```release-note
Promote AdvancedAuditing to GA, replacing the previous (legacy) audit logging mechanisms.
```
Automatic merge from submit-queue (batch tested with PRs 67745, 67432, 67569, 67825, 67943). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Add flag for disabling prometheus-to-sd only for daemon sets
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 67745, 67432, 67569, 67825, 67943). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Enable CoreDNS as default for kube-up deployments
**What this PR does / why we need it**:
Enable CoreDNS as default (for kube-up installations)
It will allow to run CI tests to prepare graduation criteria for CoreDNS as Default
see : KEP - https://github.com/kubernetes/community/blob/master/keps/sig-network/0012-20180518-coredns-default-proposal.md
see also : https://github.com/kubernetes/features/issues/566
NOTE for release : I guess that CoreDNS as default server for k8s needs a longer description. This specific PR is to ensure we validate all e2e.
```release-note
Make CoreDNS be the default DNS server in kube-up (instead of kube-dns formerly).
It is still possible to deploy kube-dns by setting CLUSTER_DNS_CORE_DNS=false.
```
Automatic merge from submit-queue (batch tested with PRs 67067, 67947). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fixes fluentd configuration params in fluentd-elasticsearch addon
**What this PR does / why we need it**:
- fixes the errors/warnings in fluentd configuration.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
```
2018-08-28 11:40:50 +0000 [warn]: 'filters' parameter is deprecated: filters has been renamed as matches
2018-08-28 11:40:50 +0000 [warn]: 'filters' parameter is deprecated: filters has been renamed as matches
2018-08-28 11:40:50 +0000 [warn]: 'filters' parameter is deprecated: filters has been renamed as matches
2018-08-28 11:40:50 +0000 [warn]: 'filters' parameter is deprecated: filters has been renamed as matches
2018-08-28 11:40:50 +0000 [warn]: 'filters' parameter is deprecated: filters has been renamed as matches
2018-08-28 11:40:50 +0000 [warn]: parameter 'time_format' in <source>
@id fluentd-containers.log
@type tail
path "/var/log/containers/*.log"
pos_file "/var/log/es-containers.log.pos"
time_format %Y-%m-%dT%H:%M:%S.%NZ
tag "raw.kubernetes.*"
read_from_head true
<parse>
@type "multi_format"
<pattern>
format json
time_key "time"
time_format "%Y-%m-%dT%H:%M:%S.%NZ"
time_type string
</pattern>
<pattern>
format /^(?<time>.+) (?<stream>stdout|stderr) [^ ]* (?<log>.*)$/
time_format "%Y-%m-%dT%H:%M:%S.%N%:z"
expression ^(?<time>.+) (?<stream>stdout|stderr) [^ ]* (?<log>.*)$
ignorecase false
multiline false
</pattern>
</parse>
</source> is not used.
```
**Release note**:
```release-note
fixes the errors/warnings in fluentd configuration
```
Automatic merge from submit-queue (batch tested with PRs 67942, 67893). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Work on Juju charms:CSI, dyn config, cloud integration
**What this PR does / why we need it**: This PR updates the Juju charms with fixes/additions regarding. CSI, cloud integration, dynamic configs and cdk-addons
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 67694, 64973, 67902). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
SCTP support implementation for Kubernetes
**What this PR does / why we need it**: This PR adds SCTP support to Kubernetes, including Service, Endpoint, and NetworkPolicy.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#44485
**Special notes for your reviewer**:
**Release note**:
```release-note
SCTP is now supported as additional protocol (alpha) alongside TCP and UDP in Pod, Service, Endpoint, and NetworkPolicy.
```
* add snapd_refresh config and handlers to k8s-master and -worker
* lint readmes
* add snapd_refresh doc to the readme; make "max" less specific
* adjust wording to note snapd_refresh only affects store snaps
The requested Service Protocol is checked against the supported protocols of GCE Internal LB. The supported protocols are TCP and UDP.
SCTP is not supported by OpenStack LBaaS. If SCTP is requested in a Service with type=LoadBalancer, the request is rejected. Comment style is also corrected.
SCTP is not allowed for LoadBalancer Service and for HostPort. Kube-proxy can be configured not to start listening on the host port for SCTP: see the new SCTPUserSpaceNode parameter
changed the vendor github.com/nokia/sctp to github.com/ishidawataru/sctp. I.e. from now on we use the upstream version.
netexec.go compilation fixed. Various test cases fixed
SCTP related conformance tests removed. Netexec's pod definition and Dockerfile are updated to expose the new SCTP port(8082)
SCTP related e2e test cases are removed as the e2e test systems do not support SCTP
sctp related firewall config is removed from cluster/gce/util.sh. Variable name sctp_addr is corrected to sctpAddr in pkg/proxy/ipvs/proxier.go
cluster/gce/util.sh is copied from master
Implemented the call to get all cluster objects in a zone for a project.
Also added code to allow the container api to be set in the gce.conf
file.
Requested fix for @lavalamp. Fixed GetClusters to be GetManagedClusters.
Leaving ListClusters as ListClusters as it is part of the Cloud Clusters
interface, despite also being a "managed" call.
Remove copy pasta :D
Fixed method variable name.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove rescheduler since scheduling DS pods by default scheduler is moving to beta
**What this PR does / why we need it**:
remove rescheduler since scheduling DS pods by default scheduler is moving to beta
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#64725
**Special notes for your reviewer**:
**Release note**:
```release-note
Remove rescheduler since scheduling DS pods by default scheduler is moving to beta.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Set --audit-webhook-mode flag properly based on the env variable
**What this PR does / why we need it**:
Audit webhook mode control via env variable is currently broken and this is the fix.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 67655, 67639). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix validate-cluster.sh for clusters with more than 500 nodes.
**What this PR does / why we need it**:
Without the change, validate-cluster.sh counts nodes using 'wc -l' minus one (header).
kubectl repeats header every 500 rows, so for bigger clusters this doesn't work.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#67597
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 67378, 67675, 67654). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Store logs from 'logexporter' to allow debugging it.
**What this PR does / why we need it**:
With https://github.com/kubernetes/kubernetes/pull/67190 logexporter stopped working properly in 5000 kubemark test (while it works fine in smaller tests)
As we have no tools to debug this in a big scale, I propose storing logexporter logs in some place so that it's possible to debug all attempts.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Supplementary information for common flags and add restart second config
**What this PR does / why we need it**:
the admission-control flag has been marked deprecated, it need to be updated.
And provide them with supplementary information about flags.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubernetes/issues/67627
**Special notes for your reviewer**:
**Release note**:
```NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Allow adding default capabilities to unprivileged addons
**What this PR does / why we need it**:
Allow adding the default set of capabilities back to unprivileged addons, when using the the default GCE PodSecurityPolicies. This is useful when paired with `drop: [ 'all' ]`
This is not a relaxation of permissions, as a pod that didn't touch capabilities (implicitly has the default set) is already allowed.
**Which issue(s) this PR fixes**:
Fixes https://github.com/kubernetes/dns/issues/254
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add Labels to various OWNERS files
**What this PR does / why we need it**:
Will reduce the burden of manually adding labels. Information pulled
from:
https://github.com/kubernetes/community/blob/master/sigs.yaml
Change-Id: I17e661e37719f0bccf63e41347b628269cef7c8b
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 67661, 67497, 66523, 67622, 67632). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Updating ceph to use CSI for k8s >= 1.10
**What this PR does / why we need it**:
Updates the ceph charms to use CSI if the k8s version is >= 1.10
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Kubernetes juju charms will now use CSI for ceph.
