Kubernetes Prow Robot
3e0432c3e1
Merge pull request #102168 from adisky/credential-provider-1
...
Improve concurrency and cache for kubelet credential provider
2021-07-02 01:16:12 -07:00
Kubernetes Prow Robot
659c7e709f
Merge pull request #99494 from enj/enj/i/not_after_ttl_hint
...
csr: add expirationSeconds field to control cert lifetime
2021-07-01 23:02:12 -07:00
Monis Khan
29b3fa7826
Generated
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-01 23:38:16 -04:00
Monis Khan
cd91e59f7c
csr: add expirationSeconds field to control cert lifetime
...
This change updates the CSR API to add a new, optional field called
expirationSeconds. This field is a request to the signer for the
maximum duration the client wishes the cert to have. The signer is
free to ignore this request based on its own internal policy. The
signers built-in to KCM will honor this field if it is not set to a
value greater than --cluster-signing-duration. The minimum allowed
value for this field is 600 seconds (ten minutes).
This change will help enforce safer durations for certificates in
the Kube ecosystem and will help related projects such as
cert-manager with their migration to the Kube CSR API.
Future enhancements may update the Kubelet to take advantage of this
field when it is configured in a way that can tolerate shorter
certificate lifespans with regular rotation.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-01 23:38:15 -04:00
Kubernetes Prow Robot
25bbe2ebc5
Merge pull request #99594 from cofyc/kep1845-api
...
Prioritizing nodes based on volume capacity: API changes
2021-07-01 15:35:51 -07:00
Kubernetes Prow Robot
43ebff8fa4
Merge pull request #103306 from swetharepakula/convert-proxy
...
Kubeproxy uses V1 EndpointSlice
2021-07-01 14:28:11 -07:00
Kubernetes Prow Robot
062bc359ca
Merge pull request #102444 from sanwishe/resourceStartTime
...
Expose container start time in kubelet /metrics/resource endpoint
2021-07-01 14:27:51 -07:00
Kubernetes Prow Robot
b0af328e6e
Merge pull request #103326 from pacoxu/safe-sysctls
...
Mark net.ipv4.ip_unprivileged_port_start as a safe sysctl
2021-07-01 09:49:55 -07:00
pacoxu
2cab85a403
Mark net.ipv4.ip_unprivileged_port_start as a safe sysctl
...
Signed-off-by: pacoxu <paco.xu@daocloud.io>
2021-07-01 10:31:21 +08:00
Yecheng Fu
b522e95aae
Prioritizing nodes based on volume capacity: API changes
2021-07-01 10:00:59 +08:00
Swetha Repakula
03b7a699c2
Kubeproxy uses V1 EndpointSlice
2021-06-30 18:41:57 -07:00
Kir Kolyshkin
ab5b77944e
kubelet/cm: don't set Devices
...
Since runc 1.0.0 it is now sufficient to have SkipDevices: true.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-30 16:17:35 -07:00
Kubernetes Prow Robot
385402d506
Merge pull request #103082 from chrishenzie/read-write-once-pod-access-mode-scheduler
...
Enforce ReadWriteOncePod during scheduling
2021-06-30 16:11:36 -07:00
Kubernetes Prow Robot
98d20f552b
Merge pull request #99378 from mattcary/api
...
StatefulSet PersistentVolumeClaimDeletePolicy
2021-06-30 11:49:03 -07:00
Chris Henzie
7ad44d04fc
Enforce ReadWriteOncePod access mode during scheduling
...
Check the PVC ref count on the node info cache to determine if a pod's
PVCs are in use. If they are and it is using ReadWriteOncePod, fail the
request.
2021-06-30 10:40:14 -07:00
Kubernetes Prow Robot
21f41b8e82
Merge pull request #101711 from hbagdi/ingressclass-namespaced-params-beta
...
graduate IngressClassNamespacedParams to beta
2021-06-29 17:07:03 -07:00
Kubernetes Prow Robot
e0f66be1aa
Merge pull request #101822 from yuzhiquan/NodeResourcesFit-score
...
Add score func for NodeResourcesFit plugin
2021-06-29 13:42:20 -07:00
Harry Bagdi
f0d917a3ca
add fuzzer patch to fix tests
2021-06-29 12:59:59 -07:00
yuzhiquan
deb14b995a
Add score plugin for NodeResourcesFit
2021-06-29 13:16:55 -04:00
Chris Henzie
ebc3fdb293
Store PVC reference counts in NodeInfo cache
...
This map will be queried as part of enforcement of the ReadWriteOncePod
access mode for PVCs
2021-06-29 10:07:32 -07:00
Kubernetes Prow Robot
01819dd322
Merge pull request #102028 from chrishenzie/read-write-once-pod-access-mode
...
ReadWriteOncePod access mode for PVs and PVCs
2021-06-29 10:04:40 -07:00
Kubernetes Prow Robot
756203fda0
Merge pull request #102576 from dobsonj/101911
...
kubelet: do not call RemoveAll on volumes directory for orphaned pods
2021-06-29 06:54:40 -07:00
Kubernetes Prow Robot
1151dc1ee5
Merge pull request #103138 from sbangari/winDsrLoadBalancerServiceFix
...
