Automatic merge from submit-queue (batch tested with PRs 46787, 46876, 46621, 46907, 46819)
kubeadm: Only create bootstrap configmap if not exists.
**What this PR does / why we need it**:
The fact that this method was not idempotent was breaking kubeadm upgrades.
https://github.com/kubernetes/kubeadm/issues/278
**Release note**:
```release-note
NONE
```
This helps enable a graceful upgrade/downgrade process between 1.6.x and
1.7.x kubeadm clusters (although no guarantees outside of that range) by
doing:
$ kubeadm init --kubernetes-version <version> --skip-preflight-checks
Without this change, the command fails with an error that the node taint
is duplicated.
This is part of https://github.com/kubernetes/kubeadm/issues/278
Changes:
- Support kube-master-url flag without kubeconfig
- Fix concurrent R/Ws in dns.go
- Fix confusing logging when initialize server
- Fix printf in cmd/kube-dns/app/server.go
- Fix version on startup and --version flag
- Support specifying port number for nameserver in stubDomains
Automatic merge from submit-queue
[Federation] Remove FEDERATIONS_DOMAIN_MAP references
Remove all references to FEDERATIONS_DOMAIN_MAP as this method is no longer is used and is replaced by adding federation domain map to kube-dns configmap.
cc @madhusudancs @kubernetes/sig-federation-pr-reviews
**Release note**:
```
[Federation] Mechanism of adding `federation domain maps` to kube-dns deployment via `--federations` flag is superseded by adding/updating `federations` key in `kube-system/kube-dns` configmap. If user is using kubefed tool to join cluster federation, adding federation domain maps to kube-dns is already taken care by `kubefed join` and does not need further action.
```
Automatic merge from submit-queue (batch tested with PRs 41826, 42405)
Add stubDomains and upstreamNameservers configuration to kube-dns
```release-note
Updates the dnsmasq cache/mux layer to be managed by dnsmasq-nanny.
dnsmasq-nanny manages dnsmasq based on values from the
kube-system:kube-dns configmap:
"stubDomains": {
"acme.local": ["1.2.3.4"]
},
is a map of domain to list of nameservers for the domain. This is used
to inject private DNS domains into the kube-dns namespace. In the above
example, any DNS requests for *.acme.local will be served by the
nameserver 1.2.3.4.
"upstreamNameservers": ["8.8.8.8", "8.8.4.4"]
is a list of upstreamNameservers to use, overriding the configuration
specified in /etc/resolv.conf.
```
Updates the dnsmasq cache/mux layer to be managed by dnsmasq-nanny.
dnsmasq-nanny manages dnsmasq based on values from the
kube-system:kube-dns configmap:
"stubDomains": {
"acme.local": ["1.2.3.4"]
},
is a map of domain to list of nameservers for the domain. This is used
to inject private DNS domains into the kube-dns namespace. In the above
example, any DNS requests for *.acme.local will be served by the
nameserver 1.2.3.4.
"upstreamNameservers": ["8.8.8.8", "8.8.4.4"]
is a list of upstreamNameservers to use, overriding the configuration
specified in /etc/resolv.conf.
Automatic merge from submit-queue (batch tested with PRs 41701, 41818, 41897, 41119, 41562)
kubeadm: Secure the control plane communication and add the kubeconfig phase command
**What this PR does / why we need it**:
This generates kubeconfig files for the controller-manager and the scheduler, ref: https://github.com/kubernetes/kubeadm/issues/172
The second commit adds the `kubeadm alpha phase kubeconfig` command as described in the design doc: https://github.com/kubernetes/kubeadm/pull/156
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
@dmmcquay What kind of tests would you like for the kubeconfig phase command?
**Release note**:
```release-note
```
@jbeda @mikedanese @dmmcquay @pires @liggitt @deads2k @errordeveloper
Automatic merge from submit-queue (batch tested with PRs 38957, 41819, 41851, 40667, 41373)
Change taints/tolerations to api fields
This PR changes current implementation of taints and tolerations from annotations to API fields. Taint and toleration are now part of `NodeSpec` and `PodSpec`, respectively. The annotation keys: `scheduler.alpha.kubernetes.io/tolerations` and `scheduler.alpha.kubernetes.io/taints` have been removed.