```
Automatic merge from submit-queue (batch tested with PRs 67493, 67617, 67582, 67337). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
updates kibana to 6.3.2
**What this PR does / why we need it**:
* updates kibana to 6.3.2
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
needed as es was updated to 6.3.2 too in https://github.com/kubernetes/kubernetes/pull/67484
**Release note**:
```release-note
updates kibana to 6.3.2
```
Automatic merge from submit-queue (batch tested with PRs 67593, 67544). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fixes json logging in fluentd-elasticsearch image
**What this PR does / why we need it**:
* fixes json logging in fluentd-elasticsearch image by downgrading fluent-plugin-kubernetes_metadata_filter plugin to version 2.0.0
* adds missing pos files to fluentd config
* adds mapping type name
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
* https://github.com/helm/charts/issues/7168
**Special notes for your reviewer**:
* https://github.com/fabric8io/fluent-plugin-kubernetes_metadata_filter/issues/145
* https://github.com/uken/fluent-plugin-elasticsearch/issues/442
**Release note**:
```release-note
fixes json logging in fluentd-elasticsearch image by downgrading fluent-plugin-kubernetes_metadata_filter plugin to version 2.0.0
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add --dns-loop-detect option to dnsmasq run by kube-dns
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#67299
**Special notes for your reviewer**:
/cc @kubernetes/sig-network-pr-reviews
**Release note**:
```release-note
add --dns-loop-detect option to dnsmasq run by kube-dns
```
Automatic merge from submit-queue (batch tested with PRs 66793, 67405, 67068, 67501, 67484). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
updates es-image to elasticsearch 6.3.2
**What this PR does / why we need it**:
* updates es-image to elasticsearch 6.3.2
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
updates es-image to elasticsearch 6.3.2
```
Automatic merge from submit-queue (batch tested with PRs 64445, 67459, 67434). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
updated fluentd to 1.2.4
**What this PR does / why we need it**:
* updates fluentd in fluentd-elasticsearch to version 1.2.4
* also updates activesupport, fluent-plugin-elasticsearch & oj gems
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
* updates fluentd in fluentd-elasticsearch to version 1.2.4
* also updates activesupport, fluent-plugin-elasticsearch & oj gems
```
Automatic merge from submit-queue (batch tested with PRs 67396, 67097, 67395, 67365, 67099). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update to debian-iptables v10.1 and hyperkube-base 0.10.1
**What this PR does / why we need it**: these images are based on the `debian-base` 0.3.2 images, which include CVE fixes (#67026) and permission fixes of the qemu-ARCH-static helper binary (#67026, #67283).
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66177, 66185, 67136, 67157, 65065). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update configure-helper.sh to support heapster resource optimizations
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66177, 66185, 67136, 67157, 65065). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Templatize the scaling policy for metrics-server
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 67017, 67190, 67110, 67140, 66873). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use gcr.io/k8s-testimages/logexporter:v0.1.2.
**What this PR does / why we need it**:
Changes a version of logexporter used in our tests.
Version v0.1.2 contains fixes from https://github.com/kubernetes/test-infra/pull/8978 to help debugging #67120
```release-note
NONE
```
/assign @shyamjvs
Automatic merge from submit-queue (batch tested with PRs 66602, 67178, 67207, 67125, 66332). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix get-kube-local.sh 2 wrong parameters.
**bug fix**
1. run ./get-kube-local.sh, and get this error.
> ./get-kube-local.sh: line 60: 2: unbound variable
2. remove duplicate filename in docker run command: `--kubeconfig=${KUBELET_KUBECONFIG}`
**Special notes for your reviewer**:
code detail:
line 88: create-kubelet-kubeconfig "${KUBELET_KUBECONFIG}"
line 59: function create-kubelet-kubeconfig() {
line 60: local destination="${1}"
**Release note**:
```release-note
NONE
```
1. keep function signature consistent.
implementations of the create-kubelet-kubeconfig function take an apiserver address as the first argument and the destination as the second argument.
2. remove duplicate file name(/kubelet.kubeconfig) in --kubeconfig=${KUBELET_KUBECONFIG}/kubelet.kubeconfig
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
GCE: Add OWNERS for image (gci) configuration
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66634, 66260). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
ip-masq-agent daemonset will be scheduled in all nodes.
**What this PR does / why we need it**:
ip-masq-agent tolerate NoSchedule and NoExecute so that it will be scheduled in all nodes.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#66255
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump Heapster to v1.6.0-beta.1
**What this PR does / why we need it**:
Bump Heapster to version v1.6.0-beta.1
**Release note**:
```release-note
Bump Heapster to v1.6.0-beta.1
```
Automatic merge from submit-queue (batch tested with PRs 59030, 64666, 66251, 66485, 66813). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
A large set of improvements to the Stackdriver components.
**What this PR does / why we need it**:
This PR delivers a large set of improvements for both the Stackdriver Logging agent and the Stackdriver Metadata agent.
**Release note**:
```release-note
Metadata Agent Improvements
Bump metadata agent version to 0.2-0.0.21-1.
Expand the metadata agent's access to all API groups.
Remove metadata agent config maps in favor of command line flags.
Update the metadata agent's liveness probe to a new /healthz handler.
Logging Agent Improvements
Bump logging agent version to 0.2-1.5.33-1-k8s-1.
Appropriately set log severity for k8s_container.
Fix detect exceptions plugin to analyze message field instead of log field.
Fix detect exceptions plugin to analyze streams based on local resource id.
Disable the metadata agent for monitored resource construction in logging.
Disable timestamp adjustment in logs to optimize performance.
Reduce logging agent buffer chunk limit to 512k to optimize performance.
```
Metadata Agent Improvements
Bump metadata agent version to 0.2-0.0.21-1.
Expand the metadata agent's access to all API groups.
Remove metadata agent config maps in favor of command line flags.
Update the metadata agent's liveness probe to a new /healthz handler.
Logging Agent Improvements
Bump logging agent version to 0.2-1.5.33-1-k8s-1.
Appropriately set log severity for k8s_container.
Fix detect exceptions plugin to analyze message field instead of log field.
Fix detect exceptions plugin to analyze streams based on local resource id.
Disable the metadata agent for monitored resource construction in logging.
Disable timestamp adjustment in logs to optimize performance.
Reduce logging agent buffer chunk limit to 512k to optimize performance.
Automatic merge from submit-queue (batch tested with PRs 66235, 66908, 66907). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
set standard storage class addon mode to "ensure-exists"
**What this PR does / why we need it**:
Change addon mode for standard storage class to `EnsureExists`.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#66222
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Default some unbound cluster/gce env vars
**What this PR does / why we need it**:
Sets defaults for two env vars used by cluster/gce/* scripts so as to
avoid the following warnings when bringing a cluster up for test
```
METADATA_CONCEALMENT_NO_FIREWALL: unbound variable
CUSTOM_KUBE_DASHBOARD_BANNER: unbound variable
```
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#60850
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
dd status=none does not exist on macOS
**What this PR does / why we need it**:
When running cluster/kubectl.sh on macOS 10.13.6, the use of the
`status=none` operand leads to `dd: unknown operand status` being
printed out as an error message. Redirecting to /dev/null does
the same thing, supressing transfer status.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66284, 66690). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Exit gce kube-up.sh early if openssl is LibreSSL
**What this PR does / why we need it**:
macOS has an openssl binary, but it's actually LibreSSL, which doesn't play well with the easyrsa script that cluster/gce/util.sh uses to generate certs
Instead of waiting until we generate certs to discover easyrsa doesn't work, consider openssl a prereq for gce, and include a check for the version string starting with OpenSSL
Also, mirror kube-up.sh's "... calling" output in kube-down.sh
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/community#1954
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 66225, 66648, 65799, 66630, 66619). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump to k8s.gcr.io/metadata-proxy:v0.1.10
This PR bumps the metadata-proxy to a version which is compatible with `gcloud`'s GCE Metadata access_token logic.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63955, 66685, 66671). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add KUBE_CUSTOM_CALICO_NODE_DAEMONSET_YAML and KUBE_CUSTOM_TYPHA_DEPL…
**What this PR does / why we need it**:
PR https://github.com/kubernetes/kubernetes/pull/65024 Add a helper function to customize K8s addon yamls and use it to customize Calico addons on GKE.
This PR will expose CUSTOM_CALICO_NODE_DAEMONSET_YAML and CUSTOM_TYPHA_DEPLOYMENT_YAML so that we can easily overwrite calico yamls on k8s opensource.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONRE
```
macOS has an openssl binary, but it's actually LibreSSL, which
doesn't play well with the easyrsa script that cluster/gce/util.sh
uses to generate certs
Instead of waiting until we generate certs to discover easyrsa doesn't
work, consider openssl a prereq for gce, and include a check for the
version string starting with OpenSSL
Also, mirror kube-up.sh's "... calling" output in kube-down.sh
Automatic merge from submit-queue (batch tested with PRs 66676, 66624). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump Heapster to v1.5.4
**What this PR does / why we need it**:
Bump Heapster v1.5.4.
**Which issue(s) this PR fixes**
This Heapster release fixes Stackdriver integration with Kubernetes 1.11.