Loadbalancer IngressIP policy should be configured as non-DSR to enable routing mesh by default
2021-06-28 23:26:51 -07:00
Chris Henzie
b7d732d3d6
Map PV access modes to CSI access modes
2021-06-28 21:25:38 -07:00
Chris Henzie
8db83c89aa
CSI client helpers for NodeGetCapabilities
2021-06-28 21:25:37 -07:00
Chris Henzie
5f98f6cfa4
Update helper methods to print and parse ReadWriteOncePod access mode
2021-06-28 21:25:37 -07:00
Chris Henzie
2b98f8edc7
Enforce ReadWriteOncePod access mode during mount
2021-06-28 21:25:37 -07:00
Chris Henzie
7491d01651
Validate use of the ReadWriteOncePod access mode
...
This will only work if the "ReadWriteOncePod" feature gate is enabled.
Additionally, this access mode will only work when used by itself. This
is because when ReadWriteOncePod is used on a PV or PVC, it renders all
other access modes useless since it is most restrictive.
2021-06-28 21:25:37 -07:00
Chris Henzie
48ba5020a2
ReadWriteOncePod PV access mode and feature gate
2021-06-28 21:25:35 -07:00
Chris Henzie
358d2e0bd1
Export contains access mode helper method
...
Will be used during validation of PVs and PVCs
2021-06-28 21:24:56 -07:00
Chris Henzie
83e3ee780a
Rename access mode contains helper method
...
So it is consistent with other methods performing the same check (one
for internal and external types)
2021-06-28 21:24:56 -07:00
Chris Henzie
dba8ee229e
Add validation options for PersistentVolumeClaims
...
These options provide an extensible way of configuring how PVCs are
validated
2021-06-28 21:24:55 -07:00
Chris Henzie
9ba0eed7c5
Add validation options for PersistentVolumes
...
These options provide an extensible way of configuring how PVs are
validated
2021-06-28 21:24:55 -07:00
Kubernetes Prow Robot
d92f6c424d
Merge pull request #103099 from liggitt/podsecurity
...
PodSecurity admission
2021-06-28 20:46:52 -07:00
Kubernetes Prow Robot
db3a216fbb
Merge pull request #97238 from andrewsykim/kube-proxy-handle-terminating
...
kube-proxy handle terminating endpoints
2021-06-28 20:46:40 -07:00
Kubernetes Prow Robot
15d3c3a5e2
Merge pull request #102821 from ehashman/phase-fix
...
Ensure kubelet statuses can handle loss of container runtime state
2021-06-28 15:38:40 -07:00
Kubernetes Prow Robot
38f012320f
Merge pull request #101947 from cynepco3hahue/memory_manager_move_to_beta
...
memory manager: move to beta
2021-06-28 15:38:28 -07:00
Jordan Liggitt
f39bddd767
PodSecurity: kube-apiserver: admission wiring
2021-06-28 17:45:35 -04:00
Jordan Liggitt
65a42a483c
PodSecurity: pkg/features: feature gate
2021-06-28 17:45:35 -04:00
Kubernetes Prow Robot
51e1969d9c
Merge pull request #103133 from marwanad/allow-scheduler-to-patch-conditions
...
switch scheduler to generate the merge patch on pod status instead of the full pod
2021-06-28 12:46:28 -07:00
Marwan Ahmed
48dfa2a554
generate scheduler merge patches on the pod status instead of the full pod
2021-06-28 09:35:55 -07:00
Aditi Sharma
def93317b4
Kubelet Credential Provider
...
Improve concurrency and cache for credential provider
Removed lock from "Provide" as it can be called in parallel
from image puller. To avoid execing for the same image concurrently
wrapped exec in singleflight.
Purging the cache for expired data with 15mins interval only when
a request for credential is made.
KEP:2133
Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>
2021-06-28 21:15:03 +05:30
Shiming Zhang
45ce2dfacc
Treat negative as 1s in delete path
2021-06-28 11:49:39 +08:00
Shiming Zhang
40593fa4d3
spec.terminationGracePeriodSeconds allow it to be set to 1s if it was previously negative
2021-06-28 11:49:39 +08:00
Kubernetes Prow Robot
a0f9c8c277
Merge pull request #103001 from zshihang/csi
...
CSIServiceAccountToken ga
2021-06-26 19:31:23 -07:00
Kubernetes Prow Robot
df2e13376d
Merge pull request #103169 from Huang-Wei/res-scorer
...
Optimize scheduler res scorer on non-requested extended res
2021-06-26 04:21:23 -07:00
Kubernetes Prow Robot
7ab6c5322c
Merge pull request #103190 from robscott/remove-app-protocol-gate
...
Removing ServiceAppProtocol feature gate
2021-06-26 03:15:23 -07:00
Kubernetes Prow Robot
fc26906546
Merge pull request #103049 from gdsoumya/feat/errors
...
Updating github.com/pkg/errors with native go errors pkg
2021-06-25 23:43:23 -07:00
Antonio Ojea
fa7b5d86e6
remove duplicate validation on services
...
The rest api for services was validating that, on updates, both
the old and new service have the same type. That guarantees that
the type is going to be the same after that, thus we don't need
to validate the service type on the old and the new service.
2021-06-25 23:18:56 +02:00
Kubernetes Prow Robot
015a0d9b01
Merge pull request #103130 from ahg-g/ahg-ca
...
Add a function that returns default scheduler configuration
2021-06-25 12:13:24 -07:00