**Release note**:
Pod tolerations and node taints have moved from annotations to API fields in the PodSpec and NodeSpec, respectively. Pod tolerations and node taints that are defined in the annotations will be ignored. The annotation keys: `scheduler.alpha.kubernetes.io/tolerations` and `scheduler.alpha.kubernetes.io/taints` have been removed.
Automatic merge from submit-queue (batch tested with PRs 38101, 41431, 39606, 41569, 41509)
kubeadm: Reorder the token packages more logically
**What this PR does / why we need it**:
In order to be able to implement https://github.com/kubernetes/kubernetes/pull/41417, the token functionality (which now is spread across the codebase), should be in two places: a generic token functions library, which in the future _may_ [move into client-go](https://github.com/kubernetes/kubernetes/pull/41281#discussion_r101357106) in some form, and a package for the token handling against the api server.
This commit has no large functional changes.
```
kubeadm: Aggregate the token functionality in sane packages.
- Factor out token constants to kubeadmconstants.
- Move cmd/kubeadm/app/util/{,token/}tokens.go
- Use the token-id, token-secret, etc constants provided by the bootstrapapi package
- Move cmd/kubeadm/app/master/tokens.go to cmd/kubeadm/app/phases/token/csv.go
This refactor basically makes it possible to hook up kubeadm to the BootstrapSigner controller later on
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@mikedanese @pires @errordeveloper @dmmcquay @jbeda @GheRivero
Automatic merge from submit-queue (batch tested with PRs 41505, 41484, 41544, 41514, 41022)
add front proxy to kubeadm created kube-apiservers
The front proxy authenticator configuration has been in a release or two. It allows a front proxy (secured by mutual TLS auth) to provide user information for a request. The kube-aggregator uses this to securely terminate authentication (has to terminate TLS and thus client-certs) and communicate user info to backing API servers.
Since the kube-apiserver always verifies the front-proxy via a client certificate, this isn't open for abuse unless you already have access to either the signing key or client cert which kubeadm creates locally. If you got there, you already owned the box. Therefore, this adds the authenticator unconditionally.
@luxas Are there e2e tests for `kubeadm`?
@liggitt @kubernetes/sig-auth-misc
- Factor out token constants to kubeadmconstants.
- Move cmd/kubeadm/app/util/{,token/}tokens.go
- Use the token-id, token-secret, etc constants provided by the bootstrapapi package
- Move cmd/kubeadm/app/master/tokens.go to cmd/kubeadm/app/phases/token/csv.go
This refactor basically makes it possible to hook up kubeadm to the BootstrapSigner controller later on
Some imports dont exist yet (or so it seems) in client-go (examples
being:
- "k8s.io/kubernetes/pkg/api/validation"
- "k8s.io/kubernetes/pkg/util/initsystem"
- "k8s.io/kubernetes/pkg/util/node"
one change in kubelet to import to client-go
Automatic merge from submit-queue (batch tested with PRs 41061, 40888, 40664, 41020, 41085)
kubeadm: Small cleanup and fixes, validate the service subnet
**What this PR does / why we need it**:
- Validate the minimum subnet cidr so there are always 10 available addresses
- Remove an old proxy arg function, add clustercidr to the proxy manifest and automatically calculate the dns ip
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@errordeveloper @pires @mikedanese @dmmcquay @dgoodwin
Automatic merge from submit-queue (batch tested with PRs 41061, 40888, 40664, 41020, 41085)
kubeadm: added tests cert/pkiutil pkg
raised coverage from ~37% to ~77%
**What this PR does / why we need it**: added tests to cert/pkiutil pkg and raised coverage from ~37% to ~77%
Adding unit tests is a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 40385, 40786, 40999, 41026, 40996)
kubeadm: change os.Remove to os.RemoveAll
**What this PR does / why we need it**: This would not correctly clean out the tmp dir, since os.Remove doesn't recursively remove dirs, which could exist in the tmp dir.
Unit tests are a WIP from #34136
**Special notes for your reviewer**: /cc @luxas @pires
**Release note**:
```release-note
NONE
```