**Release note**:
```release-note
Fix Stackdriver integration based on node annotation container.googleapis.com/instance_id.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
more clear err log
**What this PR does / why we need it**:
more clear err log
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62423, 66180, 66492, 66506, 65242). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adding IKS functionality to kubemark
**What this PR does / why we need it**:
This PR adds bash scripts in which kubemark is able to be run on IKS clusters. This adds versatility to the testing ability of kubemark by adding another cloud provider and example of use. The scripts to clean up kubemark after use are also included. In addition to this, minor changes were added to other kubemark related files to increase cloud-provider flexibility.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
No issues will be fixed, as this is an extension to a feature.
**Special notes for your reviewer**:
I currently have the IKS scripts separate from the default ones, which are mainly based off of GCE. If it is preferable, I could combine them into single scripts which prompt the user to choose which cloud provider to test. If there are any issues with the scripts or code, please let me know. Thank you!
**Release note**:
```release-note
NONE
```
In addition to the shell script changes the heapster yaml has been
updated to use addon resizer 1.8.3 for the heapster-nanny. Addon resizer 1.8.3
is being used to take advantage of the new minClusterSize flag. Note this is a
no-op change. The values specified for heapster-nanny reflect the current
configuration used with version 1.8.2.
Automatic merge from submit-queue (batch tested with PRs 66152, 66406, 66218, 66278, 65660). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update crictl to v1.11.1.
Update `crictl` to v1.11.1 to fix several bugs. Release note: https://github.com/kubernetes-incubator/cri-tools/releases/tag/v1.11.1
@kubernetes/sig-node-pr-reviews @kubernetes/sig-cluster-lifecycle-pr-reviews
@kubernetes/sig-gcp-pr-reviews
Signed-off-by: Lantao Liu <lantaol@google.com>
```release-note
Update crictl to v1.11.1.
```
Automatic merge from submit-queue (batch tested with PRs 66342, 66330, 65641). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
bump ingress version to 1.2
```release-note
Bump Ingress-gce version to 1.2.0
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix test failure when executed using build/run.sh
**What this PR does / why we need it**:
The container used by build/run.sh doesn't necessarily have an entry in
/etc/passwd for the host user's uid, and this missing data causes
`whoami` to fail.
Switch `whoami` to `id -un` to fall back to the uid if the /etc/passwd
entry is missing.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#66340
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
The container used by build/run.sh doesn't necessarily have an entry in
/etc/passwd for the host user's uid, and this missing data causes
`whoami` to fail.
Switch `whoami` to `id -un` to fall back to the uid if the /etc/passwd
entry is missing.
Signed-off-by: Andy Goldstein <andy.goldstein@gmail.com>
Automatic merge from submit-queue (batch tested with PRs 66238, 66157). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump version of event-exporter.
```release-note
Bump event-exporter to 0.2.2 to pick up security fixes.
```
Automatic merge from submit-queue (batch tested with PRs 66011, 66111, 66106, 66039, 65745). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Disable initializers by default
The API group driving this field is not enabled by default, and it does not appear that these will progress beyond the alpha phase.
Remove the admission plugin from default configurations.
/sig api-machinery
/cc @smarterclayton
```release-note
The alpha `Initializers` admission plugin is no longer enabled by default. This matches the off-by-default behavior of the alpha API which drives initializer behavior.
```
Automatic merge from submit-queue (batch tested with PRs 66095, 66092). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
make the addons docker registry configurable
**What this PR does / why we need it**:
Allow users to configure the docker registry used when applying cdk-addons templates.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
Depends on https://github.com/juju-solutions/cdk-addons/pull/45
**Release note**:
```release-note
Expose docker registry config for addons used in Juju deployments
```
Automatic merge from submit-queue (batch tested with PRs 65794, 65919). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Incremented the elasticsearch version
**What this PR does / why we need it**:
Applies changes implemented in:
https://github.com/kubernetes/kubernetes/pull/65627
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65794, 65919). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove references to the Debian-based Container-VM image
The image reached end-of-life in October 2017. Remove the associated
references from the cluster setup script.
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65456, 65549). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix flexvolume in containerized kubelets
Fixes flex volumes in containerized kubelets.
cc @jsafrane @chakri-nelluri @verult
Note to reviewers : e2e tests pass in local containarized cluster.
```release-note
Fix flexvolume in containarized kubelets
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove echo cmd when overwriting a file from an Env var.
**What this PR does / why we need it**:
Cleanup the shell script.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
"NONE"
```
Automatic merge from submit-queue (batch tested with PRs 65719, 65764). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
juju: Fix upgrade actions not working with resources
**What this PR does / why we need it**:
This fixes an issue with the kubernetes-master and kubernetes-worker charms, where running the `upgrade` action does not actually perform an upgrade when snaps are attached as resources.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/528
**Special notes for your reviewer**:
The underlying issue is that both layer-snap and the kubernetes layers are using `any_file_changed` to look for changes in the resources. This PR fixes it by removing the use of `any_file_changed` in the top-level layers, and implementing our own code for it instead.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65094, 65533, 63522, 65694, 65702). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Reload systemd config files before starting kubelet.
In some environments, the os image comes with preloaded kubelet.service,
so we need to reload systemctl configs to make changes effective.
**What this PR does / why we need it**:
Some OS images already contains kubelet.service with preloaded kubelet in some random version. After doing changes to kubelet.service we need to call 'systemctl daemon-reload' to make changes effective.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
stop using deprecated --etcd-quorum-read
etcd-quorum-read was deprecated, but it is still used.
This pr stops using it.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64758, 65627). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fixed the wrong elasticsearch node counter
**What this PR does / why we need it**:
I am experiencing the nasty bug during the deployment of the elasticsearch-logging statefulset on my custom Kubernetes in Azure (AzureDisk persistant storage). Let's imaging that we want two master nodes which our elasticsearch will try to find during the discovery procedure. Because of the delay between creation of two nodes (azure disk creation) there will be a situation when only one node exists in the service endpoint list and it will be enough to pass the elasticsearch logging discovery step. Only one node will be written to the elasticsearch.yml, but it expects two. Elasticsearch will not be able to find required two nodes. Then Kubernetes will terminate the first pod while the second pod is almost ready (remove that endpoint from service). Then it adds the ip of the second pod to the endpoint and discovery fails as well. This is the endless procedure.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Fixes the wrong elasticsearch node counter
```
Automatic merge from submit-queue (batch tested with PRs 65582, 65480, 65310, 65644, 65645). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add Ubuntu 18.04 (Bionic) series to Juju charms
**What this PR does / why we need it**:
Adds Ubuntu 18.04 (Bionic) series to Juju charms. 16.04 (Xenial) is still the default series, but with this change the charms can be easily deployed on Bionic if desired.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Add Ubuntu 18.04 (Bionic) series to Juju charms
```
Automatic merge from submit-queue (batch tested with PRs 65518, 65624, 65380, 65390, 65586). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Preparing for 1.11 release and update ingress image to 0.16.1
**What this PR does / why we need it**: This is to prepare Juju charms to default to 1.11 release.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65319, 64513, 65474, 65601, 65634). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable “Kubernetes Monitoring” and “PodSecurityPolicies” on the same cluster
Without that the daemonset "metadata-agent" return:
```pods "metadata-agent-" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 8799: Host port 8799 is not allowed to be used. Allowed ports: []]```
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65319, 64513, 65474, 65601, 65634). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Allow custom manifests in GCP master setup
Add a hook in GCE setup script to allow using custom manifests on master, so we can decouple some GKE changes from k8s. Note that this PR just adds a hook there is no change in default behavior.
```release-note
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add prometheus scrape port to CoreDNS service
**What this PR does / why we need it**:
Add prometheus scrape port
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #https://github.com/kubernetes/kubeadm/issues/955
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bug fix: Should allow alias range size equals to max number of pods * 2
**What this PR does / why we need it**:
Currently in gce/config-common.sh, function get-alias-range-size returns a range which is strictly bigger than log2(max pods * 2). Where equal should be also acceptable. Say if max pods constraint = 8, it should return /28, instead of /27.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#65521
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 60150, 65467, 65487, 65595, 65374). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
use lowercase hostnames for node names
**What this PR does / why we need it**:
Uppercase hostnames used in charms result in (lowercase) node name lookup errors. This happens when /etc/hostname contains uppercase characters and gethostname or getfqdn return those characters.
**Special notes for your reviewer**:
Discovered in a field deployment where hostnames are all uppercase.
