This implementation allows Pod to request multiple hugepage resources
of different size and mount hugepage volumes using storage medium
HugePage-<size>, e.g.
spec:
containers:
resources:
requests:
hugepages-2Mi: 2Mi
hugepages-1Gi: 2Gi
volumeMounts:
- mountPath: /hugepages-2Mi
name: hugepage-2mi
- mountPath: /hugepages-1Gi
name: hugepage-1gi
...
volumes:
- name: hugepage-2mi
emptyDir:
medium: HugePages-2Mi
- name: hugepage-1gi
emptyDir:
medium: HugePages-1Gi
NOTE: This is an alpha feature.
Feature gate HugePageStorageMediumSize must be enabled for it to work.
- Add handlers for service account issuer metadata.
- Add option to manually override JWKS URI.
- Add unit and integration tests.
- Add a separate ServiceAccountIssuerDiscovery feature gate.
Additional notes:
- If not explicitly overridden, the JWKS URI will be based on
the API server's external address and port.
- The metadata server is configured with the validating key set rather
than the signing key set. This allows for key rotation because tokens
can still be validated by the keys exposed in the JWKs URL, even if the
signing key has been rotated (note this may still be a short window if
tokens have short lifetimes).
- The trust model of OIDC discovery requires that the relying party
fetch the issuer metadata via HTTPS; the trust of the issuer metadata
comes from the server presenting a TLS certificate with a trust chain
back to the from the relying party's root(s) of trust. For tests, we use
a local issuer (https://kubernetes.default.svc) for the certificate
so that workloads within the cluster can authenticate it when fetching
OIDC metadata. An API server cannot validly claim https://kubernetes.io,
but within the cluster, it is the authority for kubernetes.default.svc,
according to the in-cluster config.
Co-authored-by: Michael Taufen <mtaufen@google.com>
This creates a new EndpointSliceProxying feature gate to cover EndpointSlice
consumption (kube-proxy) and allow the existing EndpointSlice feature gate to
focus on EndpointSlice production only. Along with that addition, this enables
the EndpointSlice feature gate by default, now only affecting the controller.
The rationale here is that it's really difficult to guarantee all EndpointSlices
are created in a cluster upgrade process before kube-proxy attempts to consume
them. Although masters are generally upgraded before nodes, and in most cases,
the controller would have enough time to create EndpointSlices before a new node
with kube-proxy spun up, there are plenty of edge cases where that might not be
the case. The primary limitation on EndpointSlice creation is the API rate limit
of 20QPS. In clusters with a lot of endpoints and/or with a lot of other API
requests, it could be difficult to create all the EndpointSlices before a new
node with kube-proxy targeting EndpointSlices spun up.
Separating this into 2 feature gates allows for a more gradual rollout with the
EndpointSlice controller being enabled by default in 1.18, and EndpointSlices
for kube-proxy being enabled by default in the next release.
Given the significance this change would have we've decided to hold off
on enabling this by default until we can have better test coverage and
more real world usage of the feature.
The old name is too broad, we wanted a name that is more specific to
the actual feature.
This is an alpha gate, and no release has yet associated any
functionality with this gate.
The alpha feature for mount containers is unused, and is
superseded by CSI. By removing it, we can remove a lot of unnecessary
code, and also clean up the mount library even more before moving it out
of tree.
Concerns from alpha-phase reviews have been addressed in
https://github.com/kubernetes/kubernetes/pull/80320
and
https://github.com/kubernetes/kubernetes/pull/82109
and early adopters have given positive feedback; so it seems there are
no blockers to graduate GMSA support to beta.
This patch also enables GMSA support by default, mainly for the sake of
making it easier for cluster admins to use, as well as for e2e tests in
nightly builds.
Signed-off-by: Jean Rouge <rougej+github@gmail.com>
The current mechanism for excluding "master" nodes based on node names
is fragile and should be fixed by using a label exclusion similar to
service load balancers. The legacy code path is preserved behind a
defaulted-on gate and will be removed in the future.
This gate will default to on in 1.16 to cover the behavior of the
existing system, and then in the future default to off and then be
removed once all consumers have migrated.
The feature is complete and supported by an increasing number of CSI
drivers, but before it can be really used, it should be moved out of
alpha into beta.
Promotes the VolumePVCDataSource feature (cloning) to beta for the 1.16
release.
Since alpha release in 1.15 there have been a number of minor bug fixes
in the CSI Hospath Provisioner and the CSI provisioner sidecar. We've
also added e2e tests using the Hostpath provisioner.
Adds the field RunAsUserName in the WindowsSecurityContextOptions type,
which is used in PodSecurityContext and SecurityContext.
This field needs to allow for a valid set of usernames allowed for
Windows containers. It must have the format "U
This commit also validates the runAsUserName field, making sure that it valid,
having the format DOMAIN\USER (case insensitive), where DOMAIN\ is optional and
has to be a valid NetBios or DNS domain name.
For more information about the restrictions on the DOMAIN and USER parts, look here: [1] [2]
Adds the WindowsRunAsUserName alpha feature gate. By default, it is disabled.
If the feature gate is not enabled, the WindowsOptions.RunAsUserName field
will be dropped from both the PodSecurityContext and container
SecurityContext.
Co-Authored-By: Claudiu Belu <cbelu@cloudbasesolutions.com>
[1] https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
[2] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1