**Release note**:
```release-note
Hostnames are now converted to lowercase before being used for node lookups in the kubernetes-worker charm.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Set pod priority on kube-proxy manifest by default
**What this PR does / why we need it**:
Follow up of https://github.com/kubernetes/kubernetes/pull/59237, set pod priority on kube-proxy by default and remove the unneeded logic in startup script.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
/assign @bsalamat @bowei
cc @tanshanshan
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65361, 64527). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix exception detection in new version of fluentd-gcp addon
**What this PR does / why we need it**:
The `detect_exceptions` plugin is used to group log entries that belong to a common exception together into one log message. A [recent change](1ca851baec/cluster/addons/fluentd-gcp/fluentd-gcp-configmap.yaml (L100)) to the configuration modified which field is used for the log message, but this change was not applied to the configuration of the `detect_exceptions` plugin, so currently no collation of exception lines is happening.
This change fixes the issue by changing the field the `detect_exceptions` plugin is using.
**Special notes for your reviewer**:
**Release note**:
```release-note
Fixed exception detection in fluentd-gcp plugin.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update Rescheduler's manifest
**What this PR does / why we need it**: Updates Rescheduler's manifest to use version 0.4.0
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Update Rescheduler's manifest to use version 0.4.0.
```
Automatic merge from submit-queue (batch tested with PRs 65342, 65460). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update NPD config for GCI
**What this PR does / why we need it**:
Use https://github.com/kubernetes/node-problem-detector/pull/180 on GCI
**Special notes for your reviewer**:
This is currently pending an NPD release.
**Release note**:
```release-note
NONE
```
/assign @Random-Liu
/sig node
/kind feature
/priority important-soon
Usage of names containing uppercase characters returned by calls to
gethostname and getfqdn in requests to apiserver related to nodes
results in 404 errors. Node names are lowercase in K8s itself so charms
should make sure to use lowercase names well as it results in errors.
pkg/util/node/node.go has code to convert hostnames to lowercase in
GetHostname and that function is used to form node names.
Without that the daemonset "metadata-agent" return:
```pods "metadata-agent-" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 8799: Host port 8799 is not allowed to be used. Allowed ports: []]```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add /home/kubernetes/bin into sudoers path, so that `sudo crictl` works.
Add `/home/kubernetes/bin` to sudoers path, so that user can call `sudo crictl` directly.
Without this fix, user has to either use the full path `sudo /home/kubernetes/bin/crictl` or switch to root, which is not a good user experience.
/cc @yujuhong @feiskyer @filbranden @kubernetes/sig-node-pr-reviews @kubernetes/sig-gcp-pr-reviews
**Release note**:
```release-note
User can now use `sudo crictl` on GCE cluster.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
juju: Add audit support to kubernetes-master charm
**What this PR does / why we need it**:
This PR adds audit configuration support to the kubernetes-master charm. Specifically, it enables audit logging by default, and adds two new config options: `audit-policy` and `audit-webhook-config`.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65024, 65287, 65345, 64693, 64941). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add a helper function to customize K8s addon yamls and use it to customize Calico addons on GKE
**What this PR does / why we need it**:
Allow customizing Calico addon in GCP. With #65022, this allows us to do a couple of things:, e.g., run Calico 3.0+ on GCP, use a non-default MTU etc.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#65045, #65067
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 65301, 65291, 65307, 63845, 65313). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add option to control SSL chain completion
**What this PR does / why we need it**:
This adds templated support to the kubernetes-worker juju charm for the --enable-ssl-chain-completion option on the ingress proxy. It defaults to false, to ensure that production sites are not reliant on OCSP or DNS in order to function.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
kubernetes-worker juju charm: Added support for setting the --enable-ssl-chain-completion option on the ingress proxy. "action required": if your installation relies on supplying incomplete certificate chains and using OCSP to fill them in, you must set "ingress-ssl-chain-completion" to "true" in your juju configuration.
```
Automatic merge from submit-queue (batch tested with PRs 65064, 65218, 65260, 65241, 64372). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
updated fluentd in fluentd-es-image to version 1.2.2
**What this PR does / why we need it**: Updates fluentd in fluentd-es-image to version 1.2.2.
Also updates all other used gems to most recent versions.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
juju charms: set more accurate status based on goal_state
**What this PR does / why we need it**:
Use juju goal-state to report more accurate charm status.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/593
**Special notes for your reviewer**:
The goal-state hook tool was released in juju 2.4. For deployments on earlier versions of juju, this will fall back to the current status reporting behavior.
**Release note**:
```release-note
Report accurate status for kubernetes-master and -worker charms.
```
Automatic merge from submit-queue (batch tested with PRs 65123, 65176, 65139, 65084, 65056). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Increase fluentd-gcp grace termination period to 1min
By default, all pods have 30s for graceful termination. This gives fluentd additional 30s to export logs e.g. when the node is shutting down.
**What this PR does / why we need it**:
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
fluentd-gcp grace termination period increased to 60s.
```
cc @vishh
Automatic merge from submit-queue (batch tested with PRs 65123, 65176, 65139, 65084, 65056). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Periodically fetch logexported nodes instead of sleeping
Automatic merge from submit-queue (batch tested with PRs 65123, 65176, 65139, 65084, 65056). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Pass cluster_location argument to Heapster
**What this PR does / why we need it**:
Fixes Stackdriver monitoring on GCE clusters where cluster location is not a single zone, for example regional clusters.
**Release note**:
```release-note
Pass cluster_location argument to Heapster
```
Automatic merge from submit-queue (batch tested with PRs 64140, 64898, 65022, 65037, 65027). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update Calico addon yamls to make it work for both 2.x and 3.x. versions.
**What this PR does / why we need it**:
Without this PR, one could not run Calico 3.0+.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#65045
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64140, 64898, 65022, 65037, 65027). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add charm support for OpenStack Integrator
**What this PR does / why we need it**:
Add charm support for OpenStack Integrator
Also rename interfaces for existing integrator charms
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64285, 63660, 63661, 63662, 64883). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Mwilson/nginx image bump
**What this PR does / why we need it**:
Updating default nginx image for CDK
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/576
**Special notes for your reviewer**:
**Release note**:
```release-note
Updated default image for nginx ingress in CDK to match current Kubernetes docs.
```
Automatic merge from submit-queue (batch tested with PRs 64142, 64426, 62910, 63942, 64548). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
update fluentd-elasticsearch addon
**What this PR does / why we need it**:
Elastic now provides a fully opensource version for their prebuild
docker images (elasticsearch, kibana and so on). To avoid running into
licensing conflicts for this addon example, we should rather use these
images instead of the premium ones (were we also have to disable premium
features manually right now).
This PR updates:
- fluentd from <=1.1.0 to ~>1.1.3
- elasticsearch and kibana from 5.6.2 to 6.2.4
- fluentd-elasticsearch-plugin from 2.4.1 to 2.9.1
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
https://github.com/fluent/fluentd/issues/1894
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix dead links in kube-dns/README.md
**What this PR does / why we need it**:
fix dead links in kube-dns/README.md
**Which issue(s) this PR fixes**
no issue
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix dead-link to dns-horizontal-autoscaler
**What this PR does / why we need it**:
It looks like dns-horizontal-autoscaler doesn't exist in the dns repository anymore, but one level higher.
This PR fixes the dead link.
Automatic merge from submit-queue (batch tested with PRs 64974, 65009, 65018). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Increase logexporter timeout and add debug logs
Ref - https://github.com/kubernetes/kubernetes/issues/63030#issuecomment-396335294
So it seems that logexporter isn't running on too many nodes on our 5k node cluster (~40% of nodes). As a result we fallback to ssh-based copying for so many nodes which is slow and hence the job times out. My feeling is it's because of slow scheduling of logexporter pods (and hence quite some nodes didn't even get the chance to run those pods before we delete the daemonset).
/cc @wojtek-t @krzyzacy
```release-note
NONE
```
/sig scalability
/kind bug
/priority important-soon
/milestone v1.11
/status approved-for-milestone
Automatic merge from submit-queue (batch tested with PRs 64503, 64903, 64643, 64987). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use unix.EpollWait to determine when memcg events are available to be Read
**What this PR does / why we need it**:
This fixes a file descriptor leak introduced in https://github.com/kubernetes/kubernetes/pull/60531 when the `--experimental-kernel-memcg-notification` kubelet flag is enabled. The root of the issue is that `unix.Read` blocks indefinitely when reading from an event file descriptor and there is nothing to read. Since we refresh the memcg notifications, these reads accumulate until the memcg threshold is crossed, at which time all reads complete. However, if the node never comes under memory pressure, the node can run out of file descriptors.
This PR changes the eviction manager to use `unix.EpollWait` to wait, with a 10 second timeout, for events to be available on the eventfd. We only read from the eventfd when there is an event available to be read, preventing an accumulation of `unix.Read` threads, and allowing the event file descriptors to be reclaimed by the kernel.
This PR also breaks the creation, and updating of the memcg threshold into separate portions, and performs creation before starting the periodic synchronize calls. It also moves the logic of configuring memory thresholds into memory_threshold_notifier into a separate file.
This also reverts https://github.com/kubernetes/kubernetes/pull/64582, as the underlying leak that caused us to disable it for testing is fixed here.
Fixes#62808
**Release note**:
```release-note
NONE
```
/sig node
/kind bug
/priority critical-urgent
Automatic merge from submit-queue (batch tested with PRs 64503, 64903, 64643, 64987). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Create system:cluster-autoscaler account & role and introduce it to C…
**What this PR does / why we need it**:
This PR adds cluster-autoscaler ClusterRole & binding, to be used by the Cluster Autoscaler (kubernetes/autoscaler repository).
It also updates GCE scripts to make CA use the cluster-autoscaler user account.
User account instead of Service account is chosen to be more in line with kube-scheduler.
**Which issue(s) this PR fixes**:
Fixes [issue 383](https://github.com/kubernetes/autoscaler/issues/383) from kubernetes/autoscaler.
**Special notes for your reviewer**:
This PR might be treated as a security fix since prior to it CA on GCE was using system:cluster-admin account, assumed due to default handling of unsecured & unauthenticated traffic over plain HTTP.
**Release note**:
```release-note
A cluster-autoscaler ClusterRole is added to cover only the functionality required by Cluster Autoscaler and avoid abusing system:cluster-admin role.
action required: Cloud providers other than GCE might want to update their deployments or sample yaml files to reuse the role created via add-on.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove deprecated option '--enable-custom-metrics'
**Release note**:
```release-note
deprecated and inactive option '--enable-custom-metrics' is removed in 1.11
```
Automatic merge from submit-queue (batch tested with PRs 64723, 64537). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update istio addon manifest to 0.8
**What this PR does / why we need it:**
Update Istio addon version to latest stable 0.8.0.
Changes from vanilla istio[-auth].yaml include:
- k8s addon Reconcile labels
- add all available Istio addons (grafana)
- mirror docker images to gcr.io
- add auto-injection in default namespace (not reconciled to allow Istio uninstall)
- remove instance counts to prevent addon reconcile reverting any manual scaling
**Release note**:
```release-note
Update version of Istio addon from 0.6.0 to 0.8.0.
See https://istio.io/about/notes/0.8.html for full Isto release notes.
```
Automatic merge from submit-queue (batch tested with PRs 64276, 64094, 64719, 64766, 64750). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use default seccomp profile for GCE manifests
**What this PR does / why we need it**:
This PR sets the default seccomp profile of unprivileged addons to 'docker/default' for GCE manifests. This PR is a followup of #62662. We are using 'docker/default' instead of 'runtime/default' in addons in order to handle node version skew. When seccomp profile is applied automatically by default later, we can remove those annotations.
This is PR is part of #39845.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Drop capabilities of CoreDNS container and run in read-only
**What this PR does / why we need it**: Make the CoreDNS container more secure by dropping (root) capabilities. Improve the integrity of the of the container by running the whole container in read-only.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
Same [changes](aba0245609) as in the CoreDNS deployment repository.
**Release note**:
```release-note
Kubeadm: Make CoreDNS run in read-only mode and drop all unneeded privileges
```
Automatic merge from submit-queue (batch tested with PRs 64344, 64709, 64717, 63631, 58647). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
CoreDNS pull image from gcr.io
**What this PR does / why we need it**:
CoreDNS now pulls image from gcr.io
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63453, 64592, 64482, 64618, 64661). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Revert "Remove rescheduler and corresponding tests from master"
Reverts kubernetes/kubernetes#64364
After discussing with @bsalamat on how DS controllers(ref: https://github.com/kubernetes/kubernetes/pull/63223#discussion_r192277527) cannot create pods if the cluster is at capacity and they have to rely on rescheduler for making some space, we thought it is better to
- Bring rescheduler back.
- Make rescheduler priority aware.
- If cluster is full and if **only** DS controller is not able to create pods, let rescheduler be run and let it evict some pods which have less priority.
- The DS controller pods will be scheduled now.
So, I am reverting this PR now. Step 2, 3 above are going to be in rescheduler.
/cc @bsalamat @aveshagarwal @k82cn
Please let me know your thoughts on this.
```release-note
Revert #64364 to resurrect rescheduler. More info https://github.com/kubernetes/kubernetes/issues/64725 :)
```
Automatic merge from submit-queue (batch tested with PRs 61610, 64591, 58143, 63929). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add netd as an addon for GCP
**What this PR does / why we need it**:
Add netd as an addon for GKE.
The PR will add setup functions and var to help deploy netd daemon on GKE.
Please checkout more detail for netd at https://github.com/GoogleCloudPlatform/netd
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 61610, 64591, 58143, 63929). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Create CoreDNS and kube-dns folders
**What this PR does / why we need it**:
Separate the CoreDNS and kube-dns manifests by creating their own folders (dns/coredns and dns/kube-dns)
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61435
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
cc @MrHohn
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add ipvs module loading logic to gce scripts
**What this PR does / why we need it**:
Add ipvs module loading logic to gce scripts.
Fixes a part of #59402.
/cc @Lion-Wei
/assign @roberthbailey @m1093782566
**Release note**:
```release-note
None
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Disable memcg for testing prior to 1.11 release
**What this PR does / why we need it**:
Turn off kubelet memory cgroup notifications on GCE to unblock scalability testing.
Related issue: #62808
```release-note
NONE
```
/sig node
/kind bug
/priority critical-urgent
/assign @shyamjvs @yujuhong
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove rescheduler and corresponding tests from master
**What this PR does / why we need it**:
This is to remove rescheduler from master branch as we are promoting priority and preemption to beta.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of #57471
**Special notes for your reviewer**:
/cc @bsalamat @aveshagarwal
**Release note**:
```release-note
Remove rescheduler from master.
```
Automatic merge from submit-queue (batch tested with PRs 64281, 62991). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use default seccomp profile for flutend-elasticsearch addons
**What this PR does / why we need it**:
This PR sets the default seccomp profile to 'docker/default' for:
- fluentd-es daemon set.
- kibana-logging deployment.
The elasticsearch-logging stateful set is still unconfined because it uses gce:podsecuritypolicy:privileged.
This PR is a followup of #62662. We are using 'docker/default' instead of 'runtime/default' in addons in order to handle node version skew. When seccomp profile is applied automatically by default later, we can remove those annotations.
This is PR is part of #39845.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 64258, 63068). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update the CoreDNS version and manifest
**What this PR does / why we need it**:
Bumps CoreDNS to 1.1.3 and updates manifest
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
CoreDNS is now v1.1.3
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update nvidia-gpu-device-plugin to apps/v1 and use RollingUpdate updateStrategy.
Even though RollingUpdate is the default updateStrategy, we need to
specify it explicitly here because otherwise updating from
extensions/v1beta1 to apps/v1 doesn't change the updateStrategy.
Related to #57125 and #63634
```release-note
NONE
```
/assign @vishh @jiayingz
/cc @janetkuo
Automatic merge from submit-queue (batch tested with PRs 61963, 64279, 64130, 64125, 64049). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use default seccomp profile for DNS addons.
**What this PR does / why we need it**:
This PR sets the default seccomp profile of DNS addons to 'docker/default'. This PR is a followup of #62662. We are using 'docker/default' instead of 'runtime/default' in addons in order to handle node version skew. When seccomp profile is applied automatically by default later, we can remove those annotations.
This is PR is part of #39845.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63417, 64249, 64242, 64128, 64275). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
graduate DynamicKubeletConfig feature to beta
Everything in the https://github.com/kubernetes/features/issues/281 beta target except a few documentation-related items is complete. Docs should be done very soon, so I'm sending this PR to graduate to beta before freeze.
```release-note
The dynamic Kubelet config feature is now beta, and the DynamicKubeletConfig feature gate is on by default. In order to use dynamic Kubelet config, ensure that the Kubelet's --dynamic-config-dir option is set.
```
/cc @luxas
Even though RollingUpdate is the default updateStrategy, we need to
specify it explicitly here because otherwise updating from
extensions/v1beta1 to apps/v1 doesn't change the updateStrategy.
Automatic merge from submit-queue (batch tested with PRs 64060, 63904, 64218, 64208, 64247). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Revert enable PodPreset admission and also enable settings.k8s.io/v1a…
…lpha1 api resource
**What this PR does / why we need it**:
Enable PodPreset admission for there are alpha feature test cases covering it. Simultaneously enable sttings.k8s.io/v1alpha1 api resource.
Fixes#63843
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63434, 64172, 63975, 64180, 63755). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Dump Stack when docker fails on healthcheck
Save stack dump of docker daemon in order to be able to
investigate why docker daemon was unresposive to `docker ps`
See https://github.com/moby/moby/blob/master/daemon/daemon.go on
how docker sets up a trap for SIGUSR1 with `setupDumpStackTrap()`
**What this PR does / why we need it**:
This allows us to investigate why docker daemon was unresponsive to "docker ps" command.
**Special notes for your reviewer**:
Manually tested on Ubuntu and COS.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63434, 64172, 63975, 64180, 63755). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
re-reorder authorizers (RBAC before Webhook).
Sort of reverts #57426
We aren't relying on the ordering for anything, and it's not worth the additional latency/traffic at this point.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use default seccomp profile for unprivileged addons
**What this PR does / why we need it**:
This PR sets the default seccomp profile of unprivileged addons to 'docker/default'. This PR is a followup of [#62662](https://github.com/kubernetes/kubernetes/pull/62662) and [#62671](https://github.com/kubernetes/kubernetes/pull/62671). We are using 'docker/default' instead of 'runtime/default' in addons in order to handle node version skew. When seccomp profile is applied automatically by default later, we can remove those annotations.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#39845
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Send SIGUSR1 to dockerd to save stack dump of docker daemon
in order to be able to investigate why docker daemon was
unresposive to health check done by `docker ps`.
See https://github.com/moby/moby/blob/master/daemon/daemon.go on
how docker sets up a trap for SIGUSR1 with `setupDumpStackTrap()`
Automatic merge from submit-queue (batch tested with PRs 63969, 63902, 63689, 63973, 63978). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Reuse existing CA cert path for kubelet certs
**What this PR does / why we need it**: configure-helper.sh already knows the path to CA cert, re-use that to avoid typos.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63569, 63918, 63980, 63295, 63989). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
New event exporter config with support for new stackdriver resources
New event exporter, with support for use new and old stackdriver resource model.
This should also be cherry-picked to release-1.10 branch, as all fluentd-gcp components support new and stackdriver resource model.
```release-note
Update event-exporter to version v0.2.0 that supports old (gke_container/gce_instance) and new (k8s_container/k8s_node/k8s_pod) stackdriver resources.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use 'docker/default' as default seccomp profile for unprivileged PodSecurityPolicy
**What this PR does / why we need it**:
This PR sets the default seccomp profile for unprivileged PodSecurityPolicy to 'docker/default'. This PR is a followup of [#62662](https://github.com/kubernetes/kubernetes/pull/62662). We are using 'docker/default' instead of 'runtime/default' in addons in order to handle node version skew. When default seccomp profile is applied later, we can remove those annotations.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#39845
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63875, 63817). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
NFS support for default storage
**What this PR does / why we need it**:
Adds NFS support for kubernetes-worker charm allowing default storage for NFS charms.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
Added support for NFS relations on kubernetes-worker charm.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Deprecate InfluxDB cluster monitoring
InfluxDB cluster monitoring addon will no longer be supported and will be removed in k8s 1.12.
Default monitoring solution will be changed to `standalone`.
Heapster will still be deployed for backward compatibility of `kubectl top`
```release-note
Stop using InfluxDB as default cluster monitoring
InfluxDB cluster monitoring is deprecated and will be removed in v1.12
```
cc @piosz
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
gce: Prefer MASTER_ADVERTISE_ADDRESS in apiserver setup
MASTER_ADVERTISE_ADDRESS is used to set the --advertise-address flag
for the apiserver. It's useful for running the apiserver behind a load
balancer.
However, if PROJECT_ID, TOKEN_URL, TOKEN_BODY, and NODE_NETWORK are
all set, the GCE VM's external IP address will be fetched and used
instead and MASTER_ADVERTISE_ADDRESS will be ignored.
Change this behavior so that MASTER_ADVERTISE_ADDRESS takes precedence
because it's more specific. We still fall back to using the VM's
external IP address if the other variables are set.
Also: Move the setting of --ssh-user and --ssh-keyfile based on
PROXY_SSH_USER) to a top-level block because this is common to all
codepaths.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63167, 63357). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Install and use crictl in gce kube-up.sh
Download and use crictl in gce kube-up.sh.
This PR:
1. Downloads crictl `v1.0.0-beta.0` onto the node, which supports CRI v1alpha2. We'll upgrade it to `v1.0.0-beta.1` soon after the release is cut.
2. Change `kube-docker-monitor` to `kube-container-runtime-monitor`, and let it use `crictl` to do health monitoring.
3. Change `e2e-image-puller` to use `crictl`. Because of https://github.com/kubernetes/kubernetes/issues/63355, it doesn't work now. But in `crictl v1.0.0-beta.1`, we are going to statically link it, and the `e2e-image-puller` should work again.
4. Use `systemctl kill --kill-who=main` instead of `pkill`, the reason is that:
a. `pkill docker` will send `SIGTERM` to all processes including `dockerd`, `docker-containerd`, `docker-containerd-shim`. This is not a problem for Docker 17.03 CE, because `containerd-shim` in containerd 0.2.x doesn't exit with SIGERM (see [code](https://github.com/containerd/containerd/blob/v0.2.x/containerd-shim/main.go#L123)). However, `containerd-shim` in containerd 1.0+ does exit with SIGTERM (see [code](https://github.com/containerd/containerd/blob/master/cmd/containerd-shim/main_unix.go#L200)). This means that `pkill docker` and `pkill containerd` will kill all shim processes for Docker 17.11+ and containerd 1.0+.
b. We can use `pkill -x` instead. However, docker systemd service name is `docker`, but daemon process name is `dockerd`. We have to introduce another environment variable to specify "daemon process name". Given so, it seems easier to just use `systemctl kill` which only requires systemd service name. `systemctl kill --kill-who=main` will make sure only main process receives SIGTERM.
Signed-off-by: Lantao Liu <lantaol@google.com>
/cc @filbranden @yujuhong @feiskyer @mrunalp @kubernetes/sig-node-pr-reviews @kubernetes/sig-cluster-lifecycle-pr-reviews
**Release note**:
```release-note
Kubernetes cluster on GCE have crictl installed now. Users can use it to help debug their node. The documentation of crictl can be found https://github.com/kubernetes-incubator/cri-tools/blob/master/docs/crictl.md.
```
Automatic merge from submit-queue (batch tested with PRs 63589, 63644, 63861, 63872, 63847). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Enable CUSTOM_INGRESS_YAML to replace the glbc manifest
This allows for customized versions of the Ingress YAML separate from
stock Kubernetes.
```release-note
NONE
```
MASTER_ADVERTISE_ADDRESS is used to set the --advertise-address flag
for the apiserver. It's useful for running the apiserver behind a load
balancer.
However, if PROJECT_ID, TOKEN_URL, TOKEN_BODY, and NODE_NETWORK are
all set, the GCE VM's external IP address will be fetched and used
instead and MASTER_ADVERTISE_ADDRESS will be ignored.
Change this behavior so that MASTER_ADVERTISE_ADDRESS takes precedence
because it's more specific. We still fall back to using the VM's
external IP address if the other variables are set.
Also: Pass --ssh-user and --ssh-keyfile flags if both PROXY_SSH_USER
and MASTER_ADVERTISE_ADDRESS is set.
Automatic merge from submit-queue (batch tested with PRs 63272, 63782, 63715, 63811, 63803). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add support for GCP charm
**What this PR does / why we need it**: Continuing from #62354, add support for Juju charms to connect to GCP integration charm to automatically manage IAM labels and roles, and cloud-provider setting for GCE.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63492, 62379, 61984, 63805, 63807). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove PodPreset and enable resources for Priority admission plugins in e2e-gce
**What this PR does / why we need it**:
e2e-gce start kube-apiserver without admission PodPreset and enable resources for Priority
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#62377
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
It is possible that the node API object doesn't exist in a brief
window between recreation and registering. By moving the uncordon
until after the node is ready, we can be sure the API object exists.
Automatic merge from submit-queue (batch tested with PRs 62665, 62194, 63616, 63672, 63450). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump down to cos-stable-65 in config-test
Until https://github.com/kubernetes/kubernetes/issues/62456 is fixed (and we have a good patched version of cos-66), we probably should not be using the current version for testing which we anyway know we wouldn't be using for prod due to the bug.
/cc @yujuhong @filbranden @wojtek-t
Wdyt?
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62665, 62194, 63616, 63672, 63450). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Uncordon the node after upgrade
**What this PR does / why we need it**:
Previous logic was relying on the node to recreate the node API object
and, as a side-effect, uncordon itself. A change went in that no
longer ensures the node recreates itself, so the bug in this logic was exposed.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#63506
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
cc @dchen1107 @AishSundar
Previous logic was relying on the node to recreate the node API object
and, as a side-effect, uncordon itself. A change went in that no
longer ensures the node recreates itself, so the bug in this logic was exposed.
Automatic merge from submit-queue (batch tested with PRs 62354, 62934, 63502). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add support for AWS charm
Support AWS integration via proxy charm.
**What this PR does / why we need it**: Add support for Juju charms to connect to AWS integration charm to automatically manage IAM tags and roles, and cloud-provider setting for AWS.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57954, 62166). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fluentd-elasticsearch addon: allow graceful shutdown in fluentd-es image.
This PR contains an optimisation to the fluentd-elasticsearch addon. Restarting fluentd pods took unnecessarily long because the start script in the image did not support propagating signals to the actual fluentd process. This patch fixes this behaviour.
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63535, 63528). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump Heapster to v1.5.3
This PR updates heapster version in all cluster-monitoring addons
Heapster Changelog:
* Fix stackdriver metrics for node memory using wrong metric type
```release-note
Bump Heapster to v1.5.3
```
/cc @kawych
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use the logging agent's node name as the metadata agent URL.
The Stackdriver Logging agent should use the node's hostname when it constructs the Stackdriver Metadata Agent's URL, currently, it's using the GKE Master's hostname, which is a bug.
**Release note:**
```release-note
[fluentd-gcp addon] Use the logging agent's node name as the metadata agent URL.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
gce: plumb --kubelet-certificate-authority flag to apiserver
**What this PR does / why we need it**:
We want to start signing kubelets' serving certs with cluster CA. This
flag is required to enforce that on apiserver side.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63340, 63266). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
gcp: allow non-bootstrap kubeconfig
**What this PR does / why we need it**:
Needed for https://github.com/kubernetes/community/pull/2022
This change lets us generate a non-bootstrap kubeconfig with exec plugin for authn.
The plugin does TLS bootstrapping internally.
**Special notes for your reviewer**:
Defaults when no new env vars are set will behave same as before this change.
`KUBELET_AUTH_TYPE` should never be `tls-auth` in practice, but leaving it there just in case.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add support for arm64 to the registry action of the kuberntes-worker juju charm.
**What this PR does / why we need it**: Add support for arm64 to the registry action of the kuberntes-worker juju charm.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
juju: Make kubernetes-master status handling more robust
**What this PR does / why we need it**:
This fixes a charm hook failure that can occur after restarting kubernetes-master units in Juju-based Kubernetes deployments.
This should also hopefully make our status handling in kubernetes-master more robust in general, by making sure all of our `blocked`, `waiting`, and `active` status messages are handled in one place, on hook exit.
**Which issue(s) this PR fixes**:
https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/523
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update all script shebangs to use /usr/bin/env interpreter instead of /bin/interpreter
This is required to support systems where bash doesn't reside in /bin (such as NixOS, or the *BSD family) and allow users to specify a different interpreter version through $PATH manipulation.
https://www.cyberciti.biz/tips/finding-bash-perl-python-portably-using-env.html
```release-note
Use /usr/bin/env in all script shebangs to increase portability.
```
Automatic merge from submit-queue (batch tested with PRs 63138, 63091, 63201, 63341). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adds support for arm64 to microbot example of the kubernetes-worker charm.
**What this PR does / why we need it**: Adds support for arm64 to microbot example of the kubernetes-worker charm.
**Release note**:
```release-note
NONE
```
The regular kubeconfig is fetched from metadata when
CREATE_BOOTSTRAP_KUBECONFIG==false.
We will experiment with an exec plugin that does TLS bootstrapping
internally: #61803
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[Prometheus addon] Use StatefulSet
This PR changes prometheus server manifest from deployment to statefulset.
Version label is removed from pods because statefulset disallows updating selectors.
```release-note
NONE
```
/cc @branch @kawych
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Support containerized kubelet in CI
**What this PR does / why we need it**:
* Adjust hyperkube Makefile to allow HYPERKUBE_BIN to be
specified from outside
* new DOCKER_ROOT variable to specify --root-dir and associated
volume for kubelet to know where docker directory lives
* Save the docker logs when we kill the kubelet container
* Allow customized image for dockerized kubelet and build a Default
image if one is not specified
We should allow a custom build using script we have:
`VERSION="latest" REGISTRY="k8s.gcr.io" hack/dev-push-hyperkube.sh`
to be used quickly using DOCKERIZE_KUBELET. To do this we remove the
hard coded `k8s.gcr.io/kubelet` image and introduce a new environment
variable `KUBELET_IMAGE`.
Note that we are switching to hyperkube from kubelet as we have a quick
and easy script to build hyperkube image and load it into local docker
daemon. This reduces bad hacks like `docker tag
k8s.gcr.io/hyperkube-amd64:<tag> k8s.gcr.io/kubelet:latest` being used
by folks today (see 62057)
* Better cope with PID 0 when running "docker inspect" to look for
the process id for kubelet container
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62718, 62863). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
gcp: add env var to configure enabled controllers in controller-manager
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
[prometheus addon] Add readme
This PR adds README file that warns users about it's intended use, and redirects to more mature projects.
```release-note
NONE
```
/cc @brancz
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
etcd version typo fix
**What this PR does / why we need it**:
Allows BUNDLED_VERSIONS string to be parsed correctly.
```release-note
NONE
```
* elastic now provides a fully opensource version for their prebuild
docker images (elasticsearch, kibana and so on). To avoid running into
licensing conflicts for this addon example, we should rather use these
images instead of the premium ones (were we also have to disable premium
features manually right now)
* remove disable flags for xpack, since *-oss images do not include this anymore
* bump elasticsearch and kibana version from 5.6.4 to 6.2.4
* use oss version from elastic as baseimg for kibana and elasticsearch
* bump fluentd version to ~>1.1.3
* bump gem 'fluent-plugin-elasticsearch' to '~>2.9.1' to allow usage of elasticsearch 6.x
* bump fluentd-es-image to v2.1.0
* fix elasticserach run.sh to align with new elasticsearch upstream container structure
Automatic merge from submit-queue (batch tested with PRs 62590, 62818, 63015, 62922, 63000). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove METADATA_AGENT_VERSION config option
**What this PR does / why we need it**:
Remove METADATA_AGENT_VERSION configuration option. To keep Metadata Agent version consistent across Kubernetes deployments.
**Release note**:
```release-note
Remove METADATA_AGENT_VERSION configuration option.
```
Automatic merge from submit-queue (batch tested with PRs 62590, 62818, 63015, 62922, 63000). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Use BootID instead of ExternalID to check for new instance
PR #60692 changed the way that ExternalID is reported on GCE. Its value
is no longer the GCE instance ID. It is the instance name. So it
cannot be used to determine VM uniqueness across time. Instead,
upgrade will check that the boot ID changed.
**What this PR does / why we need it**:
Node upgrades stall out because the external ID remains the same across upgrades now.
**Which issue(s) this PR fixes**:
Fixes#62713
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62590, 62818, 63015, 62922, 63000). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
gce: move etcd dir cleanup to manifests
we deploy it as a manifest, not an addon so locate it with the other
master manifests.
This is the last "bare pod addon", which needs to be remove to improve the situation in https://github.com/kubernetes/kubernetes/issues/62808.
```release-note
```
* Adjust hyperkube Makefile to allow HYPERKUBE_BIN to be
specified from outside
* new DOCKER_ROOT variable to specify --root-dir and associated
volume for kubelet to know where docker directory lives
* Save the docker logs when we kill the kubelet container
* Allow customized image for dockerized kubelet and build a Default
image if one is not specified
We should allow a custom build using script we have:
`VERSION="latest" REGISTRY="k8s.gcr.io" hack/dev-push-hyperkube.sh`
to be used quickly using DOCKERIZE_KUBELET. To do this we remove the
hard coded `k8s.gcr.io/kubelet` image and introduce a new environment
variable `KUBELET_IMAGE`.
Note that we are switching to hyperkube from kubelet as we have a quick
and easy script to build hyperkube image and load it into local docker
daemon. This reduces bad hacks like `docker tag
k8s.gcr.io/hyperkube-amd64:<tag> k8s.gcr.io/kubelet:latest` being used
by folks today (see 62057)
* Better cope with PID 0 when running "docker inspect" to look for
the process id for kubelet container
Automatic merge from submit-queue (batch tested with PRs 63033, 62993). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix bash command for liveness probes in the metadata agents.
**What this PR does / why we need it**:
This PR resolves an error in the way that the bash liveness probe is defined.
**Release note**:
```release-note
Fix the liveness probe to use `/bin/bash -c` instead of `/bin/bash c`.
```
Automatic merge from submit-queue (batch tested with PRs 63007, 62919, 62669, 62860). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add unit test for configure-helper.sh.
**What this PR does / why we need it**:
Add a framework for unit-testing configure-helper.sh.
configure-helper.sh plays a critical role in initializing clusters both on GCE and GKE. It is currently, over 2K lines of code, yet it has no unit test coverage.
This PR proposes a framework/approach on how to provide test coverage for this component.
Notes:
1. Changes to configure-helper.sh itself were necessary to enable sourcing of this script for the purposes of testing.
2. As POC api_manifest_test.go covers the logic related to the initialization of apiserver when integration with KMS was requested. The hope is that the same approach could be extended to the rest of the script.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63007, 62919, 62669, 62860). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
juju: Use k8s.gcr.io url for arm64 ingress image
**What this PR does / why we need it**:
This updates the kubernetes-worker charm to point to k8s.gcr.io for the nginx-ingress-controller-arm64 image. This should have no impact on functionality today, but as I understand it, we're all standardizing on k8s.gcr.io to allow for future changes.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update addon manifests to use policy/v1beta1
**What this PR does / why we need it:**
This is a part of the PSP migration from extensions to policy API group. This PR updates addon manifests to use policy/v1beta1 and grant permissions in policy API group.
**Which issue(s) this PR fixes:**
Addressed to https://github.com/kubernetes/features/issues/5
PR 60692 changed the way that ExternalID is reported on GCE. Its value
is no longer the GCE instance ID. It is the instance name. So it
cannot be used to determine VM uniqueness across time. Instead,
upgrade will check that the boot ID changed.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Manage Metadata Agent Config with Addon Manager
**What this PR does / why we need it**:
Fixes error where config map for Metadata Agent was not created by addon manager.
**Release note**:
```release-note
Fix error where config map for Metadata Agent was not created by addon manager.
```
Automatic merge from submit-queue (batch tested with PRs 62409, 62856). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
DNS-Autoscaler support for CoreDNS
**What this PR does / why we need it**:
This PR provides the dns-horizontal autoscaler for CoreDNS in kube-up, enabling the tests to pass once CoreDNS is the default.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#61176
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add prometheus cluster monitoring addon.
This PR adds new cluster monitoring addon based on prometheus.
It adds prometheus deployment with e2e tests.
Additional components will be added iterativly in future.
Manifests based on current Helm chart.
At current state it's not intended for production use.
cc @piosz @kawych @miekg
```release-note
Add prometheus cluster monitoring addon to kube-up
```
/sig instrumentation
/kind feature
/priority important-soon
Automatic merge from submit-queue (batch tested with PRs 62568, 62220, 62743, 62751, 62753). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
GCE: Bump GLBC manifest to v1.1.1
**Special notes for your reviewer**:
/assign bowei
/cc bowei
/cc rramkumar1
**Release note**:
```release-note
GCE: Bump GLBC version to 1.1.1 - fixing an issue of handling multiple certs with identical certificates
```
Automatic merge from submit-queue (batch tested with PRs 62568, 62220, 62743, 62751, 62753). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix NPD preload.
Fix NPD preload.
NPD preload information is:
```
node-problem-detector-v0.4.1.tar.gz,a57a3fe64cab8a18ec654f5cef0aec59dae62568
```
@shiliangxue Do we need to cherrypick this?
**Release note**:
```release-note
none
```
Automatic merge from submit-queue (batch tested with PRs 62436, 62499, 62664, 62685, 62660). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Adding kube dns to kubemark
Adding kube dns to the kubemark. It will allow to test dns impact on kuberneters master performance.
Kube dns is optional - requires ENABLE_KUBEMARK_KUBE_DNS set to "true".
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 62436, 62499, 62664, 62685, 62660). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
allow user to scale default backends
```release-note
Allow user to scale l7 default backend deployment
```
Automatic merge from submit-queue (batch tested with PRs 62676, 62612). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update kube-dns to Version 1.14.10
**What this PR does / why we need it**:
kube-dns version bump for kubeadm will be on a speparate PR.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #NONE
**Special notes for your reviewer**:
/assign @rramkumar1 @bowei
cc @grayluck
**Release note**:
```release-note
Update kube-dns to Version 1.14.10. Major changes:
- Fix a bug in DNS resolution for externalName services
and PTR records that need to query from upstream nameserver.
```
Automatic merge from submit-queue (batch tested with PRs 57224, 61911). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update Istio addon to 0.6.0 and mirror images in gcr
**What this PR does / why we need it:**
PR addresses two issues:
1. Update Istio addon version to latest stable 0.6.0 (required for e2e test integration).
2. Mirror images in gcr.io for security scanning, since this is an addon.
Fixes#61910
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 58784, 62057, 62621, 62652, 62656). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Set kubemark default verbosity to 4
To match with our default for tests.
This shouldn't break large kubemark jobs (as https://github.com/kubernetes/test-infra/pull/7705 is merged which explicitly sets it to v2 for those), but will make more logs available for smaller-scale ones.
```release-note
NONE
```
/cc @wojtek-t
Automatic merge from submit-queue (batch tested with PRs 62486, 62471, 62183). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
provision kubelet config file for GCE instead of deprecated flags
Many Kubelet flags are now deprecated in favor of the versioned config file format. This PR adopts the versioned config file format in our cluster turn-up scripts.
```release-note
cluster/kube-up.sh now provisions a Kubelet config file for GCE via the metadata server. This file is installed by the corresponding GCE init scripts.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
cluster/gce/list-resources.sh: also list stackdriver logging sinks
**What this PR does / why we need it**: we seem to be logging stackdriver logging sinks on GCE, likely because we're not keeping track of them. (ref https://github.com/kubernetes/test-infra/issues/7295)
This doesn't fix the leaks, but it'll hopefully help us detect when that happens.
**Release note**:
```release-note
NONE
```
cc @krzyzacy @crassirostris @summit
This PR extends the client-side startup scripts to provision a Kubelet
config file instead of legacy flags. This PR also extends the
master/node init scripts to install this config file from the GCE
metadata server, and provide the --config argument to the Kubelet.
Automatic merge from submit-queue (batch tested with PRs 62430, 62470). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Increase CPU limit to 1000 millicores to support 100kb/s throughput.
**What this PR does / why we need it**:
The e2e tests for fluentd in gke are failing due to conservative CPU limits for the logging agent. After doing some research we have determined that 1 core is necessary to achieve 100kb/s throughput.
**Release note:**
```release-note
[fluentd-gcp addon] Increase CPU limit for fluentd to 1 core to achieve 100kb/s throughput.
```
Automatic merge from submit-queue (batch tested with PRs 62455, 62465, 62427, 62416, 62411). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Bump GLBC version and remove Unreleased tag from tests
/assign rramkumar1
/cc mrhohn
**Release note**:
```release-note
GCE: Bump GLBC version to 1.1.0 - supporting multiple certificates and HTTP2
```
